Project Link: CNCF – Kubescape: Release engineering: add Kubescape to commonly-requested package managers

kubescape is a Cloud Native Computing Foundation (CNCF) sandbox project. It is an open-source Kubernetes security platform and includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities.

List of things I have done

Documentations:

• Publishing

Repo and Packages created:

• kubescape/packaging
• OpenSUSE Open Build Service home:kubescape/kubescape
• Ubuntu Launchpad PPA kubescape/kubescape
• Chocolatey kubescape
• Snapcraft Store kubescape
• Arch Linux AUR
• SARIF for Reviewdog

PRs opened:

• (merged) kubescape/kubescape #1095 fix(build): LICENSE file in release tarballs
• (merged) kubescape/kubescape #1105 fix(README): broken links
• (merged) kubescape/kubescape #1140 ci(release): fix publishing krew plugin; add ‘.exe’ extension to Windows binary
• (merged) kubescape/kubescape #1147 Change installation path to ~/.kubescape/bin
• (merged) kubescape/kubescape #1148 arm64 release binaries for CI and Krew
• (merged) kubescape/kubescape #1169 Add kubescape.exe to the release assets
• (merged) kubescape/kubescape #1184 feat(sarif): add fix object in generated reports
• (merged) kubescape/kubescape #1185 fix(fix): mixed up change summary list
• (merged) kubescape/kubescape #1186 Invoke packaging workflow to update after release
• (merged) kubescape/kubescape #1196 Move building instructions to wiki, add more installation instructions
• (merged) kubescape/kubescape #1199 Update installation script
• (merged) kubescape/kubescape #1210 ci: update before install packages
• (merged) kubescape/kubescape #1213 Deprecate kubescape-windows-latest
• (merged) kubescape/kubescape #1214 Add ref to workflow dispatch
• (merged) kubescape/kubescape #1216 Make powershell Windows installation user path available immediately
• (merged) kubescape/kubescape #1236 Deprecate kubescape-windows-latest and fix CI
• (merged) kubescape/kubescape #1238 Fix downloading arm64 binary for kubescape
• (merged) kubescape/github-action #32 Support for code reviews instead with PRs
• (merged) kubescape/github-action #34 Fix start new PR with own repo
• (merged) kubescape/github-action #37 Add exceptions parameters back
• (merged) kubescape/github-action #38 Keep kubescape github-action workflow up to date
• (merged) kubescape/github-action #41 Intergrate fix with comments
• (merged) kubescape/github-action #42 Version bumps start PRs instead of committing directly
• (merged) kubescape/github-action #43 Split the suggest fix workflow and update docs
• (merged) kubescape/vscode-kubescape #11 Remove platformPackages config
• (merged) kubescape/vscode-kubescape #12 Bump kubescape version into v2.3.1
• (merged) kubescape/lens-extension #16 Bump kubescape version into v2.3.1
• (merged) kubescape/node-kubescape #3 Support for ARM64 binaries as well as kubescape.exe
• (merged) kubescape/homebrew-tap #7 Add Auto Release CI
• (rejected) kubernetes-sigs/controller-runtime #2266 Support get config inside snap with SNAP_REAL_HOME
• (rejected) kubernetes/kubernetes #117165 client-go: support detect homedir with SNAP_REAL_HOME and os/user.HomeDir
• (merged) ScoopInstaller/Main #4757 kubescape: Update url and binary naming
• (pending) gentoo/gentoo #30595 sys-cluster/kubescape: new package, add 2.3.3
• (merged) chocolatey-community/chocolatey-packages #2226 (kubescape) Add Kubescape package

Issues opened/helped with:

• (resolved) kubescape/kubescape #195 Provide ARM64 release binaries
• (resolved) kubescape/kubescape #400 Add Kubescape to packages management for easier installation
• (reviewed) kubescape/kubescape #720 Error Fixed when downloading on azure cloud vm environment
• (reviewed) kubescape/kubescape #1014 Package manager support: homebrew
• (resolved) kubescape/kubescape #1015 kubescape installed in first directory in $PATH under $HOME
• (helped) kubescape/kubescape #1033 Generate SLSA provenance for builds
• (reviewed) kubescape/kubescape #1112 can’t install Kubescape with krew on Apple Silicon Mac
• (resolved) kubescape/kubescape #1142 Package manager support: RPM
• (resolved) kubescape/kubescape #1143 Package manager support: deb
• (resolved) kubescape/kubescape #1168 Add kubescape.exe to the release assets to replace kubescape-windows-latest
• (resolved) kubescape/kubescape #1183 Add fix object in Kubescape generated SARIF reports when available
• (reviewed) kubescape/kubescape #1215 Fix issue 11552
• (helped) kubescape/kubescape #1237 Download and Installing Wrong Binary For Apple M1
• (reviewed) kubescape/kubescape #1239 Added instructions to setup kubescape locally
• (resolved) kubescape/k8s-interface #46 Kubescape supports getting packed as a snap app
• (closed) kubernetes/client-go #1261 Get HomeDir from os/user.Current().HomeDir and fallback with $HOME
• (pending response) github/community #52156 Support code auto-fixes for GitHub Code Scanning
• (resolved) chocolatey-community #2186 Migrate kubescape package
• (resolved) chocolatey-community/chocolatey-packages #2190 (kubescape) Migrate package
• (resolved) snapcraft/store-requests #34661 Request for classic confinement and name change for cli-kubescape
• (pending response) snapcraft/snapd #34683 Feature Request: Stop using $SNAP_REAL_HOME to visit real home files

Project summaries

Packaging

• OpenSUSE Build Service (DEB and RPM)
• RPM
• Ubuntu Launchpad PPA
• Homebrew Tap
• Chocolatey
• Snapcraft
• AUR
• Gentoo Portage

Other packages managers that have already been available and not introduced by me during this project period:

• OpenSUSE Zypper
• Homebrew
• Krew (I added the ARM64 support for Krew)
• Nix-pkgs
• Scoop

GitHub Actions Release CI

I helped improve the Kubescape GitHub Actions release CI process, where I added the ARM64 build and tested for the GitHub Actions release CI workflow. I use QEMU with Docker to simulate the Linux ARM64 environment for building and testing the binaries. For macOS M1/M2, I investigated how to cross-build libgit2 C code and use Golang cross-compilation to build the binaries.

I also helped add the auto version bumping CI for kubescape/homebrew-tap, kubescape/packaging, and kubescape/github-action. After the release is made, we trigger these CIs so that the kubescape versions in these repositories can get upgraded automatically.

GitHub Actions Code Review

I helped improve the Kubescape GitHub Actions fix suggestions code review process, where I created the workflow which works by collecting the SARIF (Static Analysis Results Interchange Format) file that kubescape generates. Then, with the help of HollowMan6/sarif4reviewdog, convert the SARIF file into RDFormat (Reviewdog Diagnostic Format) and generate reviews for code fix suggestions on GitHub Actions using Reviewdog. I also helped add the “fix” object support for the Kubescape-generated SARIF report.

In addition to the main project, I also helped the community with other issues like bug-fixing as well as feature-adding.

The May syslog-ng newsletter is now on-line:

• Learning syslog-ng, the easier way
• Why syslog over UDP loses messages and how to avoid that
• Upgrade problems from syslog-ng 3 to 4

It is available at https://www.syslog-ng.com/community/b/blog/posts/the-syslog-ng-insider-2023-05-learning-udp-upgrading

Dear Tumbleweed users and hackers,

This week, timing is on our side – and we pushed out 8 snapshots in 7 days. Of course, this could only happen because openQA was so very swift in testing yesterday’s snapshot – it passed the entire QA run in just a bit over 3 hours (314 test runs).

The snapshots published were numbered 0427 through 0504 and they contained these changes:

• openSUSE:Factory is now using suse_version 1699 (unless you need to distinguish it from ALP, keep using > 1500 or >= 1550 as done in the past. No need to use the new version just yet in normal cases
• Mozilla Firefox 112.0.2
• OpenVPN 2.6.3
• gnome-shell / mutter 44.1 (late joiners for GNOME 44.1)
• Boost 1.82
• postfix 3.8.0
• Mesa 23.0.3
• Wayland 1.22.0
• Linux kernel 6.3.1
• libvirt 9.3.0

Staging projects are quite busy, most relevant changes happening at the moment are:

• Adjustments for packaging guidelines: packages with more than one spec file (multispec) must now mention the additional spec files in _multibuild. This is needed for future changes to git-based source management, where package links are not supported.
• systemd 253.4
• PHP 8.2.5
• libxml2 2.11.1: breaks quite a few things. Users that have the package installed from the devel project (no Tumbleweed QA runs!) experience issues with zypper failing to cache repositories
• Switching default from ffmpeg-5 to ffmpeg-6 (only chromaprint blocks this by now)
• openSSL 3.1: still a few broken packages – see https://bugzilla.opensuse.org/show_bug.cgi?id=1209430
• ICU 73.1: breaks libqt5-qtwebengine

I recently automated the installation of updates on my openQA development instance. The goal was to make the instance updates itself over night, but only if it is idle, i.e. there are no running jobs. Sometimes when I’m busy, the instance needs to work overnight and despite openQA being able to restart cancelled jobs from a reboot, I prefer to avoid situations where this might result in problems in times, where I really can’t have that.

Snapshot updates of openSUSE Tumbleweed were frequent and consistent this week while another development project seeks to get things moving.

A post to developers on the Factory mailing list titled openSUSE ALP: Call for Volunteers aims to gain contributors for rebuilding an openSUSE Leap 15 successor based on a forthcoming commercially available ALP distribution being pioneered by SUSE.

While the call for volunteer post has gained interest and still needs more, Tumbleweed released Linux Kernel 6.3 in snapshot. 20230503. The update from kernel-source 6.2.12 to 6.3.1 went through a considerable amount of testing before finally being released in the snapshot. A Btrfs change for the kernel fixed an uninitialized variable warning and a patch for a regression in the 6.3 version was added to the update. There was an update to enable armv7hl and arm64 configurations. The 9.3 version of libvirt was released in the snapshot. Improvements made to the release include better validation of watchdog devices related to qemu, and arm and RISC-V architectures now use the virt machine types by default. There were also several bug fixes; one was related to UEFI firmware and another related to NVMe drivers concerning locked memory. Just a few documentations improvements and updated translations were made in the spellcheck library gspell 1.12.1. The update of gtk3 3.24.37+70 was made to fix a crash. A Common Vulnerability and Exposure was fixed with the vim 9.0.1504 text editor update. CVE-2023-2426, which used an out-of-range pointer offset with the GitHub repository, won’t bug users anymore.A few other packages to update in the snapshot included GNOME’s amtk 5.6.1, gucharmap 15.0.4 and more.

The team of audacity contributors was very active this week as the second version of the week was released in snapshot 20230502. Audacity 3.3.1 fixed a calculation error when trying to upload to audio.com. The audio editor fixed crash reporting being disabled and fixed custom sample rates from being uneditable. Xfce users will be happy to feel less CPU usage thanks to a reversion that prevents this in thunar 4.18.6. The file manager also improved error handling of undo and redo. Community package serd, which is a lightweight C library for working with RDF data, updated to version 0.30.16 and addressed memory consumption when reading documentation as well as fixes spelling mistakes for manpages. An update of yast2-trans provided updates for Portuguese and Swedish languages. A few other packages were updated in the snapshot include docbook-xsl 1.79.2.1, libsoup 3.4.2, guestfs-tools 1.50.1, libupnp 1.14.17 and more.

The lightweight C library for loading and wrapping LV2 plugin User Interfaces was the only package to update in snapshot 20230501. The suil 0.10.18 version had some fixes for MacOS, but fixed issues with newer toolchains and removed Qt 4 support and some of its dead code.

Snapshot 20230430 was large, but updated a few libraries. The Wayland 1.22.0 update added explicit events for the preferred buffer scale. The display server included a few new convenience functions and bug fixes. The 3d graphical package Mesa had changes in several areas of the 23.0.3 version. There was an overlay fix that was unable to launch titles on Steam and a crash for a slicer was fixed for GNOME. Some incorrect settings were also fixed for RADV and yast2-country 4.6.2 did some configuration modules cleanup related to the keymap for Russia.

Another audio package, JACK, arrived in snapshot. 20230429. JACK 1.9.22 dropped dependencies used for the example client and fixed the build with Python 3.11+. The libzypp 17.31.11 package fixd an endless loop if the wrong credentials are stored and the package introduces a timeout in the configuration. The Perl modules package for various bootloaders eloquently perl-Bootloader reached its first major version. It updated from version 0.941 to 1.0 and removed the legacy parts. The spec file was moved to git repository and changes were made to distinguish between 32 bit and 64 bit UEFI platforms. Other packages to update in the snapshot were libxmlb 0.3.11, makedumpfile 1.7.3, postfix 3.8.0 and xdpyinfo 1.3.4.

Packages to update from last Friday’s snapshot, 20230428, were audacity 3.3.0, which now supports ffmpeg 6, and ModemManager 1.20.6, which adds additional support for 5G modems and fixed the unsolicited message with LTE. An update of gnome-shell 44.1 fixed several aspects of the package. This includes fixing placeholder alignment in the bluetooth menu, accessible names in the VPN menu and various improvements to the light theme variant. Another GNOME package to update was its window manager mutter 44.1. The update fixed some resizing windows via keyboard, an anchor position when dragging a window and the package also fixed a plugged leak. Several other packages update in the snapshot.

Version 4 of syslog-ng was released last December. Quite a few people use it already in production. How can you install it for a test drive? It might be already available in your Linux distribution. There are also several unofficial repositories with the latest syslog-ng.

From this blog, you can learn how to check your syslog-ng version, where to check if it is not yet installed, and a few additional resources, if you want to install the latest version from unofficial repositories.

Read more at https://www.syslog-ng.com/community/b/blog/posts/getting-syslog-ng-4

Build version 2021.9.0 and update the latest version of the oneTBB is a flexible C++ library that simplifies the work of adding parallelism to complex applications, even if you are not a threading expert. The library lets you easily write parallel programs that take full advantage of the multi-core performance.

Add repository and install manually

zypper addrepo https://download.opensuse.org/repositories/home:cabelo:intel/15.4/home:cabelo:intel.repo
zypper refresh
zypper install intel-oneapi-tbb

More information : HERE

Build and update 3.1 version of the oneAPI Deep Neural Network Library (oneDNN) is an open-source cross-platform performance library of basic building blocks for deep learning applications. oneDNN is part of oneAPI. The library is optimized for Intel(R) Architecture Processors, Intel Processor Graphics and Xe Architecture graphics.

Add repository and install manually

For standard run the following as root:

zypper addrepo https://download.opensuse.org/repositories/home:cabelo:intel/15.4/home:cabelo:intel.repo
zypper refresh
zypper install intel-oneapi-dnn

More information : HERE

This post is very unlikely for you. It’s for future me.

The little magic box that is the Dirtywave M8 tracker is pretty well supported in Linux. It works great as an audio device (input and output), it does usb midi and you can also use its remote display using laamaa’s m8c which now also does audio monitoring.

M8c isn’t an app, so it’s a bit of a hassle to build it and use it from within a toolbx. Regular Linux distro chore. In addition, to update its firmware, which Timothy pushes very frequently and brings amazing new functionality, requires adding udev rules to have the device writable by a user. Which is what this post is about. I have no clue what I’m doing, but having this config in /etc/udef/rules.d/50-myusb.rules (first is the regular device for m8c and the latter is the second stage of the firmware update using tytools):

SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="048a", GROUP="users", MODE="0666"
KERNEL=="hidraw*", ATTRS{idVendor}=="16c0", GROUP="users", MODE="0666"

Enjoy my last track, Sines of our fathers if you don’t care of any of the above ;)