Firefox, Apache, LibreOffice update in Tumbleweed
This week in openSUSE Tumbleweed there was a change from a 2048 bit RSA to a 4096 bit RSA key and four snapshots were released so far.
The larger bit key was a security recommendation and can be found in /usr/lib/rpm/gnupg/keys. The key can be viewed with rpm -qi and the key name. More info about the topic can be found on the Factory email thread.
The latest snapshot to arrive was 20230124. This snapshot updated apache2 to 2.4.55 and took care of a few Common Vulnerabilities and Exposures. CVE-2022-37436 describes a flaw where a malicious backend can cause the response headers to be truncated because they are not cleaned when an error is found while reading them. This could result in some headers being incorporated into the response body and not being interpreted by a client. CVE-2006-20001, which could result in a Denial of Service attack, was fixed. An update of gedit 44.2 fixed a plugin bug and updated translations. The gnome-desktop 43.1 version fixed a thumbnails issue and made the default es-US keyboard more sensible. Meanwhile, glib2 2.74.5 also updated translations and the package dropped a patch that was fixed by upstream. An update of dracut fixed missing entries from version 058 that were added in the 059+suse update; it also adds execute permissions for chore scripts. An update of sudo 1.9.12p2 fixes compilation errors, a potential crash and CVE-2023-22809, which had affected how sudoedit handles user-provided environment variables. The package for atomic updates for Linux operating systems, transactional-update, had some cleanup and small code optimizations in the 4.1.2 version. It also had a fix where previously internal mounts would potentially overwrite user bind mounts. Portuguese and Macedonian languages were updated in yast2-trans. Text editor vim 9.0.1234 and a few other packages were updated in the snapshot.
A few RubyGems and Python Package Index packages were updated in snapshot 20230123. The rubygem-rack updates to 2.2.6.2 and 3.0.4.1 fix three CVEs, all related to regular expression denial of service attacks. An update of python-future, which is a missing compatibility layer between Python 2 and Python 3, updated to version 0.18.3 and added a docker push to optimize continuous integration. The package also dropped a CVE-2022-40899 patch, which could have allowed a remote attacker to cause a denial of service via a crafted Set-Cookie. Several other packages were updated in the snapshot including CoreFreq 1.95.1, which is CPU monitoring software designed for 64-bit processors; it adds support for AMD and Intel hardware.
A new major version of Mozilla Firefox arrived in snapshot 20230122. Firefox 109.0! The new version has changes to the WebExtensions Application Programming Interface that is termed Manifest V3 (MV3). The extension support is now enabled by default; it ushers in user interface changes in the form of the new extensions button that looks like a puzzle piece. Linux specific CVE-2023-23598, which was related to a GTK wrapper, was fixed and Spanish users got some changes. The browser builds for es-ES and es-AR locales now come with a built-in dictionary for the Firefox spellchecker. The update of git 2.39.1 took care of a log format and a parsing integer overflow. The update of iptables 1.8.9 supports more chunk types in the Stream Control Transmission Protocol extension; its administration space tool arptables also supports an --exac flag. An update of LibreOffice 7.4.4.2 fixes more than 110 bugs, among them tdf#152495, which crashes Writer when dismissing a guide dialog with the escape button. A fix was also made that deletes paragraph breaks while moving text in “track changes” mode. Several other packages updated in the snapshot like yast2 4.5.22, xfsprogs 6.1.1, icewm 3.3.0, llvm15 15.0.7 and more.
GNU Compiler Collection 13.0.1 was updated in snapshot 20230119 and it added a patch to fix unwinding on AArch64 with pointer signing. The kernel-source 6.1.7 update had fewer than a handful of Advanced Linux Sound Architecture fixes and Direct Rendering Manager optimizations. Line-oriented text editor ed 1.19 changed the long name of option -s to --script; the option -s now only suppresses byte counts. The adwaita-xfce-icon-theme 0.0.3 package also updated in the snapshot.
Modern SRAM Memory Replacement for the Commodore 64
Syslog-ng 101, part 5: Sources
This is the fifth part of my syslog-ng tutorial. Last time we had an overview of the syslog-ng configuration and had our first steps working with syslog-ng. Today we learn about syslog-ng source definitions and how to check the syslog-ng version and its enabled features.
You can watch the video on YouTube:
Or you can read the rest of the tutorial as a blog at: https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-101-part-5-sources

JSAUX Screen Protector for the SteamDeck
Request Page Redesign - Facilitating the Review Process
openSUSE Simplifies Codec Installation
The openSUSE Project was so inspired by Fedora’s efforts to make Cisco’s OpenH264 codecs and FDK AAC available to its users that members reached out to Cisco’s open-source team to do the same for openSUSE’s user base.
One obstacle to overcome is that free redistribution of the codecs is currently limited to 100,000 users, so board member Neal Gompa and openSUSE’s Leap release manager Lubos Kocman proposed a way to simplify the codec installation in openSUSE.
The codec library, which supports H.264 encoding and decoding, is suitable for real-time-application use like WebRTC. The simplification of the installation will make out-of-the-box use much easier for openSUSE users.
Cisco, whose efforts the openSUSE Project is very thankful for, agreed to an approach for OpenH264 redistribution to openSUSE users via Cisco-owned infrastructure. A release workflow for OpenH264 was envisioned, with a three-step approach handled via a set of scripts in openSUSE Release Tools.
A workflow script triggers and sends Cisco an email with an archive containing OpenH264 rpm packages; it makes a snapshot of data that is then sent or “POSTed” for manual extraction of the Cisco binaries. The process ensures that the project always has a set of related binaries in the Open Build Service.
An archive is created and sent by one of the multimedia:libs:cisco-openh264 project maintainers.
The package is signed in OBS by the openSUSE key, so the origin of the package can be verified. The repository metadata is published by OBS under codecs.opensuse.org/openh264.
The archive must contain only packages with Cisco OpenH264 and related OpenH264 GStreamer plugins. Adding any other content not covered by the agreement from Cisco, especially other codecs, would lead to a violation.
Potential improvements to the existing workflow have already been discussed, but the initial efforts are set to provide openSUSE a more simplified experience after installation.
Or enable repo manually by running the following:
Leap
sudo zypper ar http://codecs.opensuse.org/openh264/openSUSE_Leap repo-openh264
Tumbleweed or MicroOS
sudo zypper ar http://codecs.opensuse.org/openh264/openSUSE_Tumbleweed repo-openh264
Installation
sudo zypper in gstreamer-1.20-plugin-openh264
The openh264 repository will be enabled by default on all new installations of openSUSE Tumbleweed starting with the next snapshot iso build. It will also be available as part of openSUSE Leap 15.5 Beta.
Alternatively, using the openSUSE-repos for repository management will provide users an openh264 repo definition as part of the latest update. Users will need to remove old duplicate repo definitions manually as found in the project README file.
AAC has already been part of the distribution for several months.
Spell Check in KDE Plasma | Specifically Dolphin File Manager
Linux Saloon | News Flight Night 9
New 4096 bit RSA signing key for Tumbleweed
This week’s openSUSE Tumbleweed snapshots will switch the RPM and repository signing key of Tumbleweed from 2048 bit RSA to a 4096 bit RSA key.
This switchover was necessary to meet current security recommendations. If you are regularly updating your Tumbleweed installation, the key will already have been imported into the RPM keyring; it is also in the openSUSE-build-key package.
The GPG fingerprint of the new key:
pub rsa4096/0x35A2F86E29B700A4 2022-06-20 [SC] [expires: 2026-06-19]
Key fingerprint = AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4
uid openSUSE Project Signing Key <opensuse@opensuse.org>
Note that openSUSE Leap 15.4 and 15.5 will also switch to using this key, and also the openSUSE Backports and SLE repositories will switch to 4096 bit RSA keys in 2023.
If you have questions about this, feel free to reach out to the Factory or Security mailing lists at Lists.
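A way to check a key file against the fingerprint published above before trusting it, as an added example that is not part of the original announcement. The function name and the sample listings are constructed for illustration; only the fingerprint, key ID and uid come from this page.

```shell
#!/bin/sh
# Fingerprint as published in the announcement above.
EXPECTED_FPR="AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4"

# Reads a `gpg --with-colons` key listing on stdin. Succeeds only if the first
# primary key is RSA (algorithm 1), 4096 bits, with the expected fingerprint.
check_key_colons() {
    want=$(printf '%s' "$EXPECTED_FPR" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" && !seen { bits = $3 + 0; algo = $4 + 0; seen = 1; next }
        $1 == "fpr" && seen && fpr == "" { fpr = toupper($10) }
        END {
            if (!seen)        { print "no primary key in input";       exit 2 }
            if (algo != 1)    { print "not RSA (algorithm " algo ")";  exit 3 }
            if (bits != 4096) { print "unexpected size: " bits " bit"; exit 4 }
            if (fpr != want)  { print "fingerprint mismatch: " fpr;    exit 5 }
            print "ok: rsa4096 " fpr
        }'
}

# Constructed sample listings (timestamps and the second key are made up).
SAMPLE_NEW='pub:-:4096:1:35A2F86E29B700A4:1655683200:1781827200::-:::scESC:
fpr:::::::::AD485664E901B867051AB15F35A2F86E29B700A4:
uid:-::::1655683200::::openSUSE Project Signing Key <opensuse@opensuse.org>:'
SAMPLE_OLD='pub:-:2048:1:0000000000000000:1200000000:::-:::scESC:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1200000000::::Constructed 2048 bit key <nobody@example.invalid>:'

printf '%s\n' "$SAMPLE_NEW" | check_key_colons
printf '%s\n' "$SAMPLE_OLD" | check_key_colons || echo "rejected (exit $?)"

# Real use, with <keyfile> standing for a file under /usr/lib/rpm/gnupg/keys:
#   gpg --show-keys --with-colons <keyfile> | check_key_colons
```

Comparing the full 40-character fingerprint rather than the short key ID is the point of the check, since key IDs can collide.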
Here is the whole GPG key if you want to import it manually:
openSUSE Tumbleweed – Review of the week 2023/03
Dear Tumbleweed users and hackers,
For Tumbleweed, things are steadily rolling. Updates come in (mostly pre-tested in devel projects), are staged, pass staging (most requests pass in a day), and are then added to a snapshot. Sounds rather unspectacular. Of course, this is the optimal case, which does not work in some cases (as seen on the ‘future changes’ that have been carried over for a few weeks already). But all that does not have an impact on users’ workstations, as we simply do not deliver those aspects which are known not to be ready.
With all this going on, we have again delivered 7 snapshots during the last week (0112…0118), containing the following, noteworthy changes:
- File 5.44
- Mesa 22.3.3
- Salt 3005.1
- NetworkManager 1.40.10
- Fuse 3.13.0
- Pipewire 0.3.64
- KDE Frameworks 5.102.0
- Linux kernel 6.1.6
- Node.JS 19.4.0
- python Sphinx 6.1.3
- libraw 0.21
- RPM: added support for x86_64 microarchitecture. This was the last bit missing to allow packages to start shipping hardware-optimized libraries (glibc hwcaps enabled loading)
In the staging areas, we are currently testing the impact of these changes:
- Linux kernel 6.1.7
- Mozilla Firefox 109.0
- Mesa adding support for Rusticl (See https://docs.mesa3d.org/rusticl)
- LibreOffice 7.4.4.2
- LLVM 15.0.7
- Boost 1.81.0: breaks libetonyek and LibreOffice
- GnuPG 2.4: breaks gpgme:qt
- Ruby 3.2 to become the default ruby version: YaST is failing
- Switch to openSSL 3: Progress tracked in Staging:N
- Initial tests to set GCC 13 as the system compiler
The openSUSE Tumbleweed repositories are scheduled to change their signing key from the now-used 2048 RSA key to a new 4096bit RSA key. The new public key has been rolled out to the systems since snapshot 20220811, which should make the migration to the new key transparent for all regularly updated systems. Please see the extra announcement on the mailing list.
Besides all this, please keep in mind that the repositories for i586 installations are going to change. i586 is being split out from the main repositories and handled like the other ports (arm, powerpc, s390x). Anybody can already change the repo manually and perform tests; by the end of January, we will deploy code that will switch the repositories automatically. By the end of March, we expect all users to have migrated their repositories and we will remove all i586 RPMs from the published repositories (-32bit.x86_64 will remain for wine/steam). More details on this can be found in this post.