The syslog-ng Insider 2021-11: 3.35; SSB; MacOS; mqtt() destination updates;

Better late than never: I just put the November syslog-ng newsletter online. Topics include:

  • syslog-ng version 3.35.1 is now available
  • Sending logs from syslog-ng store box to Splunk
  • MacOS support
  • Syslog-ng 3.34: MQTT destination with TLS and WebSocket support

It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2021-11-3-35-ssb-macos-mqtt-destination-updates

openSUSE Tumbleweed – Review of the week 2021/47

Dear Tumbleweed users and hackers,

Winter has come – at least that’s what I heard some colleagues talk about these days. Luckily, for me, there is no snow out yet and Tumbleweed has sufficient grip to roll ahead without getting stuck. As such, we have published 7 snapshots this week (1118…1124).

The main changes published as part of those snapshots were:

  • Linux kernel 5.15.2 & 5.15.3
  • Mesa 21.3.0
  • Node.JS 16.13.0
  • Firewalld 1.0.2
  • php 7.4.26
  • util-linux 2.37.2
  • cURL 7.80.0
  • git 2.34.0
  • systemd 249.7
  • icu 70.1
  • Rust 1.56.1
  • tbb 2021.4.0

That’s quite a big bunch of what was in the stagings over the last few days/weeks. Some things are still left, and other new stuff has landed for testing:

  • Linux kernel 5.15.5
  • Mozilla Firefox 94.0.2
  • Virtualbox 6.1.30
  • Poppler 21.11.0
  • Automake 1.16.5: strict on not calling twice AM_AUTOMAKE_INIT in configure.ac
  • GCC 11: Enable the full cross compiler, cross-aarch64-gcc11 and cross-riscv64-gcc11 now provide a fully hosted C (and C++) cross compiler, not just a freestanding one
  • cmake 3.22.0
  • Moving default php version from php7 to php8
  • pipewire 0.3.40, with a move from pipewire-media-session to wireplumber; currently failing openQA
  • Bash: moving away from update-alternatives to handle /bin/sh, to allow busybox to step in as ‘sh’ provider. We are switching to a package replacement model (e.g. bash-sh, busybox-sh). Those packages will install the relevant /bin/sh symlinks
  • openSSL 3.0: No visible progress in the staging. Main blockers so far seem to be python 3.6 and python-cryptography

the avatar of Nathan Wolf

DOSBox Basics on Linux

DOSBox is an excellent DOS environment that you can enjoy on modern Linux systems. I was never really into DOS all that much in my early computer years. I used it but I didn’t really enjoy it. I much preferred Commodore 64 because it was far more colorful, later the Amiga, because it was far […]
the avatar of openSUSE News

Git, curl, systemd Roll with Tumbleweed

openSUSE Tumbleweed gave rolling release users a snapshot every day this past week.

The latest snapshot to be released was 20211124. This snapshot brought systemd 249.7, which focused on package tests and updated dependencies for the testsuite. The text editor vim had a minor update to version 8.2.3640, but it was filled with many fixes; some of the fixes included taking care of a memory leak, crashes and performance issues related to GTK. The removal of a redundant script header was made in the update of dracut and optimal compression parameters were made for zstd in the Linux-boot process package. Other packages to update in the snapshot were autoyast2 4.4.22, embedded Linux library ell 0.46, GNOME’s document viewer evince 41.3 and gtk-vnc 1.3.0.

Snapshot 20211123 updated git 2.34.0, which removed the --preserve-merges option of git rebase. The package also adjusted git add, git mv, and git rm to avoid updating paths outside of the sparse-checkout definition unless the user specifies a --sparse option. The C client library mariadb-connector-c 3.2.5 removed a callback function because it could not be cleared; this affected versions equal to or less than OpenSSL 1.0.2. Also updated in the snapshot were yast2-packager 4.4.14, yast2-schema 4.4.6 and yast2-trans; the latter had updated translations for Japanese, Slovak and Catalan.

The second Linux Kernel update of the week arrived in snapshot 20211122. With the kernel-source 5.15.3 update, Advanced Linux Sound Architecture for Clevo computers was fixed. KVM had a few changes to include one for the handling of dynamic Model-Specific Register (MSR) intercept toggling. Daniel Stenberg provided video content about the updates for curl 7.80.0; the release, which is the 204th, added SHA256 fingerprint support and fixed a memory leak if an SSL session cannot be added to the cache. An update of xfsprogs to version 5.14.0 introduced liburcu support. The yast2-bootloader 4.4.8 package configured the custom boot partition and made it more robust and intuitive. Other openSUSE packages to change were snapper, which was retrograded from version 0.9.1 to 0.9.0, and transactional-update 3.6.2, which fixed several applications that failed to run if a mount point has the unbindable mount flag set. Web framework package python-falcon had a minor release of a major upgrade to 3.0.1; the upgrade from the previous 2.0.0 version that Tumbleweed had now includes ASGI-based asyncio and WebSocket support; the package brings better error handling with enhancements to existing features. A few pypi packages were updated in this and the previous day’s snapshot.

The pypi packages that arrived in snapshot 20211121 were python-requests 2.26.0, python-importlib-resources 5.4.0 and python-packaging 21.2, which dropped support for Python 2.7, Python 3.4 and Python 3.5. A backport of upstream commits became available with the update of systemd-rpm-macros 14. The other two packages to update in the snapshot were util-linux 2.37.2 and util-linux-systemd 2.37.2.

The update of systemd 249.6 arrived in snapshot 20211120 and there is a complete list of changes available on GitHub; there was a mass amount of documentation improvements in the package update as well. An update of firewalld 1.0.2 fixed some typos and classifications related to nftables. An update of yast2-storage-ng 4.4.14 from a YaST Sprint in October adapted the way YaST references LUKS devices in the fstab file to make it easier for systemd to handle some situations. Other packages updated in the snapshot were php7 7.4.26, libstorage-ng 4.4.57, ncurses 6.3 and more.

Mesa 21.3.0 was one of the packages to update in snapshot 20211119. The Mesa update makes the Panfrost driver officially GLES 3.1 conformant. The update of nodejs16 16.13.0 brought in an experimental ESM Loader Hooks Application Programming Interface. Fixes to stack overflow when parsing malicious ps image files were made in the update of ImageMagick 7.1.0.14. The image editor will no longer copy the profile of the PSD file to all the images; only the first returned image will contain the profile. To re-enable the old behavior add -define psd:replicate-profile=true. The update of snapper to version 0.9.1 looked to fix some systemd sandboxing before being retrograded in a later snapshot. Many YaST packages were updated in the snapshot like yast2 4.4.22, autoyast2 4.4.21, yast2-installation 4.4.22, yast2-packager 4.4.13 and yast2-update 4.4.4. The updates for these packages are regularly described in YaST blogs.

Starting out the week, snapshot 20211118 gave users a reason to smile with an update of GNOME’s webcam application cheese 41.1, which updated the description of the project along with translations. An update of iproute2 5.15 added Link Aggregation Control Protocol active support and python-argon2-cffi 21.1.0 was modified to skip building for Python 2 because it is not supported anymore. The Linux Kernel updated from version 5.14.14 to version 5.15.2 in Tumbleweed to start a continuous week of joyful snapshots. Have a lot of fun!

the avatar of FreeAptitude

Be more productive with Bash aliases

Aliases are one of the most interesting features provided by a Bash shell, and probably the last to be regularly adopted. Usually, they are intended as a way to create shortcuts to execute the most used commands followed by the options that are not assumed by default from the command itself. However, there is a more appealing way to write them that boosts our productivity when executing either frequent or infrequent tasks.

the avatar of YaST Team

Digest of YaST Development Sprints 135 & 136

After almost a month of radio silence, the YaST Team is back with another development report. The two latest sprints brought:

  • New features like:
    • More general LUKS2 support in the Partitioner
    • Mechanisms to detect if the system boots using EFI both in AutoYaST rules and ERB templates
    • Enhanced handling of NTLM authentication in linuxrc
  • Usability improvements in several areas of YaST
  • Dropping some legacy features to have a more sane code-base
  • More internal refactoring in the area of software management
  • Many fixes here and there

So let’s dive into the details.

New Features

As already explained in this same blog quite some time ago the YaST Partitioner can be used to set up several kinds of encryption, but “Regular LUKS2” was not one of those. That was intentional because using LUKS2 comes with many challenges, as summarized in this Bugzilla comment. But now the time has come to start introducing experimental support for general LUKS2 encryption. Initially it will be available in openSUSE Tumbleweed and pre-releases of SLE-15-SP4 but only if the environment variable YAST_LUKS2_AVAILABLE is set. Check the description of this pull request for screenshots and more information.

Support for LUKS2 in AutoYaST will have to wait a bit, until we have received some feedback from interactive installations and ironed out all the details. But AutoYaST users can meanwhile test and enjoy another new feature available also in Tumbleweed and 15.4 pre-releases - support for identifying EFI systems in dynamic profiles, which includes both rules and ERB templates. Learn more and see some examples in the description of the corresponding pull request.

The last feature for Tumbleweed and the upcoming 15.4 that we want to highlight in this report is the brand new support for NTLM authentication in linuxrc. The authentication process is actually delegated to curl. Passing credentials to curl through the linuxrc parameters is as easy as you can see in the following examples:

  install=https://user:password@example.com/the_repo
  proxy=https://user:password@example.com

Usability Improvements

Sometimes, you don’t need to introduce a whole new shiny functionality to enhance the life of the end users. Small improvements can also have a big impact… although “small” doesn’t always mean “easy to implement”. In that regard we would like to highlight that:

  • We improved filtering and sorting in the list of DASD devices in s390 mainframes
  • The installation on that architecture will run in graphical mode if executed in QEMU and a Virtio GPU is detected
  • Configuring the custom boot partition in YaST2 Bootloader is now more robust and intuitive

Less Code, Fewer Problems

Going even further, enhancing the software is sometimes not even a matter of adding or polishing functionality but a matter of cleaning up features that are no longer useful, removing code and infrastructure in the process. Simpler usually means more robust and maintainable.

In that regard, you can check this pull request about management of group passwords or this other about the obsolete format to configure the partitioning proposal.

Internal Changes and Fixes

If you are interested in technical details and having a look at the YaST internals, we also have a couple of pull requests that could be interesting, like this fix for the detection of duplicated LVM structures and this improvement in the way YaST manages the initialization of its user interface.

Talking about internals, we mentioned several times our ongoing effort to restructure how software management works in YaST. You can see some more technical details in this gist if you have an interest in the design of computer programs and APIs.

Winter is coming

It’s less than one month to the official start of winter in the Northern Hemisphere. We keep working hard and we hope to give you at least another update of the YaST status before that date. Meanwhile we can only remind you, no matter in which part of the world you are, to have a lot of fun!

the avatar of Nathan Wolf

A 100 Mhz 6502 CPU | Blathering

I am not an expert in… well… anything, but I am continually impressed by the work done by so many in the world, especially in the “retro tech” world. I read this post by Jürgen Müller on his personal site concerning his project of an FPGA based 100 Mhz 6502 CPU. Just reading […]
the avatar of openSUSE News

MicroOS Expands Security With Keylime

Recently MicroOS gained some new options in relation with security. The distribution has now integrated Keylime, an open source project for doing remote attestation with TPMs.

If you follow the news about Windows 11, you are aware of what a TPM is. The Trusted Platform Module (TPM) is a cryptoprocessor, described by the Trusted Computing Group (TCG) in a specification that has been standardized in an ISO/IEC document. You can find the TPM already soldered in the mainboard of your computer, but they can also be found as a service in the firmware, or inside your CPU.

This co-processor can be used for many tasks related to security. For example, we can use it to generate symmetric and asymmetric keys, encrypt some memory blocks (not too big, as they are a bit slow), or as storage for keys that can be used only by us (or applications that have permissions).

Because the TPM from the factory has a unique key (known as the Endorsement Key or EK), it can also be useful to generate other keys that can later be used to check if some information comes from this specific machine or not. That is something very handy when we want to validate the source of some communication (for example, when logging into a VPN).

Another main use of TPM is for health attestation: we want to know if the system is in a good state, i.e., there is no change in the software that it is running since we turned it on.

That means that we need to measure all the software that has been running in the system since the very initial stages in the firmware, until the load of the Linux kernel and the initrd. Later we compare those measurements with the values that we know are the good ones, and if they match we will know that no change has been made in our system.

We can do that using the TPM. Each stage in the boot chain will need to load the next stage before delegating the execution to it. Before doing so we need to calculate a hash function (like SHA256, for example) of it, and report it back to the TPM to track the measurements.

After the boot has concluded, we can ask the TPM about those hashes, and compare them to the expected values. If they match our expectations, it is safe to assume that no change has been made in the software used since the initial boot stages, and the system is in good shape.

For security reasons, we want to do the comparison between the expected measures and the current one in a remote machine. This machine can ask about the current measurements, and request that this report has to be signed by the TPM. We can later validate the signature and do the comparison of the hashes with the expected values.

Keylime is the tool that can do this for us in a more rich and secure way. We can install an agent service in all the machines of our network, which will collect all the measurements and signatures and report it to the verifier service that will do the attestation.

MicroOS now has two new system roles that will install Keylime agents on our systems, and we can select one node to install the verifier role.

If you like the idea, you can find more information in the MicroOS blog and in the MicroOS portal. In there you will find technical details about how the TPM is really working and how to use Keylime with measured boot and IMA, all of which are using the TPM as a root of trust.
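The measure-then-compare flow described in this post can be modelled in a few lines. The following is an added example, not code from Keylime or MicroOS: it simulates a single SHA-256 PCR in software, and the stage contents, function names and result strings are constructed for illustration. The TPM-signed quote that protects the reported PCR value in transit is not modelled.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA256(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(stages: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Hash each stage before running it; return final PCR and event log."""
    pcr = bytes(PCR_SIZE)  # a PCR is all zeros after reset
    log = []
    for image in stages:
        digest = hashlib.sha256(image).digest()
        log.append(digest)
        pcr = extend(pcr, digest)
    return pcr, log


def verify(reported_pcr: bytes, log: list[bytes], golden: list[bytes]) -> str:
    """Verifier side: replay the log, then compare with known-good digests."""
    pcr = bytes(PCR_SIZE)
    for digest in log:
        pcr = extend(pcr, digest)
    if pcr != reported_pcr:
        return "log does not match PCR"  # the log itself was altered
    for i, (seen, good) in enumerate(zip(log, golden)):
        if seen != good:
            return f"stage {i} modified"
    if len(log) != len(golden):
        return "unexpected number of stages"
    return "trusted"


# Constructed sample boot chains (stand-ins for firmware, bootloader, kernel).
GOOD_CHAIN = [b"firmware v1", b"bootloader v1", b"kernel+initrd v1"]
TAMPERED_CHAIN = [b"firmware v1", b"bootloader v1", b"kernel+initrd v1 + rootkit"]
GOLDEN = [hashlib.sha256(s).digest() for s in GOOD_CHAIN]


def demo() -> dict[str, str]:
    good_pcr, good_log = measure_boot(GOOD_CHAIN)
    bad_pcr, bad_log = measure_boot(TAMPERED_CHAIN)
    return {
        "clean boot": verify(good_pcr, good_log, GOLDEN),
        "tampered kernel": verify(bad_pcr, bad_log, GOLDEN),
        # Agent presents the clean log, but the PCR reflects what really ran.
        "forged log": verify(bad_pcr, good_log, GOLDEN),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because extend chains each digest onto the previous PCR value, a stage cannot erase or reorder earlier measurements; it can only append to them.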

the avatar of Nathan Wolf
Mobile Photography

I love photography. I started taking photos four decades ago using a camera called Lubitel, a cheap Russian knock off of Rolleiflex. I switched from film to digital photography back in 2000, which was quite a bit earlier than most. I always treated mobile photography with strong skepticism (small sensor, too much processing, etc.) and have a dedicated camera with me everywhere.

Well, the problem is with the words “always” and “everywhere”. There can be many reasons why I do not have my camera with me:

  • doing grocery shopping
  • doing some sports
  • extreme weather
  • visiting a neighborhood where I’m afraid to take a camera and lenses worth thousands of dollars

However, I do not leave my eyes at home together with my camera. I never know when I’ll see some beautiful scenes while walking to the shop. Earlier I just took a deep breath that it’s a helpless situation and I went on, as I did not have a dedicated camera with me. Nowadays my view changed. Even if I do not have a real camera with me, I always have my mobile with me. As usual, there are exceptions here too: when I accidentally leave it in the charger :-)

Some of my favorite photos during the past few weeks were taken by my mobile phone. Yes, these photos are far from perfect from the technical point of view. But still, they captured the mood of the moment perfectly. And without my mobile I would have missed some nice moments of Autumn. So, using my mobile phone to take photos is still better than nothing.

Mobile Photography: Autumn mood 1.

Mobile Photography: Autumn mood 2.

You can find some of my photos on Gurushots