October 05, 2022

To help bring our ambitious documentation plans to fruition, we’re going to be hiring people to work in documentation – over the next couple of years, we’ll be increasing the number of Technical Authors at Canonical four-fold.

This isn’t about documentation alone. If documentation is part of a product, and documentation work is part of engineering, then it has implications for engineering too.

Generally speaking, technical writing is a poorly-understood discipline in the software industry. It’s a specialised role, and though the skills that it requires are typically exercised privately, the results are very public.

And yet, everybody seems to have confident opinions about documentation! For example, an engineer might bristle hotly with indignation if an outsider were to cast judgements or make pronouncements about software theory or practice – but not hesitate to do the same about technical documentation.

Some of this is fair enough, and some of it must change. 

Documentation in software engineering

Product documentation is public property. Like software, it exists to serve its users. And, as in the case of software, the final test of documentation is: does it meet the needs of its users? So it’s perfectly right that everyone is positively encouraged to think about, and express opinions on documentation; it’s part of public ownership of it.

On the other hand, it’s problematic that in the software industry, documentation is not properly understood as a technical discipline. In many instances, it’s not even understood that it is a technical discipline, that takes time to learn and longer to master, and that there are right and wrong ways of doing things, that themselves might not be obvious, and so on. This gap of understanding is one of the reasons that so much software documentation is not as good as it should be.

Professionals who work in the discipline of software have a strong tradition of looking inwards, at their work and the way they do it. Programming is a reflective craft, with effective values of self-criticism. For programming, software engineering has paradigms, methodologies, models and movements, that are in continual evolution and dialogue with each other. For documentation – we cannot say the same.

Thinking about documentation

Documentation is part of software engineering, but much less thought is given to it. Questions like how should we do it? what are our values? what works? how can we advance the discipline? are asked often of programming, and rarely of documentation.

Sometimes in software, we’re so far from treating documentation as a practice deserving attention that the mere existence of documentation can be considered an achievement. This is extraordinary. There can be no other industry in which the standards of product documentation are routinely set so low.

What we’re going to do about it

The clearest way to signal our intention to change this pattern is by hiring and dedicating people to work on documentation, not just as technical writers who produce it, but to be Technical Authors: visible, high-profile practitioners of the discipline with an important role in defining our engineering culture.

Our plan, for the next few months, is to increase the number of Technical Authors dramatically, from six full-time authors at present, to at least 28. That’s an enormous increase. The sheer number of new colleagues who are dedicated to documentation will make a difference, but it’s not all; what also matters is the role that our Technical Authors have.

What Technical Authors do

Canonical Technical Authors are key members of engineering teams. These teams work on a vast range of software engineering challenges and products. The products and their documentation need to meet the needs of an equally wide range of users: from end-users of Ubuntu on the desktop to kernel-level engineering teams across multiple different industries, and everything in between.

Documentation has to be like security, or performance: a team responsibility. It can only be done effectively when it belongs to everyone in the team, and is led effectively. A Technical Author leads the team’s documentation efforts.

At Canonical, Technical Authors are not passive communicators of knowledge. They are active contributors to the business of software development; their contributions are real, meaningful and respected.

Above all, they have technical authority, hence their title. They are custodians of one of the most important relationships in software, the one between a product and the users’ grasp of it.

Authors are inventive and creative. Their work helps define the identity and presentation of products. They identify the needs of users, and frame products and their operation according to the needs of those users. They find imaginative ways to present highly-technical ideas and structures in narratives and flows that lead users to understanding and success. They find new and better ways to teach, show, describe and explain.

Technical authors engage critically with their developer colleagues – many technical authors themselves have engineering backgrounds – to challenge and question assumptions about the way products work and are used.  They dive deeply into the thinking behind software decisions, and use their skills of comprehension and communication to hold up a mirror that reflects them back, and brings them into focus. They are able to show how a problem in communicating about a technical matter can represent a problem in the technical concern itself.

They listen. Listening is an active discipline of receptivity to needs. It’s a crucial part of the role, because users of software are not always inside formal feedback loops, are sometimes hard to hear, and always have needs that must be placed at the heart of our documentation.

It’s a special constellation of abilities and responsibilities – hard to find, and hard to do well – and one that the software industry needs to understand better.

(Does this description of the role of a Technical Author appeal to you? Perhaps you’re ready to be one of them. Learn more – see our job description for Canonical Technical Authors.)

Transformation engineering

By introducing new Technical Authors into teams right across the company, we are purposefully and systematically engineering a tectonic shift in our own software culture. It will take place through our documentation practice and the professionals who lead it, our Technical Authors.

A Technical Author is a transformative presence in an engineering team. They will change the way that Canonical does documentation, but will also change the way Canonical makes software too.

We expect the presence of the new Technical Authors to have an immediate impact in each team, and a permanent effect on Canonical engineering. It will place new conversations, perspectives and ways of thinking about making software right at the heart of the engineering process.

This is also an opportunity for talented documentation authors who are looking for a new challenge. If your skills and interests lie in the intersection of technical writing, software product documentation and open-source software development, we’d love to hear from you.

Technical Author roles at Canonical

on October 05, 2022 04:08 PM

Ubuntu Pro, the expanded security maintenance and compliance subscription, is now offered in public beta for data centres and workstations. Canonical will provide a free tier for personal and small-scale commercial use in line with the company’s community commitment and mission to make open source more easily consumable by everyone.

“Since we first launched Ubuntu LTS, with five years free security coverage for the main OS, our enterprise customers have asked us to cover more and more of the wider open-source landscape under private commercial agreements. Today, we are excited to offer the benefits of all of that work, free of charge, to anyone in the world, with a free personal Ubuntu Pro subscription”, said Mark Shuttleworth, CEO of Canonical.

Ubuntu Pro expands security coverage for critical, high and medium Common Vulnerabilities and Exposures (CVEs) to thousands of applications and toolchains, including Ansible, Apache Tomcat, Apache Zookeeper, Docker, Drupal, Nagios, Node.js, phpMyAdmin, Puppet, PowerDNS, Python 2, Redis, Rust, WordPress, and more. 

Ubuntu Pro is available for every Ubuntu LTS from 16.04 LTS. It is already in production for large-scale customers offering global services. 

“For the last decade, Google has partnered with Canonical to promote the adoption of open-source software”, said Derry Cheng, Product Manager for Compute Engine. “By offering Ubuntu Pro on Google Compute Engine, together we help customers enhance the security and compliance for their production workloads”.

Users can obtain a free personal Ubuntu Pro subscription at ubuntu.com/pro for up to five machines.

Enterprise-grade security

Canonical has an 18-year track record of timely security updates for the main Ubuntu OS, with critical CVEs patched in less than 24 hours on average. Ubuntu Pro expands this coverage to ten times the number of packages in the standard Ubuntu repositories – more than 25,000 of them. Patches are applied for critical, high, and selected medium CVEs, with many zero-day vulnerabilities fixed under embargo for release the moment the CVE is public.

Most users apply these security fixes automatically, with Ubuntu’s unattended upgrades. Canonical Livepatch, which allows users to apply kernel security patches at run time without the need for an immediate reboot, is also included in Ubuntu Pro.

Canonical works with major security scanning and vulnerability management providers to ensure that information about Ubuntu Pro CVE fixes is available through widely used tooling and dashboards.

“Tenable and Canonical collaborate to provide timely, accurate and actionable vulnerability alerts”, said Robert Huber, Chief Security Officer at Tenable. “Ubuntu Pro offers security patch assurance for a broad spectrum of open-source software. Together, we give customers a foundation for trustworthy open source”.

Long-term stability for infrastructure and applications 

A fragmented approach to long-term maintenance is among the most significant challenges of open source adoption. Ubuntu Pro is ideal for business builders who want to focus on innovation and be confident of ongoing security maintenance and dependency tracking.

Canonical backports security fixes from newer versions of applications, giving Ubuntu Pro users a path to long-term security with no forced upgrades. The result is a decade of API stability.

“Transformative innovations such as AI and deep learning are being put to work to unlock new levels of business automation”, said Justin Boitano, vice president of Enterprise Computing at NVIDIA. “With the introduction of Ubuntu Pro, enterprises will benefit from better security, support and long-term maintenance for thousands of open source libraries that are at the core of modern AI and data science workflows“.

Compliance and hardening

Ubuntu Pro includes tools for compliance management in regulated and audited environments. Ubuntu Security Guide (USG) enables well-known hardening and compliance standards such as certified CIS benchmark tooling and DISA-STIG profiles. System management at scale is facilitated through Landscape. 

Ubuntu Pro users can access FIPS 140-2 certified cryptographic packages, necessary for all Federal Government agencies as well as organisations operating under compliance regimes like FedRAMP, HIPAA, and PCI-DSS. 

“Enterprises need modular, cloud-native application platforms that accelerate how they build, run, and manage their applications without compromising on their compliance, security, or support requirements”, said Ajay Patel, GM and SVP, Modern Apps & Cloud Management Business, VMWare. “VMware is thrilled to partner with Canonical with their field-proven expertise in securing and supporting open-source. By offering Ubuntu Pro with VMware Tanzu, we can provide customers with a hardened, better, secure and enterprise-grade application environment that is as friendly to their developers as it is to their CISO”.

Subscription types

The standard Ubuntu Pro subscription covers the full set of security updates for all packages in Ubuntu. Canonical’s Ubuntu Advantage for Infrastructure subscription is now rebranded to Ubuntu Pro (Infra-only) with no price or scope changes.

An Ubuntu Pro (Infra-only) subscription covers the base OS and the private cloud components needed for large-scale bare-metal deployments, but excludes the new broader application coverage. It is useful for organisations building private clouds that use other guest operating systems for applications.

“Ubuntu Pro enables our engineering teams to focus on delivering industry-leading products and services to Acquia customers. Canonical’s transparency and patching expedience give me peace of mind that we are providing the most secure and compelling solutions to power innovative digital experiences”, said Robert Former, Acquia’s Chief Information Security Officer.

Optional support

Ubuntu Pro can be combined with up to 24×7 enterprise-grade support coverage for the Ubuntu operating system. Additionally, it can cover open infrastructure such as MAAS, LXD, Kubernetes, OpenStack or Ceph / Swift storage, and now also a range of open source applications.

Initial application support coverage consists of over 30 upstream applications, including many popular projects such as Kafka, Kubeflow, OpenJDK, PostgreSQL, Telegraf, Samba, and Vault. We continue to add to the list based on prioritised customer demand. 

Canonical can extend the service further by providing a Technical Account Manager or Dedicated Support Engineer or take full responsibility for the whole environment – from the initial setup to operations of the environment on behalf of the customer with up to 99.9% SLA-backed uptime.

“FIPS 140-2 certified Ubuntu images on AWS fulfil our FedRAMP compliance requirements. With enterprise-grade Ubuntu Pro support backed by Canonical’s 10-year security maintenance commitment, we provide critical development infrastructure for some of the world’s most famous brands”, said Patrick Kaeding, Security Engineer at LaunchDarkly.

Free trial available for new and existing customers

A 30-day free trial of Ubuntu Pro is also available for new enterprise customers. Paid plans are priced at $25 per year for workstation or $500 per year for server. On public clouds, Ubuntu Pro is priced at approximately 3.5% of the average underlying compute cost. Additional services such as 24×7 support can be added if required, so businesses can choose the level of service they need. Full pricing details are available at ubuntu.com/pricing/pro

Canonical is also pleased to offer existing Ubuntu Advantage for Infrastructure customers (now Ubuntu Pro (Infra-only), with or without support) a trial of the new full Ubuntu Pro application security maintenance service at no extra cost until the end of their existing contract (up to one year).

For more information:

Learn more about Ubuntu Pro

Join the community & share your feedback

About Canonical

Canonical is the publisher of Ubuntu, the operating system for most public cloud workloads as well as the emerging categories of smart gateways, self-driving cars and advanced robots. Canonical provides enterprise security, support and services to commercial users of Ubuntu. Established in 2004, Canonical is a privately held company

on October 05, 2022 12:56 PM

October 04, 2022

The Community Council is still looking for nominees for the upcoming election.

We will be filling all seven seats this term, with terms lasting two years. To be eligible, a nominee must be an Ubuntu Member. Ideally, they should have a vast understanding of the Ubuntu community, be well-organized, and be a natural leader.

The work of the Community Council, as it stands, is to uphold the Code of Conduct throughout the community, ensure that all the other leadership boards and council are running smoothly, and to ensure the general health of the community, including not only supporting contributors but also stepping in for dispute resolution, as needed.

Historically, there would be two meetings per month, so the nominee should be willing to commit, at minimum, to that particular time requirement. Additionally, as needs arise, other communication, most often by email, will happen. The input of the entire Council is essential for swift and appropriate actions to get enacted, so participation in these conversations should be expected.

To nominate someone (including yourself), send the name and Launchpad ID of the nominee to community-council [AT] lists.ubuntu.com. The nominations period has been extended and will now close on 6 October 2022 11:59 UTC.

Once the nominations are collected, Mark Shuttleworth will shortlist them and an actual election will take place, using the Condorcet Internet Voting Service. All Ubuntu Members are eligible to vote in this election.

If you have any other questions, feel free to post something in the Ubuntu Discourse #community-council category so all may benefit from the answer.

Thanks in advance to all that participate and for your desire to make Ubuntu better!

on October 04, 2022 02:47 PM

October 03, 2022

Welcome to the Ubuntu Weekly Newsletter, Issue 755 for the week of September 25 – October 1, 2022. The full version of this issue is available here.

In this issue we cover:

The Ubuntu Weekly Newsletter is brought to you by:

  • Krytarik Raido
  • Bashing-om
  • Chris Guiver
  • Wild Man
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

on October 03, 2022 10:25 PM

Akademy Talks Day 2

Jonathan Riddell

The sun is shining, the beach is busy, the cava is flowing, the record shops are full of hipsters. Akademy is in full swing here in Barcelona, Here’s some scribbled notes I took from some of the talks I went to incase they are any interest to anyone.

The keynote was from Ashai dev Hector Martin. Ashai Linux runs on M1 ARM macs. EFI is a security nightmare, it’s an operating system in itself. Linus said Apple Macs won’t be available for Linux unless Apple opens up its GPU. Macs have a permissive mode to boot custom kernels including XNU (Apple’s open source OS kernel). He got himself a patreon and github sponsorship and enough people fund him to do it as a job. He did lots of impressive things to get Linux working on ARM M1 Macs and voila his video shows a Plasma desktop on a Mac.

Neil Gompa on Fedora and KDE

Neil Gompa spoke on Fedora. See http://fedoraloveskde.org/ . Packages by Fedora KDE SIG. Fedora has Wayland by default (also RHEL). Better graphics performance, less resource usage. For gaming SDL is Wayland native (Simmple Direcmedia Layer), needed replaced with a shim library for SDL 1 to use SDL 2. Fedora is first distro for Pipewire for all audio routing (dropping Pulseaudio and JACK). Btrfs by default, optimised for flash storage, transparent compression, improves space efficiency and IO performance. The flagship variant is Fedora KDE Plasma Spin. It has some minor branding and usability tweaks, Firefox as browser, FirewallD and SELinux. Fedora Kinoite launched last year, minimal default experience, rpm-ostree immutable base, apps as Flatpaks. In RHEL Plasma is in Extra Packages for Enterprise Linux. CentIS Hyperscale and AlmaLinux have Plasma ISOs from RHEL. (AlmaLinux is a RHEL rebuilt and replaces much of what CentOS used to.) In the future they hope to make SDDM use Wayland (needs an SDDM release). Fedora workstation is shipped by Lenovo and more, he wants Fedora KDE on hardware. The out of box experience isn’t great for this yet but he’s working with Nate to do it. Plasma Mobile packages just integrated into Fedora Rawhide so maybe x86 tablets and then ARM device support.
Wayland downside are that it has quirkyness, multi monitor quirky, mixed DPI is quirky, Plasma Wayland is pretty much feature complete. Accessibility not there and input methods not there so no screen readers. Plasma LTS was horrible to maintain as a distro because underlying frameworks and apps not inline. He suggests to spend the energy of Plasma LTS dev fixing normal Plasma releases.

Volker Krause spoke about push notifications, they must be part of the platform and app does not need to run, there’s potential for apps to abuse them but they are crucial for some uses. On proprietary systems (Google, Apple, Windows) you are locked in, they can’t be removed. UnifiedPush standardises interface and DBus, Android etc. Push drivers are Ntfy, NextPush (for NextCloud), Gotify. Android distributors FCM bridge. DBus mostly proof of concept. He shows the distributor in the KCM. He shows an app subscribed to notifications of German weather warnings. There’s legal and privacy risks: storage, authentication and encryption is not standardised. We have all the blocks, the main challenge is hosting the provider service.

Lunch Time

Shyamnath Premnadh (Shyam) spoke on How C++ and Python can thrive together. He’s a Senior Software dev at Qt for Python team. C++ is loved, fast, control, mature etc. Python is also popular, at least from Stackoverflow rankings. You wouldn’t use C++ for something quick and dirty. He gives some exmaples of where Python is easier than C++. Qt for Python is an application suite. Pyside6qmlls, Shiboken, assistant, linguist and others. Shiboken makes the bindings, it uses libclang to parse the Qt headers. He shows a C++Papp with Python plugins which can change the themes and other settings in the C++ app. The code to make this is easy and he shows that too. He shows QtScrypt, a proof of concept for integrating Python inside C++ in the same file. He shows pyside-deploy making a Flatpak package for his app.

Volker Krause spoke about Frameworks 6 porting. At Akademy 2019 they made a plan, do the work in the Qt 5 codebase, branch late, actionable tasks. Now KF builds on Linux, BSD and Android. Windows has 30 of 55 building. CI coverage is good. Plasma platform integration builds and works. QtWidget apps work, QML ones need more work. He shows his desktop running Kate with KF6, then Konsole, then Systemsettings. And he reveals that the whole Plasma desktop and KWin is running with KF6. This is not the out of box experience it requires some modifications for QML. ToDo before we can branch is not much. Still to be decided the scope, just KF6 or Plasma as well.

Pleasingly I tested free of Flu and Covid. Masks are still needed though.

Lydia talks about fundraising with Jean-Baptiste. It was lots of work and not cool. They’re trying project specific fundraising starting with Kdenlive. Jean-Baptiste takes the stage, their workload is increasing, they want a sustainable project. That needs a CI for binaries. For 1 year he’s been working with the e.V. board on a fundraiser. Signed a contract in March for the new fundraising software. Launched September. After 12 days it has now raised over €12,000 which is amazing. Challenges: make it sustainable. Increase presence in schools. Keep having fun. Lydia says contact the board if you want to do the same with your app.

Albert Astals Cid talks about security, 9 people with history in KDE (3 of them accounts so old they don’t know when they started). Needs new blood. When they get an e-mail they reply to say “thanks we will look into it”. Then check if it’s a bug or a feature. Then contact with someone who might be able to fix it. Get a CVE and publish. But you need to be careful when else it’ll go on The Register. They would like help from oss-fuzz adding kfilemetadata, baloo, kmime etc. They want KAuth uses audited.

Healthy Mind Healthy Code talk with Harald

Harald talks about Healthy Mind Healthy Code. He became aware some people had problems and struggles with their KDE contributing. It’s important to have sleep. Learn to say no. Have friendships. Reflect on your state on mind, maybe you’re being stressed out by KDE. You should be mindful you should get something out of it. You don’t want to lose sleep over it. Know your limits, do not stress too much if you can’t fix all the bugs in the world (half might do). Sometimes its OK to take a holiday for a couple of years. Do not over plan your life. He points to a Gitlab activity chart showing gaps, gaps are a good thing as it means you did go on holiday.

Akademy Award Winners

Akademy Awards winners for winning app is KStars, winning developer is Harald, winning non-dev contributions is Aniqa.

Akademy next year will be in Greece! Now onto the week of Birds of a Feather Meetings!

Party Time at the Social Event
on October 03, 2022 03:44 PM

October 02, 2022

Akademy Talks in Barcelona

Akademy is back, online and in person. FFP2 masks being the only sign of a pandemic having happened. Barcelona is warm and sunny and we’re meeting at the Universidad Polytechniqua de Catalunya in grand lecture theatres with high def projectors. It’s great to see some old faces and some new and discuss the progress of the last couple of years since we could last meet. Here’s some notes on some talks I went to.

Volker Hilsheimer gives the keynote aschief architect of Qt for last 6 months. We are 2 years into Qt 6 and stuff is still being ported. Qt 6.4 is now out and it adds QtLocation as the last major module to be ported to 6. Qt WebAssembly is an important development, zero deploy, near native performance, Web in Qt and Qt in Web, they consider it to be Docker for Apps. How will KDE use it? Lots of work is happening to make Qt prepared for C++20. C++23 is on its way, stuff like the stack tracing library will be valuable. There’s some C++ successor languages upcoming like cppfront and carbon which they want to see what’s relevant. Python is something they have invested in. People are asking about Rust, they’re not actively doing anything but it’s something they’ll need to look into. Many people think of Qt as a user interface library, that’s not the only aspect but it’s a big part of it. What controls are still missing? QtWidgets they won’t throw much resources at, they will keep it relevant and up to date but QtQuick is where they want to put effort. They have not spent a great deal of time making sure Qt apps look great on the Linux desktop in recent years – they are now looking at that again. HMI, Human Machine Interface, is relevant. Connectivity is interesting for Qt (it’s not just a UI framework). Community is important for the Qt project, there’s a long and good history with the KDE community. Qt now has a community manager Pedro Bessa (who takes the stage). Almost 100% of the real world problems being solved with Qt is done outwith Qt Company so your perspective is important to them. 1/3 of maintainers are outside the Qt Company. Having an ecosystem for Qt. A question about speed recognition in Qt? Yes, contribution was this summer to QtSpeech repo.

This big church looks familiar

Adam Szopa goals talk. Goals initiative was started in the distant past of 2017. In 2019 Wayland, Consistency and All About the Apps kicked off. Then Covid happened.

Aleix talks about Apps: if humanity used more of our apps we would have less wars. It’s hard for us to do all the work. Are we as good as it gets to getting the last mile? On all the stores and all the platforms? We always have a one to one relationship with the app and the user. Snapcraft has most apps and 350k base users, 60,000 installs of Krita and Kdenlive. Flathub has 120 apps with Krita and Kdenlive most popular at about 25,000 installs. On Google Play Krita has 1m active installs (Android and ChromeOS) which KDE Connect has 300k installs. The Craft SDK now works for Android. KDE Connect uses native Java-style code in Android. Windows store has lots of users, 1M Krita installs but otherwise only 8 apps. Apple not convenient, incompatible with GPL in the store.

Snaps give us some stats. 350,000 active installs of the base. 60,000 active installs of the most popular apps Krita and Kdenlive.

Niccolo and The Dawn of Consistency. He gives the example of KHamburgerMenu which should have a similar widget which is a panel, having a common component was something he kept talking of but it was never done. App redundancy, one part of the goal was removing multiple applications. This depends if KDE is an umbrella for any app or if it’s a brand that promotes a set of apps. For example Maui is very much doing the wrong thing with their own design with their own Kit and they have their own shell but MauiShel isn’t part of KDE even though MauiKit is. Maybe we should have a requirement for KDE look and feel as part of being KDE. Some apps are a bit stagnant, in general I’d like to move them to Kirigami because that helps consistency. Kate and KWrite use the same code so congratulations. Band consistency, many apps had their own website, there has been a lot of improvement for this. Consistency within applications has improved.

Méven talks about Wayland goal. In Plasma 5.24 we got the Overview Effect, improved NVidia support (where the distro uses the patches), improved stability too. In Plasma 5.25 we got touch mode for better tablet support and a tonne of stability improvements. In Plasma 5.26 we got improved virtual keyboard support, improved graphical tablet support, xwayland and DPI improvements and a lot of stability improvement. But showstoppers are still missing colour profiles, blurry rendering with fractional scaling and many more. Virtualisation and screen recording still needed before people can switch from X.

Announcing the New Goals for 2022:
KDE For All: Boosting Accessibility with Carl
Automate and systematize internal processes with Nate – make sure people’s processes they know about are automated so when they move on that knowledge is still there, e.g. bug triaging, CI checks, document knowledge, doing off-boarding when people leave,
Sustainable Software with Corelius, see eco.kde.org

Barcelona goes hipster with record store cocktail bars

Tomaz spoke on Terminals. Unix users will use a shell, but terminals are difficult. He got some users to use different terminals with various tasks: how to change text size, how to open another program etc. 5 different universities took part. Changing text size. For xterm etc 0%, gnome-terminal 90% could but the name of option is “zoom”. Konsole 100%. Kitty is a new terminal based on Rust got 70%. Copy and paste didn’t work well as everyone used control-c (except on MacOS) maybe we should allow control-C for copy. One student cried in despair. Thankfully Konsole has sane defaults but we are still far from good. He demos the SSH session panel and the quick commands

Devin Lin and Bhushan spoke about Plasma Mobile. Within Plasma Mobile there’s over 40+ projects, 300+ tickets and 6+ active downstreams (opensuse, fedora, manjaro, postmarketOS etc). He showed the new shell as it will be in Plasma 5.26. He shows the quick settings. In the middle is the pin view with notifications, the same tech as desktop. He shows the audio applet and lock screen notifications. For telephony they switched from ofono to modemmanager. Plasma Dialer is for calls. Spacebar app is for SMS and MMS. callaudiod from Mobian for audio routing. There’s convergent apps like Discover, Elisa, Koko, Kasts, Neochat, KClock etc. Some mobile specific apps like Angelfish, QMLKonsole. Supports Pinephones and postmarketOS supporter devices such as OnePlus 6. It can also be installed anywhere on Linux distros. But there is more vendor lock in coming, a fragmentation between open mobile communities. Coming up: Kontact. Improved tablet support. And a great feature would be full convergence – you can walk up to monitors and plug in mouse and keyboard and get a desktop.

Bhush and Devin talk Plasma Mobile
on October 02, 2022 09:22 AM

October 01, 2022

Xubuntu 22.10 Beta

Xubuntu Development Update October 2022

Xubuntu 22.10 "Kinetic Kudu" Beta (download, release notes) was released on Thursday, September 29. It features the latest updates from Xfce 4.17, GNOME 43, and MATE 1.26. Xfce 4.17, the development series for the upcoming Xfce 4.18 release, includes a massive number of improvements and new features. Many of our GNOME 43 components are now using GTK4 and libadwaita. MATE 1.26 is still the same as in Xubuntu 22.04.

Xubuntu Development Update October 2022On the surface, little has changed in Xubuntu 22.10. Go deeper, however, and you&aposll find that almost every app and component has meaningful updates and improvements.

For those wondering, the Xubuntu 22.10 wallpaper is still in development, with an update expected early in October.

22.10 September Package Updates

As we move toward the October release of Xubuntu 22.10, package updates are slowing down. Nevertheless, there were still a few notable updates.  

xubuntu-artwork (22.10)

The 22.10 update of xubuntu-artwork restored the missing Xubuntu Light and Dark (LP: #1986935) editor themes. These themes were lost with Mousepad&aposs update to GtkSourceView 4. With the updated xubuntu-artwork package, these themes are once again available for any standard GTK text editor, including Gedit, Pluma, and others.

xubuntu-default-settings (22.10.1)

xubuntu-default-settings versions 22.10 and 22.10.1 include a handful of improvements. Support has been added for picom, an alternative compositor for X and fork of the popular compton. The Noto fonts can now be removed without uninstalling xubuntu-default-settings (LP: #1891714). Additionally, URL handling in xfce4-appfinder has been fixed (LP: #1892651).

xfce4-notifyd (0.6.4-1ubuntu1)

xfce4-notifyd 0.6.4 features a range of bug fixes and usability improvements. Improved application icon and name matching make it easier to manage your notifications. Notification positions are now correctly reset during slideout. Xubuntu also includes an upstream patch to fix a segfault under certain conditions (!30).

xfce4-pulseaudio-plugin (0.4.5-0ubuntu1)

The latest version of xfce4-pulseaudio-plugin, 0.4.5, further refines audio support in Xubuntu. The recording indicator will now flicker less frequently and no longer be shown while making changes in pavucontrol. Notifications will now be displayed for microphone volume changes and when volume levels are at min/max values. Finally, menu positioning when the panel is set to auto-hide has been fixed.

GitHub Issues

In September, I continued expanding our GitHub issue trackers. Issues reported on Launchpad are synced to GitHub daily. With the improvements made this month, comments and issue statuses are also synced. It&aposs now easier than ever to find, review, and collaborate on issues. New contributors can easily find something to work on.

Xubuntu Development Update October 2022Issues, comments, and status updates are now all synced from Launchpad.

These updates apply to Xubuntu&aposs own projects:

Shared projects have also been updated with the expanded issue sync and status tracking:

Ready to contribute?

Join us in making Xubuntu one of the best desktop Linux experiences around. If you&aposre looing for ways to get involved, check out the Get Involved page on the Xubuntu website.

If you appreciate these development updates, consider sponsoring my work on GitHub Sponsors, Patreon, or Ko-Fi. Pick your method or support one of the upstream projects on Donate page.

Thanks for reading!

on October 01, 2022 01:08 AM

September 30, 2022

We are preparing Ubuntu MATE 22.10 (Kinetic Kudu) for distribution on October 20th, 2022. With this Beta pre-release, you can see what we are trying out in preparation for our next (stable) version.

Ubuntu MATE 22.10 is a modest update by recent standards and focused on “quality of life improvements”. And there is good reason why this release of Ubuntu MATE doesn’t feature the usual bucket 🪣 list of changes you’d typically expect, and that’s because I’ve been helping bring the full Ubuntu MATE experience to Debian MATE 🧉

This may raise some questions for Ubuntu MATE users, so let’s try and address them:

  • I’m not stepping away from Ubuntu or Ubuntu MATE. I will continue to use and develop Ubuntu MATE 👍
  • I’ve closely collaborated with the MATE packaging team for Debian for over 8 years 👴
  • Making the MATE experience in Debian and Ubuntu consistent makes maintenance easier for all involved 🛠
  • Ubuntu MATE offers some modernisation of MATE via home-grown apps such as MATE Tweak and Ayatana Indicators. We want Debian users to benefit from those improvements too 💖
  • We’re hopeful the MATE spin in Debian 12 will offer the same (or extremely similar) experience Ubuntu MATE users have enjoyed for some time 🎁

Thank you! 🙇

I’d like to extend my sincere thanks to everyone who has played an active role in improving Ubuntu MATE for this release 👏 From reporting bugs, submitting translations, providing patches, contributing to our crowd funding, developing new features, creating artwork, offering community support, actively testing and providing QA feedback to writing documentation or creating this fabulous website. Thank you! Thank you all for getting out there and making a difference! 💚

Ubuntu MATE 22.10 Ubuntu MATE 22.10 using the Pantheon layout and new centered panel applets and HUD

What works?

People tell us that Ubuntu MATE is stable. You may, or may not, agree.

Ubuntu MATE Beta Releases are NOT recommended for:

  • Regular users who are not aware of pre-release issues
  • Anyone who needs a stable system
  • Anyone uncomfortable running a possibly frequently broken system
  • Anyone in a production environment with data or workflows that need to be reliable

Ubuntu MATE Beta Releases are recommended for:

  • Regular users who want to help us test by finding, reporting, and/or fixing bugs
  • Ubuntu MATE, MATE, and GTK+ developers.

What changed since the Ubuntu MATE 22.04?

Here are the highlights of what’s changed since the release of Ubuntu MATE 22.04

MATE Desktop

The usual point release updates to MATE Desktop and Ayatana Indicators have been included that fix 🩹 an assortment on minor bugs 🐛 The main change in MATE Desktop is to MATE Panel, where we’ve included an early snapshot release of mate-panel 1.27.0 along with a patch set that adds centre alignment of panel applets.

This much requested feature comes from Ubuntu MATE community contributor Gordon N. Squash 🇺🇸 and allows panel applets to be centre aligned, as well as the usual left and right alignment. I’m sure you’ll all join me in thanking 🙇 Gordon for working on this feature.

Centre aligning of applet icons will ship with MATE Desktop 1.28, but we’re including it early 🐓 for Ubuntu MATE users. We’ve updated MATE Tweak to correctly save/restore custom layouts that use centre aligned applets and all the panel layouts shipped with Ubuntu MATE 22.10 have been updated so they’re compatible with center alignment of applets ✅

AI Generated wallpapers (again!)

My friend Simon Butcher 🇬🇧 is Head of Research Platforms at Queen Mary University of London managing the Apocrita HPC cluster service. Once again, Simon has created some stunning AI generated 🤖🧠 wallpapers for Ubuntu MATE using bleeding edge diffusion models 🖌 The samples below are 1920x1080 but the versions include in Ubuntu MATE 22.10 are 3840x2160.

Here’s what Simon has to say about about some of the challenges he faced creating these new wallpapers for Kinetic Kudu:

AI image generation is continuing to improve at a mind-boggling rate. Yet, until recently, coherent human faces, hands and anatomically correct animals have proved rather tricky. Fortunately human faces are getting particular attention in the open source community after the release of Stable Diffusion. However, while an anthropomorphic portrait of a Kudu wearing a rather dapper suit will be stylishly rendered, getting consistent results for kudu in their natural habitat proved particularly tricky, exacerbated by their elegant horn structure. Often you will get rather wild interpretations of the horns, 5 legged creatures, or nightmarish output akin to the Pushmi-Pullyu from the Dr Doolittle stories.

Jellyfish, on the other hand, are a mass of tentacles and perhaps benefit aesthetically from the randomness induced by AI-generated images, in the same way that forests, mountains and hobbit villages generated by AI can be produced en-masse to a very satisfying extent. So while 1000 stunning unique images of jellyfish can be produced in a few minutes with a powerful GPU, the kudu was quite a challenge, and I had to experiment a lot with various prompts and styles, and a lot of cherry-picking - throwing away about 99% of the results that weren’t quite right. For the next release, I’m hoping we’ll see further AI innovation in time for the next release, or…maybe the next code name will be a lionfish?


PulseAudio has been replaced with PipeWire and Bluetooth audio codec support has been expanded with the addition of AAC, LDAC, aptX and aptX HD.

As a podcaster and streamer I’m delighted to have PipeWire installed by default in Ubuntu MATE 22.10. The migration to PipeWire has resolved some longstanding minor annoyances I’ve had with audio in that past and all the tools 🧰 I use for audio and video production continue to function correctly.

PipeWire on Ubuntu MATE 22.04

If you like to ride the LTS train 🚆 but want to use PipeWire in Ubuntu MATE 22.04 (as I have been doing for some months) then this is how to make the change:

sudo apt-get install gstreamer1.0-pipewire pipewire-audio-client-libraries wireplumber
sudo apt-get remove pulseaudio-module-bluetooth
sudo apt-get install libfdk-aac2 libldacbt-abr2 libldacbt-enc2 libopenaptx0 libspa-0.2-bluetooth libspa-0.2-jack

Once the installs/removals are complete restart your computer.

Ubuntu MATE Stuff

The “MATE HUD” has seen some significant work from community contributor twa022 🌎. The HUD now supports MATE, XFCE and Budgie, has improved accuracy for HUD placement (taking into account various panel offsets/struts), is highly configurable and includes a new HUD settings app

HUD Settings HUD Settings

MATE User Manager

A new utility, User Manager, has been added to compliment the suite of MATE tools. User Manager replaces the aging gnome-system-tools which was removed from Ubuntu MATE in the 22.04 release and allows you to add/modify/remove user accounts. It also includes the ability to define which users are Administrators, enable/disable auto-login, set profile images and manage group memberships.

MATE User Manager MATE User Manager


And last but not least, the Ubuntu MATE Artwork package has been updated to include all the refinements and improvements in the suite of Yaru themes 🎨

Major Applications

Accompanying MATE Desktop 1.26.1 🧉 and Linux 5.19 🐧 are Firefox 105 🔥🦊, Celluloid 0.20 🎥, Evolution 3.46 📧, LibreOffice 7.4 📚

See the Ubuntu 22.10 Release Notes for details of all the changes and improvements that Ubuntu MATE benefits from.

Download Ubuntu MATE 22.10

This new release will be first available for PC/Mac users.


Upgrading from Ubuntu MATE 22.04

You can upgrade to Ubuntu MATE 22.10 from Ubuntu MATE 22.04. Ensure that you have all updates installed for your current version of Ubuntu MATE before you upgrade.

  • Open the “Software & Updates” from the Control Center.
  • Select the 3rd Tab called “Updates”.
  • Set the “Notify me of a new Ubuntu version” drop down menu to “For any new version”.
  • Press Alt+F2 and type in update-manager -c -d into the command box.
  • Update Manager should open up and tell you: New distribution release ‘22.10’ is available.
    • If not, you can use /usr/lib/ubuntu-release-upgrader/check-new-release-gtk
  • Click “Upgrade” and follow the on-screen instructions.

There are no offline upgrade options for Ubuntu MATE. Please ensure you have network connectivity to one of the official mirrors or to a locally accessible mirror and follow the instructions above.

Known Issues

Here are the known issues.

Component Problem Workarounds Upstream Links
Ubuntu Ubiquity slide shows are missing for OEM installs of Ubuntu MATE
Ubuntu Snaps not preseeded in Ubuntu (and flavours) 22.10 beta
Ubuntu MATE A default wallpaper is not set after installing Ubuntu MATE 22.10 beta


Is there anything you can help with or want to be involved in? Maybe you just want to discuss your experiences or ask the maintainers some questions. Please come and talk to us.

on September 30, 2022 03:56 PM
KDE Plasma desktop 5.25 on Kubuntu 22.10 BetaKDE Plasma desktop 5.25 on Kubuntu 22.10 Beta

The beta of Kubuntu Kinetic Kudu (to become 22.10 in October) has now been released, and is available for download.

This milestone features images for Kubuntu and other Ubuntu flavours.

Pre-releases of Kubuntu Kinetic Kudu are not recommended for:

  • Anyone needing a stable system
  • Regular users who are not aware of pre-release issues
  • Anyone in a production environment with data or workflows that need to be reliable

They are, however, recommended for:

  • Regular users who want to help us test by finding, reporting, and/or fixing bugs
  • Kubuntu, KDE, and Qt developers
  • Other Ubuntu flavour developers

The Beta includes some software updates that are ready for broader testing. However, it is an early set of images, so you should expect some bugs.

We STRONGLY advise testers to read the Kubuntu 22.10 Beta release notes before installing, and in particular the section on ‘Known issues‘.

Kubuntu is taking part in ‘Ubuntu Testing Week’ from September 29th to October 6th. Details for all flavours are available on the Ubuntu Discourse announcement.

You can also find more information about the entire 22.10 release (base, kernel, graphics etc) in the main Ubuntu Beta release notes and announcement.

on September 30, 2022 03:42 PM

The Ubuntu Studio team is pleased to announce the beta release of Ubuntu Studio 22.10, codenamed “Kinetic Kudu”.

While this beta is reasonably free of any showstopper installer bugs, you may find some bugs within. This image is, however, mostly representative of what you will find when Ubuntu Studio 22.10 is released on October 20, 2022.

Special notes:

The Ubuntu Studio 22.10 disk image (ISO) exceeds 4 GB and cannot be downloaded to some file systems such as FAT32, and may not be readable when burned to a DVD. For this reason, we recommend downloading to a compatible file system. When creating a boot medium, we recommend creating a bootable USB stick with the ISO image, or burning to a Dual-Layer DVD.

Images can be obtained from this link: https://cdimage.ubuntu.com/ubuntustudio/releases/22.10/beta/

Full updated information, including Upgrade Instructions, are available in the Release Notes.

Regarding Pipewire

One of our goals this release was to create some kind of switch between our traditional PulseAudio/JACK setup and Pipewire, but this did not come to fruition as we had quite a few other bugs to squash as a result of the transition to ffmpeg 5. Additionally, we had a lot of clean-up after the transition to Python 3.10 in 22.04 LTS among other bugs. Sadly, that’s where our attention went and Pipewire support had to be deprioritized for this release.

New Features This Release

  • Ubuntu Studio Installer now includes Ubuntu Studio Feature Uninstaller to remove features of Ubuntu Studio that you don’t need. This is a long-requested feature that will be detailed in the official release announcement when Ubuntu Studio 22.10 releases on October 20th.
  • Q Light Controller Plus version 4.12.5
  • Freeshow version 0.5.6
  • openLP version 2.9.5

Major Package Upgrades

  • Darktable version 4.0.0
  • OBS Studio version 28.0.1
  • Audacity version 3.1.3
  • digiKam version 8.0.0 development snapshot (pre-release, see notes below)
  • Kdenlive version 22.08.1
  • Krita version 5.1.1

There are many other improvements, too numerous to list here. We encourage you to take a look around the freely-downloadable ISO image.

Known Issues

  • digiKam is a development snapshot of 8.0.0. As such, it likely has undocumented bugs. We hope these bugs get ironed out by the time 8.0.0 beta comes out, but we are not sure when that will be as the digiKam developers have not released a timeline or release date. When the 8.0.0 beta or stable release of digiKam becomes available, we hope to provide these to you as Stable Release Updates. This came from the transition to ffmpeg 5 as prior versions of digiKam do not support ffmpeg 5. If you would like a stable version of digiKam now, a snap of 7.8.0 is available.

Official Ubuntu Studio release notes can be found at https://ubuntustudio.org/ubuntu-studio-22-10-release-notes/

Further known issues, mostly pertaining to the desktop environment, can be found at https://wiki.ubuntu.com/KineticKudu/ReleaseNotes/Kubuntu

Additionally, the main Ubuntu release notes contain more generic issues: https://discourse.ubuntu.com/t/kinetic-kudu-release-notes/27976

Frequently Asked Questions

Q: Does KDE Plasma use more resources than your former desktop environment (Xfce)?
A: In our testing, the increase in resource usage is negligible, and our optimizations were never tied to the desktop environment.

Q: Does Ubuntu Studio contain snaps?
A: Yes. Mozilla’s distribution agreement with Canonical changed, and Ubuntu was forced to no-longer distribute Firefox in a native .deb package. We have found that, after numerous improvements, Firefox now performs just as well as the native .deb package did.

Additionally, Audacity 2.4.2, due to incompatibilities with ffmpeg 5, had to be removed from the official Ubuntu repositories this cycle. For that reason, we worked hard with the snap packager to include it in Ubuntu Studio 22.10. Therefore, Audacity 3.1.3 is included as a snap. Watch this bug to track Audacity’s reintroduction into the Ubuntu repositories. Right now, it is on-pace to happen before the release of Ubuntu 22.10. When this happens, we fully intend to drop the snap and re-include the .deb package in Ubuntu Studio. Watch Ubuntu Studio News for updates.

Finally, Freeshow is an Electron-based application. Electron-based applications cannot be packaged in the Ubuntu repositories in that they cannot be packaged in a traditional Debian source package. While such apps do have a build system to create a .deb binary package, it circumvents the source package build system in Launchpad, which is required when packaging for Ubuntu. However, Electron apps also have a facility for creating snaps, which can be uploaded included. Therefore, for Freeshow to be included in Ubuntu Studio, it had to be packaged as a snap.

Q: If I install this Beta release, will I have to reinstall when the final release comes out?
A: No. If you keep it updated, your installation will automatically become the final release. However, if Audacity returns to the Ubuntu repositories before final release, then you might end-up with a double-installation of Audacity. Removal instructions of one or the other will be made available in a future post.

Q: Will you make an ISO with {my favorite desktop environment}?
A: To do so would require creating an entirely new flavor of Ubuntu, which would require going through the Official Ubuntu Flavor application process. Since we’re completely volunteer-run, we don’t have the time or resources to do this. Instead, we recommend you download the official flavor for the desktop environment of your choice and use Ubuntu Studio Installer to get Ubuntu Studio.

Q: What if I don’t want all of these packages installed on my machine?
A: Simply use the Ubuntu Studio Feature Uninstaller to remove the features of Ubuntu Studio you don’t want or need!

Please Test!

on September 30, 2022 01:18 AM

September 29, 2022

E214 Rentrée, Mais Uma!

Podcast Ubuntu Portugal

Voltámos, cheios de saudades e, como todos os miúdos que regressam das férias, com um saco cheio de histórias. O Miguel está ansioso para mudar de casa, e pelas obras… Vai ser tão bom. O Constantino esteve nos locais mais inóspitos a gravar podcasts enquanto afina agulhas para o que virá a ser um centro Linux em Lisboa. Já o Carrondo fartou-se de passear e descobriu o Wakeboard!!! Já sabem: oiçam, subscrevam e partilhem!


Podem apoiar o podcast usando os links de afiliados do Humble Bundle, porque ao usarem esses links para fazer uma compra, uma parte do valor que pagam reverte a favor do Podcast Ubuntu Portugal. E podem obter tudo isso com 15 dólares ou diferentes partes dependendo de pagarem 1, ou 8. Achamos que isto vale bem mais do que 15 dólares, pelo que se puderem paguem mais um pouco mais visto que têm a opção de pagar o quanto quiserem. Se estiverem interessados em outros bundles não listados nas notas usem o link https://www.humblebundle.com/?partner=PUP e vão estar também a apoiar-nos.

Atribuição e licenças

Este episódio foi produzido por Diogo Constantino, Miguel e Tiago Carrondo e editado pelo Senhor Podcast. O website é produzido por Tiago Carrondo e o código aberto está licenciado nos termos da Licença MIT. A música do genérico é: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, por Alpha Hydrae e está licenciada nos termos da CC0 1.0 Universal License. Este episódio e a imagem utilizada estão licenciados nos termos da licença: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), cujo texto integral pode ser lido aqui. Estamos abertos a licenciar para permitir outros tipos de utilização, contactem-nos para validação e autorização.

on September 29, 2022 12:00 AM

September 24, 2022

Full Circle Weekly News #280

Full Circle Magazine

Continuation of GNOME Shell development for mobile devices:

Performance and Retbleed:

Release of GNU Emacs 28.2:

Cross-platform Ladybird web-browser:

WD is developing a NVMe driver in Rust:

Fedora Linux 37 has moved to beta testing:

SME Server 10.1 is available:

Ubuntu has implemented the ability to dynamically obtain debugging information:

Release of EndeavourOS 22.9:

Vulnerability in the Enlightenment user environment:

KDE Plasma 5.26 desktop testing for TV use:

Ubuntu 22.10 intends to provide support for  RISC-V Sipeed Lichee RV:

Release of WebKitGTK 2.38.0 Epiphany 43:

Floorp web browser 10.5.0:

Full Circle Magazine
Host: bardmoss@pm.me, @bardictriad
Bumper: Canonical
Theme Music: From The Dust - Stardust
on September 24, 2022 02:54 PM

September 22, 2022

E206 Bruno Miguel

Podcast Ubuntu Portugal

Ainda em férias, estivemos à conversa com o Bruno Miguel, pela segunda vez… Conforme prometido, eis a repetição da conversa com fantástico Bruno. Falámos sobre múltiplos assuntos mas destacamos a sua participação no projecto Fosshost, bem como todas as boas práticas de um experimentado utilizador do software Logseq. Já sabem: oiçam, subscrevam e partilhem!


Podem apoiar o podcast usando os links de afiliados do Humble Bundle, porque ao usarem esses links para fazer uma compra, uma parte do valor que pagam reverte a favor do Podcast Ubuntu Portugal. E podem obter tudo isso com 15 dólares ou diferentes partes dependendo de pagarem 1, ou 8. Achamos que isto vale bem mais do que 15 dólares, pelo que se puderem paguem mais um pouco mais visto que têm a opção de pagar o quanto quiserem. Se estiverem interessados em outros bundles não listados nas notas usem o link https://www.humblebundle.com/?partner=PUP e vão estar também a apoiar-nos.

Atribuição e licenças

Este episódio foi produzido por Diogo Constantino, Miguel e Tiago Carrondo e editado pelo Senhor Podcast. O website é produzido por Tiago Carrondo e o código aberto está licenciado nos termos da Licença MIT. A música do genérico é: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, por Alpha Hydrae e está licenciada nos termos da CC0 1.0 Universal License. Este episódio e a imagem utilizada estão licenciados nos termos da licença: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), cujo texto integral pode ser lido aqui. Estamos abertos a licenciar para permitir outros tipos de utilização, contactem-nos para validação e autorização.

on September 22, 2022 12:00 AM

September 20, 2022

Members of the Kubuntu Council are responsible for considering proposals made by the wider Kubuntu community. The council formalises and ratifies proposals, then votes to obtain an outcome which directs the course of progress for Kubuntu.

On 11 September I (Rick Timmis) will have been a councilor for the Kubuntu Council for 5 years. Being a councilor is a lot of fun, provides a wonderful sense of fulfillment and also carries a lot of ‘Kudos’ in conversations with those of a technical persuasion.

If you have been using Kubuntu for a while, and have explored some of our community, why not consider getting involved a little deeper ? We are always looking for testers, contributors, bug reporters, documentation, and blog writers.

Becoming a Kubuntu member is the next step up from being a contributor, and if you’ve already made a few contributions over the last 3 to 6 months, then you should consider making an application to become a member.

Kubuntu members are also entitled to stand for election to the Kubuntu council, where you get to support the development of the Kubuntu project.

3 council positions came up for election, as their 2 year terms were coming to an end. We are delighted to announce that existing councillors Myriam Schwiengruber, and Valorie Zimmerman were elected for a further term of 2 years. Simon Quigley has step down from the Council, and we thank him greatly for his many contributions to the project.
Stepping in to replace Simon, we are delighted to have Darin Miller join the Kubuntu council, Welcome Darin.

on September 20, 2022 08:45 PM

September 15, 2022

Full Circle Weekly News #278

Full Circle Magazine

Based on Sway, a port of LXQt is being developed:

Fedora Linux 39 plans to disable SHA-1-based signatures support by default:

Apache OpenOffice passed 333 million downloads:

Release of the QEMU 7.1:

Armbian 22.08:

Release of Ubuntu 20.04.5 LTS with graphical stack and kernel update:

Linux From Scratch 11.2 and Beyond Linux From Scratch 11.2:

Release of the OBS Studio 28.0:

Release of Nmap 7.93, timed to the 25th anniversary of the project:

The webOS Open Source Edition 2.18:

Release of Nitrux 2.4:

Google Open Source Software Vulnerability Rewards Program:

Peter Eckersley, co-founder of Let's Encrypt, passed away:

The platform code for Notesnook, has been opened:

Full Circle Magazine
Host: bardmoss@pm.me, @bardictriad
Bumper: Canonical
Theme Music: From The Dust - Stardust
on September 15, 2022 06:00 PM

September 10, 2022

I previously announced the end of new Qt5-based Grantlee releases. The Grantlee template system is to find new life as part of KDE Frameworks 6 in the form of KTextTemplate. The Grantlee textdocument library will probably become part of another KDE library with similar scope.

Meanwhile, some changes have accumulated since the last Grantlee release, so I’ve made a new release to make them available to users. Many of the changes are small, but with a few new features which were cherry-picked from the Cutelee repo.

The other significant change is that Grantlee 5.3.0 can be built with Qt 6. This is not a change of plan regarding migration to KDE Frameworks, but is intended to assist with porting existing code to Qt 6.

Speaking of new releases, we welcomed our baby into the world almost a year ago. Years ago it was a common refrain within the KDE community to new parents to remind them, tongue in cheek, to never shake the baby. I was amused to find that the advise given as a printed book to all new Irish parents reminds the same :).

on September 10, 2022 02:17 PM

September 05, 2022

Xubuntu 22.10 Dev Update

Xubuntu 22.10 "Kinetic Kudu" is set to arrive on October 20, 2022. It will include the latest updates from Xfce 4.17, GNOME 43, MATE 1.26, and the family of supported applications that make up Xubuntu. With the Beta freeze coming later this month, it&aposs time to start testing to make Xubuntu 22.10 a stable environment for users that want the latest and greatest from the Linux desktop.

What&aposs new?

As usual, I&aposve grouped the updates into some common categories: Appearance, GNOME Apps, Xfce Apps, Other Apps, and Libraries. Unless noted otherwise, each app listed just includes regular maintenance updates, bug fixes, or usability tweaks. It should also be noted that these apps will continue to change and be updated through the 22.10 final release in October.


The elementary-xfce icon theme has been getting some extra love recently with new and refreshed icons added over the last few months. The brighter, more complete theme adds a ton of extra polish to the Xubuntu desktop. Combined with the latest improvements to the Greybird GTK theme, Xubuntu provides a cohesive and usable desktop experience.

  • Elementary Xfce Icon Theme 0.16 to 0.17
    • Deprecated elementary-xfce-darker theme
    • Transitioned various monochrome icons back to colored for better legibility in dark/bright themes
    • Dropped legacy symbolic links (stock_, gnome-)
    • Added lots of new mimetype icons
  • Greybird GTK Theme 3.23.1 to 3.23.2
    • Added OpenBox support
    • Improvements to window decorations and alt-tab
    • Decreased height for GNOME Software headerbar


Ubuntu 22.04 skipped much of GNOME 42, which introduced libadwaita and complicated theming. With Ubuntu 22.10, apps built with libadwaita have started to make their way in, bringing the (admittedly divisive) libadwaita styles to Xubuntu. Other apps, such as Rhythmbox and GNOME Disks are still shipping with SSD (server-side decorations) and CSD (client-side decorations) respectively.

  • GNOME Disk Usage Analyzer (baobab) 41.0 to 43 beta
    • Ported to libadwaita. Numbers in cells are now aligned, preventing the interface from shifting around while scanning.
  • GNOME Disk Utility 42.0 to 43 beta
  • GNOME Font Viewer 41.0 to 43 beta
    • Ported to libadwaita.
  • GNOME Software 41.5 to 42.4
    • Ported to libadwaita.
  • GNOME Sudoku 42.0 to 43 beta
  • Rhythmbox 3.4.4 to 3.4.6
    • Improved podcast downloader, network stream support, and Android/MTP device syncing.

Xfce Apps

Xfce 4.18 is in active development, with several components now shipping with 4.17 development releases. Xubuntu 22.10 includes the latest 4.17 releases as well as the 4.16 releases for apps that aren&apost quite there yet. The 4.18 series is largely an incremental update, built upon GTK 3 and featuring some technical and graphical improvements.

  • Appfinder 4.16.1 to 4.17.0
    • Adds support for the PrefersNonDefaultGPU property and improves .desktop file handling.
  • Catfish 4.16.3 to 4.16.4
    • File sizes can now be displayed in binary or decimal.
  • Desktop 4.16.0 to 4.17.0
  • Mousepad 0.5.8 to 0.5.10
    • Adds a new shortcuts plugin, search history, and file monitoring.
  • Panel 4.16.3 to 4.17.3
    • Adds middle-click support for the tasklist plugin and a binary time mode for the clock.
  • PulseAudio Plugin 0.4.3 to 0.4.4
    • Adds a new recording indicator and filters out multiple button press events.
  • Ristretto 0.12.2 to 0.12.3
  • Screenshooter 1.9.9 to 1.9.11
    • Switches to using symbolic icons and adds support for WebP.
  • Task Manager 1.5.2 to 1.5.4
  • Terminal 0.8.10 to 1.0.4
    • Usability improvements for the Unsafe Paste dialog, Find dialog, shortcut editing, and keyboard shortcut handling.
  • Thunar 4.16.10 to 4.17.9
  • Thunar Archive Plugin 0.4.0 to 0.5.0
    • Adds support for compressing zip files.
  • XKB Plugin 0.8.2 to 0.8.3
    • Adds optional notification support.

Other Apps

Outside of GNOME and Xfce, our core applications include a tremendous set of updates. With too many to list (and too many to review), I leave it to you click into the release notes and discover the changes for yourself.

Xubuntu 22.10 Dev UpdateSynaptic 0.91.2, GIMP 2.10.32, and Hexchat 2.16.1 are just a few of Xubuntu&aposs core applications.
  • Blueman 2.2.4 to 2.3.2
    • New audio profile switcher in the applet and an optional symbolic tray icon.
  • GIMP 2.10.30 to 2.10.32
  • Hexchat 2.16.0 to 2.16.1
  • LibreOffice 7.3.2 to 7.4.1
  • Synaptic 0.90.2 to 0.91.2
  • Thunderbird 91.8 to 102.2


  • Garcon 4.16.1 to 4.17.1
  • Libxfce4ui 4.16.1 to 4.17.6
    • Adds a new shortcuts editor widget.
  • Libxfce4util 4.16.0 to 4.17.2
  • PulseAudio 15.99.1 to 16.1
  • Tumbler 4.16.0 to 4.17.2
    • Adds support for x-large and xx-large thumbnails.

Download Xubuntu 22.10

Xubuntu 22.10 is currently in heavy development in preparation for the Beta release later this month. If you&aposd like to test it out, be sure to download the daily image and report bugs on the ISO Tracker. If you&aposd like to join in the development conversation, please join us on the #xubuntu-devel channel on Libera.chat.

on September 05, 2022 08:23 PM

September 01, 2022

Thanks to all the hard work from our contributors, we are pleased to announce that Lubuntu 20.04.5 LTS has been released! What is Lubuntu? Lubuntu is an official Ubuntu flavor which uses the Lightweight Qt Desktop Environment (LXQt). The project’s goal is to provide a lightweight yet functional Linux distribution based on a rock-solid Ubuntu […]
on September 01, 2022 09:55 PM

August 31, 2022

So, I made a game. It’s called Farmbound. It’s a puzzle; you get a sequence of farm things — seeds, crops, knives, water — and they combine to make better items and to give you points. Knives next to crops and fields continually harvest them for points; seeds combine to make crops which combine to make fields; water and manure grow a seed into a crop and a crop into a field. Think of it like a cross between a match-3 game and Little Alchemy. The wrinkle is that the sequence of items you get is the same for the whole day: if you play again, you’ll get the same things in the same order, so you can learn and refine your strategy. It’s rather fun: give it a try.

Farmbound, on a mobile, in light mode

It’s a web app. Works for everyone. And I thought it would be useful to explain why it is, why I think that’s the way to do things, and some of the interesting parts of building an app for everyone to play which is delivered over the web rather than via app stores and downloads.

Why’s it a web app and not a platform-specific native app?

Well, there are a bunch of practical reasons. You get completely immediate play with a web app; someone taps on a share link, and they’re playing. No installation, no platform detection, it Just Works (to coin a phrase which nobody has ever used before about apps ever in the history of technology). And for something like this, an app with platform-specific code isn’t needed: sure, if you’re talking to some hardware devices, or doing low-level device fiddling or operating system integration, you might need to build and deliver something separately to each platform. But Farmbound is not that. There is nothing that Farmbound needs that requires a native app (well, nearly nothing, and see later). So it isn’t one.

There are some benefits for me as the developer, too. Such things are less important; the people playing are the important ones. But if I can make things nicer for myself without making them worse for players, then I’m going to do it. Obviously there’s only one codebase. (For platform-specific apps that can be alleviated a little with cross-platform frameworks, some of which are OK these days.) One still needs to test across platforms, though, so that’s not a huge benefit. On the other hand, I don’t have to pay extra to distribute it (beyond it being on my website, which I’d be paying for anyway), and importantly I don’t have to keep paying in order to keep my game available for ever. There’s no annual tithe required. There’s no review process. I also get support for minority platforms by publishing on the web… and I’m not really talking about something in use by a half-dozen people here. I’m talking about desktop computers. How many people building a native app, even a relatively simple puzzle game like this, make a build for iOS and Android and Windows and Mac and Linux? Not many. The web gets me all that for minimal extra work, and if someone on FreeBSD or KaiOS wants to play, they can, as long as they’ve got a modern browser. (People saying “what about those without modern browsers”… see below.)

But from a less practical and more philosophical point of view… I shouldn’t need to build a platform-specific native app to make a game like this. We want a world where anyone can build and publish an app without having to ask permission, right? I shouldn’t need to go through a review process or be beholden to someone else deciding whether to publish my game. The web works. Would Wordle have become so popular if you had to download a Windows app or wait for review before an update happened? I doubt it. I used to say that if you’re building something complex like Photoshop then maybe go native, but in a world with Figma in it, that maybe doesn’t apply any more, and so Adobe listened to that and now Photoshop is on the web. Give people a thing which doesn’t need installation, gets them playing straight away, and works everywhere? Sounds good to me. Farmbound’s a web app.

Why’s it not got its own domain, then, if it’s on the web?

Farmbound shouldn’t need its own domain, I don’t think. If people find out about it, it’ll likely be by shared links showing off how someone else did, which means they click the link. If it’s popular then it’ll be top hit for its own name (if it isn’t, the Google people need to have a serious talk with themselves), and if it isn’t popular then it doesn’t matter. And, like native app building, I don’t really want to be on the hook forever for paying for a domain; sure, it’s not much money, but it’s still annoying that I’m paying for a couple of ideas that I had a decade ago and which nobody cares about any more. I can’t drop them, because of course cool URIs don’t change, and I didn’t want to be thinking a decade from now, do I still need to pay for this?

In slightly more ego-driven terms, it being on my website means I get the credit, too. Plus, I quite like seeing things that are part of an existing site. This is what drove the (admittedly hipster-ish) rise of “tilde sites” again a few years ago; a bit of nostalgia for a long time ago. Fortunately, I’ve also got Cloudflare in front of my site, which alleviates worries I might have had about it dying under load, although check back with me again if that happens to see if it turns out to be true or not. (Also, I’m considering alternatives to Cloudflare at the moment too.)

So what was annoying and a problem when building an app on the web?


Firstly, I separated the front and back ends and deployed them in different places. I’m not all that confident that my hosted site can cope with being hammered, if I’m honest. This is alleviated somewhat by cloud caching, and hopefully quite a bit more by having a service worker in place which caches almost everything (although see below about that), but a lot of this decision was driven by not wanting to incur a server hit for every visitor every time, as much as possible. This drove at least some of the architectural decisions. The front end is on my site and is plain HTML, CSS, and JavaScript. The back end is not touched when starting the game; it’s only touched when you finish a game, in order to submit your score and get back the best score that day to see if you beat that. That back end is written in Deno, and is hosted on fly.io, who seem pretty cool. (I did look at Deno Deploy, but they don’t do permanent storage.)

Part of the reason the back end is a bit of extra work is that it verifies your submitted game to check you aren’t cheating and lying about your score. This required me to completely reimplement the game code in Deno. Now, you may be saying “what? the front end game code is in JavaScript and so is the back end? why don’t they share a library?” and the answer is, because I didn’t think of it. So I wrote the front end first and didn’t separate out the core game management from all the “animate this stuff with CSS” bits, because it was a fun weekend project done as a proof of concept. Once I got a bit further into it and realised that I should have done that… I didn’t wanna, because that would have sucked all the fun out of the project like a vampire and meant that I’d have never done it. So, take this as a lesson: think about whether you want a thing to be popular up front. Not that you’ll listen to this advice, because I never do either.

Similarly, this means that there’s less in the way of analytics, so I don’t get information about users, or real-time monitoring of popularity. This is because I did not want to add Google Analytics or similar things. No personal data about you ever leaves your device. You’ll have noticed that there’s no awful pop-up cookie consent dialogue; this is because I don’t need one, because I don’t collect any analytics data about players at all! Guess what, people who find those dialogues annoying (i.e., everyone?) You can tell companies to stop collecting data about you and then they won’t need an annoying dialogue! And when they say no… well, then you’ll have learned something about how they view you as customers, perhaps. Similarly, when scores are submitted, there’s no personal information that goes with them. I don’t even know whether two scores were submitted by the same person; there’s no unique ID per person or per device or anything. (Technically, the IP is submitted to the server, of course, but I don’t record it or use it; you’ll have to take my word for that.)

This architecture split also partially explains why the game’s JavaScript-dependent. I know, right? Me, the bloke who wrote “Everyone has JavaScript, right?“, building a thing which requires JS to run? What am I doing? Well, honestly, I don’t want to incur repeated server hits is the thing. For a real project, something which was critical, then I absolutely would do that; I have the server game simulation, and I could relatively easily have the server pass back a game state along with the HTML which was then submitted. The page is set up to work this way: the board is a <form>, the things you click on are <button>s, and so on. But I’m frightened of it getting really popular and then me getting a large bill for cloud hosting. In this particular situation and this particular project, I’d rather the thing die than do that. That’s not how I’d build something more critical, but… Farmbound’s a puzzle game. I’m OK with it not working, and if I turn out to be wrong about that, I can change that implementation relatively quickly without it being a big problem. It’s not architected in a JS-dependent way; it’s just progressively enhanced that way.

iOS browser

I had a certain amount of hassle from iOS Safari. Some of this is pretty common — how do I stop a double-tap zooming in? How do I stop the page overscrolling? — but most of the “fixes” are a combination of experimentation, cargo culting ideas off Stack Overflow, and something akin to wishing on a star. That’s all pretty irritating, although Safari is hardly alone in this. But there is a separate thing which is iOS Safari specific, which is this: I can’t sensibly present an “add this to your home screen” hint in iOS browsers other than Safari itself. In iOS Safari, I can show a little hint to help people know that they can add Farmbound to their home screen (which of course is delayed until a second game is begun and then goes away for a month if you dismiss it, because hassling your own players is a foolish thing to do). But in non Safari iOS browsers (which, lest we forget, are still Safari under the covers; see Open Web Advocacy if this is a surprise to you or if you don’t like it), I can’t sensibly present that hint. Because those non-Safari iOS browsers aren’t allowed to add web apps to your home screen at all. I can’t even give people a convenient tap to open Farmbound in iOS Safari where they can add the app to their home screen, because there’s no way of doing that. So, apologies, Chrome iOS or Firefox iOS users and others: you’ll have to open Farmbound in Safari itself if you want an easy way to come back every day. At least for now.

Service workers

And finally, and honestly most annoyingly, the service worker.

Building and debugging and testing a service worker is still so hard. Working out why this page is cached, or why it isn’t cached, or why it isn’t loading, is incredibly baffling and infuriating still, and I just don’t get it. I tried using “workbox”, but that doesn’t actually explain how to use it properly. In particular, for this use case, a completely static unchanging site, what I want is “cache this actual page and all its dependencies forever, unless there’s a change”. However, all the docs assume that I’m building an “app shell” which then uses fetch() to get data off the server repeatedly, and so won’t shut up about “network first” and “cache first, falling back” and so on rather than the “just cache it all because it’s static, and then shut up” methodology. And getting insight into why a thing loaded or didn’t is really hard! Sure, also having Cloudflare caching stuff and my browser caching stuff as well really doesn’t help here. But I am not even slightly convinced that I’ve done all this correctly, and I don’t really know how to be better. It’s too hard, still.


So that’s why Farmbound is the way it is. It’s been interesting to create, and I am very grateful to the Elite Farmbound Testing Team for a great deal of feedback and helping me refine the idea and the play: lots of love to popey, Roger, Simon, Martin, and Mark, as well as Handy Matt and my mum!

There are still some things I might do in the future (achievements? maybe), and I might change the design (I’m not great at visual design, as you can tell), and I really wish that I could have done all the animations with Shared Element Transitions because it would have been 312 times easier than the way I did it (a bunch of them add generated content and then web-animations-api move the ::before around, which I thought was quite neat but is also daft by comparison with SET). But I’m pleased with the implementation, and most importantly it’s actually fun to play. Getting over a thousand points is really good (although sometimes impossible, on some days), and I don’t really think the best strategies have been worked out yet. Is it better to make fields and tractors, or not go that far? Is water a boon or an annoyance? I’d be interested in your thoughts. Go play Farmbound, and share your results with me on Twitter.

on August 31, 2022 11:56 AM

August 27, 2022

When I began working on Ubuntu Studio, I was working for a large church. We were doing amazing things in our services every Sunday. Our video, audio, and lighting were top-notch, but the problem was that it was hard to replicate without spending thousands of dollars.

This made me frustrated when running services for our youth in the church’s youth center. I couldn’t use those same tools and didn’t have a budget to spend. This got me wondering what tools existed in the open-source world. Remembering my days of experimenting with Linux and multimedia, I remembered seeing audio plugins in Ubuntu Studio, so that was the first place I looked.

Back then, I thought, “What would it take to replace all of these Apple and Windows computers with Ubuntu Studio?” We could use that money we would otherwise spend on software, on stage lighting, projectors, and audio equipment upgrades. Unfortunately, at that time, we were missing key components. While the audio was top-notch, it was lacking a good video editor and good software for controlling DMX-based lighting. This isn’t even to mention lyric and presentation software, which couldn’t hold a candle to ProPresenter.

Fast forward to now. Just four years later, those problems are being solved. We have some amazing audio plugins, and more keep coming to the repositories. Harrison’s MixBus is one of the best Digital Audio Workstations on the market and works flawlessly. Kdenlive, the video editor we include, has matured dramatically, and keeps getting better. Besides that, BlackMagic Design’s DaVinci Resolve is easy to install. For DMX lighting, we now have Q Light Controller Plus installed by default.

Lyric projection and presentation software out there was the final piece of the puzzle. Sure, OpenLP has been out there and has matured quite well, but it remains lacking in the usability department. However, I stumbled upon one thing that made me cry nearly tears of joy when I discovered it: FreeShow.


FreeShow reminded me of ProPresenter and operates very similarly. However, in some ways, it operates easier, because to set up another display, you just need a web browser to point it at the FreeShow presentation computer’s address. Same with the stage display. This was the application I had hoped would come about years ago.

FreeShow is being developed by Kristoffer Vassbø. It’s an application written in Electron. As such, to package it for Ubuntu, I had to go a non-traditional route and package it as a snap. This way, I could include it in Ubuntu Studio and complete the last piece of the puzzle for a full, out-of-the-box multimedia production system for churches. It will be included by default in Ubuntu Studio 22.10.

With that, I hope to find a church that would be willing to try Ubuntu Studio for its multimedia production needs. This could potentially save churches thousands of dollars per year that they could use for outreach in their local area, in their local region, or even to the ends of the earth!

This might be the unique ministry that God has been calling me to my whole life that I’ve been looking for.

on August 27, 2022 10:36 PM

Helm is a remarkable piece of technology to manage your Kubernetes deployments, and used along Terraform is perfect for deploying following the GitOps strategy.

Terraform Helm CRDs manager

Illustration by unDraw+.

What’s GitOps? Great question! As this helpful, introductory article summarize, it is Infrastructure as Code, plus Merge Requests, plus Continuous Integration. Follow the link to explore further the concept.

However, Helm has a limitation: it doesn’t manage the lifecycle of Custom Resource Definitions (CRDs), meaning it will only install the CRD during the first installation of a chart. Subsequent chart upgrades will not add or remove CRDs, even if the CRDs have changed.

This can be a huge problem for a GitOps approach: having to update CRDs manually isn’t a great strategy, and makes it very hard to keep in sync with deployments and rollbacks.

For this very reason, I created a small Terraform module that will read from some online manifests of CRDs, and apply them. When parametrizing the version of the chart, it is simple to keep Helm Charts and CRDs in sync, without having to do anything manually.


Karpenter is an incredible open-source Kubernetes node provisioner built by AWS. If you haven’t tried it yet, take some minutes to read about it.

Let’s use Karpenter as an example on how to use the module. We want to deploy the chart with the Helm provider, and we use this new Terraform module to manage its CRDs as well:

resource "helm_release" "karpenter" {
  name            = "karpenter"
  namespace       = "karpenter"
  repository      = "https://charts.karpenter.sh"
  chart           = "karpenter"
  version         = var.chart_version

  // ... All the other parameters necessary, skipping them here ...

module "karpenter-crds" {
  source  = "rpadovani/helm-crds/kubectl"
  version = "0.1.0"
  crds_urls = [

As you can see, we parametrize the version of the chart, so we can be sure to have the same version for CRDs as the Helm chart. Behind the curtains, Terraform will download the raw file, and apply it with kubectl. Of course, the operator running Terraform needs to have enough permissions to launch such scripts, so you need to configure the kubectl provider.

The URLs must point to just the Kubernetes manifests, and this is why we use the raw version of the GitHub URL.

The source code of the module is available on GitHub, so you are welcome to chime in and open any issue: I will do my best to address problems and implement suggestions.


I use this module in production, and I am very satisfied with it: it brings under GitOps the last part I missed: the CRDs. Now, my only task when I install a new chart is finding all the CRDs, and build a URL that contains the chart version. Terraform will take care of the rest.

I hope this module can be useful to you as it is to me. If you have any question, or feedback, or if you would like some help, please leave a comment below, tweet me @rpadovani93 or write me an email at hello@rpadovani.com.


on August 27, 2022 12:00 AM

August 25, 2022

Running darktable on RISC-V

Simon Raffeiner

How well does darktable work on RISC-V? Surprisingly well, if the hardware is fast enough...

The post Running darktable on RISC-V appeared first on LIEBERBIBER.

on August 25, 2022 08:21 AM

August 19, 2022

Ubuntu MATE 22.04 LTS is the culmination of 2 years of continual improvement 😅 to Ubuntu and MATE Desktop. As is tradition, the LTS development cycle has a keen focus on eliminating paper 🧻 cuts 🔪 but we’ve jammed in some new features and a fresh coat of paint too 🖌 The following is a summary of what’s new since Ubuntu MATE 21.10 and some reminders of how we got here from 20.04. Read on to learn more 🧑‍🎓

Thank you! 🙇

I’d like to extend my sincere thanks to everyone who has played an active role in improving Ubuntu MATE for this LTS release 👏 From reporting bugs, submitting translations, providing patches, contributing to our crowd funding, developing new features, creating artwork, offering community support, actively testing and providing QA feedback to writing documentation or creating this fabulous website. Thank you! Thank you all for getting out there and making a difference! 💚

Ubuntu MATE 22.04 LTS Ubuntu MATE 22.04 LTS (Jammy Jellyfish) - Mutiny layout with Yark-MATE-dark

What’s changed?

Here are the highlights of what’s changed recently.

MATE Desktop 1.26.1 🧉

Ubuntu MATE 22.04 features MATE Desktop 1.26.1. MATE Desktop 1.26.0 was introduced in 21.10 and benefits from significant effort 😅 in fixing bugs 🐛 in MATE Desktop, optimising performance ⚡ and plugging memory leaks. MATE Desktop 1.26.1 addresses the bugs we discovered following the initial 1.26.0 release. Our community also fixed some bugs in Plank and Brisk Menu 👍 and also fixed the screen reader during installs for visually impaired users 🥰 In all over 500 bugs have been addressed in this release 🩹

Yaru 🎨

Ubuntu MATE 21.04 was the first release to ship with a MATE variant of the Yaru theme. A year later and we’ve been working hard with members of the Yaru and Ubuntu Desktop teams to bring full MATE compatibility to upstream Yaru, including all the accent colour varieties. All reported bugs 🐞 in the Yaru implementation for MATE have also been fixed 🛠

Yaru Themes Yaru Themes in Ubuntu MATE 22.04 LTS

Ubuntu MATE 22.04 LTS ships with all the Yaru themes, including our own “chelsea cucumber” version 🥒 The legacy Ambiant/Radiant themes are no longer installed by default and neither are the stock MATE Desktop themes. We’ve added an automatic settings migration to transition users who upgrade to an appropriate Yaru MATE theme.

Cherries on top 🍒

In collaboration with Paul Kepinski 🇫🇷 (Yaru team) and Marco Trevisan 🇮🇹 (Ubuntu Desktop team) we’ve added dark/light panels and panel icons to Yaru for MATE Desktop and Unity. I’ve added a collection of new dark/light panel icons to Yaru for popular apps with indicators such as Steam, Dropbox, uLauncher, RedShift, Transmission, Variety, etc.

Light Panel Dark Panel Light and Dark panels

I’ve added patches 🩹 to the Appearance Control Center that applies theme changes to Plank (the dock), Pluma (text editor) and correctly toggles the colour scheme preference for GNOME 42 apps. When you choose a dark theme, everything will go dark in unison 🥷 and vice versa.

So, Ubuntu MATE 22.04 LTS is now using everything Yaru/Suru has to offer. 🎉

AI Generated wallpapers

My friend Simon Butcher 🇬🇧 is Head of Research Platforms at Queen Mary University of London managing the Apocrita HPC cluster service. He’s been creating AI 🤖 generated art using bleeding edge CLIP guided diffusion models 🖌 The results are pretty incredible and we’ve included the 3 top voted “Jammy Jellyfish” in our wallpaper selection as their vivid and vibrant styles compliment the Yaru accent colour theme options very nicely indeed 😎

If you want the complete set, here’s a tarball of all 8 wallpapers at 3840x2160:

Ubuntu MATE stuff 🧉

Ubuntu MATE has a few distinctive apps and integrations of it’s own, here’s a run down of what’s new and shiny ✨

MATE Tweak

Switching layouts with MATE Tweak is its most celebrated feature. We’ve improved the reliability of desktop layout switching and restoring custom layouts is now 100% accurate 💯

Ubuntu MATE Desktop Layouts Having your desktop your way in Ubuntu MATE

We’ve removed mate-netbook from the default installation of Ubuntu MATE and as a result the Netbook layout is no longer available. We did this because mate-maximus, a component of mate-netbook, is the cause of some compatibility issues with client side decorated (CSD) windows. There are still several panel layouts that offer efficient resolution use 📐 for those who need it.

MATE Tweak has refreshed its supported for 3rd party compositors. Support for Compton has been dropped, as it is no longer actively maintained and comprehensive support for picom has been added. picom has three compositor options: Xrender, GLX and Hybrid. All three are can be selected via MATE Tweak as the performance and compatibility of each varies depending on your hardware. Some people choose to use picom because they get better gaming performance or screen tearing is reduced. Some just like subtle animation effects picom adds 💖


Recent versions of rofi, the tool used by MATE HUD to visualise menu searches, has a new theme system. MATE HUD has been updated to support this new theme engine and comes with two MATE specific themes (mate-hud and mate-hud-rounded) that automatically adapt to match the currently selected GTK theme.

You can add your own rofi themes to ~/.local/share/rofi/themes. Should you want to, you can use any rofi theme in MATE HUD. Use Alt + F2 to run rofi-theme-selector to try out the different themes, and if there is one you prefer you can set it as default by using running the following in a terminal:

gsettings set org.mate.hud rofi-theme <theme name>

MATE HUD MATE HUD uses the new rofi theme engine

Windows & Shadows

I’ve updated the Metacity/Marco (the MATE Window Manager) themes in Yaru to make sure they match GNOME/CSD/Handy windows for a consistent look and feel across all window types 🪟 and 3rd party compositors like picom. I even patched how Marco and picom render shadows so windows they look cohesive regardless of toolkit or compositor being used.

Ubuntu MATE Welcome & Boutique

The Software Boutique has been restocked with software for 22.04 and Firefox 🔥🦊 ESR (.deb) has been added to the Browser Ballot in Ubuntu MATE Welcome.

Ubuntu MATE Welcome Browser Ballot Comprehensive browser options just a click away

41% less fat 🍩

Ubuntu MATE, like it’s lead developer, was starting to get a bit large around the mid section 😊 During the development of 22.04, the image 📀 got to 4.1GB 😮

So, we put Ubuntu MATE on a strict diet 🥗 We’ve removed the proprietary NVIDIA drivers from the local apt pool on the install media and thanks to migrating fully to Yaru (which now features excellent de-duplication of icons) and also removing our legacy themes/icons. And now the Yaru-MATE themes/icons are completely in upstream Yaru, we were able to remove 3 snaps from the default install and the image is now a much more reasonable 2.7GB; 41% smaller. 🗜

This is important to us, because the majority of our users are in countries where Internet bandwidth is not always plentiful. Those of you with NVIDIA GPUs, don’t worry. If you tick the 3rd party software and drivers during the install the appropriate driver for your GPU will be downloaded and installed 👍

Install 3rd party drivers NVIDIA GPU owners should tick Install 3rd party software and drivers during install

While investigating 🕵 a bug in Xorg Server that caused Marco (the MATE window manager) to crash we discovered that Marco has lower frame time latency ⏱ when using Xrender with the NVIDIA proprietary drivers. We’ve published a PPA where NVIDIA GPU users can install a version of Marco that uses Xpresent for optimal performance

sudo apt-add-repository ppa:ubuntu-mate-dev/marco
sudo apt upgrade

Should you want to revert this change you install ppa-purge and run the following from a terminal: sudo ppa-purge -o ubuntu-mate-dev -p marco.

But wait! There’s more! 😲

These reductions in size are after we added three new applications to the default install on Ubuntu MATE: GNOME Clocks, Maps and Weather My family and I 👨‍👩‍👧 have found these applications particularly useful and use them regularly on our laptops without having to reach for a phone or tablet.

GNOME Clocks, Maps & Weather New additions to the default desktop application in Ubuntu MATE 22.04 LTS

For those of you who like a minimal base platform, then the minimal install option is still available which delivers just the essential Ubuntu MATE Desktop and Firefox browser. You can then build up from there 👷

Packages, packages, packages 📦

It doesn’t matter how you like to consume your Linux 🐧 packages, Ubuntu MATE has got you covered with PPA, Snap, AppImage and FlatPak support baked in by default. You’ll find flatpak, snapd and xdg-desktop-portal-gtk to support Snap and FlatPak and the (ageing) libfuse2 to support AppImage are all pre-installed.

Although flatpak is installed, FlatHub is not enabled by default. To enable FlatHub run the following in a terminal:

flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

We’ve also included snapd-desktop-integration which provides a bridge between the user’s session and snapd to integrate theme preferences 🎨 with snapped apps and can also automatically install snapped themes 👔 All the Yaru themes shipped in Ubuntu MATE are fully snap aware.

Ayatana Indicators

Ubuntu MATE 20.10 transitioned to Ayatana Indicators 🚥 As a quick refresher, Ayatana Indicators are a fork of Ubuntu Indicators that aim to be cross-distro compatible and re-usable for any desktop environment 👌

Ubuntu MATE 22.04 LTS comes with Ayatana Indicators 22.2.0 and sees the return of Messages Indicator 📬 to the default install. Ayatana Indicators now provide improved backwards compatibility to Ubuntu Indicators and no longer requires the installation of two sets of libraries, saving RAM, CPU cycles and improving battery endurance 🔋

Ayatana Indicator Settings Ayatana Indicators Settings

To compliment the BlueZ 5.64 protocol stack in Ubuntu, Ubuntu MATE ships Blueman 2.2.4 which offers comprehensive management of Bluetooth devices and much improved pairing compatibility 💙🦷

I also patched mate-power-manager, ayatana-indicator-power and Yaru to add support for battery powered gaming input devices, such as controllers 🎮 and joysticks 🕹

Active Directory

And in case you missed it, the Ubuntu Desktop team added the option to enroll your computer into an Active Directory domain 🔑 during install. Ubuntu MATE has supported the same capability since it was first made available in the 20.10 release.

Raspberry Pi image 🥧

  • Should be available very shortly after the release of 22.04.

Major Applications

Accompanying MATE Desktop 1.26.1 and Linux 5.15 are Firefox 99.0, Celluloid 0.20, Evolution 3.44 & LibreOffice

See the Ubuntu 22.04 Release Notes for details of all the changes and improvements that Ubuntu MATE benefits from.

Download Ubuntu MATE 22.04 LTS

This new release will be first available for PC/Mac users.


Upgrading from Ubuntu MATE 20.04 LTS and 21.10

You can upgrade to Ubuntu MATE 22.04 LTS from Ubuntu MATE either 20.04 LTS or 21.10. Ensure that you have all updates installed for your current version of Ubuntu MATE before you upgrade.

  • Open the “Software & Updates” from the Control Center.
  • Select the 3rd Tab called “Updates”.
  • Set the “Notify me of a new Ubuntu version” drop down menu to “For long-term support versions” if you are using 20.04 LTS; set it to “For any new version” if you are using 21.10.
  • Press Alt+F2 and type in update-manager -c -d into the command box.
  • Update Manager should open up and tell you: New distribution release ‘XX.XX’ is available.
    • If not, you can use /usr/lib/ubuntu-release-upgrader/check-new-release-gtk
  • Click “Upgrade” and follow the on-screen instructions.

There are no offline upgrade options for Ubuntu MATE. Please ensure you have network connectivity to one of the official mirrors or to a locally accessible mirror and follow the instructions above.

Known Issues

Here are the known issues.

Component Problem Workarounds Upstream Links
Ubuntu Ubiquity slide shows are missing for OEM installs of Ubuntu MATE


Is there anything you can help with or want to be involved in? Maybe you just want to discuss your experiences or ask the maintainers some questions. Please come and talk to us.

on August 19, 2022 10:23 PM

August 18, 2022

I’m happy to announce that Netplan version 0.105 is now available on GitHub and is soon to be deployed into an Ubuntu/Debian installation near you! Six month and exactly 100 commits after the previous version, this release is brought to you by 7 free software contributors from around the globe.


  • Add support for VXLAN tunnels (#288), LP#1764716
  • Add support for VRF devices (#285), LP#1773522
  • Add support for InfiniBand (IPoIB) (#283), LP#1848471
  • Allow key configuration for GRE tunnels (#274), LP#1966476
  • Allow setting the regulatory domain (#281), LP#1951586
  • Documentation improvements & restructuring (#287)
  • Add meson build system (#268)
  • Add abigail ABI compatibility checker (#269)
  • Update of Fedora RPM spec (#264)
  • CI improvements (#265#282)
  • Netplan set uses the consolidated libnetplan YAML parser (#254)
  • Refactor ConfigManager to use the libnetplan YAML parser (#255)
  • New netplan_netdef_get_filepath API (#275)
  • Improve NetworkManager device management logic (#276), LP#1951653

Bug fixes

on August 18, 2022 09:40 AM

August 14, 2022

Debuginfod is coming to Ubuntu

Sergio Durigan Junior

These past couple of months I have been working to bring debuginfod to Ubuntu. I thought it would be a good idea to make this post and explain a little bit about what the service is and how I'm planning to deploy it.

A quick recap: what's debuginfod?

Here's a good summary of what debuginfod is:

debuginfod is a new-ish project whose purpose is to serve
ELF/DWARF/source-code information over HTTP.  It is developed under the
elfutils umbrella.  You can find more information about it here:


In a nutshell, by using a debuginfod service you will not need to
install debuginfo (a.k.a. dbgsym) files anymore; the symbols will be
served to GDB (or any other debuginfo consumer that supports debuginfod)
over the network.  Ultimately, this makes the debugging experience much
smoother (I myself never remember the full URL of our debuginfo
repository when I need it).

If you follow the Debian project, you might know that I run their debuginfod service. In fact, the excerpt above was taken from the announcement I made last year, letting the Debian community know that the service was available.

First stage

With more and more GNU/Linux distributions offering a debuginfod service to their users, I strongly believe that Ubuntu cannot afford to stay out of this "party" anymore. Fortunately, I have a manager who not only agrees with me but also turned the right knobs in order to make this project one of my priorities for this development cycle.

The deployment of this service will be made in stages. The first one, whose results are due to be announced in the upcoming weeks, encompasses indexing and serving all of the available debug symbols from the official Ubuntu repository. In other words, the service will serve everything from main, universe and multiverse, from every supported Ubuntu release out there.

This initial (a.k.a. "alpha") stage will also allow us to have an estimate of how much the service is used, so that we can better determine the resources allocated to it.

More down the road

This is just the beginning. In the following cycles, I will be working on a few interesting projects to expand the scope of the service and make it even more useful for the broader Ubuntu community. To give you an idea, here is what is on my plate:

  • Working on the problem of indexing and serving source code as well. This is an interesting problem and I already have some ideas, but it's also challenging and may unfold into more sub-projects. The good news is that a solution for this problem will also be beneficial to Debian.

  • Working with the snap developers to come up with a way to index and serve debug symbols for snaps as well.

  • Improve the integration of the service into Ubuntu. In fact, I have already started working on this by making elfutils (actually, libdebuginfod) install a customized shell snippet to automatically setup access to Ubuntu's debuginfod instance.

As you can see, there's a lot to do. I am happy to be working on this project, and I hope it will be helpful and useful for the Ubuntu community.

on August 14, 2022 04:00 AM

August 11, 2022

Thanks to all the hard work from our contributors, Lubuntu 22.04.1 LTS has been released. With the codename Jammy Jellyfish, Lubuntu 22.04 is the 22nd release of Lubuntu, the eighth release of Lubuntu with LXQt as the default desktop environment. Support lifespan Lubuntu 22.04 LTS will be supported for 3 years until April 2025. Our […]
on August 11, 2022 02:34 PM

August 10, 2022


Dylan McCall

I spent a week at GUADEC 2022 in Guadalajara, Mexico. It was an excellent conference, with some good talks, good people, and a delightful hallway track. I think everyone was excited to see each other in person after so long, and for many attendees, this was closer to home than GUADEC has ever been.

For this event, I was sponsored by the GNOME Foundation, so many thanks to them as well as my employer the Endless OS Foundation for both encouraging me to submit a talk and for giving me the opportunity to take off and drink tequila for the week.

For me, the big themes this GUADEC were information resilience, scaling our community, and how these topics fit together.


Stepping into the Guadalajara Connectory for the first time, I couldn’t help but feel a little out of place. Everyone was incredibly welcoming, but this was still my first GUADEC, and my first real in-person event with the desktop Linux community in ages.

So, I was happy to come across Jona Azizaj and Justin Flory’s series of thoughtful and inviting workshops on Wednesday morning. These were Icebreakers & Community Social, followed by Unconscious bias & imposter syndrome workshop. They eased my anxiety enough that I wandered off and missed the follow-up (Exploring privilege dynamics workshop), but it looked like a cool session. It was a brilliant idea to put these kinds of sessions right at the start.

The workshop about unconscious bias inspired me to consciously mix up who I was going out for lunch with throughout the week, as I realized how easy it is to create bubbles without thinking about it.

Beyond that, I attended quite a few interesting sessions. It is always fun hearing about bits of the software stack I’m unfamiliar with, so some standouts were Matthias Clasen’s Font rendering in GNOME (YouTube), and David King’s Cheese strings: Webcams, PipeWire and portals (YouTube). Both highly recommended if you are interested in those components, or in learning about some clever things!

But for the most part, this wasn’t a very code-oriented conference for me.

Accessibility, diversity, remote attendance

This was the first hybrid GUADEC after two years of running a virtual-only conference, and I think the format worked very well. The remote-related stuff was smoothly handled in the background. The volunteers in each room did a great job relaying questions from chat so remote attendees were represented during Q&As.

I did wish that those remote attendees — especially the Berlin Mini-GUADEC — were more visible in other contexts. If this format sticks, it would be nice to have a device or two set up so people in different venues can see and interact with each other during the event. After all, it is unlikely that in-person attendees will spend much time looking at chat rooms on their own.

But I definitely like how this looks. I think having good representation for remote attendees is important for accessibility. Pandemic or otherwise. So with that in mind, Robin Tafel’s Keynote: Peeling Vegetables and the Craft of (Software) Inclusivity (YouTube), struck a chord for me. She elegantly explains how making anything more accessible — from vegetable peelers to sidewalks to software — comes back to help all of us in a variety of ways: increased diversity, better designs in general, and — let’s face it — a huge number of people will need accessibility tools at some point in their lives.

“We are temporarily abled.”

Community, ecosystems, and offline content

I especially enjoyed Sri Ramkrishna’s thoughtful talk, GNOME and Sustainability – Ecosystem Management (YouTube). I came away from his session thinking how we don’t just need to recruit GNOME contributors; we need to connect free software ecosystems horizontally. Find those like-minded people in other projects and find places where we can collaborate, even if we aren’t all using GNOME as a desktop environment. For instance, I think we’re doing a great job of this across the freedesktop world, but it’s something we could think about more widely, too.

Who else benefits, or could benefit, from Meson, BuildStream, Flatpak, GJS, and the many other technologies GNOME champions? How can we advocate for these technologies in other communities and use those as bridges for each other’s benefit? How do we get their voices at events like GUADEC, and what stops us from lending our voices to theirs?

“We need to grow and feed our ecosystem, and build relations with other ecosystems.”

So I was pretty excited (mostly anxious, since I needed to use printed notes and there were no podiums, but also excited) to be doing a session with Manuel Quiñones a few hours later: Offline learning with GNOME and Kolibri (YouTube). I’ll write a more detailed blog post about it later on, but I didn’t anticipate quite how neatly our session would fit in with what other people were talking about.

At Endless, we have been working with offline content for a long time. We build custom Endless OS images designed for different contexts, with massive libraries of pre-installed educational resources. Resources like Wikipedia, books, educational games, and more: all selected to empower people with limited connectivity. The trick with offline content is it involves a whole lot of very large files, it needs to be possible to update it, and it needs to be easy to rapidly customize it for different deployments.

That becomes expensive to maintain, which is why we have started working with Kolibri.

Kolibri is an open source platform for offline-first teaching and learning, with a powerful local application and a huge library of freely licensed educational content. Like Endless OS, it is designed for difficult use cases. For example, a community with sporadic internet access can use Kolibri to share Khan Academy videos and exercises, as well as assignments for individual learners, between devices.

Using Kolibri instead of our older in-house solution means we can collaborate with an existing free software project that is dedicated to offline content. In turn, we are learning many interesting lessons as we build the Kolibri desktop app for GNOME. We hope those lessons will feed back into the Kolibri project to improve how it works on other platforms, too.

Giving our talk at GUADEC made me think about how there is a lot to gain when we bring these types of projects together.

The hallway track

Like I wrote earlier, this wasn’t a particularly code-oriented conference for me. I did sit down and poke at Break Timer for a while — in particular, reviving a branch with a GTK 4 port — and I had some nice chats about various other projects people are doing. (GNOME Crosswords was the silent star of the show). But I didn’t find many opportunities to actively collaborate on things. Something to aim for with my next GUADEC.

I wonder if the early 3pm stop each day was a bit of a contributor there, but it did make for some excellent outings, so I’m not complaining. The pictures say a lot!

Everyone here is amazing, humble and kind. I really cannot recommend enough, if you are interested in GNOME, check out GUADEC, or LAS, or another such event. It was tremendously valuable to be here and meet such a wide range of GNOME users and contributors. I came away with a better understanding of what I can do to contribute, and a renewed appreciation for this community.

on August 10, 2022 07:43 PM

August 08, 2022


Para Yok Festival! The beautiful summer called for tropical and summery vibes, so that’s what you are going to find here! It was a lovely event and I was looking forward to play some of these tunes for a long time! Thanks a lot to everyone who made this a very special weekend! 💖

Unfortunately the set was fraught with complications - I had to to replace parts of the equipment 💻🎛💥 … and deal with other difficulties in between. Anyway, it’s a bit of a wild mix, but all the tracks are in my favourite category.

  1. Twerking Class Heroes - Hustlin'
  2. Claudia - Deixa Eu Dizer (iZem ReShape)
  3. Mc Loma e as Gêmeas Lacração - Predadora
  4. Thiaguinho MT feat Mila e JS O Mão de Ouro - Tudo OK
  5. MC Ysa - Baile da Colômbia (Brega Funk) (Remix)
  6. Daniel Haaksman - Toma Que Toma (Waldo Squash Remix)
  7. Gang Do Eletro - Pith Bull
  8. Banda Uó - Cremosa
  9. Sofi Tukker - Purple Hat
  10. Nick León - Latigazo
  11. Tribilin Sound - Condorcanqui
  12. – Break –
  13. Omar ؏ - Dola Re Dola
  14. Yendry - Ki-Ki
  16. The Living Graham Bond - Werk
  17. Kalemba - Wegue Wegue (Krafty Kuts Remix)
  18. Zeds Dead - Rumble In The Jungle
  19. Bert On Beats - Arriba
  20. Baja Frequencia - O Galop
  21. Sango - Fica Caladinha (K-Wash Remix)
  22. Castro - Warning
  23. Daniel Haaksman - Copabanana
  24. Dj Djeff e Maskarado - Elegom Bounsa
  25. London Afrobeat Collective - Prime Minister (Captain Planet Remix)
  26. Omar ft Zed Bias - Dancing
  27. Rafi El - Bacanal
  28. The Chemical Brothers - Go (Claude VonStroke Remix)
  29. nicholas ryan gant - Gypsy Woman (Kaytronik Remix Extended Version)
  30. Kurd Maverick - Dancing To (Extended Mix)
  31. Kotelett - I Got Something For You
  32. Sanoi & Rattler - Walking
  33. Dino Lenny - Tokyo (Damon Jee Remix)
  34. Quantic - You Used to Love Me feat. Denitia (Selva Remix)
  35. Psychemagik - Mink & Shoes feat Navid Izadi
  36. Noir & Haze - Around (Solomon remix)
  37. Emanuelle - Italove
on August 08, 2022 06:20 AM

July 20, 2022

It’s that time of year again – Hacker Summer Camp. (Hacker Summer Camp is the ~weeklong period where several of the largest hacker/information security conferences take place in Las Vegas, NV, including DEF CON and Black Hat USA.) This will be the 3rd year in a row where it takes place under the spectre of a worldwide pandemic, and the first one to be fully in-person again. BSidesLV has returned to in-person, DEF CON is in-person only, Black Hat will be in full swing, and Ringzer0 will be offerring in-person trainings. It’s almost enough to forget there’s still an ongoing pandemic.

I did attend last year’s hybrid DEF CON in person, and I’ve been around a few times, so I wanted to share a few tidbits, especially for first timers. Hopefully it’s useful to some of you.


  • DEF CON is arguably the penultimate event of the week. By far the largest by attendance, it also brings the greatest variety in hackers to the event. Ranging from students just getting into the scene to seasoned hackers with decades of experience to industry professionals, the networking opportunities are limitless. The talks are generally high quality, though they can be a bit of a mixed bag sometimes. Some will teach/demonstrate great things, and I always find a few worth watching, even if only when they get published on YouTube.

    There are “villages” for every topic and space – voting machines, hardware hacking, Red Teaming, IoT, lockpicking, social engineering, and more. The villages allow niche areas of hacking to showcase their special interests, and are generally run by individuals with a pure passion for their field. If you want to know more about a particular subfield of hacking, there is no better way than finding the right village.

    For the more competitive type, there’s a variety of competitions. In addition to the main “DEF CON CTF”, there’s also typically smaller CTFs in the Contest area or individual villages, so those looking for a challenge can put their skills to the test. Other competitions in the past have included a scavenger hunt, a password cracking competition, a beverage cooling competition, and more.

    In the evening, there’s variety of activities from parties/concerts to “Hacker Jeopardy” – a very mature take on Jeopdardy! with a hacker theme. There’s also plenty of private parties and places to hang out with fellow hackers all evening long.

    You may also hear people refer to “the badge” when talking about admission to the conference. While other conferences usually talk about registration or a ticket and have some boring piece of paper to present as your admission, DEF CON badges have become a work of art. Approximately every other year, the badge is electronic and has microcontrollers and some electronic function. In theory, DEF CON 30 should be a “passive” year, the creators of the badge (MK Factor) have confirmed that it will be electronic this year. (Check out the linked interview if you’re curious.)

    New this year is DEFCON trainings. These are taking place after DEF CON and providing some opportunities to get high-quality training associated with the conference. They’re all 2-day trainings, but they appear to be a good value for money in comparison to many other commercial training offerings.

  • Black Hat is the premiere security industry conference. I differentiate it from a hacking conference in that most of the people who are there will be people who strictly work in the industry and far fewer who are hackers just for the fun of it. Part of this is the cost (at least an order of magnitude more than DEF CON), and part of this is the general atmosphere. Polo shirts are the order of the day instead of black t-shirts and mohawks.

    There’s lots of high-quality technical material, but also a vendor sales floor with all the sales pitches you can possibly imagine. (But this is also where you can get free SWAG and party invites, so it’s not all terrible news.)

    Black Hat also has a multitude of training opportunities. In fact, Black Hat USA is likely the largest single site training event for the information security space each year. There’s trainings for every background and skill level, for all kinds of specialities, and in both 2- and 4-day formats.

  • BSidesLV is the B-Side to Black Hat. A community conference through-and-through, it has many similarities to the DEF CON of many years ago, but with a little more chill attitude. BSides is a great opportunity for new speakers as well as those who want to interact with fellow hackers in a more chill and (slightly) smaller atmosphere – though it’s gotten quite busy itself over the years. BSides takes over all the conference space at the Tuscany, and most of the hotel rooms, so it’s a great opportunity to be completely immersed in the hacker scene.

  • The Diana Initiative is “A conference committed to helping all those underrepresented in Information Security.” In the past, it’s been a 1 day or 1/2 day affair, but now it’s becoming a 2 day event, and I’m so happy to see such an important topic getting more love.

  • Ringzer0 is a training-only event focusing predominantly on reverse engineering and exploitation. It provides a nice alternative to Black Hat trainings (it’s the same days, but an independent event). The trainings offered here seem much more specific than Black Hat trainings, and I’m planning to take one, so I’ll have a review here after the event.


The biggest single piece of advice I can offer is: don’t try to do everything. You can’t do it, and managing your energy is actually an important part of the week, especially if you’re attending multiple of the conferences during the week.

Beyond that, I encourage you to think about what you hope to get out of your time. If you’d like to try out contests, pick out one or maybe two and focus on them. If you’re looking for a new role or wanting to meet new people, find social opportunities. If you’re looking to expand your skills in a particular direction, identify all of the relevant content in the area.

I’ve had years where I tried to do too much and ended the week feeling I’d done nothing at all. I typically prioritize interactive events – contests, meeting people, etc., – over talks, because the talks will be recorded and available later, unless the talk is something I plan to immediately apply. At the bigger events (DEF CON and Black Hat) the audience is likely to be so large that even if you have questions, it will be hard to get them answered by the speaker.


Quite frankly, the best time to plan hotel and airfare has probably already passed, but the 2nd best time to plan them is right now. I expect both will only rise in price from this point forward. Unfortunately, prices have been very volatile this summer. As of writing, the following group rates for hotels are still available:

  • DEF CON Room Block – Note that this year, DEF CON is at Caesar’s Forum, which is a new conference center located behind the Linq and Harrah’s. (It is attached to these two hotels by a skybridge.)
  • The Tuscany is the off-strip resort that hosts BSidesLV. They still have a number of rooms available, and most of the guests at the hotel will be fellow hackers during the course of the week.
  • Black Hat has rates at the Mandalay Bay. I’d only recommend this if you’ll be attending Black Hat, however, as it’s at the far south end of the strip.
  • Ringzer0 has a special rate for those attending their training at Park MGM. One feature of this hotel is that the entire thing is Non-Smoking. Along with Vdara and the Delano, this is an unusual quality on the strip and great for those with allergies.

Airfare is obviously high dependant on where you are originating. If it’s not too far and airfare looks a bit pricey for you, check out whether anyone from a local DEF CON Group is driving and maybe you can split the gas and make a new friend! There’s also ride and room share threads on the DEF CON Forum. While there’s obviously good reasons to be careful of who you ride or room with, lots of people have had success and met new friends along the way.

Bringing Tech

Some people want to spend the whole week hacking. Some want to be hands-off keyboard the whole week. You might be somewhere in between. What you want to do during the week will dictate a lot of the tech you bring with you.

Since I will be attending a training event and enjoy playing in the contests/CTFs, I will necessarily be bringing a laptop with me – in this case, my Framework Laptop that I love. (Full review of that coming soon.) I have a 1TB SSD which should be enough for VMs for training and CTFs as well, but I’ll probably also bring along an external SSD for sharing resources. They’re light enough that the speed advantage over a typical flash drive is worth it.

If you do intend to take a training or play a CTF for more than a little bit, I can’t recommend a wireless mouse enough. Even the great trackpad on Macbooks just doesn’t feel as good to me as a mouse after a few hours.

Outlets can also be quite limited, so if you bring a travel power strip, you can always squeeze in where someone else has plugged in and even provide more outlets. Sharing is caring!

I’ll also have my Pixel 6 Pro, but won’t bring any work tech along with me – I’m fortunate to not be in an urgent/oncall role, and this allows me to better focus on what I’m doing there instead of what’s going on in the office. Though phone battery life has gotten pretty good for a lot of phones, I’ll still bring a backup battery bank. There are even ones capable of charging many laptops available, though they get a bit bulky and heavy.

I’ll cover protecting your tech down below, but the short form is that I have no problem bringing things (laptop, phone, etc.).


Look, it’s Las Vegas in August. You don’t need to check a weather forecast to know that it’s going to be hot. Reaching 45℃ (110℉) is not out of the question. There’s not likely to be much rain, but I have seen it a time or two. Windy is a definite possibility though. Dress accordingly.

In the casinos and the conference areas, the air conditioning is often on full blast. I’m personally comfortable in a T-Shirt and jeans or shorts, but if you’re prone to being cold under such conditions, a lightweight hoodie or jacket might not be a bad idea.

I have two schools of thought on carrying things with me. Some years, I have intentionally used a smaller backpack to avoid lugging so much stuff around with me for days on end. This does work out, but then I end up wishing I had certain other items. The other extreme is carrying my EDC backpack full of gear and a sore back after a couple of days. Carrying the smaller backpack is probably the better decision, but I can’t say I’m always known for making the best decisions.

It may seem a bit anachronistic, but I also suggest carrying a small notebook (I’m quite partial to Field Notes with Dot-Graph paper) and pen. To this day, I still find it easier to make quick notes on pen and paper than on my phone, especially if I need a diagram or drawing of any sort. (It also requires no recharging.)


Stay Healthy

Addressing the elephant in the room, there is still a pandemic going on, and new variants all the time. Everyone has already made up their mind on vaccinations, so I’m not going to try to push anyone on that, but I will strongly suggest bringing some tests with you to Las Vegas. If you test positive, please don’t come to the conferences and infect others. Yes, missing out on part of con will suck, but it’s still the right thing to do. DEF CON and BSidesLV are both requiring masking at all times (consider ear savers), except when eating, drinking, or presenting. Neither is requiring proof of vaccination.

Even prior to the pandemic, Hacker Summer Camp posed its own health challenges. Inadequate sleep is nearly universal, and drinking, heat, and dry air can quickly lead to dehydration. Drinking water is absolutely critical. I strongly recommend bringing an insulated water bottle, and you can refill from water fountains in the conference space. Bottled water in the hotels is extremely expensive (I believe most people would call it a “rip-off”) but if you want to get bottled water, I suggest going to CVS, or the ABC convenience stores on the Strip. (Fun fact, those stores also sell alcohol at pretty reasonable prices if you want to have a drink in your room. Hotel rules would definitely preclude carrying a flask in the conference space, so no hackers would ever do that.)

I particularly hate the heat, so I also bring a couple of “cooling towels” – you dampen them, and the evaporating water causes them to cool off, consequently cooling you off. They also make a great basic towel for wiping sweat away or any other quick use. I was skeptical when I first heard of them, but they really work to make you feel cooler.

Physical Safety

Las Vegas is a bit of a unique city in that it’s built entirely around the tourism industry. This is even more true on or near “The Strip”, the section of Las Vegas Boulevard from The STRAT to Mandalay Bay (just north of Reid Airport). Every scam you can imagine is being played here as well as many you won’t even have thought of. Your Social Engineering instincts should be on high alert.

Pickpocketing and theft of anything unattended are both commonplace on the strip, but robbery less so on the strip. It’s more your belongings than you yourself that are at risk. Stay in a group if you can.

Know that the street performers have an expectation of getting paid if you take a photo with them. This ranges from a guy in a poor Mickey Mouse costume to women dressed up as Las Vegas showgirls. It may get confrontational if you take a photo and try not to tip them at all, but also don’t let them rip you off if you decide to do this.

Electronic Safety

If you have fully up-to-date (patched) devices, I do not believe the risk of compromise to be especially high. Consider the value of 0-day exploits in modern platforms along with the number of reverse engineers and malware analysts present who might get a copy, resulting in the 0-day being “burned”. To the best of my knowledge, no device I’ve ever taken has been compromised. (And yes, I used to take “burner” devices, my views on this have evolved over the years.)

If you have a device that can’t run the latest available OS (i.e., no longer receives Android or iOS Updates), I strongly recommend upgrading, whether or not you plan to bring it to DEF CON. Unfortunately there are enough browser and similar bugs that affect older OSs that they’re basically unsafe on any public network, not just the ones at these conferences.

At DEF CON, they provide both an “open” network (on which there are plenty of shenanigans, but not modern OS 0-day as far as I’m aware) and a “secure” network that uses 802.1x authentication with certificates (make sure you verify the network certificate) and also prevents client-to-client traffic.

I do recommend not bringing any particularly sensitive data, and having a thorough backup before your trip.

VPNs are a bit of a controversial topic in the security space right now. Too many providers pretend they can offer things they can. At a simple level, your traffic is eventually egressing onto the public internet, and it’s not end-to-end encryption. If you’re in the security space and not familiar with how commercial VPNs work, now might be a great time to look more into it. I do think they have value on open wireless networks because the opportunity for meddler-in-the-middle attacks is less on a VPN than on the open WiFi. I personally use Private Internet Access but there are many options out there.


What’s a Goon?

DEF CON Goons are the volunteer army that help make sure DEF CON occurs as successfully and safely as possible. While they have a bit of a reputation for their loudness and directness, their goal is to keep things moving and do so safely. They can be identified by their red DEF CON badges.

Where can I learn more about the history of DEF CON?

I’m hardly a historian, but I can recommend checking out the DEF CON documentary produced by Jason Scott at DEF CON 20 in 2012.

What is Badgelife?

The official DEF CON badges eventually inspired other creators to get into the space of making badges as well. These may be electronic, laser cut, hand crafted, and more. Some will be sold publicly, others are given out to friends, and still others may be associated with an activity in one of the villages. These are often called “unofficial badges” since they are not associated with the DEF CON organizers and they don’t gain you access to the conference. (Some may gain you access to parties and events run by their creators, however.)

The electronic component shortage associated with the pandemic has slowed things down a bit, but this space appears poised to make a come back this year or so. At the end of the day, Badgelife is just a particularly nerdy form of art. (I’ve been a small-volume badgelife creator for a few years, so I feel well positioned to acknowledge the nerdiness.)

Where Can I See Past Talks?

The DEF CON Media Server has all the media from every DEF CON held, but not every DEF CON had talks recorded. Many of the videos have also been uploaded to YouTube.

Black Hat posts some of the videos from their conferences to their YouTube page. Likewise, BSidesLV has a YouTube page with their talks. Finally, The Diana Initiative has also uploaded their videos from 2021. (Though apparently none from before that time, at least that I could locate.)

What is the Rule on Photography?

Until about 10 years ago, the rule was no photography allowed but now that basically everyone carries a camera with them wherever they go (my phone actually has 4 separate cameras), it’s been updated a bit:

Everyone in the photo must consent to having their photo taken at both DEF CON and BSidesLV. (And, quite frankly, this is good advice for life in general.) This includes individuals in the background, etc. There may also be areas (Skytalks, Mohawkcon) that absolutely prohibit photography. I have personally witnessed individuals removed from events for violating this rule.

At DEF CON 15, an undercover reporter was chased from the event. While the events do allow press, they are required to register as such (which earns them a specially-colored badge) and the policies require they identify themselves as press to participants.

A reporter coming “undercover” hoping to catch individuals openly discussing criming in the hallways is likely to be very disappointed. You’re far more likely to catch people mocking the security industry itself.

I Don’t Know Anyone – How Do I Meet People?!

I struggle with this myself, but the Lonely Hackers Club has a great guide.


I hope some of these tips have been helpful to at least some of you. :) Feel free to reach me on Twitter with any feedback you might have. If you want to get into the right mindset, I highly recommend checking out the music CDs or live recordings from past DEFCONs or checking out Dual Core Music.

on July 20, 2022 07:00 AM

Tobacconists hate him.

It’s that time of the year. I never really know who this sort of post is for. Maybe it’s for you, maybe for it’s for me one dark day in the future, but…

🎉  I stopped smoking ten years ago!

If somebody as flimsy-willed as me can stop smoking, you can stop smoking too. I’m not going to labour the “it kills you” thing, but it is so here’s the financial breakdown for any fellow cheapskates.

  10 years =  3,652 days
@13/day = 47,476 cigs
= 2,374 packs

2012 price = £7.10 /pack
2022 price = £12.50 /pack
Mean price = £9.80 /pack

I’ve not smoked £23,265.20.

If I’d regularly deposited that into an investment account, a 2% return that would be £25k and 5% would be almost £30k.

I’d say I feel fantastic but I am also ten years older. I gained two children a dog, and everything hurts. But I don’t smoke. I don’t feel the urge to smoke, and haven’t for years. I never have to stand outdoors on cold, wet nights to smoke. I don’t panic when I’m running out of cigarettes. And that means a lot.

It’s easier to just not smoke

You might not be convinced and that’s because we’re all told it’s really hard to stop smoking. All the time. Even by people who want smokers to quit, as if it’s something that takes a run-up, an intake of bravery and team-cajoling. It’s not hard; just stop smoking the bloody things.

The rest is understanding your body and addiction, that smoking never made you feel better, it only made not smoking feel worse. As soon as you cut that cycle, your body recalibrates. As soon as you realise that, the infinitesimal cost of quitting seems worth it.

If you’re trying to quit and you’re not finding it easy, stick with it. If you need help understanding addiction, Allen Carr’s Easy Way to Stop Smoking has an eerily convincing narrative that plods through the feelings every smoker goes through. I never finished it —I convinced myself I didn’t want to quit— but it was absolutely the basis for the voice in my head that let me quit later on.

on July 20, 2022 12:00 AM

July 14, 2022

As of July 14, 2022, all flavors of Ubuntu 21.10, including Ubuntu Studio 21.10, codenamed “Impish Indri”, have reached end-of-life (EOL). There will be no more updates of any kind, including security updates, for this release of Ubuntu.

If you have not already done so, please upgrade to Ubuntu Studio 22.04 LTS via the instructions provided here.

No single release of any operating system can be supported indefinitely, and Ubuntu Studio has no exception to this rule.

Regular Ubuntu releases, meaning those that are between the Long-Term Support releases, are supported for 9 months and users are expected to upgrade after every release with a 3-month buffer following each release.

Long-Term Support releases are identified by an even numbered year-of-release and a month-of-release of April (04). Hence, the most recent Long-Term Support release is 22.04 (YY.MM = 2022.April), and the next Long-Term Support release will be 24.04 (2024.April). LTS releases for official Ubuntu flavors (not Desktop or Server which are supported for five years) are three years, meaning LTS users are expected to upgrade after every LTS release with a one year buffer.

on July 14, 2022 12:00 PM

July 13, 2022

Happens that I spent today (Finally) a good few hours trying to figure out why my autocompletion was broken on my new shiny MacBook Pro M1 Pro…

despite Homebrew’s brew doctor giving me the All OK.

foursixnine@pakhet ~ % brew doctor
Your system is ready to brew.

turns out that it was just the shell:

foursixnine@pakhet ~ % echo $FPATH

My user’s shell is still being set to osx’s 5.8.1 zsh…

So after hours of searching on the internet to no avail, and scratching my head, I came back to my initial idea of just switching the shell::

echo "export PATH=/opt/homebrew/bin:$PATH" >> ~/.zshenv
sudo sh -c "echo $(which zsh) >> /etc/shells"
chsh -s $(which zsh)
on July 13, 2022 12:00 AM

July 07, 2022

GitHub Action အကြောင်း နဲ့ ဘာလို့ ARC သုံးဖြစ်သွားလဲ?  ကျနော့် အလုပ်မှာ လိုလို့ လိုက်ရှာရင်း သုံးဖြစ်တဲ့ GitHub Action  Runner Controller (ARC) ဆိုတဲ့ open source project အကြောင်းလေး ပြန်မျှဝေချင်ပါတယ်။ ဒါက သူရဲ့ GitHub link ပါ။ GitHub Action ဆိုတာ software development process မှာ ရေးပြီးသား code တွေ test ဖို့ software release တွေ automate လုပ်ဖို့တို့ container image တွေ သုံးတဲ့ organization တွေဆိုရင် software release လုပ်ပြီးတာနဲ့ တပြိုင်နက် […]

on July 07, 2022 06:43 AM

July 04, 2022


It was a last-minute request that led me to Fusion this year. One act unfortunately needed to cancel, so Tuesday night I packed things to play at Dubstation the next day.

It was a great experience for me … thanks so much to everyone who turned up and to the lovely team of organisers as well! 💖

  1. Cocotaxi - Cactus
  2. JÇÃO & Caracas Dub - Suena la decadente
  3. Masia One - Warriors Tongue (An-ten-nae Remix)
  4. coss - Come Into My Room
  5. Noema - Twilight (Xique-Xique Nightglow Remix)
  6. Smoke City - Underwater Love (Bendix Edit)
  7. Xique-Xique - Xaxoeira
  8. Ana Tijoux - 1977 (106er Edit)
  9. VON Krup Feat. Alekzal - Fosfenos (jiony Remix)
  10. Xique-Xique - Pirilampos (House Mix 2016 Remaster)
  11. Eartha Kitt - Angelitos Negros (Billy Caso’s Sliced Sky Remix)
  12. The Tribe Of Good - Heroes (edit)
  13. Satori - Days Without You (Crussen Remix)
  14. Dombrance - Taubira (Prins Thomas Diskomiks)
  15. Emanuelle - Italove
  16. 9EYE - Orisa (Dario Klein Remix)
  17. Canu, Nu, Alejandro Castelli - Mariposa (VIKEN ARMAN Remix)
  18. Tunnelvisions - Guava (Extended Mix)
  19. DjeuhDjoah & Lieutenant Nicholson - El Niño
  20. RSS Disco - Pie Pie Pie
  21. LeSale - (I’ve Had) The Time Of My Life (Le Sale’s Second Base Edit) [Dirty Dancing Remix]
  22. hubbabubbaklubb - Mopedbart (Barda Edit)
  23. Crussen - Bufarsveienen
  24. Renegades Of Jazz - Beneath This African Blue (Paradise Hippies Remix)
  25. Takeshi’s Cashew - Akihi (Surv Remix)
  26. Mina & Alberto Lupo - Paroles, Paroles (Gaviño Edit)
on July 04, 2022 07:00 AM

July 03, 2022

Given news that ISC's DHCP suite is getting deprecated by upstream and seeing how dhclient has never worked properly for DHCPv6, I decided to look into alternatives. ISC itself recommends Roy Maple's dhcpcd as a migration path. Sadly, Debian's package had been left unattended for a good 2 years. After refactoring the packaging, updating to the latest upstream and performing one NMU, I decided to adopt the package.

Numerous issues were exposed in the process:

  • Upstream's ./configure makes BSD assumptions. No harm done, but still...
  • Upstream's ./configure is broken. --prefix does not propagate to all components. For instance, I had to manually specify the full path for manual pages. Patches are welcome.
  • Debian had implemented custom exit hooks for all its NTP packages. Since then, upstream has implemented this in a much more concise way. All that's missing upstream is support for timesyncd. Patches are welcome.
  • I'm still undecided on whether --prefix should assume / or /usr for networking binaries on a Debian system. Feedback is welcome.
  • The previous maintainer had implemented plenty of transitional measures in maintainer scripts such as symbolically linking /sbin/dhcpcd and /usr/sbin/dhcpcd. Most of this can probably be removed, but I haven't gotten around verifying this. Feedback and patches are welcome.
  • The previous maintainer had created an init.d script and systemd unit. Both of these interfere with launching dhcpcd using ifupdown via /etc/network/interfaces which I really need for configuring a router for IPv4 MASQ and IPv6 bridge. I solved this by putting them in a separate package and shipping the rest via a new binary target called dhcpcd-base along a logic similar to dnsmasq.
  • DHCPv6 Prefix Delegation mysteriously reports enp4s0: no global addresses for default route after a reboot. Yet if I manually restart the interface, none of this appears. Help debuging this is welcome.
  • Support for Predictable Interface Names was missing because Debian's package didn't Build-Depends on libudev-dev. Fixed.
  • Support for priviledge separation was missing because Debian's package did not ./configure this or create a system user for this. Fixed.
  • I am pondering moving the Debian package out of the dhcpcd5 namespace back into the dhcpcd namespace. The 5 was the result of an upstream fork that happened a long time ago and the original dhcpcd package no longer is in the Debian archive. Feedback is welcome on whether this would be desirable.

The key advantage of dhcpcd over dhclient is that works as a dual-stack DHCP client by design. With privilege separation enabled, this means separate child processes handling IPv4 and IPv6 configuration and passing the received information to the parent process to configure networking and update /etc/resolv.conf with nameservers for both stacks. Additionally, /etc/network/interfaces no longer needs separate inet and inet6 lines for each DHCP interface, which makes for much cleaner configuration files.

A secondary advantage is that the dual-stack includes built-in fallback to Bonjour for IPv4 and SLAAC for IPv6. Basically, unless the interface needs a static IP address, this client handles network configuration in a smart and transparent way.

A third advantage is built-in support for DHCPv6 Prefix Delegation. Enabling this requires just two lines in the configuration file.

In the long run, I feel that dhcpcd-base should probably replace isc-dhcp-client as the default DHCP client with priority Important. Adequate IPv6 support should come out of the box on a standard Debian installation, yet dhclient never got around implementing that properly.

on July 03, 2022 08:57 AM

June 24, 2022

As part of the continuing work to replace 1-element arrays in the Linux kernel, it’s very handy to show that a source change has had no executable code difference. For example, if you started with this:

struct foo {
    unsigned long flags;
    u32 length;
    u32 data[1];

void foo_init(int count)
    struct foo *instance;
    size_t bytes = sizeof(*instance) + sizeof(u32) * (count - 1);
    instance = kmalloc(bytes, GFP_KERNEL);

And you changed only the struct definition:

-    u32 data[1];
+    u32 data[];

The bytes calculation is going to be incorrect, since it is still subtracting 1 element’s worth of space from the desired count. (And let’s ignore for the moment the open-coded calculation that may end up with an arithmetic over/underflow here; that can be solved separately by using the struct_size() helper or the size_mul(), size_add(), etc family of helpers.)

The missed adjustment to the size calculation is relatively easy to find in this example, but sometimes it’s much less obvious how structure sizes might be woven into the code. I’ve been checking for issues by using the fantastic diffoscope tool. It can produce a LOT of noise if you try to compare builds without keeping in mind the issues solved by reproducible builds, with some additional notes. I prepare my build with the “known to disrupt code layout” options disabled, but with debug info enabled:

$ OUT=gcc
$ make $KBF O=$OUT allmodconfig
$ ./scripts/config --file $OUT/.config \
$ make $KBF O=$OUT olddefconfig

Then I build a stock target, saving the output in “before”. In this case, I’m examining drivers/scsi/megaraid/:

$ make -jN $KBF O=$OUT drivers/scsi/megaraid/
$ mkdir -p $OUT/before
$ cp $OUT/drivers/scsi/megaraid/*.o $OUT/before/

Then I patch and build a modified target, saving the output in “after”:

$ vi the/source/code.c
$ make -jN $KBF O=$OUT drivers/scsi/megaraid/
$ mkdir -p $OUT/after
$ cp $OUT/drivers/scsi/megaraid/*.o $OUT/after/

And then run diffoscope:

$ diffoscope $OUT/before/ $OUT/after/

If diffoscope output reports nothing, then we’re done. 🥳

Usually, though, when source lines move around other stuff will shift too (e.g. WARN macros rely on line numbers, so the bug table may change contents a bit, etc), and diffoscope output will look noisy. To examine just the executable code, the command that diffoscope used is reported in the output, and we can run it directly, but with possibly shifted line numbers not reported. i.e. running objdump without --line-numbers:

$ ARGS="--disassemble --demangle --reloc --no-show-raw-insn --section=.text"
$ for i in $(cd $OUT/before && echo *.o); do
        echo $i
        diff -u <(objdump $ARGS $OUT/before/$i | sed "0,/^Disassembly/d") \
                <(objdump $ARGS $OUT/after/$i  | sed "0,/^Disassembly/d")

If I see an unexpected difference, for example:

-    c120:      movq   $0x0,0x800(%rbx)
+    c120:      movq   $0x0,0x7f8(%rbx)

Then I'll search for the pattern with line numbers added to the objdump output:

$ vi <(objdump --line-numbers $ARGS $OUT/after/megaraid_sas_fp.o)

I'd search for "0x0,0x7f8", find the source file and line number above it, open that source file at that position, and look to see where something was being miscalculated:

$ vi drivers/scsi/megaraid/megaraid_sas_fp.c +329

Once tracked down, I'd start over at the "patch and build a modified target" step above, repeating until there were no differences. For example, in the starting example, I'd also need to make this change:

-    size_t bytes = sizeof(*instance) + sizeof(u32) * (count - 1);
+    size_t bytes = sizeof(*instance) + sizeof(u32) * count;

Though, as hinted earlier, better yet would be:

-    size_t bytes = sizeof(*instance) + sizeof(u32) * (count - 1);
+    size_t bytes = struct_size(instance, data, count);

But sometimes adding the helper usage will add binary output differences since they're performing overflow checking that might saturate at SIZE_MAX. To help with patch clarity, those changes can be done separately from fixing the array declaration.

© 2022, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

on June 24, 2022 08:11 PM

June 20, 2022

Log4Shell was arguably the biggest vulnerability disclosure of 2021. Security teams across the entire world spent the end of the year trying to address this bug (and several variants) in the popular Log4J logging library.

The vulnerability was caused by special formatting strings in the values being logged that allow you to include a reference. This reference, it turns out, can be loaded via JNDI, which allows remotely loading the results as a Java class.

This was such a big deal that there was no way we could let the next BSidesSF CTF go by without paying homage to it. Fun fact, this meant I “got” to build a Java webapp, which is actually something I’d never done from scratch before. Nothing quite like learning about Jetty, Log4J, and Maven just for a CTF level.

Visiting the given application, we see a basic page with options to login and register along with a changelog:


The changelog notes that the logger was “patched for Log4Shell” and that there was previously support for sub-users in the format “user+subuser”, but it has alledgedly been removed.

Registering an account, we’re requested to provide only a username. The password is given to us once we register. Registering the username “writeup”, we get the password “7fAFsdYlz-oH”. If we login with these credentials, we now see a link to a page called “Flag”, as well as a “Logout” link. Could we just get the flag directly? Let’s check.

Login4Shell Flag

Unfortunately, no such luck. We’re presented with a page containing the following:

Oh come on, it wasn’t going to be that simple. We’re going to make you work for this.

The flag is accessible at /home/ctf/flag.txt.

Oh yeah, your effort to get the flag has been logged. Don’t make me tell you again.

Noting the combination of the logging bug mentioned on the homepage (and the hint from the name of the challenge), as well as the message here about being logged, perhaps this is a place we could do something. Let’s look for anywhere accepting user input.

Other than the login and register forms, we find nothing interesting across the entire app. Attempting to put a log4shell payload into the login and register forms merely obtains an error:

Error: Username must be lowercase alphanumeric!

Taking a look at the login process, we see that we get handed a cookie (logincookie) for the session when we login:


It might be an opaque session token, but from experience, I know that ey is the base64 encoding of the opening of a JSON object ({"). Let’s decode it and see what we get:


Interestingly enough, our session cookie is just a JSON object that contains the plaintext username and password for our user. There’s no obvious signature or MAC involved. Maybe we can tamper directly with the cookie. If I change the username by adding a letter, it effectively logs me out. Likewise, changing the password gives me the logged-out experience.

Looking back at the “subuser” syntax mentioned on the homepage, I decided to try that directly with the cookie. Setting the username to writeup+a with the same password, the site seems to recognize me as logged-in again. To check if this field might be vulnerable without needing to setup the full exploit ourselves, we can use the Huntress Log4Shell test. Inserting the provided payload gives us the following cookie:


If we set our cookie to that value, then visit the /flag page again so our attempt is logged, we should trigger the vulnerability, as we understand it so far. Doing so, then refreshing our page on Huntress shows the callback hitting their server. We’ve successfully identified a sink for the log4shell payload! Now we just need to serve up a payload.

Unfortunately, this requires an internet exposed server. There’s a couple of ways to do this, such as port forwarding on your router, a service like ngrok, or running a VPS/Cloud Server. In this case, I’ll use a VPS from Digital Ocean.

I grabbed the log4j-shell-poc from kozmer to launch the attack. This, itself, depends on the marshalsec project. This requires exposing 3 ports: LDAP on port 1389, a port for the reverse shell, and a port for an HTTP server for the payload. The LDAP server will point to the HTTP server, which will provide a class file as the payload, which launches a reverse shell to the final port. We launch the PoC with our external IP:

python3 ./poc.py --userip

[!] CVE: CVE-2021-44228
[!] Github repo: https://github.com/kozmer/log4j-shell-poc

[+] Exploit java class created success
[+] Setting up LDAP server

[+] Send me: ${jndi:ldap://}

After starting a netcat listener on port 9001, we send the provided string in our username within the cookie and load the flag page again:


Upon reloading, we see our netcat shell light up:

nc -nvlp 9001
Listening on 9001
Connection received on 36856
uid=2000(ctf) gid=2000(ctf) groups=2000(ctf)
cat /home/ctf/flag.txt
on June 20, 2022 07:00 AM

June 17, 2022

Help the CMA help the Web

Stuart Langridge

As has been mentioned here before the UK regulator, the Competition and Markets Authority, are conducting an investigation into mobile phone software ecosystems, and they recently published the results of that investigation in the mobile ecosystems market study. They’re also focusing in on two particular areas of concern: competition among mobile browsers, and in cloud gaming services. This is from their consultation document:

Mobile browsers are a key gateway for users and online content providers to access and distribute content and services over the internet. Both Apple and Google have very high shares of supply in mobile browsers, and their positions in mobile browser engines are even stronger. Our market study found the competitive constraints faced by Apple and Google from other mobile browsers and browser engines, as well as from desktop browsers and native apps, to be weak, and that there are significant barriers to competition. One of the key barriers to competition in mobile browser engines appears to be Apple’s requirement that other browsers on its iOS operating system use Apple’s WebKit browser engine. In addition, web compatibility limits browser engine competition on devices that use the Android operating system (where Google allows browser engine choice). These barriers also constitute a barrier to competition in mobile browsers, as they limit the extent of differentiation between browsers (given the importance of browser engines to browser functionality).

They go on to suggest things they could potentially do about it:

A non-exhaustive list of potential remedies that a market investigation could consider includes:
  • removing Apple’s restrictions on competing browser engines on iOS devices;
  • mandating access to certain functionality for browsers (including supporting web apps);
  • requiring Apple and Google to provide equal access to functionality through APIs for rival browsers;
  • requirements that make it more straightforward for users to change the default browser within their device settings;
  • choice screens to overcome the distortive effects of pre-installation; and
  • requiring Apple to remove its App Store restrictions on cloud gaming services.

But, importantly, they want to know what you think. I’ve now been part of direct and detailed discussions with the CMA a couple of times as part of OWA, and I’m pretty impressed with them as a group; they’re engaged and interested in the issues here, and knowledgeable. We’re not having to educate them in what the web is. The UK’s potential digital future is not all good (and some of the UK’s digital future looks like it could be rather bad indeed!) but the CMA’s work is a bright spot, and it’s important that we support the smart people in tech government, lest we get the other sort.

So, please, take a little time to write down what you think about all this. The CMA are governmental: they have plenty of access to windy bloviations about the philosophy of tech, or speculation about what might happen from “influencers”. What’s important, what they need, is real comments from real people actually affected by all this stuff in some way, either positively or negatively. Tell they whether you think they’ve got it right or wrong; what you think the remedies should be; which problems you’ve run into and how they affected your projects or your business. Earlier in this process we put out calls for people to send in their thoughts and many of you responded, and that was really helpful! We can do more this time, when it’s about browsers and the Web directly, I hope.

If you feel as I do then you may find OWA’s response to the CMA’s interim report to be useful reading, and also the whole OWA twitter thread on this, but the most important thing is that you send in your thoughts in your own words. Maybe what you think is that everything is great as it is! It’s still worth speaking up. It is only a good thing if the CMA have more views from actual people on this, regardless of what those views are. These actions that the CMA could take here could make a big difference to how competition on the Web proceeds, and I imagine everyone who builds for the web has thoughts on what they want to happen there. Also there will be thoughts on what the web should be from quite a few people who use the web, which is to say: everybody. And everybody should put their thoughts in.

So here’s the quick guide:

  1. You only have until July 22nd
  2. Read Mobile browsers and cloud gaming from the CMA
  3. Decide for yourself:
    • How these issues have personally affected you or your business
    • How you think changes could affect the industry and consumers
    • What interventions you think are necessary
  4. Email your response to browsersandcloud@cma.gov.uk

Go to it. You have a month. It’s a nice sunny day in the UK… why not read the report over lunchtime and then have a think?

on June 17, 2022 10:33 AM

June 15, 2022

Dev Ops job?

Bryan Quigley

Dev Ops Job?

Are you looking for a remote (US, Canada, or Phila) Dev Ops job with a company focused on making a positive impact?

on June 15, 2022 04:00 PM

But what will people download Chrome with now?

Raise a glass, kiss your wife, hug your children. It’s finally gone.

IE11 Logo

It’s dead.

Internet Explorer has been dying for an age. 15 years ago IE6 finally bit it, 8 years ago I was calling for webdevs to hasten the death of IE8 and today is the day that Microsoft has finally pulled regular support for “retired” Internet Explorer 11, last of its name.

Its successor, Edge, uses Chrome’s renderer. While I’m sure we’ll have a long chat about the problems of monocultures one day, this means —for now— we can really focus on modern standards without having to worry about what this 9 year old renderer thinks. And I mean that at a commercial, enterprise level. Use display: grid without fallback code. Use ES6 features without Babel transpiling everything. Go, create something and expect it to just work.

Here’s to never having to download the multi-gigabyte, 90 day Internet Explorer test machine images. Here’s to kicking out swathes of compat code. Here’s to being able to [fairly] rigourously test a website locally without a third party running a dozen versions of Windows.

The web is more free for this. Rejoice! while it lasts.

on June 15, 2022 12:00 AM