Steam Store Blank Fix on openSUSE
On teaching sudo
A few weeks ago I was in Lille, France for Pass the SALT, a conference focused on open-source software and security, and gave a training on sudo. Ever since the conference, I’ve been approached by people asking if I could give sudo training(s) for or through their organization. Instead of writing a short answer to everyone in private, here is a more detailed public response.
The short answer: it depends :-)
The long answer is a bit more complicated, but it’s well summarized in the short answer. Why?
First of all: I am not a trainer. Yes, I taught various subjects at university level, both as a graduate and as a PhD student. Along the way, I also provided introductory Linux training for banks and various certificate preparations. However, it was a long time ago in the galaxy. Yes, I can teach, but it is not my primary focus.
I am an open-source contributor, evangelist, and product guy. Sharing knowledge, training, teaching, name it whatever you want, is just a small part of my job and my interests. Both as an evangelist and product guy, learning from my audience is equally important. Visitors of the Pass the SALT conference are very open to discussions, both during the training and in the hallway. Many of the sudo 1.9 features were born from discussions at this conference. Unfortunately, a traditional teacher-student setup, especially if it is in a virtual classroom, makes this two-way communication and learning impossible. I am more of a product guy than a teacher, so I’m not that interested in simply teaching. You can find my article on the evangelist mindset at: https://opensource.com/article/21/1/open-source-evangelist
Secondly: I am not a sudo expert. Yes, I know some of the most advanced sudo features. I helped in designing, testing and issue reporting some of them. However, I’m not a practicing sysadmin anymore. I know the basics of sudo, and some of the most advanced or most recent features, but not much in-between. Over 90% of the people at my sudo talks and training have never heard about the advanced features I talk about, and most of them go home planning to test at least some of them in their environments. On the other hand, unlike me, they have some solid sudo foundations. They are interested in the advanced stuff.
TL;DR: I am very happy to go to conferences in real life, where I have a chance to have a two way communication with the audience. Where I do not have to teach the basics, and it is not just teaching, but also a discussion with active sudo users.
If you still think that I can be of any help for you, you can contact me on LinkedIn, Twitter, and Mastodon. You can find more details in the upper right corner of my blog.
PS: if you are a BSD guy, come to my training session at the EuroBSD conference: https://events.eurobsdcon.org/2024/talk/FLCHU3/

New Feature! - Unified Page to List Requests Across OBS
Freedesktop Specs Website Update
The Freedesktop.org Specifications directory contains a list of common specifications that have accumulated over the decades and define how common desktop environment functionality works. The specifications are designed to increase interoperability between desktops. Common specifications make the life of both desktop-environment developers and especially application developers (who will almost always want to maximize the amount of Linux DEs their app can run on and behave as expected, to increase their app’s target audience) a lot easier.
Unfortunately, building the HTML specifications and maintaining the directory of available specs has become a bit of a difficult chore, as the pipeline for building the site has become fairly old and unmaintained (parts of it still depended on Python 2). In order to make my life of maintaining this part of Freedesktop easier, I aimed to carefully modernize the website. I do have bigger plans to maybe eventually restructure the site to make it easier to navigate and not just a plain alphabetical list of specifications, and to integrate it with the Wiki, but in the interest of backwards compatibility and to get anything done in time (rather than taking on a mega-project that can’t be finished), I decided to just do the minimum modernization first to get a viable website, and do the rest later.
So, long story short: Most Freedesktop specs are written in DocBook XML. Some were plain HTML documents, some were DocBook SGML, a few were plaintext files. To make things easier to maintain, almost every specification is written in DocBook now. This also simplifies the review process and we may be able to switch to something else like AsciiDoc later if we want to. Of course, one could have switched to something else than DocBook, but that would have been a much bigger chore with a lot more broken links, and I did not want this to become an even bigger project than it already was and keep its scope somewhat narrow.
DocBook is a markup language for documentation which has been around for a very long time, and therefore has older tooling around it. But fortunately our friends at openSUSE created DAPS (DocBook Authoring and Publishing Suite) as a modern way to render DocBook documents to HTML and other file formats. DAPS is now used to generate all Freedesktop specifications on our website. The website index and the specification revisions are also now defined in structured TOML files, to make them easier to read and to extend. A bunch of specifications that had been missing from the original website are also added to the index and rendered on the website now.
Originally, I wanted to put the website live in a temporary location and solicit feedback, especially since some links have changed and not everything may have redirects. However, due to how GitLab Pages worked (and due to me not knowing GitLab CI well enough…) the changes went live before their MR was actually merged. Rather than reverting the change, I decided to keep it (as the old website did not build properly anymore) and to see if anything breaks. So far, no dead links or bad side effects have been observed, but:
If you notice any broken link to specifications.fd.o or anything else weird, please file a bug so that we can fix it!
Thank you, and I hope you enjoy reading the specifications in better rendering and a more coherent look!
openSUSE Asia Summit Logo Competition Announcement
The votes are in, and the openSUSE Asia Summit Organization Committee is pleased to announce the winner of the openSUSE.Asia Summit 2024 logo competition.
The openSUSE Asia Summit Organization Committee would like to extend our heartfelt gratitude for the invaluable contributions to the openSUSE.Asia Summit 2024 Logo Competition.
Choosing this year’s logo was tough because every submitted work was excellent, and the top three received equal votes.
We have finally decided to select Bayu Aji’s work from Indonesia as the logo of openSUSE.Asia Summit 2024.
Congratulations, Bayu! The winner will receive a special “Geeko Mystery Box”.
This year’s competition attracted 7 fantastic submissions from around the globe. The designs were all exceptional, and the votes were cast by the openSUSE.Asia Committee and Local Team. We sincerely thank everyone who participated in the voting process.
We would also like to express our appreciation to all the participants in the logo competition: Haruo Yoshino, Goofy Scalar, Kukuh Syafaat, Nikita Tripathi, and Daniel Galleguillos Cruz. We look forward to seeing you at the Summit!
Tumbleweed – Review of the week 2024/31
Dear Tumbleweed users and hackers,
As it happens every now and then, there are weeks when we build more snapshots than we publish. That’s exactly what happened during this week. We held back two snapshots – one due to kernel 6.10, which behaved very strangely on QXL graphics, and the 2nd one due to systemd 256 vs kiwi fights, where initrd is now extra protected and made some kiwi features misbehave, incl. self-install on MicroOS. So these were at least some things openQA could protect our users from. Unfortunately, some issues with systemd and Aeon have remained unnoticed; see https://bugzilla.opensuse.org/show_bug.cgi?id=1228659
Besides all this, we have released 4 snapshots during this week (0726, 0730, 0731, and 0801), containing these updates:
- Qemu 9.0.2
- bind 9.20.0
- AppArmor 4.0.2
- cURL 8.9.0
- Linux kernel 6.10.2
- 389-ds 3.1.1
- Mozilla Firefox 128.0.3
- git 2.46.0
- sysuser-tools 3.3
- cryptsetup 2.7.4
The staging areas are currently filled with these packages, many of them almost ready to be shipped:
- Mesa 24.1.5
- GStreamer 1.24.6
- GCC 14.2.0
- cURL 8.9.1: breaks test suites of libzypp and python-tornado6
- glibc 2.40: The only build failure left is samba
- Rust 1.80: virtiofsd is the one holding up here
- nftables 1.1.0: openQA is far from happy; nftables’ python bindings seem not to work
- go 1.22 as default: only transactional-update-notifier seems to be blocking
- Switch the default ffmpeg version from 6 to 7: mostly xine-lib and qt*-webengine failing; forcibly using older versions is still possible, as many packages are explicitly still on ffmpeg-4
- dbus-broker: some networking issue after upgrades left to work out
- GCC 14: phase 2: use gcc14 as the default compiler – lots of help needed: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:Gcc7
Tumbleweed Monthly Update - July 2024
Welcome to the monthly update for openSUSE Tumbleweed for July 2024. Last month was busy with events like the Community Summit in Berlin and the openSUSE Conference. Both events were productive and well-received. Despite the busy schedule and follow-on discussion from the conference about the Rebranding of the Project, a number of snapshots continued to roll out to users this month.
Stay tuned and tumble on!
Should readers desire more frequent information about snapshot updates, they are encouraged to subscribe to the openSUSE Factory mailing list.
New Features and Enhancements
- Linux Kernel 6.9.9: This kernel introduces several important fixes and enhancements across various subsystems. Key updates include the introduction of devm_mutex_init() for mutex initialization in multiple components, addressing issues in the Hisilicon debugfs uninit process, and resolving shared IRQ handling in DRM Lima drivers. Fixes in the PowerPC architecture avoid nmi_enter/nmi_exit in real mode interrupts, while networking improvements prevent unnecessary BUG() calls in net/dql. Enhancements in WiFi drivers such as RTW89 include improved handling for 6 GHz channels. Updates in DRM/AMD drivers address multiple issues, from uninitialized variable warnings to ensuring proper timestamp initialization and memory management. The RISC-V architecture receives a fix for initial sample period values, and several BPF selftests see adjustments for better error detection. These updates collectively enhance system stability, performance, and security. Snapshot 20240730 updated the Linux Kernel to version 6.10.2 after this blog was first published.
- KDE Plasma 6.1.3: Discover now auto-handles Flatpak rebases from runtimes and properly uninstalls EOL refs without replacements. In Kglobalacceld, invalid keycodes are explicitly processed. Kpipewire introduces proper cleanup on deactivate and fixes thread handling for PipeWireSourceStream. KScreen now uses ContextualHelpButton from Kirigami, and Kscreenlocker adds a property to track past prompts. KWin sees numerous improvements: relaxed nightlight constraints, simplified Wayland popup handling, better input method windows, and enhanced screencast plugins. Plasma Mobile enhancements improve home screen interactions, translation issues, and swipe detection. Plasma Networkmanager and Plasma Workspace benefit from shared QQmlEngine and various bug fixes, including avatar image decoding and pointer warping on Wayland.
- Frameworks 6.4.0: Attica updates its gitignore to include VS Code directories. Baloo reverts a QCoreApplication change and ports QML modules. Breeze Icons introduces a ColorScheme-Accent and fixes data-warning icons. KArchive now rejects tar files with negative sizes and fixes crashes with malformed files. KAuth and KBookmarks add VS Code directories to gitignore. KCalendarCore adds missing QtCore dependencies and QML bindings for calendar models. KIO improves systemd process handling and deprecates unused features. Kirigami enhances navigation and dialog components. KTextEditor adds a tool for testing JavaScript scripts and ensures even indent sizes, fixing multiple bugs.
- KDE Gear 24.05.2: Akonadi-calendar adds missing change notifications. Dolphin updates Meta-Object Compiler generation. Filelight enables appx building and ensures hicolor icon presence while Itinerary fixes calendar permissions, corrupted notes, and the package introduces new extractors. Kdenlive addresses timeline, aspect ratio, and compilation issues. Okular fixes a crash with certain PDF actions.
- Supermin 5.3.4: This update introduces several key enhancements, including support for OCaml 5 and kylinsecos. It improves package management by detecting dnf5 and omitting missing options. The update also refines OCaml compilation by using -output-complete-exe instead of -custom that fixes kernel filtering for the aarch64 architecture, and enables kernel uncompression on RISC-V. The update removes previously applied patches now included in the new tarball, helping to streamline the codebase and improve maintainability.
- Checkpolicy 3.7: The latest update brings support for Classless Inter-Domain Routing notation in nodecon statements, enhancing SELinux policy definition capabilities. Error messages are now more descriptive, and error handling has been improved. Key bug fixes include handling unprintable tokens, avoiding garbage value assignments, freeing temporary bounds types and performing contiguous checks in host byte order.
Key Package Updates
- NetworkManager 1.48.4: This update introduces support for matching Open vSwitch (OVS) system interfaces by MAC address, enhancing network interface management. Additionally, NetworkManager now considers the contents of /etc/hosts when determining the system hostname from reverse DNS lookups of configured interface addresses, improving hostname resolution accuracy. Subpackages updated include NetworkManager-bluetooth, NetworkManager-lang, NetworkManager-tui, NetworkManager-wwan, libnm0, and typelib-1_0-NM-1_0. These enhancements contribute to more robust and precise network configuration handling in Linux environments.
- libguestfs 1.53.5: This update includes significant enhancements and fixes. The --chown parameter is now correctly split on the ‘:’ character, and a new checksum command is supported. Detection for Circle Linux and support for the LoongArch architecture have been added, including file architecture translation fixes. The update allows nbd+unix:// URIs and reimplements GPT partition functions using sfdisk. DHCP configuration improvements and a new virt-customize --inject-blnsvr operation enhance usability. Deprecated features include the removal of gluster, sheepdog, and tftp drive support. New APIs such as findfs_partuuid and findfs_partlabel improve functionality, while inspection tools now resolve PARTUUID and PARTLABEL in /etc/fstab. These updates enhance compatibility, performance, and functionality across various environments.
- glib2 2.80.4: The latest update backports key patches: mapping EADDRNOTAVAIL to G_IO_ERROR_CONNECTION_REFUSED, handling files larger than 4GB in g_file_load_contents(), and correcting GIR install locations and build race conditions. Additionally, improvements in gthreadedresolver ensure returned records are properly reference-counted in lookup_records().
- ruby3.3 3.3.4: This release addresses a regression where dependencies were missing in the gemspec for some bundled gems such as net-pop, net-ftp, net-imap, and prime. Other fixes include preventing Warning.warn calls for disabled warnings, correcting memory allocation sizes in String.new(:capacity) and resolving string corruption issues.
- libgcrypt 1.11.0: The latest update introduces several new interfaces and performance enhancements. New features include an API for Key Encapsulation Mechanism (KEM), support for algorithms like Streamlined NTRU Prime sntrup761, Kyber, and Classic McEliece, and various Key Derivation Functions (KDFs) including HKDF and X963KDF. Performance improvements feature optimized implementations for SM3, SM4, and other cryptographic operations on ARMv8/AArch64, PowerPC, and AVX2/AVX512 architectures. Other changes include various enhancements for constant time operations and the deprecation of the GCRYCTL_ENABLE_M_GUARD control code.
Bug Fixes
- orc 0.4.39:
  - CVE-2024-40897: versions before 0.4.39 had a buffer overflow vulnerability in orcparse.c, which this release solves.
- java-21-openjdk 21.0.4.0:
  - CVE-2024-21131 was a difficult-to-exploit vulnerability allowing unauthorized data modifications.
  - CVE-2024-21138 was a vulnerability causing partial denial of service.
  - CVE-2024-21140 was a vulnerability allowing unauthorized data access and modification.
  - CVE-2024-21145 was similar.
  - CVE-2024-21147 was the same, but for more critical data.
- ovmf 202402 had three months of CVE patches in its quarterly update.
- Mozilla Firefox 128.0: This release fixes 16 CVEs. The most severe was CVE-2024-6604; this was a memory safety bug in Firefox 128, Firefox ESR 115.13, Thunderbird 128 and Thunderbird 115.13. These bugs showed evidence of memory corruption that potentially allowed arbitrary code execution.
- ghostscript 10.03.1:
  - CVE-2024-33869 allowed bypassing restrictions via crafted PostScript documents.
  - CVE-2023-52722
  - CVE-2024-33870 allows access to arbitrary files via crafted PostScript documents.
  - CVE-2024-33871 allowed arbitrary code execution via crafted PostScript documents using custom Driver libraries in contrib/opvp/gdevopvp.c.
  - CVE-2024-29510 allowed memory corruption and SAFER sandbox bypass via format string injection in a uniprint device.
- xwayland 24.1.1 3:
  - CVE-2024-31080 had a vulnerability that could allow attackers to trigger the X server to read and transmit heap memory values, leading to a crash.
  - CVE-2024-31081 could cause memory leakage and segmentation faults, leading to a crash.
  - CVE-2024-31083 allowed arbitrary code execution by authenticated attackers through specially crafted requests.
- libreoffice 24.2.5.2:
  - CVE-2024-5261 allows fetching remote resources without proper security checks.
- GTK3 3.24.43:
  - CVE-2024-6655 allowed a library injection into a GTK application from the current working directory under certain conditions.
- netpbm 11.7.0:
  - CVE-2024-38526: pdoc, which provides API documentation for Python projects, had a vulnerability where pdoc --math linked to malicious JavaScript files from polyfill.io.
Conclusion
The month of July 2024 was marked by significant updates, security fixes and enhancements. The Linux Kernel 6.9.9 update introduced several key fixes and improvements across various subsystems, enhancing overall stability and performance. KDE Plasma 6.1.3 brought numerous UI improvements and better handling of Flatpak rebases. The updates to Frameworks 6.4.0 and KDE Gear 24.05.2 provided additional enhancements and bug fixes, improving user experience and system reliability. Critical security vulnerabilities were addressed in various packages, including Firefox, ghostscript, and xwayland, ensuring Tumbleweed remains secure, efficient, and feature-rich for all users. Additionally, the Aeon team announced the release of Aeon Desktop to Release Candidate 3 status that came from the release of a Tumbleweed snapshot last week.
For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Contributing to openSUSE Tumbleweed
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
(Image made with DALL-E)
Version 4.8.0 of syslog-ng improves FreeBSD and MacOS support
Last week One Identity released version 4.8.0 of its open-source log management application. Learn about some of the new features and bug fixes: why upgrade to the latest syslog-ng version, not only on FreeBSD :-)
Read more at https://www.syslog-ng.com/community/b/blog/posts/version-4-8-0-of-syslog-ng-improves-freebsd-and-macos-support

Cleaning up Ghosted Entries in the KDE Plasma Application Menu
Aeon RC3 Released
The Aeon team is very happy to announce that with the release of Snapshot 20240726, Aeon Desktop is now officially at Release Candidate 3 (RC3) Status!
The biggest change with this release is the introduction of Full Disk Encryption by default, configured automatically as part of the installation.
Depending on your hardware, Aeon will automatically configure Full Disk Encryption in one of two modes:
- Default Mode with strong verification of bootloader via the Trusted Platform Module version 2.0 (TPM2 for short), initrd and kernel before automatically decrypting your system
- Fallback Mode with no verification of boot components and requiring a Passphrase on boot to decrypt your system
For more details, please read our Encryption Documentation.
Please download Aeon from aeondesktop.org and install it following our Installation Guide.
Existing users who want RC3’s Encryption feature will need to re-install their system.
Pro tip: it’s recommended to use “a large” USB stick for the automatic backup/restore feature of the existing user’s data & configuration. Ensure it provides enough space to complete this transition.
RC3 is expected to be the last RC that will require a reinstallation. Users who install RC3 can expect to be automatically upgraded to any future RC versions and the official Aeon Release automatically, while RC4 doesn’t appear to be necessary at this point in testing.
Behind the Scenes
RC3 has also brought some nice technical and community improvements preparing for Aeon’s official release:
- tik (Aeon’s installer) now uses systemd-repart instead of dd for deploying images. This is what enabled Full Disk Encryption to be offered as you now see it in RC3.
- Aeon now has an official Brand Guide covering logos, colours, and advice toward how to use these when spreading the word about Aeon.
- Aeon now has an official Subreddit for announcements like this, development blogs, and can be used by the community for discussions, technical help or anything else related to Aeon.
What’s Coming Next
RC3 may be the final Release Candidate before Aeon’s official release. There are no major structural changes planned to the core Aeon OS, just regular improvements as upstream versions develop and our community contributes to new features and packages.
The main difference between RC3 and the official release will be the writing of openQA, which is noteworthy for CrowdStrike to consider, to test Aeon’s installation and basic functionality.
We would appreciate help in this area, which can now begin in earnest using RC3 as a reference.
There is a possibility of an RC4, which is currently being investigated.
If it occurs, RC4 will use tik’s new systemd-repart functionality to act as a ‘Self Installer’.
Users will see no practical difference from RC3, except for a significantly smaller download size as the Installer will not need a separate embedded Aeon image to deploy.
For that approach to work however, we will depend on features we haven’t tested yet from systemd v256. This was only submitted to openSUSE Factory recently, so it’s very cutting edge.
If RC4 does not occur, users can expect smaller more efficient images to come sometime after the release.
Our hope is everyone has a lot of fun with Aeon RC3, and would like to thank everyone who helped to get Aeon toward its release schedule.
The Aeon Team