openSUSE Tumbleweed – Review of the weeks 2021/40 & 41
Dear Tumbleweed users and hackers,
Due to my slacking off last Friday, I have to write the review over two weeks again. But that might turn out even better this time, as otherwise, the review might be a bit short (we struggled a bit this week with ‘openQA being slower in testing than OBS with building’). During the last two weeks, we have released a total of 6 snapshots (0929, 1001, 1005, 1008, 1011, and 1012).
The main changes included in those snapshots were:
- GNOME 41.0
- Mozilla Firefox 92.0.1 & 93.0
- Mesa 21.2.3
- Pipewire 0.3.38
- Apache 2.4.51
- Linux kernel 5.14.9
- Samba 4.15.0 (See special info message)
- Squid 5.2
- meson 0.59.2
- LibreOffice 126.96.36.199
- openSSH 8.8p1
- PostgreSQL 14.0
- Rust 1.55
- LLVM 13
In the staging projects we are currently preparing these updates:
- KDE Plasma 5.23
- KDE Frameworks 5.87.0
- RPM 4.17
- Coreutils 9.0: causes issues with 32bit archs (intel, arm, ppc)
- gpg 2.3.2
- openssl 3.0
- bison 3.8.2
OpenSSH, Squid, PostgreSQL Update in Tumbleweed
Mozilla Firefox, Thunderbird, nano, and PostgreSQL were all in the latest 20211012 snapshot. A new major version of Firefox 93.0 added support for the optimised image format AVIF, which offers a significant file size reduction as opposed to other image formats. The browser also improved web compatibility for privacy protections and fixed more than a handful of Common Vulnerabilities and Exposures. Thunderbird 91.2.0 addressed many of the same CVEs, fixed some issues with the calendar and fixed the new mail notifications that did not properly take subfolders into account. The 5.9 version of text editor nano added syntax highlighting for YAML files and fetchmail 6.4.22 added a few patches, addressed a CVE related to IMAP connections and now highlights being compatible with OpenSSL 1.1.1 and 3.0.0. The new major version of postgresql 14 provided improvements for heavy workloads, enhanced distributed workloads and added a couple more predefined roles like pg_database_owner. Other packages to update in the snapshot were GNOME’s document viewer evince 41.2, Flatpak 1.12.1, graphics library gegl 0.4.32, glusterfs 9.3 and many RubyGems and YaST package updates.
Snapshot 20211011 also added several RubyGems like style guide package rubygem-rubocop 1.22.1, which added new features like a Safety section to documentation for all cops that are Safe: false or SafeAutoCorrect: false. Another gem update was made to rubygem-spring 3.0, which added new Ruby and Rails dependencies. The update of ImageMagick 188.8.131.52 squashed “a dump truck load of VisualStudio compiler warnings” and had an impressive amount of CVE fixes. The update of libreoffice 184.108.40.206 made a change to add poppler as a vendor for all codestreams except Tumbleweed. OpenSSH 8.8 added some new features and security fixes; the release disables RSA signatures using the SHA-1 hash algorithm by default since the SHA-1 hash algorithm is cryptographically broken, according to the changelog. A major version of the openSUSE package checkmedia updated from version 5.4 to 6.1, which provided an add version option to tag media and fixed the auto-detect of a suitable signature location for Red Hat media. Other packages in the snapshot to update were libvirt 7.8.0, libzypp 17.28.5, firewalld 1.0.1 and more.
The new 5.2 major version of caching proxy squid was among the many packages updated in snapshot 20211008. The Web supporting package for HTTP, HTTPS and FTP added a Kerberos Group Helper and Loop Detection in Content Delivery Networks. The new version also fixes issues with Web Cache Communication Protocol that could have led to information being disclosed based on CVE-2021-28116. Linux Kernel 5.14.9 provided multiple USB additions and added a Memory Tagging Extension support check to thread switching and syscall entry/exit for AArch64. CVE-2021-42013 was fixed with the apache2 2.4.51 update. The update of redis 6.2.6 focused on fixing bugs that involved behavior changes and made some improvements by adding a latency monitor sample when a key is deleted via a lazy expire. Samoa has made the decision to no longer observe Daylight Saving Time and Jordan shifted its DST to the last Thursday of February, which was reflected in the timezone 2021c package update. Other packages to update in the snapshot were libsolv 0.7.20, Samba 4.15.0, libstorage-ng 4.4.43 and the 21.08.1 versions of KDE Gear’s umbrello and yakuake packages.
Respin of openSUSE Leap Images are Coming
These respins allow users to take advantage of the latest bug fixes and updates immediately, which reduces the bandwidth for online updates after an installation of the General Availability (GA) release. Amended ISO images can update packages like GRUB and shim to improve these bootloader and firmware packages for users.
The updated ISO images, which contain a number extension in the filename like 15.3-X to distinguish from the GA release, will have a different checksum than the previously released images. The old ISO image found on get.opensuse.org will be removed and replaced with an up-to-date respin image.
With the completion of the setup process and initial rebuilds, the test results are showing little difference from the original GA release of Leap 15.3; the work continues and a respin will be available soon.
Users can expect a respin of Leap after any rebuild of SUSE Linux Enterprise for similar reasons as both Leap and SLE are connected.
Similar to the openSUSE Tumbleweed blogs, each respin of Leap is expected to have an article published on news.opensuse.org giving people information on what the rebuild changed or fixed, which will also be available in the changelog on download.opensuse.org.
Twenty-Five Years of KDE
It's KDE's birthday today. Twenty-five years ago Matthias Ettrich called for programmers to create a GUI for end users of Linux. They came and did. I wrote about the first Twenty Years of KDE five years ago. What I wrote there is still true, but there is more.
|The table where KDE was founded|
KDE started with tremendous ambition and momentum. Creating this unified graphical user interface, this integrated desktop for Linux, this vision drove hundreds and hundreds of amazing people to put together a massive amount of code, the desktop and tons of applications to cover all needs. And they succeeded, KDE's desktop represents the state of the art for many years now, on par with the best alternatives out there.
Over the years, with a growing community, the focus shifted. KDE was not only about this integrated desktop anymore, it turned into an umbrella for dedicated sub-communities working on specific parts and applications. The community got bigger and more diverse and created applications such as Kontact, Kate, Okular, Krita, GCompris or Kdenlive. All of them are at the top of their category.
|KDE Plasma 5.22|
I use KDE software for more than two decades now. I read my mail with KMail, I operate my shell with Konsole, I edit my texts with Kate, I manage my desktop with Plasma. It's special for software to stand this test of time. KDE's software is stable, it's durable, it's reliable, it's carefully adapted to deal with changes in its environment, so that it stays fresh and familiar at the same time. Some may remember the heat we got for breaking things with KDE 4.0. That was thirteen years ago. It has been much smoother sailing since then. So maybe this is what I learned to appreciate the most over the last years: KDE creates sustainable software.
The same is true for the community. The community always was KDE's finest features for me and, as I know, for many others as well. I met many very good friends there, and it's still great to also meet new people. People join, people leave, people stay around. It's a very healthy mix. KDE creates sustainable community.
|Akademy 2021 group photo by Akademy Team (CC-BY)|
There is a very strong feeling which keeps this together, the feeling of doing meaningful things together. It's an experience which is tremendously strong in KDE, but also in many other Free Software projects. Being free and empowered to do these changes you want to see in the software you use. Having people around you who support you, praise and criticise your work, and work with you on a shared purpose. This can be an incredibly strong source of motivation and satisfaction and happiness. It definitely has been for me.
Thanks, KDE, for a wonderful twenty-five years, and all the best for many more to come.
Google Analytics: the gold standard?
Ever since I started this personal blog site, I was curious if people actually read what I write. Luckily, based on the responses I received on Twitter, LinkedIn and in private, there is no problem with that. Next I wanted to see numbers. I was told that Google Analytics is the gold standard of measurement. Well…
Let's start with the basic problem: even my own visits are not counted. The reason is simple: uBlock Origin. I need to use my tablet to get my visit counted, the only device where I do not use an ad blocker. According to Google Analytics, my most popular blog is about listening to music, while my IT and security related blogs are barely read by anyone. When I check the raw logs, the picture is quite different. My estimate is that, depending on the topic, 20 to 80 percent of visitors fly under the radar when it comes to Google Analytics.
Once upon a time I used webalizer to analyze my logs. Awffull is a fork of webalizer, but also has been dead for a long time. But while 20 years ago its output was considered to be rich and beautiful, it is like a time capsule now. A bit of nostalgia, but otherwise not much useful. It includes all results, including search and other bots.
Last week I asked around what I should use to replace Google Analytics. Quite a few people suggested that I keep using GA, as even if it is not much use, it is still the gold standard. However, it is a personal blog without any ads. It is not a business site and I am more curious about real usage than how many ads I can serve.
Another frequent suggestion was Matomo. It is available both on-premise and as a cloud service. When used from the cloud it has the same problems as GA. Probably a bit more accurate results, but still blocked by ad blockers. And some posts suggest that on-premise installations are also effectively blocked.
To a lesser extent, but it seems to have the same problem as Matomo and GA.
I plan to experiment a bit. I might even try Matomo and/or Plausible. But first I plan to set up syslog-ng with Elasticsearch and Kibana, and see what I can do with the raw logs myself. A couple of ideas:
- syslog-ng can parse Apache access log and store the results in Elasticsearch
- based on the User-Agent I can label some traffic as RSS, search engine and probably a few more categories
- probably the closest to the truth in terms of human visitors: check CSS downloads with a page referrer
I hope that I’ll learn not just about my website traffic, but also more about syslog-ng, Elasticsearch and Kibana. And as many of my friends are in information security, working with raw logs promises to be the most effective.
If you have any suggestions, you can reach me on Twitter or LinkedIn (links in the upper right corner).
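The raw-log ideas listed in this post (parse the Apache access log, label traffic by User-Agent, count stylesheet downloads that carry a page referrer) can be tried out in a few lines. This is an added example, not code from the original post, and it uses plain Python rather than syslog-ng and Elasticsearch; the hostname blog.example, the User-Agent markers and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

SITE_HOST = "blog.example"  # assumption: placeholder for the blog's hostname
# Apache "combined" log format: client, time, request, status, size, referrer, agent.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Assumed substring markers; tune them against the agents in your own logs.
AGENT_LABELS = [("rss", ("feed", "rss")), ("bot", ("bot", "crawler", "spider"))]

def label_agent(agent):
    low = agent.lower()
    for label, markers in AGENT_LABELS:
        if any(marker in low for marker in markers):
            return label
    return "other"

def analyze(lines):
    """Return (requests per agent label, likely-human views per page)."""
    labels, views, seen = Counter(), Counter(), set()
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        label = label_agent(m["agent"])
        labels[label] += 1
        ref = urlsplit(m["referrer"])
        is_css = m["path"].split("?", 1)[0].endswith(".css")
        # A stylesheet fetched with an on-site page as referrer means a
        # browser rendered that page; count it once per client and page.
        if is_css and label == "other" and ref.hostname == SITE_HOST:
            if (m["ip"], ref.path) not in seen:
                seen.add((m["ip"], ref.path))
                views[ref.path] += 1
    return labels, views

# Constructed sample lines (documentation IP ranges), not real traffic.
FX = "Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"
T = "[15/Oct/2021:10:00:00 +0200]"
SAMPLE = [
    f'192.0.2.10 - - {T} "GET /posts/sudo/ HTTP/1.1" 200 5120 "-" "{FX}"',
    f'192.0.2.10 - - {T} "GET /css/style.css HTTP/1.1" 200 2048 "https://blog.example/posts/sudo/" "{FX}"',
    f'192.0.2.44 - - {T} "GET /css/style.css HTTP/1.1" 200 2048 "https://blog.example/posts/music/" "{FX}"',
    f'198.51.100.7 - - {T} "GET /posts/sudo/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    f'203.0.113.5 - - {T} "GET /feed.xml HTTP/1.1" 200 900 "-" "Feedly/1.0"',
]
```

Calling analyze(SAMPLE) returns the per-label request counts and the per-page view estimate. The bot and feed reader requests are labelled but never counted as page views, because they do not fetch the stylesheet with a page referrer.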
Sending logs to Panther using syslog-ng
Panther is an open-source log management system, which is also available as a service for a time-limited trial. It is still in beta phase, but it looks promising. You can see the “beta” sign on its opening page: https://app.panther.support/ I tested the time-limited cloud service version, but you can also install it locally, either from Dockerhub, or you can build the containers locally from the source.
Even if it is still in beta phase, Panther comes with detailed documentation. There is a notable exception: while syslog-ng is shown on some of the figures, documenting it is still to be done. This blog helps you to get started with sending logs to Panther, using syslog-ng. You can use either legacy syslog with TLS encryption (still a bit problematic) or the http() destination to send logs to the Panther HTTP API.
Oct 8th, 2021
GNOME, Salt Update in Tumbleweed
Mesa’s 21.2.3 update focused on bug fixing, which arrived in snapshot 20211005. The 3D graphics package fixed a significant performance drop on the Radeon HD 8400 graphics card. Mozilla Thunderbird 91.1.2 now warns if an S/MIME encrypted message includes BCC recipients. The email client update also fixed delivery status notifications, which were only showing for the first recipient. Another email package, mailutils, updated to version 3.13 and fixed semantics of mail sending and saving commands. PipeWire 0.3.38 made various bluetooth compatibility improvements and the audio/video package for Linux now has better description service files for systemd. The only major-version update in the snapshot was sysvinit 3.00. The sysvinit package, which is for controlling the startup, running, and shutdown of a system, now provides better device detection of bootlogd. The btrfs file system updated to 5.14.1; the updated version fixes parsing of compression (option -c) and added a workaround for old kernels when reading zone sizes. Other packages to update in the snapshot were exim 4.95, Kernel-firmware 20210928 and more.
A minor update of Firefox came on the first of the month in snapshot 20211001. The 92.0.1 web-browser update fixed an issue where audio playback was not working on some Linux systems. An update of salt 3003.3 added an enormous amount of patches and made a fix to periodically restart the fileserver update process to avoid leaks, according to the changelog. The update of audit 3.0.5 fixed various issues when dealing with corrupted logs. Roughly 10 other packages were updated in the snapshot.
GNOME 41 arrived in snapshot 20210929. The new release provides significant improvements for developers, a new developer documentation website, new features in the Builder IDE and GTK4 enhancements. The software center has a new look and makes it easier to browse and discover apps. GNOME’s new remote desktop client Connections replaces the remote desktop functionality that was previously found in Boxes. The CD/DVD burner brasero made translation improvements and added some Help improvements in version 3.12.3. There was an update to glib2 2.70.0 in the snapshot and a major update of libsoup 3.0.1 removed unused dependency on libxml. The 18.8.16 version of NetworkManager-openvpn fixed the parsing of incomplete IPv6 configurations pushed by a server. Other packages to update in the snapshot were upower 0.99.13, rubygem-bundler 2.2.27, gupnp 1.4.0, vte 0.66.0 and several other GNOME-related libraries.
Sudo 1.9.8: intercepting commands
A month ago, when sudo 1.9.8 was still under development, we checked out the new log_subcmds option. It allows you to log all commands (with some limitations) that are executed by a command started through sudo. For example, you can see if a shell was started through a text editor. The intercept option brings this one step further: you can prevent sub-commands from even running.
Read the rest of my blog at https://blog.sudo.ws/posts/2021/10/sudo-1.9.8-intercepting-commands/
New Survey Aims to Gain Packager, Maintainer Insights
There are tools to monitor the health of packages, but the project doesn’t have tools to monitor the health of packagers.
Giving the floor to packagers, who are the dedicated working hands behind the betterment of distributions, will illuminate areas the openSUSE Project can improve upon to gain new contributors. The project wants to give the floor to the packagers so they can express as a group the challenges and complexities they face.
The aim is to take this information and find ways to make their contributions more pleasant and rewarding. Apart from the typical demographics questions, there are questions about tooling, contributions and contributor satisfaction.
Visit https://survey.opensuse.org/ to take the survey today.