Resurrecting my 3D Printer

A few years back I got myself a Monoprice Mini Delta 3d printer. I chose it because it was inexpensive, and self-leveling, so seemed like a great way to get started with the hobby, and it really delivered.

My first print a few years ago:

I started out printing parts to organize my electronics tool bench, and you can see (a lot of the prints I made on thingiverse)[https://www.thingiverse.com/rickspencer3/makes].

I haven't printing in a while though, and I have some free time, and there are a few simple things I wanted to print, so I pulled the printer out of the closet, all covered in dust and everything. First problem, the spool of black PLA that I had left on it had turned rather brittle. So I pulled out the old PLA, and put on a spool of glow in the dark PLA that I happened to have kept in a plastic back with a silicon moisture absorbing pack, so it still seemed good.

In installed Octoprint on my OpenSuse Leap machine and attached it, but I couldn't make it connect. This turned out to be a common problem with my printer and Linux in general (not a Suse-specific issue). On a side note, installing Octoprint with pip3 on Suse was dead easy, a real please.

In any case, I had Octopi running on rpi that is still attached to my workbench, so I scrounged up a power supply for it, attached a tiny monitor, booted it up and ... it still works!

You can see that I was printing out ear savers for face masks, so that gives you a sense of the last time I printed. Since the ear savers are very fast prints, I decided it was a good test print to do, so I decided to start with that, and it worked!

Here you can see the printed ear saver with some of the black PLA still sort of mixed in:

Here's the whole set up printing away:

Overall, I am really happy with the printer and set up. Considering this has all been collecting dust for years, and that I was easily able to get it up and running again with such little drama made me really happy. Now I can move on to getting Cura working and printing some of the new things I wanted to print.

Barcelona, Naples, Rome

It's 6:30am and I am sitting with my morning cup of coffee rocking the sweet sweet jetlag after 10 full days in Europe, mostly Italy.

What was I doing there? The motivation for the trip is that I got a new job. Even though I don't start until January 2nd, they invited me out to join their annual Sales Kick Off event in Barcelona. So, I had a ticket in hand to Europe anyway, and I had some free time.

Barcelona?

I arrived in at the airport in Barcelona after an easy flight, thanks to having a "lie flat" seat on United. I was, of course, totally jet-lagged, so I took only 2 photos over the 3.5 days that I was in Spain. The first day, before the event started, I took a metro ride into the city and visited a Christmas market, but didn't take any pictures. The real purpose of the trip was to keep from falling asleep.

As you can see from the above photo, it was a largish event. While I hadn't officially started yet, the event was real work for me.

I was absorbing as much information about the company, customers, and products that I could. Second, I got to meet a few of the people on my new team.

I left the event feeling very confident in my choice to join. I especially appreciated meeting the folks from my new team, as they were all top notch in terms of capabilities, but also I found them very easy to get along with.

Also, the event wasn't really in Barcelona, it was off season in this crazy family theme park.

Naples

Herculaneum

My primary goal of visiting Italy was to visit Herculaneum. I have been wishing to visit for years. I prepared for this part of the trip by reading as much as I could about the site, and watched some college level lectures and tours. So when I went, I was already well acquainted with the major parts of it.

I was so engrossed with the site, that I didn't end up taking any pictures. I figure that this is one of the most well documented sites in the world anyway, and I wanted to stay in the moment.

Here is one of the videos that I watched in preparation for the tour that I found very helpful.

I visited the site twice, once alone, and then again with my wife. Let me say that the site did not disappoint. You can really get the feel of the city and what life was like when you are there. The experience is quite different than Pompeii, which we also visited.

Naples

I chose a hotel for it's location, being quite close to Herculaneum. We did, however, take the quick train ride into the city to visit the Christmas market, and to eat at a restaurant that my brother in law, Craig, recommended.

Naples was insanely crowded. The city was crushed with people in the region in town for shopping and visiting the Christmas market. People in Naples seem to really really love Christmas.

The Christmas markets (Christmas Ally was the one we visited) were loaded with elaborate models for making different kinds of nativity scenes. It was way too crowded and hectic to get pictures, but I did get this video (for you Craig):

We had a super nice dinner at Mimi alla Ferrovia.

We got there a little early, and there was one other couple waiting. After we ate, we noticed that there was quite a line of folks waiting to get in.

I got the Pasta alla Genovese and a glass of red wine. Both delicious. I even made a big batch of Pasta alla Genovese when I got home, but it didn't compare of course. But it was fun to make, and I have the time to wait hours for things to cook.

Overall, the crowds in Naples were way too much for me. The only bigger crowds I have ever seen were at Queen's Day in Amsterdam, but that was a different vibe.

Pompeii

If the crowds in Naples were overwhelming, our day in Pompeii was an amazing antidote. It was a very easy train ride from our hotel, and it was a nice sunny dat.

Unlike Herculaneum, I did no research about Pompeii specifically, though I had watched various documentaries about it and such in the past. The city, for various reasons, was much more "ruined" than Herculaneum, so it was harder to get a feel for what it was like when it was a functioning city.

Due to being less engrossed from my previous research, I was more tuned into taking pictures, though. Pompeii is probably one of the most photographed places in the world, but here are a couple of pictures to evoke what the day was like.

Rome

I loved our time in Naples and Herculaneum, so we decided to extend our trip with a few days in Rome. My wife had been many times, but I had never been there. I was interested in seeing the ruins, especially, the Forum.

We stayed at a hostel called The Beehive, though, in reality, we had a hotel room sort of embedded in the hostel. The location near the train station was great. The room was very comfortable, and the people were very nice. Having access to the shared kitchen and living room was a huge benefit as well.

Getting to Rome was quite easy with the fast train from Naples. About 1h15 trip, and very smooth. On our first day there I did some laundry, but we also visited the city.

Here we are the Trevi Fountain.

There was an amazing Gelato place not too far from the Beehive, we ate there a few times.

That first night we also ate another restaurant Craig recommended, Urbana47. We had a great night there. We drank delicious wine. My wife had the rabbit, but I had the simple pasta with butter and anchovies. Positively delicious.

We stumbled out of there after great food, wine, and whiskey.

Colosseum and Forum Tour

The next morning we did some hard core site seeing. We hired a tour guide to take us through the Colosseum and to take us through a quick tour of the Forum. They recently unlocked the highest level of the Colosseum, but you had to buy special tickets for it, which our tour guide showed us how to buy. It was amazing to see the place from that vantage point.

We also did a quick run through of the Forum and especially Palatine Hill, but this was largely in preparation for a return visit in a couple of days.

Heart of Rome Tour

• map of tour
• a pic or two
• more food: Pinsere

Back to the Forum

• map of tour
• more pics

Dear Tumbleweed users and hackers,

Full steam ahead to the end of the year. It seems nothing makes Tumbleweed slow down. The number of requests coming in keeps being high and you had the chance to upgrade your machine 7 times this week.

The seven snapshots (1207…1213) of this week brought you these changes:

• KDE Plasma 5.27.10
• KDE Gear 23.08.4
• Late-comers of GNOME 45.2 (i.e mutter)
• Tar 1.35
• util-linux 2.39.3
• Mozilla Firefox 120.0.1
• Linux kernel 6.6.6

The next snapshot is already on the way to the mirrors, Stagings are ready to move on and we can confirm the following changes being worked on:

• KDE Frameworks 5.113.0
• Boost 1.84.0
• cURL 8.5.0
• RPM 4.19.x
• cmake 3.28.1 (ceph still failing to build)
• Ruby 3.3 tests have started (yast failures identified so far)
• libxml 2.12.x: slow progress
• openSSL 3.2.0
• c-ares 1.21.0: breaks nodejs
• wxWidgets 3.2.3: breaks wxPython bindings
• dbus-broker: no progress: openQA fails to launch the network stack in the installer
• Addition of Kalpa to the regular Tumbleweed deliverables

The past few weeks have been an exciting time for the openSUSE Project as discussions about the visual identity of the project offers a glimpse into people’s various views about the project and its brand identity.

The recent conclusion of the openSUSE logos contest has sparked extensive discussions among both members actively engaged in the openSUSE Project and those participating in it.

Our logo contest has provided us with a wealth of creative input and diverse perspectives that lay a strong foundation for deliberations on the future direction for the project.

The contest provided a voice for the many who aren’t as vocal as some about selecting a new logo. While there were some who were vocal on various platforms, the contest gave openSUSE Project members an opportunity to gauge how the broader community perceives the project.

The submissions and voting outcomes offered a glimpse into the collective vision of open-source enthusiasts who may not be directly involved in the project but are crucial stakeholders nonetheless.

As efforts move forward with the outcome of this, inclusivity and community involvement remain at the core of the decision-making process.

During the community meeting this week where the results were discussed, participants expressed the view that members of the openSUSE Project have an opportunity to participate in the selection of our new logo, and that SUSE, which holds the trademark to the openSUSE logo, be involved with the process for selecting a branding decision with regard to the results. After all, this decision impacts the collective identity.

To facilitate this, there is a plan to organize a vote between the current logo and the proposed new design, allowing our community to have a say in this important decision. Furthermore, members of the project are collaborating with SUSE on the implications of the branding initiatives and some have expressed the desire for SUSE’s input to ensure there is an aligned vision for the future of openSUSE.

A two-step approach to spearhead the discussions and decision-making processes with key stakeholders is crucial in driving a plan of action forward and implementing any changes to our branding strategy.

Outlined below are the proposed steps that will guide the project through this journey:

Step 1:

• Evaluation of Contest Results (completed)
• Assessing the Path Forward (completed)
• Engaging with SUSE for Brand Consideration & Assessing Contributions
• Presentation of Branding Strategy
• Community Voting Engagement
• Organizing a voting process for openSUSE Project members to choose between the Old and New Logo

Step 2:

• Collaboration with Stakeholders
• Aligning Logo Ownership with SUSE
• Trademarking and Implementation

The aim is to ensure transparency, inclusivity, and alignment with the collective goals of the openSUSE Project throughout this process.

For a detailed review of the survey results from the logo contest, visit our Logo Contest page.

People interested in becoming a member of openSUSE should visit our wiki on How to become a member.

Thank you for your continued support and enthusiasm. A big thank you to all the people who submitted a design and those who voted. Winners of the contests have been contacted about winning and will be shipped a Geeko Mystery Box.

The winners of the openSUSE logo contest across various categories are as follows:

• openSUSE: AO01

• Tumbleweed: Three-way tie AO31, AO05, and AO11

• Leap: AO01

• Slowroll: AO03

• Kalpa: AO03

This report is about a range of predictable /tmp path issues in various applications in the budgie-extras repository. This repository contains a range of helper applications for the Budgie desktop environment.

During a routine review of applications that are autostarted in X11 environments I found the issues 1) to 4) outlined below. Upstream found two additional cases of predictable /tmp path uses that they addressed, as outlined in items 5) and 6). Upstream released version 1.7.1 today which fixes all the issues.

Introduction

The affected programs are mostly written in the Vala programming language, some are also scripted in Python. In all cases predictable paths in /tmp containing only the username or no variable components at all are used. In these paths regular files or directories are created. The paths are often used as a kind of inter-process-communication between two or more budgie-extras components.

The impact of the issues differs a lot depending on the actual affected program and ranges from denial-of-service to information leaks to integrity issues through manipulation of the data which is used e.g. for displaying images on the desktop. All the issues are restricted to local attackers, naturally.

Without the Linux kernel’s protect symlink sysctl setting the severity of the issues will in some cases be worse. Even with this protection enabled it is often possible to pre-create the files or directories as another local user, granting world read and write access, which will cause the budgie-extras applications to use them even though they are attacker controlled.

Without the Linux kernel’s symlink protection many of these findings where files are created look like they might allow symlink attacks to have files created in arbitrary locations. The Vala file creation calls I looked into are mostly translated into the following system call, though:

openat(AT_FDCWD, <path>, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0666)

Even tough this is missing the O_NOFOLLOW flag, symlinks would not be followed, due to the combination of O_CREAT and O_EXCL. I will point out cases where symlink attacks might still be possible in spite of this.

As a quick fix for all of these issues I suggested to use $XDG_RUNTIME_DIR instead of /tmp. This directory is private to the logged in user and cannot be manipulated by other users in the system. In the instances where these files are used as a simple communication mechanism (“trigger” logic) it could be considered using sockets, the D-Bus session bus or named FIFOs instead - also placed in safe locations, of course.

Following is a detailed listing of all individual issues based on the budgie-extras Git repository tag for version 1.7.0.

1) budgie-window-shuffler (CVE-2023-49344)

1.1) Path /tmp/shufflerapplettrigger_<user>

In src/shuffler_control.vala line 1740 first an attempt is made to delete this path. Then it starts monitoring the path, reacting to its creation, by automatically selecting (popping up) the “Applet” listbox GUI entry.

The counterpart to this is found in applet/src/ShufflerApplet.vala line 91, where this file is created to let the settings dialog open.

The worst that can happen here is likely confusing the victims GUI so it is low severity.

1.2) Path /tmp/<user>_shufflertriggers/layoutspopup

In src/toggle_layouts_popup.vala line 62 first an attempt is made to create the directory, ignoring any potential errors - considering it to already exist. Then the “layoutspopup” file is created within the directory. Depending on program evaluation logic the string “fromcontrol” is written to the file, otherwise the file remains empty.

In src/layouts_popup.vala line 1384 monitoring for this file is setup, its content is read (it is checked whether it contains “fromcontrol”) and then a popup window is either created or destroyed, depending on the current program state.

Another user in the system can pre-create this directory and then control the creation and destruction of the popup dialog, thereby confusing the victim’s GUI. By placing a FIFO instead of a regular file at “layoutspopup”, the layout popup will be subject to denial-of-service (either by blocking it indefinitely or by feeding it large amounts of data, leading to an out-of-memory situation).

Without the Linux kernel’s symlink protection the issue can be used to make the layouts_popup program read from arbitrary files, or to operate in arbitrary directories.

1.3) Path /tmp/<user>_running_layout

In src/run_layout.vala line 203 this file is created to “temporarily disable possibly set windowrules”. In line 379 this path is (needlessly) constructed again and passed to function create_busyfile(), although this parameter remains unused by the function. In line 478 stat() and unlink() are attempted on the file.

In src/windowshufflerdaemon.vala line 831 an existence check for this file is made. If it exists then the run_rule program will not be executed for any windows.

This path allows a local attacker to prevent the victim’s run_rule ever to be executed.

1.4) Path /tmp/<user>_gridtrigger

In src/togglegui.vala line 33 an existence check is made for this path and depending on the outcome it is either created as an empty file, or deleted.

In src/windowshufflerdaemon.vala line 992 in function actonfile() there is a reaction to the creation and deletion of this path. Depending on this the gridguiruns boolean is set to true or false respectively. If it is set to false then a window will be destroyed in line 1148.

In src/gridwindow.vala line 637 a monitor is setup for this file and depending on it being created or being deleted the gridwindow is being displayed or destroyed.

This path basically allows a local attacker to make the “grid window” managed by the gridwindow program appear, thereby confusing the victim’s GUI. The other way around windowshufflerdaemon can be caused to destroy its “preview window” if this state file is under a local attacker’s control.

1.5) Path /tmp/shuffler-warning.png

In src/windowshufflerdaemon.vala line 1017 in function create_warningbg() this path is used to write a programmatically created PNG image into. In function show_awarning() in line 338 the program sizeexceeds_warning is executed which in turn in src/sizeexceeds_warning.vala line 68 displays the generated PNG image on the desktop.

A local attacker can attempt to place arbitrary PNG data in this path and have it displayed on the victim’s desktop. Placing crafted PNG data could allow to exploit further security issues in image processing libraries.

1.6) Path /tmp/<user>_istestingtask

This path is potentially created in src/layouts_popup.vala line 492. The file receives data from the GUI interface. In src/run_layout.vala line 407 this path is picked up again and its content is interpreted in extractlayout_fromfile().

Since this file’s content is evaluated and used for further program logic there is a chance for a local attacker to massively break the run_layout program’s logic or maybe even achieve code execution. The Linux kernel’s protected_regular sysctl setting comes to the rescue here, though. The open() with O_CREAT will fail. It can then still present a denial-of-service vector, though.

Upstream Fix

This is fixed in upstream commit 11b0201. The public /tmp directory has been replaced by the user’s private $XDG_RUNTIME_DIR, with a fallback to the user’s home directory.

2) budgie-wpreviews (CVE-2023-49347)

2.1) Path /tmp/<user>_window-previews

This path is used for a directory. In src/separate_shot.vala line 43 it is created, errors are ignored. In line 105 screenshots of certain X11 windows are placed in the directory following the name scheme <window-id>.<workspace-name>.png.

In src/previews_creator.vala line 74 an attempt to create the directory the same way is found. In line 241 the directory is iterated over and each file found there, independently of its name, will be assembled in a file list. This file list is luckily only used for removing files of non-existent windows in this program.

In src/previews_daemon.vala line 719 there is another attempt to create the directory the same way as in the other two locations. In line 523 the directory is again iterated over and a list of the contained filenames is assembled, independently of their names. In line 404 the filenames are interpreted and split into X11 window IDs and workspace names again. It seems the code expects all filenames to match the pattern, if this is not the case then the program will likely crash. The resulting file list is (luckily) matched against the existing X11 window IDs in line 421.

Even without exploiting the fixed temporary directory path this directory has security issues, since it is created world-readable. Any other users in the system can access the window screenshots that are created there and thus this is an information leak.

Since all errors trying to create the directory are ignored, another local user can pre-create this directory world-writable, and the wpreviews applications will still use the directory which is now under attacker control. The attacker can place additional PNG image files there, trying to confuse the victim’s GUI experience. A local DoS against the previews_daemon seems also possible by placing non-conforming files into the directory. Since the previews_daemon only uses files from the directory for which an existing X11 window is found, the complexity for a local attacker to inject arbitrary PNG files into the preview logic is raised. It can still be possible by observing the PNG files created by e.g. the separate_shot program and replacing them with crafted data.

Without the Linux kernel’s symlink protection a local attacker can place a symlink there instead of a directory, causing the programs to operate in arbitrary other directory locations.

2.2) Paths /tmp/<user>_prvtrigger_*, /tmp/<user>_previoustrigger, /tmp/<user>_nexttrigger

This long list of trigger files:

/tmp/<user>_prvtrigger_all
/tmp/<user>_prvtrigger_current
/tmp/<user>_prvtrigger_all_hotcorner
/tmp/<user>_prvtrigger_curr_hotcorner
/tmp/<user>_previoustrigger
/tmp/<user>_prvtrigger_all
/tmp/<user>_nexttrigger

is used both in src/previews_triggers.vala line 43 and src/previews_daemon.vala line 664.

The previews_triggers program selects one of these trigger paths depending on command line arguments, various logical evaluations and depending on whether some of the paths already exist. The selected path is then simply created with empty content.

In previews_daemon these paths are monitored and their existence is evaluated in a complex fashion to display previews of existing windows.

In conjunction with the issues in 2.1) this can be used to display attacker controlled images on the victim’s screen at arbitrary times, provided that the victim user is running the previews_daemon.

Apart from the security related problems this group of files for controlling a daemons behaviour seems ill devised. Instead proper IPC mechanisms should be used.

Upstream Fix

This is fixed in upstream commit 588cbe6. The public /tmp directory has been replaced by the user’s private $XDG_RUNTIME_DIR, with a fallback to the user’s home directory.

3) budgie-takeabreak (CVE-2023-49345)

3.1) Path /tmp/nextbreak_<user>

This file is read in budgie_takeabreak.py line 245 and the resulting string is split on “.”, the first element resulting from this is used as the new “time” displayed in the GUI.

In takeabreak_run line 80 this path is created and the next “break time” is written to it.

A local attacker can pre-create this file and have arbitrary string content displayed instead of the actual “next time”. A denial-of-service will also be possible e.g. by placing a FIFO there.

Upstream Fix

This is fixed in upstream commit 588cbe6. The public /tmp directory has been replaced by the user’s private $XDG_RUNTIME_DIR, with a fallback to the user’s home directory.

4) budgie-weathershow (CVE-2023-49346)

4.1) Path /tmp/<username>_weatherdata

In src/weathershow/WeatherShow.vala line 354 the current “weather data” is written to this location. Before this an attempt is made to delete an already existing file. Errors for both, deletion and creation of the file, are ignored unconditionally.

In line 236 the content from this file is read and interpreted for updating GUI window data.

A local attacker can pre-create this file and thus manipulate the data displayed by the weather applet. Also a denial-of-service will be possible e.g. by placing a FIFO there.

Upstream Fix

This is fixed in upstream commit 0092025. The public /tmp directory has been replaced by the user’s private $XDG_RUNTIME_DIR, with a fallback to the user’s home directory.

5) budgie-clockworks (CVE-2023-49342)

This issue was not discovered by me but by upstream while working on the fixes for the other issues I reported. For completeness I mention it in this report as well.

5.1) Path /tmp/<user>_clockworks

This path is used as a directory in the Python script cwtools.py. It is reused if it already exists. The scripts generates SVG vector graphics in there, converts them to the PNG image format and saving them in the users home directory in ~/.config/budgie-extras/clockworks.

Here, again, the image data can be manipulated by a local attacker by pre-creating this directory. In this case the data will even be persisted in the user’s home directory. Crafted SVG of PNG data could be placed in the directory to try attacking the image processing libraries used.

Upstream Fix

This is fixed in upstream commit d030837. The public /tmp directory has been replaced by the user’s private $XDG_RUNTIME_DIR, with a fallback to the user’s home directory.

6) budgie-dropby (CVE-2023-49343)

Like issue 5), this issue was not discovered by me but by upstream while working on the other issues I reported. For completeness I mention it in this report as well.

6.1) Path /tmp/<user>_keepdropbywin

This path is used as a “timer” file in the checkonwin and dropover Python scripts. The file’s content is not evaluated, but the checkonwin script runs wmctrl -c dropby_popup if the file doesn’t exist for more than six seconds.

The Python openat() call uses O_CREAT | O_EXCL flags so symlink attacks are not a problem even without kernel symlink protection. Other users in the system can shorten the “timer” logic of the checkonwin script, though, by creating the file path at an arbitrary time.

6.2) Path /tmp/<user>_call_dropby

The script budgie_dropby.py creates this file as a trigger for the dropover script which reacts to the creation of this path by scanning the current list of USB block devices and their mount points in the system. A GUI dialog is displayed or updated as a reaction to this.

A local attacker can cause this dialog to be displayed by creating this file. It can also be used as a kind of local DoS vector to keep the dropover script busy all the time, iterating over block devices.

6.3) Path /tmp/<user>_dropby_icon_copy

This is used as a trigger file in budgie_dropby.py. If the file is created then a GUI dialog is changed and updated. In the copy_flash Python script this trigger is created to signal that some files have been copied.

A local attacker can cause this dialog to be displayed by creating this file at arbitrary times.

Upstream Fix

This is fixed in upstream commit e75c94a. The public /tmp directory has been replaced by the user’s private $XDG_RUNTIME_DIR, with a fallback to the user’s home directory.

7) Timeline

8) References

• budgie-extras GitHub repository
• budgie-extras v1.7.1 bugfix release
• budgie-extras v1.7.0 tag: this was the code based used in this review
• bugfix commit for window-shuffler application
• bugfix commit for the wpreviews application
• bugfix commit for the takeabreak application
• bugfix commit for the weathershow application
• bugfix commit for the clockworks application
• bugfix commit for the dropby application

One of my favorite instruments is the church organ. A few weeks ago we already listened to organ and drums, but those were just covers of some popular songs. However, the church organ is also used in original music, including some really well-known songs.

Next to Bach, probably the best-known appearance of a church organ is in Andrew Lloyd Webber’s The Phantom of the Opera. As a kid, first, I copied it from vinyl to tape, after which I also bought it on CD. It was one of the very few CDs I ever sold from my collection: after a while, I started listening almost purely to instrumental music, and it did not fit that world… But, as a high school student I still listened to it a lot – at close to maximum volume :-)

TIDAL: https://listen.tidal.com/album/619259/track/619270

Talking about instrumental music. When I first visited my favorite CD shop, I was asked what kind of music I liked. When I told them I listened mostly to instrumental, I was told I was missing out on the really good part. But I also got some fantastic recommendations, one of which was the album “The Eight Wives Of Henry VI” by Rick Wakeman (did I mess up the numbers again?). It is one of my most listened to albums of all time. I have it on CD, and now also as high resolution FLAC files from HDtracks.

TIDAL: https://listen.tidal.com/album/40992779

Finally, one of my recent discoveries: music by Gary Ginsberg and Vitalij Kuprij. All songs have piano in them, and some even the church organ. Unfortunately, while it is available on YouTube and TIDAL, I could not find a CD version or downloadable FLAC files.

TIDAL: https://listen.tidal.com/album/104821378

As much as I like the church organ, there isn’t much contemporary music featuring it. A few more songs by Rick Wakeman,Gary Ginsberg, and Vitalij Kuprij. If you know any others, let me know! You can reach me on Twitter / Mastodon / etc., the links are in the upper right corner of my blog.

Dear Tumbleweed users and hackers,

The last two weeks have been filled with Tumbleweed snapshots! A staggering 13 releases (1123…1206, without 1125) found their way over the ether to your computers. Even if you don’t do daily updates, you get all the updates whenever you want.

The following changes were applied to your system in this period:

• Python 3.11.6
• PHP 8.2.13
• Mozilla Firefox 120.0
• Pipewire 1.0.0
• Perl 5.38.2
• gpgme 1.23.2
• systemd: permissions tightened on DRM render nodes
• LLVM 17.0.6
• MariaDB 11.1.2
• Qt 6.6.1
• GNOME 45.2
• SQLite 3.44.1
• the package cnf-rs was renamed to cnf (matching the command name)
• Sudo/polkit changes introduce configurations for the sudo/wheel group to self auth. Use the two packages sudo-policy-sudo-auth-self and sudo-policy-wheel-auth-self to configure your system

Many things from the last review are still pending in the staging projects – and are likely to stay there for quite a bit longer unless somebody starts fixing the issues identified

• KDE Plasma 5.27.9
• KDE Gear 23.08.4
• cmake 3.28.0: breaks libzypp (fix in progress) and ceph
• libxml 2.12.0 – I can’t even start to list what is not building
• openSSL 3.2.0
• RPM 4.19
• c-ares 1.21.0: breaks nodejs
• wxWidgets 3.2.3: breaks wxPython bindings
• Testing of the two compiler flags -fcf-protection=full and -ftrivial-auto-var-init=pattern: not compatible with gcc13 on i586
• dbus-broker: no progress: openQA fails to launch the network stack in the installer