Behold, My First RPM

I've written tons and tons of software, but was never much for packaging it. If I did any packaging, it was typically sticking a server into a container.

Yesterday morning I realized it has been something like 25 or 30 years since I wrote any functional C code, so I decided to do a refreshing, with the help of some AI. After reviewing the syntax and pointers, I wrote a CLI version of a Python app that I wrote a while back.

Python GUI Version

The problem is that I travel for work, but when I do, openSUSE doesn't seem to pick up on my new timezone, and it was a complex set of commands that I could not remember easily to set the new timezone. So I wrote a little GUI tool.

CLI C Version

So I basically did the same thing, but for the CLI, and in C. I made sure that I understood all of the code as I wrote, that I have to admit, I sort of glossed over the code for iterating through the directories and files.

This version does basically the same thing, but doesn't require the GUI.

Packaging

But wait! There is more. With some more AI assistance, I was able to put up a package that I can install on my machines.

Conclusion

I fully get that there are "official" ways of setting the timezone. The point is that I was able to go from not having written any C code in decades, to having a package in less than 2 hours! I also think my tool is a bit sweeter than timedatectl, etc...

In 2020, the Python foundation declared Python 2 as not maintained anymore.

Python 2 is really old, not maintained and should not be used by anyone in any modern environment, but software is complex and python2 still exists in some modern Linux distributions like Tumbleweed.

The past week the request to delete Python 2 from Tumbleweed was created and is going through the staging process.

The main package keeping Python 2 around for Tumbleweed was Gimp 2, that doesn't depends directly on Python 2, but some of the plugins depends on it. Now that we've Gimp 3 in Tumbleweed, we are able to finally remove it.

Python 2

The first version of Python 2 was released around 2000, so it's now 25 years old. That's not true, because software is a living creature, so as you may know, Python 2 grew during the following years with patch and minor releases until 2020 that was the final release 2.7.18.

But even when it was maintained until 2020, it was deprecated for a long time so everyone "should" have time to migrate to python 3.

Py3K

I started to write python code around the year 2006. I was bored during a summer internship at my third year of computer science, and I decided to learn something new. In the following months / years I heard a lot about the futurist Python 3000, but I didn't worry too much until it was officially released and the migration started to be a thing.

If you have ever write python2 code you will know about some of the main differences with python3:

• print vs print()
• raw_input() vs input()
• unicode() vs str
• ...

Some tools appeared to make it easier to migrate from python2 to python3, and even it was possible to have code compatible with both versions at the same time using the __future__ module.

You should have heard about the six package, 2 * 3 = 6. Maybe the name should be five instead of six, because it was a Python "2 and 3" compatibility library.

Python in Linux command line

When python3 started to be the main python, there were some discussion about how to handle that in different Linux distributions. The /usr/bin/python binary was present and everyone expect that to be python2, so almost everyone decided to keep that relation forever and distribute python3 as /usr/bin/python3, so you can have both installed without conflicts and there's no confusion.

But python is an interpreted language, and if you have python code, you can't tell if it's python2 or python3. The shebang line in the executable python scripts should point to the correct interpreter and that should be enough like #!/usr/bin/python3 will use the python3 interpreter and #!/usr/bin/python will use python2.

But this is not always true, some distributions uses python3 in /usr/bin/python like Archlinux or if you create a virtualenv with python3, the python binary points to the python3 interpreter, so a shebang like #!/usr/bin/python could be something valid for a python3 script.

In any case, the recommended and safest way is to always use python3 binary because that way it'll work correctly "everywhere".

Goodbye

It's time to say goodbye to python2, at least we can remove it now from Tumbleweed. It'll be around for some more time in Leap, but it's the time to let it go.

The first beta versions of SUSE Linux Enterprise Server 16 are almost around the corner and openSUSE Leap 16 is already at alpha phase. So the YaST Team (or should we already say the Agama Team?) has focused during the last couple of weeks on providing a better installation experience for both families of distributions. Agama 11 is the result, so let's see what's new on this release.

Bear in mind that some minor revisions of Agama 11 could be released in the following days to correct issues detected during the testing of SLES 16 Beta and openSUSE Leap 16 Alpha. We will update this blog post if any of those changes affect significantly any of the features listed below.

Agama can install Slowroll now​

Let's start welcoming a new member to the family of operating systems Agama can install. Thanks to WesFun now it is possible to select openSUSE Slowroll when using the Agama testing iso for openSUSE.

Keep the contributions coming!

Changes in the web interface​

Agama 11 also comes with a small reorganization of the workflow of the web interface. In previous versions, it was always necessary to visit the "Users" section to configure the root authentication and then go back to the "Overview" page in order to proceed with the installation. That happened because authentication is the only aspect of the system configuration for which Agama cannot infer any reasonable setup. You surely don't want Agama to choose a root password for you!

Starting with Agama 11, a screen to configure the root authentication is presented to the user right away after selecting the operating system to install.

After configuring the root password the user lands in the main Agama screen, where the general layout has been reorganized to ensure the "install" button is always accessible from all sections of the interface.

Additionally, the new install button can show a exclamation mark if there are issues preventing the installation and provides a summary of those issues pointing to the corresponding section that can be used to solve the situation.

The changes in the web interface go far beyond the new location of the install button. We encourage you to explore yourself to find all the small improvements!

Product registration​

As you all know, one of the main goals of Agama is to become the official installer for SUSE Linux Enterprise Server 16. The development of that operating system, and its sibling product SLES for SAP Application, is progressing nicely with some preliminary versions being already available to SUSE Partners.

Installing those systems requires the user to register in order to gain access to the repositories. Agama can detect whether registration is necessary and then offer a convenient user interface for the process, as seen below.

Of course, this feature is irrelevant for openSUSE users since the openSUSE repositories are fully public and they will always be.

License agreement​

Another difference between openSUSE and a corporate distribution like SLES is that users needs to explicitly accept a license agreement to use the latter. In the case of the Agama web interface, that means presenting the license as soon as possible in the process. Thus, the corresponding EULA must be accepted already when selecting any of the products that require to do so.

Of course, the screenshot above belongs to a SLES installation media and openSUSE users will not notice this new feature.

Allow remote usage of the command-line interface​

As convenient as an interactive installation with the web interface can be, you know that the command-line interface and the unattended installation process are also first-class citizen for Agama. Thus, they also received some love on this release.

Agama's CLI (command-line interface) offers an alternative way to control the installation process useful in various situations like installing in machines that cannot serve the web interface (eg. due to limited resources), using scripts and other automation techniques or simply when the user prefers good old terminal over graphical interfaces. Now Agama's CLI offers a new global parameter --api that allows to run the tool (and any script based on it) on a different machine from that being effectively installed. Bear in mind the new argument is still not honored by all Agama subcommands. Support for it will be extended on subsequent releases.

Scripting support in unattended installation​

Years of AutoYaST experience has taught us that, no matter how flexible an installer is, users of unattended installations always want to go further. And embedding scripting capabilities into the installer configuration has turned to be an awesome tool for that. So, similar to AutoYaST profiles, Agama configuration files now offer a "scripts" section. It makes possible to run scripts both before and after the installation process and also on the first boot of the new system.

Below you can see a Jsonnet configuration file for Agama including scripts. Note it would also work with plain JSON but, since that format does not support multi-line strings, each script would need to be provided as a long string with "\n" marking the end of each line (not so nice for a blog post 😉).

{
  scripts: {
    pre: [
      {
        name: "activate-multipath",
        body: |||
          #!/usr/bin/bash
          systemctl start multipathd.socket multipathd.service
        |||
      }
    ],
    post: [
      {
        name: "enable-sshd",
        chroot: true,
        body: |||
          #!/usr/bin/bash
          systemctl enable sshd.service
        |||
      }
    ],
    init: [
      {
        name: "run-ansible",
        url: "https://192.168.1.1/provisioning.sh"
      }
    ]
  }
}

For more details see the scripts section of the Agama documentation site.

Storage management for unattended installation​

The Agama configuration format offers a very convenient and powerful approach to configure the storage setup of the new system, way more consistent and concise that the corresponding <partitioning> section of the AutoYaST profile (which is still fully supported for migration purposes).

Agama 11 adds the possibility to define the physical volumes of an LVM volume group by simply specifying the disk (or disks) that will be used as a base for the LVM. Agama will take care of creating all the needed partitions, honoring any other aspect of the configuration in the process. Find a more detailed explanation with examples at the corresponding section of the Agama documentation.

On the other hand, now it is possible to specify TPM-based unlocking of the encrypted devices as part of the Agama storage configuration. Thus, users of unattended installation can also deploy fully encrypted systems based on TPMv2.

Automatic generation of documentation and shell completion​

A comprehensive and up-to-date documentation is key for a project like Agama, especially for users of the command-line interface and the HTTP API. And the best way to ensure the documentation is always in sync with the current version of Agama is to generate it automagically from the source code.

In the case of the CLI, the manual pages, its Markdown variant and also the files needed for shell completion are all generated from sources. You can see the always current result of the Markdown version at the corresponding section of the Agama web page.

The HTTP API is also automatically documented via an OpenAPI specification. This will help anyone interested in integrating Agama into any solution or infrastructure or even in creating its own client application for Agama, especially taking into account that the Agama HTTP is still not stable and changes on every release.

More changes under the hood​

As you can imagine, the above list of features is far for representing everything that has changed from Agama 10. As usual, the new version also includes many bug fixes and small improvements. And we took the opportunity to update to the latest version of the three programming languages used in Agama, including all used libraries.

We also gave some love to the Agama Live ISO. On the one hand, we revisited the list of included drivers, resulting in a smaller image that actually supports more hardware setups. On the other hand we tried to switch the graphical stack from X11 to Wayland. Although we didn't succeed due to technical problems related to Firefox's kiosk mode, we will keep trying (of course, any help is welcome).

Other Agama change that may not be obvious to all users is the introduction of some changes to ease the creation of automated integration test. That helps the openSUSE and SUSE QA teams in their invaluable effort to ensure a smoother experience to all users.

Just another step​

We are already working on the next version of Agama and your feedback may be useful to decide in which aspects we should focus. So do not hesitate to give Agama a try using our latest Live ISO images and to report bugs through Bugzilla. You can also contact us at the Agama project at GitHub. Of course, if you prefer to chat, you can find us as always at our #yast channel at Libera.chat.

And don't forget to have a lot of fun!

Dear Tumbleweed users and hackers,

This week was filled with snapshots – in just 7 days, we have published 8 snapshots; ok, there is just the co-incidence that the snapshot that was in QA from Thursday to Friday finished much quicker this week than last week – so we ended up having the latest one already on the mirrors at the time of my writing. We have not (yet) invented the time compression machine to publish more snapshots in a week. But honestly, I also don’t think anybody would care for more snapshots. Let alone: the numbering scheme does not support more than one snapshot ‘built’ per day (in rare cases, QA can be speedy and we had seen 2 snapshots syncing out on the same day).

Now, the curious one doesn’t care about the number of snapshots, but rather what changes those snapshots contained. Here are the changes delivered in the snapshot 0116…0123:

• Gimp 3.0 RC2: we are aware of the rc state, and the fact that some plugins are not ported to gimp 3. But that finally allows us to eliminate Python 2 and allows you to test it to make it as good as possible for future Leap versions.
• gpg 2.5.3
• GNOME 47.3
• Samba 4.21.3
• SQLite 3.48.0
• util-linux 2.40.4
• Mozilla Firefox 134.0.1
• LLVM 19.1.7
• PHP 8.3.16
• RSync 3.4.1
• Coreutils 9.6
• Linux kernel 6.12.10 & 6.13.0
• libxml 2.13.5

That’s quite an impressive list for just one week. Let’s look into the future and see what is planned to come:

• Removal of nscd
• Mesa 24.3.4
• Wine 10.0
• Systemd 257
• Timezone 2025a: breaks test suite of PostgreSQL
• Removal of Python 2 – It was nice as long as it lasted, but now it’s over (and we’re amazed at how many wrong dependencies we detected just the last few days)
• RPM 4.20
• KDE Plasma 6.3: beta 2 is currently staged, but that’s merely to detect errors early and allow shipping swiftly after the release
• Change of default LSM from AppArmor to SELinux is progressing, status is tracked at https://bugzilla.opensuse.org/show_bug.cgi?id=1230118.

Table of Contents

• 1) Introduction
• 2) Authentication Bypass Issue
• 3) Reproducers
  • D-Bus Method without Polkit
  • D-Bus method using Polkit
• 4) Affected D-Bus Interfaces
• 5) Suggested Bugfix
  • a) Dropping Privileges
  • b) Reimplementing Authentication Checks
  • c) Implementing Legacy Interfaces in the Affected Services
• 6) Upstream Bugfix
• 7) Possible Workarounds
• 8) CVE Assignment
• 9) Timeline
• 10) References

1) Introduction

We received a review request for the Deepin api-proxy D-Bus service which is part of the Deepin desktop environment. During the review we discovered a major authentication flaw in the design of this D-Bus service which allows local users to escalate privileges in various ways.

We reported this issue privately to Deepin security in December and did not receive a reply for a month. As we were preparing for publication, upstream became alive and quickly released a bugfix which is, sadly, still incomplete.

This report is based on dde-api-proxy version 1.0.17. The findings still apply to release 1.0.18. Upstream has attempted to fix these findings in release 1.0.19, but the bugfix is insufficient as outlined in section 6).

2) Authentication Bypass Issue

Dde-api-proxy runs as root and provides various D-Bus services on the D-Bus system bus. It sticks out since it ships a lot of D-Bus configuration files but only little code. The reason for this is that the service only forwards D-Bus requests between its clients and the actual Deepin D-Bus services. We believe this is for backward compatibility due to changes in Deepin D-Bus interface names, alas the component’s GitHub repository provides little insight into its purpose.

During startup the proxy service proactively registers the requested legacy D-Bus interface and creates a connection to the actual Deepin D-Bus service, to which messages will be forwarded to. When a client sends a message to one of the legacy service names, the proxy synchronously forwards the message (see handleMessage()) via its existing connection and returns the reply to the client.

This rather straightforward approach of proxying D-Bus messages has a major security flaw, however:

• the proxy runs as root.
• the proxy forwards messages from arbitrary local users to the actual D-Bus services without any authentication requirements.
• the actual D-Bus services don’t know about the proxy situation, they believe that root is asking them to perform operations.

Consequently with the help of dde-api-proxy, legacy D-Bus methods that normally wouldn’t be accessible to non-root users will become accessible without authentication.

3) Reproducers

D-Bus Method without Polkit

Following is a simple demonstration of the issue based on the Deepin Grub2 service. This service simply checks the UID of the D-Bus client for authentication of privileged operations. In the first command shown below the actual D-Bus service name is used, and the service rejects the operation, because the caller is not privileged:

user$ gdbus call -y -d org.deepin.dde.Grub2 \
    -o /org/deepin/dde/Grub2 -m org.deepin.dde.Grub2.SetTimeout 100
Error: GDBus.Error:org.deepin.dde.DBus.Error.Unnamed: not allow :1.167 call this method

In the next command the legacy D-Bus service name is used, and this time the target service performs the operation, because it believes the request originates from a privileged UID 0 client (dde-api-proxy):

user$ gdbus call -y  -d com.deepin.daemon.Grub2 \
    -o /com/deepin/daemon/Grub2 -m com.deepin.daemon.Grub2.SetTimeout 10
()

D-Bus method using Polkit

In the previous example Polkit authentication was not involved. When it is involved then the caller is treated as “admin”, resulting in a similar escalation of privileges. We found a suitable example using Polkit in the Deepin accounts service. This service offers a large range of system operations, among them the possibility to add users to groups. It checks the authorization of the “org.deepin.dde.accounts.user-administration” Polkit action, which is by default only allowed for users in a local session if they provide admin credentials.

The following gdbus call attempts to add the unprivileged user with UID 1000 to the root group. The call only works this way when it runs from within a (Deepin) graphical session. The actual accounts service interface is invoked here, thus the operation fails (it would require entering a root password).

user$ gdbus call -y -d org.deepin.dde.Accounts1 -o /org/deepin/dde/Accounts1/User1000 \
    -m org.deepin.dde.Accounts1.User.AddGroup root
Error: GDBus.Error:org.deepin.dde.DBus.Error.Unnamed: Policykit authentication failed

When switching to the legacy accounts service interface offered by dde-api-proxy, the operation succeeds without any authentication request, because the accounts service again believes root with UID 0 is the client asking for this:

user$ gdbus call -y -d com.deepin.daemon.Accounts -o /com/deepin/daemon/Accounts/User1000 \
    -m com.deepin.daemon.Accounts.User.AddGroup root
()

4) Affected D-Bus Interfaces

We did not look into all the privileged D-Bus methods that become available to unauthenticated local users via dde-api-proxy. On some of the proxied interfaces only a certain set of “filtered methods” is allowed to be invoked. The rest of the interfaces don’t put restrictions on the methods invoked, though. On first look, interesting attack surface seems to be found in the following D-Bus interfaces offered by dde-api-proxy:

• Accounts services (no method filter list)
• network proxy settings (no method filter list)
• PasswdConf1 WriteConfig method
• Lastore service (Apt backend, no method filter list)
• Lastore manager install package method

5) Suggested Bugfix

The authentication bypass is deeply rooted in the design of dde-api-proxy, thus fixing it is difficult. Possible approaches to addressing it are presented in the following sub-sections.

a) Dropping Privileges

The proxy could temporarily drop privileges to the unprivileged caller’s credentials, create a new D-Bus connection and forward the message to the proper service. This still won’t work properly if the D-Bus service in question is using Polkit for authentication, because Polkit differentiates whether the caller is in an active session or not. The D-Bus proxy service will never be in a session, though. This means that authentication requirements could be stronger than necessary. At least this approach would be safer than what currently happens.

b) Reimplementing Authentication Checks

The proxy could implement all necessary authentication checks on its own. This would result in the proper authentication being performed, but would lead to duplication of a lot of code. It would also add the danger that the authentication requirements of the proxy service and the actual service get out of sync.

c) Implementing Legacy Interfaces in the Affected Services

Finally dde-api-proxy could be dropped completely and the backward compatibility could be implemented in every one of the affected services. This is a less generic approach than what dde-api-proxy attempts to achieve, of course.

6) Upstream Bugfix

After a longer period of silence, upstream unexpectedly replied to our report and a short embargo period was established until a bugfix was published on January 17. The bugfix is found in upstream commit 95b50dd which made its way into release 1.0.19.

For the bugfix upstream went in the direction of our suggestion outlined in section 5.b), by implementing redundant Polkit authorization checks in the proxy service. A list of sensitive D-Bus methods offered by the proxy is now maintained in the source code. All of these methods are protected by a single, newly introduced Polkit action “org.deepin.dde.api.proxy” which requires admin authentication.

The bugfix introduces a new problem, though. The Polkit authorization check is implemented as follows:

bool checkAuthorization(const QString &actionId, const QString &service,const QDBusConnection &connection) const
{
    auto pid = connection.interface()->servicePid(service).value();
    auto authority = PolkitQt1::Authority::instance();
    auto result = authority->checkAuthorizationSync(actionId,
                                                    PolkitQt1::UnixProcessSubject(pid),
                                                    PolkitQt1::Authority::AllowUserInteraction);
    /* snip */
}

This code forwards the client’s process ID (PID) to the Polkit service for authentication. This way of using the Polkit UnixProcessSubject has been deprecated for a long time, because it is subject to a race condition that allows to bypass such authorization checks. This issue was discovered in 2013 by former SUSE security engineer Sebastian Krahmer, and was assigned CVE-2013-4288.

Upstream did not share the bugfix with us before publication, thus we were not able to prevent this incomplete bugfix. It should be possible to amend the incomplete bugfix by switching to the SystemBusName subject for authentication.

Even with an improved fix we believe this approach is not ideal, since it requires proper maintenance of all the proxied methods by upstream. If new methods are added at a later time, security issues could sneak in again. Also the newly introduced Polkit action makes the proxy service less transparent and could hamper the user experience. There is no more fine-grained control over the authentication requirements of individual D-Bus methods, and the authentication message for all of these proxied D-Bus methods is generic and unhelpful for end users.

7) Possible Workarounds

We don’t see any viable ways to work around this issue, except for removing dde-api-proxy from the system.

8) CVE Assignment

This finding is a bigger design issue in dde-api-proxy that allows for a local root (group) exploit and likely more similar attack vectors. We decided to request a CVE from Mitre to make the community aware of the issue. Mitre assigned CVE-2025-23222 to track this issue.

Formally another CVE would need to be assigned for the new security issue introduced by the incomplete bugfix described in section 6), but we refrained from doing so at this time.

9) Timeline

10) References

• Deepin Website
• dde-api-proxy GitHub repository
• Incomplete bugfix commit
• Release 1.0.19 containing incomplete bugfix

The call for papers for openSUSE Conference 2025 is open.

The conference is scheduled to take place June 26 to 28 in Nuremberg, Germany.

Until April 30, people can submit proposals for a talk or workshop to share insights and their expertise.

People have 97 days to submit a talk for the conference and are encouraged to submit talks based on the following length and topics:

Presentations can be submitted for the following length of time:

• Lightning Talk (10 mins)
• Short Talk (30 mins)
• Virtual Talk (30 mins)
• Long Talk (45 mins)
• Workshop (1 hour)

The following tracks are listed for the conference:

• Cloud and Containers
• Community
• Embedded Systems and Edge Computing
• New Technologies
• Open Source
• openSUSE
• Open Source for Business: Beyond Code into Sustainability Track

Volunteers who would like to help the with the organization of the conference are encouraged to email ddemaio@opensuse.org or attend a weekly community meetings.

Conferences need sponsors to support community driven events to keep events free and open to new contributing members. Companies can find sponsorship information or donate to the Geeko Foundation to assist with funds that will go toward the conference.

Members of the openSUSE Election Committee have informed the project that Board elections are underway.

Four candidates are running for three open seats.

The final candidate list is:

• Chuck Payne
• Ish Sookun
• Jeff Mahoney
• Rachel Schrader

Key Dates

• Jan. 19, 2025: Voting opens
• Feb. 2, 2025: Voting closes
• Feb. 3, 2025: Results announced

For more information about the candidates and the election, visit the project mailing list where candidates are answering questions and informing members of their platform.

Board members serve as guides for the community, handle key project functions, facilitate initiatives, organize meetings, and manage openSUSE domains and trademarks. They also uphold community standards, including overseeing complaints and ensuring compliance with the openSUSE Code of Conduct.

Per the Election Rules, only current members are eligible to run for board positions. New members joining during the membership drive can participate in voting but cannot stand as candidates.

The election is overseen by committee members Edwin Zakaria, and Ariez Vachha. Their responsibilities include finalizing the candidate list and ensuring a smooth election process.

Dear Tumbleweed users and hackers,

The year is in full swing, people mostly seem back from their deserved holiday break and submissions keep coming. Based on all the submit requests, we picked what we could and published 5 snapshots out of that (20250109, 0112, 0113, 0114, and 0115)

The most relevant changes delivered during the last week were:

• GStreamer 1.24.11
• Dracut 059+suse.672: rework timeout for devices added via –mount and –add-device (bsc#1231792)
• Mozilla Firefox 134.0
• KDE Gear 24.12.1
• KDE Frameworks 6.10.0
• fwupd 1.9.27
• Poppler 25.01.0
• sssd 2.10.1
• Linux kernel 6.12.9
• shadow 4.17.2
• All python 3.10 modules have been removed. The interpreter is (for now) still in the repository, but probably not for long.

The next snapshot is already in QA, and looks good to be released later today (no promise given though – we only know at the end of QA). This snapshot, and the next ones in planning, will likely bring these changes:

• GIMP 3 (RC2)
• GNOME 47.3
• gpg 2.5.3
• util-linux 2.40.4
• SQLite 3.48.0
• Systemd 257
• RPM 4.20
• KDE Plasma 6.3: Beta is currently staged to get preliminary QA results