Dear Tumbleweed users and hackers,

We are slowly but surely reaching the end of the year 2023 with just six more weeks to go. This week we had some minor glitches on the publishing side: snapshot 1109 had been marked for publishing, but the syncing never happened. As this was just over the weekend, nobody noticed this until Monday, when the next snapshot was already pending in the publisher queue (and also not going out). The issue was then swiftly rectified with the help of the build service team. As a consequence, only the four snapshots 1110, 1113, 1114, and 1115 have been published. The changes from 1109 are not lost: they were still present in the subsequently published snapshots.

The most relevant changes to report during this week are:

• Linux kernel 6.6.1
• KDE Gear 23.08.2
• KDE Frameworks 5.112.0
• Binutils 2.41
• gAWK 5.3.0
• PostgreSQL 16.1
• Mozilla Firefox 119.0.1
• libeconf 0.6.0

In the future – near or far – you can count on those changes to reach you:

• GStreamer 1.22.7
• sudo: optional addon configuration for groups wheel or sudo (asking for current user’s password)
• RPM 4.19
• dbus-broker as the default dbus daemon

A large amount of software updates made it into openSUSE Tumbleweed snapshots this week.

Most snapshots came with several new versions for those who used their command line to zypper dup.

While snapshot 20231114 was as enormous as snapshots starting off the week, there were a significant amount of software updates. The open-source client for Enterprise Identity Management sssd updates to version 2.9.3. This update empowers the proxy provider to handle certificate mapping and matching rules. Users managed by the proxy provider can now be configured for local Smartcard authentication, which improves authentication options. An update of xterm 388 enhances the disallowPasteControls function by adding a category for special characters known to stty. The new version also includes the updating of config.guess and config.sub. Improved messages in the configure script were made with the ncurses 6.4.20231111 update, and it had a patch that modified the reset command to avoid altering clocal when the terminal employs a modem. Color management package argyllcms updates to 3.0.2 fixes a typo in a module that affected retail i1D3 functionality and fixes crashes with the device link profiles and an update of libstorage-ng 4.5.156 merges a specific GitHub issue and extends the testsuite. Several RubyGems updated in the snapshot. There was an arm image 20231114 snapshot that updates for packages released from earlier in the week. Linux Kernel 6.6.1 and both KDE Frameworks 5.112.0 and KDE Gear 23.08.3 became available for the arm rolling release’s contributors and users.

Frameworks 5.112.0 was released for other architectures in snapshot 20231113. An update of NetworkManagerQt fixed an incorrect signal signature, removed an inaccurate comment and adjusted event listening to accommodate both DBus service registration events and interface added events. There was a replacement of slow with fsType in naming conventions for KIO and KConfig made adjustments in kconfigwatcher to avoid asserting absolute paths and had modifications in dbussanitizer preventing trailing slashes; the update enhances security measures by preventing attempts to send or receive DBus notifications on absolute paths. The ffmpeg-6 6.0.1 version make improvements to AVCodecs, AVformat, and AVfilters a patch was dropped as it was resolved upstream. Mozilla Firefox 119.0.1 had critical bugs affecting HTML elements’ functionality and resolves issues related to color application. The 23.2 version of python311-packaging had changes to parsing markers and improves support for enriched metadata, documentation updates and addressing vulnerabilities by updating the pip. The 41.0.5 version of python-cryptography focuses on enhancements and adjustments related to its integration with OpenSSL. This update has a new function to support an upcoming release of pyOpenSSL. An update of createrepo_c 1.0.2 made changes that prevent building without zstd and removes the dependency on libmagic. An update of the mail transfer agent (MTA) for email handling, postfix, updated to version 3.8.3. The package update addresses a defect in the Postfix SMTP server related to client certificate verification errors in TLS wrapper mode. The update also resolves syntax errors in the update_postmaps script and adjusts permissions caused by config.postfix. Several other packages were updated in the snapshot.

While KDE Gear 23.08.3 was later updated in the 20231114 arm image, it was released in snapshot 20231110. The Ark compression/decompression utility n resolves some file format issues and MIME type handling. It also has fixes related to opening AppImage files, checks using outdated ISO mimetypes, and adjusted hardcoded bzip2 mimetypes in tests for greater flexibility. Dolphin made updates reflecting the relocation of KActivities from Frameworks to Plasma. The modifications contribute to improved functionality and alignment within the file manager. There were an enormous amount of changes with Kdenlive in the Gear update. The update fixes timeremap, ensures proper audio handling during clip replacement, addresses project duration inaccuracies, prevents subtitle styling losses, enhances rendering and improves keyframe handling and clip resizing functionalities. Linux Kernel 6.6.1 arrived in the snapshot also before the arm image snapshot and it had bug fixes for several driver modules and compatibility enhancements for specific hardware devices to include adjustments for serial, USB, Advanced Linux Sound Architecture, Bluetooth, and more. An update of gimp 2.10.36 includes support for ASE (Adobe Swatch Exchange) and ACB (Adobe Color Book) palettes and a new gradient option. This is enhanced support for non-square ratio GIFs and an improved text tool formatting behavior. An update of postgresql16 16.1 adds support for LLVM 16 and 17. It also had some security fixes including handling unknown-type arguments and preventing an integer overflow when computing new array dimensions. Update of binutils 2.41, gawk 5.3.0 and more arrived in the snapshot.

I love the melodies of Metallica songs. However, I strongly prefer instrumental music. That’s why I was very happy, when someone brought Apocalyptica to my attention: they played Metallica on four cellos. Over the years I discovered that metal or any other music sounds nice on cellos, as I learned about two more bands: 2cellos and Mozart Heroes.

But I should not rush so far ahead. In the year 2000 someone introduced me to Metallica. I loved the melodies, but I’m not a great fan of singing. A few months later another friend introduced me to Apocalyptica, when learned about my problem. The same wonderful melodies, but purely instrumental music. First I bought their first album: “Apocalyptica plays Metallica by Four Cellos” and soon after also the second one: “Inquisition Symphony”.

TIDAL: https://listen.tidal.com/album/248123832 and https://listen.tidal.com/album/109813970

The next album I heard from Apocalyptica also featured a singer. That’s not something for me. That’s when I learned from a colleague about 2Cellos, a Croatian cellist duo. They played a wide variety of arrangements, everything from classical, through rock to pop. I quickly listened to all of their albums on TIDAL, and watched some of their videos on YouTube. This is my favorite:

TIDAL: https://listen.tidal.com/album/38440446/track/38440450

I learned about Mozart Heroes from a friend who’s son plays the cello. It is not purely cello music, as the other member of the band plays the guitar. Still, it was instant love. They also play arrangements, often combining a classical piece with something modern in the very same song. Sometimes the transition from one melody to the other is completely seamless. In the video below they combine Mozart and Metallica in a song:

TIDAL: https://listen.tidal.com/artist/9200105

For almost two decades I did not follow Apocalyptica, as the new music I heard from them was not purely instrumental. As Covid broke out, many concert tours were canceled. Some of these were replaced by free on-line streaming. I do not remember how I learned that Apocalyptica would also be performing an online concert, but as I did not have anything better to do, I watched it. It was pure instrumental, and love at first sight, so I bought the new album as soon as it became available in Hungary. Below I link the whole concert, which I watched live 3.5 years ago.

TIDAL: https://listen.tidal.com/album/125174900

Nobody is perfect, so there is a little twist in my story. The original reason I fell in love with cello arrangements was that they were all instrumental. There was no singing. A good friend mentioned that Apocalyptica is coming in our part of Europe, but unfortunately playing together with another band, and there is singing. I listened to it, and to my greatest surprise, despite the vocals, it was absolutely beautiful. To me, anyway :-)

TIDAL: https://listen.tidal.com/album/261401831

Version 1.9.15 of sudo gives more detailed information when using the -ll option. For commands, it adds the rule that allows it. Without a command parameter, it lists rules affecting a given user. It also prints which file contains the given rule, making debugging easier.

You can read more about it at https://www.sudo.ws/posts/2023/11/more-info-with-ll-in-sudo-1.9.15/

The November syslog-ng newsletter is now on-line:

• Sending logs to Splunk using syslog-ng
• Developing a syslog-ng configuration
• Systemd-journald vs. syslog-ng

It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2023-11-splunk-configuration-journald

Hello LibreOffice Planet!

This is my first blog post on the topic of LibreOffice. Let me quickly explain my link to LibreOffice. I work for a data protection authority in the EU and help navigate the digital transformation of our office with about 100 staff members. While many of our partner organisations adopt Microsoft 365, our office decided to pilot Nextcloud with Collabora Office Online.

In the future, I want to blog (in my personal capacity) about my thoughts related to the use of alternative word processing software in the public sector in general and in our specific case.

As there are no dedicated resources for training, preparation of templates etc., during the pilot of LibreOffice, the experience so far covers a large spectrum of user satisfaction. Generally, our staff has been spent years of their life using Microsoft Office and has the expectation that any other software works the same way. If it does not, they send an email to me (best case) or switch back to Microsoft Office.

During the week, I discussed again some smaller LibreOffice bugs. Then, I showed this weekend some FOSS Blender animated short videos to family members. It seems that Blender is more successful in its domain than LibreOffice. Is that possible? Or are animated short videos just more capturing due to their special effects? 😅

You can watch the 1min Blender animated short movie “CREST” on Youtube or the making-off. The latter you find here below.

I find it very inspiring to see what talented artists can do with Blender. For my part, I have once installed Blender and deinstalled it. Back then it was not easy to use for people not familiar with video animation software. Blender competes with proprietary software such as Maya or Cinema 4D. The latter is about 60 USD per month in the annual subscription plan. Not exactly cheap.

Then, I read in the fediverse about people working with LibreOffice:

I just tried to use #LibreOffice #Draw to draw some arrows and boxes onto JPEG images for emphasizing stuff.

The UX is really bad for somebody not working with Draw all the time.

Whatever I do, instead of drawing onto the image, the image gets selected instead.

Could not find any layer-sidebar.

Could not scale text without starting the “Character …” menu, modifying font size blindly + confirming > just to see its effect and then start all over.

Dear #FOSS, we really should do better.

— Author Karl Voit (12 November 2023 at 14:51)

In my past, I have worked on online voting systems. They are not very good yet despite years of efforts. xkcd dedicated a comic to voting software

Elections seem simple—aren’t they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers.

— Author Matthew Bernhard et al. in their paper Public Evidence from Secret Ballots from 2017

What is the unique challenge of developing word processing software? Happy to hear back from you in the blog comments or on the companion fediverse post!

Today, 12 years after the meeting where AppStream was first discussed and 11 years after I released a prototype implementation I am excited to announce AppStream 1.0!

Check it out on GitHub, or get the release tarball or read the documentation or release notes!

Some nostalgic memories

I was not in the original AppStream meeting, since in 2011 I was extremely busy with finals preparations and ball organization in high school, but I still vividly remember sitting at school in the students’ lounge during a break and trying to catch the really choppy live stream from the meeting on my borrowed laptop (a futile exercise, I watched parts of the blurry recording later).

I was extremely passionate about getting software deployment to work better on Linux and to improve the overall user experience, and spent many hours on the PackageKit IRC channel discussing things with many amazing people like Richard Hughes, Daniel Nicoletti, Sebastian Heinlein and others.

At the time I was writing a software deployment tool called Listaller – this was before Linux containers were a thing, and building it was very tough due to technical and personal limitations (I had just learned C!). Then in university, when I intended to recreate this tool, but for real and better this time as a new project called Limba, I needed a way to provide metadata for it, and AppStream fit right in! Meanwhile, Richard Hughes was tackling the UI side of things while creating GNOME Software and needed a solution as well. So I implemented a prototype and together we pretty much reshaped the early specification from the original meeting into what would become modern AppStream.

Back then I saw AppStream as a necessary side-project for my actual project, and didn’t even consider me as the maintainer of it for quite a while (I hadn’t been at the meeting afterall). All those years ago I had no idea that ultimately I was developing AppStream not for Limba, but for a new thing that would show up later, with an even more modern design called Flatpak. I also had no idea how incredibly complex AppStream would become and how many features it would have and how much more maintenance work it would be – and also not how ubiquitous it would become.

The modern Linux desktop uses AppStream everywhere now, it is supported by all major distributions, used by Flatpak for metadata, used for firmware metadata via Richard’s fwupd/LVFS, runs on every Steam Deck, can be found in cars and possibly many places I do not know yet.

What is new in 1.0?

API breaks

The most important thing that’s new with the 1.0 release is a bunch of incompatible changes. For the shared libraries, all deprecated API elements have been removed and a bunch of other changes have been made to improve the overall API and especially make it more binding-friendly. That doesn’t mean that the API is completely new and nothing looks like before though, when possible the previous API design was kept and some changes that would have been too disruptive have not been made. Regardless of that, you will have to port your AppStream-using applications. For some larger ones I already submitted patches to build with both AppStream versions, the 0.16.x stable series as well as 1.0+.

For the XML specification, some older compatibility for XML that had no or very few users has been removed as well. This affects for example release elements that reference downloadable data without an artifact block, which has not been supported for a while. For all of these, I checked to remove only things that had close to no users and that were a significant maintenance burden. So as a rule of thumb: If your XML validated with no warnings with the 0.16.x branch of AppStream, it will still be 100% valid with the 1.0 release.

Another notable change is that the generated output of AppStream 1.0 will always be 1.0 compliant, you can not make it generate data for versions below that (this greatly reduced the maintenance cost of the project).

Developer element

For a long time, you could set the developer name using the top-level developer_name tag. With AppStream 1.0, this is changed a bit. There is now a developer tag with a name child (that can be translated unless the translate="no" attribute is set on it). This allows future extensibility, and also allows to set a machine-readable id attribute in the developer element. This permits software centers to group software by developer easier, without having to use heuristics. If we decide to extend the developer information per-app in future, this is also now possible. Do not worry though the developer_name tag is also still read, so there is no high pressure to update. The old 0.16.x stable series also has this feature backported, so it can be available everywhere. Check out the developer tag specification for more details.

Scale factor for screenshots

Screenshot images can now have a scale attribute, to indicate an (integer) scaling factor to apply. This feature was a breaking change and therefore we could not have it for the longest time, but it is now available. Please wait a bit for AppStream 1.0 to become deployed more widespread though, as using it with older AppStream versions may lead to issues in some cases. Check out the screenshots tag specification for more details.

Screenshot environments

It is now possible to indicate the environment a screenshot was recorded in (GNOME, GNOME Dark, KDE Plasma, Windows, etc.) via an environment attribute on the respective screenshot tag. This was also a breaking change, so use it carefully for now! If projects want to, they can use this feature to supply dedicated screenshots depending on the environment the application page is displayed in. Check out the screenshots tag specification for more details.

References tag

This is a feature more important for the scientific community and scientific applications. Using the references tag, you can associate the AppStream component with a DOI (Digital object identifier) or provide a link to a CFF file to provide citation information. It also allows to link to other scientific registries. Check out the references tag specification for more details.

Release tags

Releases can have tags now, just like components. This is generally not a feature that I expect to be used much, but in certain instances it can become useful with a cooperating software center, for example to tag certain releases as long-term supported versions.

Multi-platform support

Thanks to the interest and work of many volunteers, AppStream (mostly) runs on FreeBSD now, a NetBSD port exists, support for macOS was written and a Windows port is on its way! Thank you to everyone working on this

Better compatibility checks

For a long time I thought that the AppStream library should just be a thin layer above the XML and that software centers should just implement a lot of the actual logic. This has not been the case for a while, but there was still a lot of complex AppStream features that were hard for software centers to implement and where it makes sense to have one implementation that projects can just use.

The validation of component relations is one such thing. This was implemented in 0.16.x as well, but 1.0 vastly improves upon the compatibility checks, so you can now just run as_component_check_relations and retrieve a detailed list of whether the current component will run well on the system. Besides better API for software developers, the appstreamcli utility also has much improved support for relation checks, and I wrote about these changes in a previous post. Check it out!

With these changes, I hope this feature will be used much more, and beyond just drivers and firmware.

So much more!

The changelog for the 1.0 release is huge, and there are many papercuts resolved and changes made that I did not talk about here, like us using gi-docgen (instead of gtkdoc) now for nice API documentation, or the many improvements that went into better binding support, or better search, or just plain bugfixes.

Outlook

I expect the transition to 1.0 to take a bit of time. AppStream has not broken its API for many, many years (since 2016), so a bunch of places need to be touched even if the changes themselves are minor in many cases. In hindsight, I should have also released 1.0 much sooner and it should not have become such a mega-release, but that was mainly due to time constraints.

So, what’s in it for the future? Contrary to what I thought, AppStream does not really seem to be “done” and fetature complete at a point, there is always something to improve, and people come up with new usecases all the time. So, expect more of the same in future: Bugfixes, validator improvements, documentation improvements, better tools and the occasional new feature.

Onwards to 1.0.1!

Dear Tumbleweed users and hackers,

This week was all in the name of Hackweek, which means some people diverged their efforts a bit away from Factory/Tumbleweed and others have finally found the time they craved and could submit what they had on their wish-list. The Release Team was trying to keep up with the submissions while also having their own time dedicated to hackweek. Seeing that we published 6 snapshots (1102, 1103, 1105, 1106, 1107, and 1108) I dare say this worked out pretty well.

The six delivered snapshots contained these changes:

• GNOME-Shell/Mutter 45.1
• libxml 2.11.5
• Pipewire 0.3.84
• systemd: disabled utmp support
• Libvirt 9.9.0
• xfconf 4.18.3
• fwupd 1.9.7
• VLC 3.0.20
• BlueZ 5.70
• LLVM 17.0.4
• SQLite 3.44.0

Snapshot 1109 is already in QA, 1110 is building, and stagings are getting ready. All in all, you can expect these changes to happen soon-ish:

• Linux kernel 6.6 (Snapshot 1109+)
• gAWK 5.3.0
• Binutils 2.41 (Snapshot 1110+)
• KDE Gear 23.08.3
• Mozilla Firefox 119.0.1
• RPM 4.19: Some preparation work has happened to ensure packages still build (e.g. %patch with unnumbered patches is no longer supported)
• dbus-broker as the default dbus session manager

Coincidentally I have had multiple needs for serving websites from behind containers instead of directly from the host. After some practicing, which can be also described as ”hacking without carefully documenting what I did”, I decided not to explicitly describe my setup but how I achieved (towards) my goal of serving my web sites (3 on the same server) from behind containers. This will enable me to consider using things like PHP or other notorious pieces of software thanks to a level of sandboxing.

Here in this rant paragraph I note that I'm not overtly fan of pulling random images from the web even if not quite as bad as using curl-sudo ”install method”. Containers are at least sandboxed, but coming from Linux distribution background perspective I somewhat dislike all software vendors acting as OS image providers. I will need to learn more about the aspects of where the images come from, what is the trust model, and what happens if eg Official Nginx (tm) image or Official Certbot (tm) image or Docker Hub gets compromised. I do mostly trust Debian, SUSE, Ubuntu etc infrastructure, so it will take some time until I construct my trust towards alternatives. One possible option could be of course to use my pre-trusted vendors via some alternative image registry, and do a bit more work with Ansible for example to utilize them instead of trusting Nginx or Certbot via Docker Hub.

My setup is looking like ending up like this, involving docker-compose, nginx as a proxy, several web host containers, and a Certbot container that is used to renew certificates via a cronjob:

But before I ended up with that I said hello to Search Engine. One result showed the general idea of sharing directories. Another reminded how to serve acme-challenge in nginx since I’ve been mainly Apache user. There were several guides about Apache and Let’s encrypt too, without proxy. I probably read this when figuring out the actual nginx proxy setup. At some point I needed to check that nginx is ”nginx” while certbot is ”certbot/certbot”. I was happy to find certbot command line option ideas although I learned the hard way to use --dry-run as well especially in the case of forgetting restart option in docker-compose.yml. I did not need any kind of bootstrap phase since I already had existing Let’s Encrypt certificates.

Finally, in practice what I have done so far is a proof that it works and can be used as drop in replacement for my on-host Apache. I have served all of the web sites from inside a container (pointed to the same content as the on-host), and Certbot container works to renew the certificate, replacing acme-tiny I have used before. Currently however the setup is not complete for simultaneous serving of all the 3 sites, cronjobs are not set up (or tested to be functional). I can’t have my on-host Apache and containerized Nginx proxy competing for ports 80 and 443 at the same time, so I can really enable the setup only when everything is fully complete. It’s nice however how easy switching between the two already is!

Finally², I can’t say it would be 100% complete even then! At some point in the past I have largely but not completely ”ansibled” my host when I sadly moved from a really old quad-core ARM server to x86_64 server. I like different architectures, but the ARM servers were decommissioned by Scaleway. Anyway, regarding Ansible this kind of containerization obviously increases ”Ansible debt” further by a fair amount, and that would be a different story to get that fully done…

But it has been some nice hacking!

During Hack Week this weeek, openSUSE’s rolling release Tumbleweed still manages to send out four snapshots.

Software packages like LLVM, the Linux Kernel’s firmware, VLC and fwupd were just a few that landed on peoples’ systems after a zypper dup.

The arrival of kernel-firmware 20231107 in snapshot 20231108 enhances various hardware, including Intel Bluetooth firmware updates for several devices like AX201, AX203, AX210, AX211, and more. A update of sqlite3 3.44.0 brings the addition of aggregate functions like string_agg(), concat(), and concat_ws(), which aligns compatibility with other SQL projects. Some error handling table statements were refined that contribute to a more immediate error-identification process. Data compression package brotli updates to 1.1.0 and the build process now incorporates optimal flags and introduces a new command-line option --dictionary. Another package to update was libgusb 0.4.8 that introduces a new device error code for busy that enhances its capability to handle device errors more effectively.

Snapshot 20231107 updates the Linux Bluetooth protocol stack bluez to version 5.70. The update fixes problems related to Generic Attribute Profile (GATT) confirmations and it introduces support for Media Independent Command Protocol profile and the Mesh Independent Control Service while adding a patch to address a regression when pairing with game controllers. An update of gupnp 1.6.6 makes improvements to the resilience in handling unusual formatting during introspection, along with the addition of a new Application Programming Interface for creating actions in ServiceProxy. It also addresses memory leaks. An update of llvm17 17.0.4 was updated to ensure compatibility with 17.0.0 version along with maintaining API and Application Binary Interface consistency. The package did include libomptarget.devicertl.a in libomp*-devel for pivotal GPU offloading functionality. A few other packages were updated in the snapshot.

An update of yast2-trans in snapshot 20231106 involving translations via Weblate includes updates for Slovak, Czech, Dutch, Catalan, Japanese, and Indonesian languages among others. A new POT files for text domains like storage, installation, and update have been introduced. An update of jasper 4.1.0 introduces support for building various JasPer application programs for the WebAssembly target with WASI support. The update also resolves an integer overflow bug. A few other packages updated including openSUSE’s tool to manage systemd-boot sdbootutil. This git+ update focuses on enhancing the sdboot in snapper hooks, installing commands with specific snapshots and refining the behavior of sdbootutil within RPM scriptlets.

The 20231105 snapshot updates the super-thin layer on the DBus interface - fwupd. The 1.9.7 version includes additions such as child device requirements in metadata, new hardware support for Logitech Rally System devices. The update adds new security attributes for BIOS capsule updates, and expanded support for parsing Extended Display Identification Data and Concise Software Identifier payload sections. An update of VLC 3.0.20 was mainly focusing on bug fixes and improvements. There were some notable changes like addressing crashes associated with some older versions of AMD drivers and fixing event propagation problems on double-clicking with the mouse wheel. The 2.42.1 version update of git addresses issues related to the exit code handling in git diff and refines the behavior of rebase -i in scenarios where the command is interrupted by conflicting changes. A few other packages like openldap2 2.6.6 and redis 7.2.3 were updated along with several RubyGems packages, which saw rubygem-pairing_heap update from version 1.0.0 to version 3.0.1.