1. Planet
  2. Global
  3. Page 2

Wed, May 7th, 2025

Novedades de Kate en KDE ⚙️ Gear 25.04

Os presento las novedades de Kate en KDE Gear 25.04, un nuevo artículo de la serie de la última actualización del ecosistema de aplicaciones de KDE, otro paso adelante en la mejora continua del proyecto. Nunca está de más recordar que Kate es un editor de texto rápido, multidocumento y multivista para todo el mundo.

Novedades de Kate en KDE ⚙️ Gear 25.04

Dentro del lanzamiento de KDE Gear 25.04 muchas aplicaciones han recibido mucho cariño, y una de ellas es el sencillo pero potente Kate, un editor de texto rápido, multidocumento y multivista que incluye compatibilidad con LSP (Protocolo de servidor de lenguaje), proyectos, múltiples cursores y selecciones, integración de git, búsqueda en carpetas, divisiones horizontales y verticales, modo vi, resaltado de sintaxis para más de 300 idiomas lenguajes, terminal integrado, ajuste de palabras dinámico y mucho más.

Esta nueva versión de Kate de KDE ⚙️ Gear 25.04 nos ofrece novedades como la nueva compatibilidad con el servidor de lenguaje debputy, que se usa para escribir paquetes de Debian.

Novedades de Kate en KDE ⚙️ Gear 25.04

Además, ahora se pueden añadir rutas a la variable de entorno PATH que usa Kate, lo que resulta de utilidad cuando se usan servidores LSP, formateadores o analizadores no presentes en la variable PATH predeterminada.

Para finalizar las novedades comentar que el complemento de compilación, que le permite iniciar una recompilación desde la interfaz de Kate, admite ahora múltiples proyectos abiertos al mismo tiempo sin tener que volver a cargar constantemente la lista de objetivos cada vez que cambia de proyecto.

Más información: KDE Gear 25.04

Y, recuerda, todo este software es gratuito y sin publicidad en todos los sentidos: no te cuesta ni un euro y no se cobra en en forma de datos personales. No obstante, si quieres ayudar a su desarrollo siempre puedes participar en su campaña de recaudación de fondos.

La entrada Novedades de Kate en KDE ⚙️ Gear 25.04 se publicó primero en KDE Blog.

Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation

Table of Contents

1) Introduction

The Deepin desktop environment (DDE) is part of the Deepin Linux distribution. It focuses on usability, a polished graphical presentation and support for the Chinese language. It is also available on a number of other Linux distributions, openSUSE among them.

Recently we noticed a policy violation in the packaging of the Deepin desktop environment in openSUSE. To get around security review requirements, our Deepin community packager implemented a workaround which bypasses the regular RPM packaging mechanisms to install restricted assets.

As a result of this violation, and in the light of the difficult history we have with Deepin code reviews, we will be removing the Deepin Desktop packages from openSUSE distributions for the time being.

In this blog post we will look at the exact nature of the policy violation, the review history of Deepin components in openSUSE and the conclusions we draw from all of this. Finally, we will give an outlook on how this situation could be resolved, and how users of openSUSE can continue to opt-in to use Deepin in the future.

2) Bypass of the openSUSE Packaging Policy via a “License Agreement” Dialog

The SUSE security team enforces a number of packaging restrictions for openSUSE distributions. Among others, the installation of D-Bus system service configuration files and Polkit policies requires a review by us. When we are satisfied with a package’s security, then we whitelist the respective components. From there on, the package can be submitted to the openSUSE:Factory project in the Open Build Service, which is the base for the openSUSE Tumbleweed rolling release distribution.

For a large software suite like Deepin, which contains a significant number of D-Bus services, this can be a difficult initial hurdle to overcome. We have been in contact with the openSUSE Deepin packager ever since 2017, and have whitelisted various Deepin D-Bus components in the meantime. A number of remaining Deepin review bugs have seen little progress in recent years, however, because the issues we pointed out have not been addressed properly.

Perhaps tired of waiting, the packager decided to try a different avenue to get the remaining Deepin components into openSUSE skirting the review requirements. In January 2025, during routine reviews, we stumbled upon the deepin-feature-enable package, which was introduced on 2021-04-27 without consulting us or even informing us. This innocently named package implements a “license agreement dialog” which basically explains that the SUSE security team has doubts about the security of Deepin, but to properly use Deepin, certain components need to be installed anyway. Thus, if the user does not care about security then “the license” should be accepted. If the user accepts, the missing D-Bus configuration files and Polkit policies are automatically extracted into system directories from tarballs found in the deepin-daemon-dbus and deepin-daemon-polkit packages. The license text also contains a hint suggesting to manually install the deepin-file-manager-dbus and deepin-file-manager-polkit packages and run a script to sideload further configuration files that are needed for the Deepin file manager D-Bus component to work.

The 'license agreement' dialog presented by deepin-feature-enable
The "license agreement" dialog presented by deepin-feature-enable.

For end users, this effectively means that typing “y” once during the installation of the Deepin pattern is enough to opt in to activating components with questionable security which have not been accepted by the SUSE security team.

Given the number of reviews that happened over many years, with some decline in frequency and activity, we had wrongly assumed that by now the bulk of Deepin D-Bus components had managed to enter openSUSE:Factory after being whitelisted by us (apart from some optional utility packages). Instead we had to find out that core components, which are found in the deepin-daemon package, had never been submitted for our review, but had been smuggled into openSUSE.

A review bug has been running for Deepin file manager since 2019 without the package reaching a satisfying state. Offering users the ability to run a script to activate the problematic components is less critical than automatically doing so via a crafted “license dialog”, but is still an unclean and questionable approach.

3) Review History of Deepin Components

This section gives an overview of the long history of review requests for Deepin components in openSUSE. This should give an insight into the effort that already went into checking Deepin’s security, and the difficulties that we often encountered in attempting to arrive at a good solution.

2017-12-04: deepin-api: Initial Review of D-Bus Service and Polkit Actions

This was the first review request we received for Deepin. It reached us during a time of restructuring in our team, which caused a delay of about half a year before we found time to work on it. deepin-api contained a D-Bus service which ran as root, offering a miscellaneous collection of D-Bus methods on the D-Bus system bus e.g. for playing audio files.

We found various issues in the D-Bus method implementations. Most prominently, any user in the system was allowed to run various commands like rfkill with arbitrary parameters as root. Polkit authentication was only implemented in some of the D-Bus methods, while others merely had a TODO: marker to add authentication. Furthermore, the Polkit authentication that was implemented for some methods was subject to a race condition allowing authentication bypass.

The Deepin packager involved upstream and we started a discussion in the review bug about how to address the issues. A first attempt to fix them produced incomplete results. We asked for a formal security contact at the Deepin project to offer coordinated disclosure, since we found problems in other Deepin components as well in the meantime. We did not receive an answer to this, though.

After this initial activity there was no more progress for six months, which is why we closed the bug due to inactivity in December 2019. In April 2021 the Deepin packager reopened this bug assigning it to an upstream developer. In July 2021 we were finally pointed to the proper fixes for the issues, and we granted a whitelisting for this specific Deepin component in August 2021.

2019-03-25: deepin-clone: Polkit Action com.deepin.pkexec.deepin-clone

deepin-clone is a backup utility for the Deepin desktop. In March 2019 we received a review request for a Polkit action contained in the package. We found a large number of issues in the implementation of this Polkit action, such as problematic predictable /tmp file uses, a world-readable log file in a fixed path in /tmp and the possibility to prevent the unmounting of temporarily mounted block devices.

We reported these issues to the packager in April 2019. In July 2019 we were pointed to a couple of fixes, but we found that some issues had still not been addressed and the code in general still looked unclean. The more severe issues had been fixed at least, thus we requested CVEs for them and published a report on the oss-security mailing list.

We never heard back about the remaining concerns we had, thus the whitelisting for this component was never granted.

2019-05-05: deepin-file-manager: D-Bus Service and Polkit Actions

In May 2019 we received review requests for the D-Bus part and the Polkit part of the deepin-file-manager package. This application is a file manager similar to Dolphin in KDE or Nautilus in GNOME. The D-Bus service implemented in the package offers methods to perform actions like mounting Samba network shares or managing the UNIX group membership for user accounts in the system. This is one of the packages for which the Deepin packager eventually implemented a whitelisting bypass, as explained in section 2).

After reviewing the main D-Bus service, we could not help ourselves but call it a security nightmare. The service methods were not only unauthenticated and thus accessible to all users in the system, but the D-Bus configuration file also allowed anybody to own the D-Bus service path on the system bus, which could lead to impersonation of the daemon. Among other issues, the D-Bus service allowed anybody in the system to create arbitrary new UNIX groups, add arbitrary users to arbitrary groups, set arbitrary users’ Samba passwords or overwrite almost any file on the system by invoking mkfs on them as root, leading to data loss and denial-of-service. The daemon did contain some Polkit authentication code, but it was all found in unused code paths; to top it all off, this code used the deprecated UnixProcess Polkit subject in an unsafe way, which would make it vulnerable to race conditions allowing authentication bypass, if it had been used.

Other Polkit policies found in the package were at least being used. One Polkit action allowed locally logged-in users to run /usr/bin/usb-device-formatter as root without authentication. The program allowed to determine the existence of arbitrary files in the system, and to unmount or format non-busy file systems. A Deepin developer joined the discussion in the bug and again we tried to bring to upstream’s attention the overarching security situation in Deepin, but to no avail.

A couple of bugfixes appeared for the Polkit issues but once more they were incomplete. By December 2019 we did not receive any further responses, thus we closed the bug without whitelisting the Polkit policies. In March 2021 the Deepin packager reopened the bug but only pointed us to supposed fixes later in October 2022. We moved the discussion for the Polkit parts into the other bug for the D-Bus service component at this time.

For the D-Bus service issues we did not receive any response at all, and thus also closed the bug in December 2019 without whitelisting the service. Meanwhile we published our findings on the oss-security mailing list in August 2019. In April 2021 the Deepin packager reopened the bug, stating that upstream would be working on the issues. In August 2021 an upstream developer was assigned to the bug, who pointed to a partial bugfix but at the same time stated that Deepin developers had “different opinions” about the reported security issues, without providing further details, however.

In October 2022 the Deepin packager pointed us to more fixes and a new release packaged for openSUSE. The D-Bus interface received major changes at this point. Polkit authentication was added to some D-Bus calls now, but it again used the deprecated UnixProcess subject in an unsafe manner, which would allow to bypass authentication by winning a race condition. Newly added D-Bus methods also introduced new issues, such as lacking path validation when unmounting Samba shares. Some other methods again were left completely unauthenticated.

In November 2023 the Deepin packager informed us about another new release that was supposed to contain more bugfixes. This time some of the problematic D-Bus methods disappeared completely, but some of the original issues as well as confusing and broken Polkit authentication attempts remained.

In April 2024 the Deepin packager informed us again about a new release containing bugfixes. Some more D-Bus methods simply disappeared, some now actually used proper Polkit authentication based on the D-Bus system bus name. The D-Bus service configuration still allowed any user in the system to impersonate the service, however. Also, once more, a bunch of newly added D-Bus methods introduced new problems. One of them, for example, allowed any user in the system to start the Samba system daemons nmbd and smbd. A lot of path verification issues also lingered in the new APIs.

We did not get further responses for these reviews, and the components are still not whitelisted for openSUSE. Due to the frequent alteration of the D-Bus methods in the Deepin file manager daemon, which led to partial bugfixes and new issues appearing, we also refrained from assigning further CVEs for the issues. Formally, each incomplete bugfix would need a dedicated CVE, which would have led to a confusingly long list of CVEs revolving around the same topic: that the Deepin file manager daemon has major security issues, some of them likely still unfixed.

2019-05-23: deepin-anything: D-Bus Service

In May 2019 we received a review request for the deepin-anything package. This component acts as the back end for a desktop search engine. Given the number of unsolved Deepin related reviews we already faced at this time, we refused to work on this additional review until the others would have been resolved.

Still, just from taking a quick look at the package we noticed yet another issue: the D-Bus service configuration allowed any user in the system to register the deepin-anything service on the system bus.

In September 2024 the Deepin packager approached us again pointing to changes in the upstream D-Bus configuration. We did not get around to looking more closely into it again, as we treated Deepin with lower priority at that time.

2021-02-01: dtkcommon: FileDrag D-Bus Service

Another review request arrived in February 2021. This time it was about a “com.deepin.dtk.FileDrag” D-Bus interface, but the actual implementation of this D-Bus service remained a mystery to be found. In the end, upstream moved this interface to the D-Bus session bus in July 2021 and no whitelisting on our end was necessary after all.

Interestingly the Deepin packager stated in the bug that upstream finds itself unable to respond to security bug reports, which is rather worrying for such a big project with such an amount of security issues uncovered.

2021-02-06: deepin-system-monitor: Polkit Policy

This request also arrived in February 2021. It is one of the few Deepin reviews that was completed quite quickly and without any major worries. The Polkit policy only allowed execution of programs like kill, renice and systemctl via the pkexec utility. This was only allowed with admin authentication. We whitelisted the policy in May 2021.

2023-05-13: deepin-app-services: dde-dconfig-daemon D-Bus Service

Here we see a gap of about two years since the last Deepin review request. This might be due to the fact that the offending deepin-feature-enable package had meanwhile been introduced in May 2021 to circumvent the whitelisting requirements. It seems the packager was still willing to involve us in newly added Deepin packages that contained D-Bus components, however.

Sadly the review of deepin-app-services was another chaotic case, one that is actually still unfinished. Even understanding the purpose of this D-Bus service was difficult, because there wasn’t really any design documentation or purpose description of the component. From looking at the D-Bus service implementation, we judged that it is a kind of system wide configuration store for Deepin. Contrary to most other Deepin D-Bus services, this one is not running as root but as a dedicated unprivileged service user.

We quickly found one class of issues in this D-Bus service, namely the crafting of relative path names by adding ../ components to various D-Bus input parameters that are used for looking up configuration files. It seemed the D-Bus service should only allow the lookup JSON configuration files from trusted paths in /usr. By constructing relative paths, however, the D-Bus service could be tricked into loading untrusted JSON configuration from arbitrary locations. We were not completely sure about the impact of this, given the abstract nature of the configuration store, but it seemed to have security relevance, since upstream reacted to our report of the issue.

It took three passes and a year of time, however, for upstream to fix all combinations of input parameters that would allow construction of arbitrary paths. Upstream did not verify and solve these on their own. Instead they only fixed the concrete issues we reported and, when we returned to the review, we found yet more ways to escape the /usr path restriction.

In December 2024 we were close to whitelisting this D-Bus service. With this much time passed, however, we thought it would be better to have a fresh look at the current situation in the D-Bus interface. This led to a series of new concerns, partly again in the area of path lookup, but also due to the fact that arbitrary users could read and store configuration for arbitrary other users. There was a lack of Polkit authentication and user separation in the interface.

2023-05-13: deepin-api: Follow-up Review of D-Bus and Polkit

In parallel to the deepin-app-services review described in the previous section, we also received a follow-up review request for deepin-api. The trigger for this review was that upstream renamed their D-Bus interface and Polkit action names from com.deepin.* to org.deepin.*.

Luckily, this time the implementation of the D-Bus service did not change much compared to the last time and we could not identify any new security issues. For this reason we quickly accepted the changes and finished the review.

2024-08-29: deepin-api-proxy: D-Bus Service

After a longer time of standstill regarding Deepin reviews, a request for the addition of deepin-api-proxy arrived. This package greeted us with over two dozen D-Bus configuration files. Again, upstream’s description of what the component is supposed to do was very terse. From looking at the implementation we deduced that the proxy component seems to be related to the renaming of interfaces described in the previous section.

We found a design flaw in the proxy’s design which allowed a local root exploit. You can find the details in a dedicated blog post we published about this not too long ago.

It is noteworthy that the communication with upstream proved very difficult during the coordinated disclosure process we started for this finding. We did not get timely responses, which nearly led us to a one-sided publication of the report, until upstream finally expressed their wish to follow coordinated disclosure at the very last moment. The actual publication of the upstream fix was not communicated to us and neither was the bugfix shared or discussed with us. This resulted in a follow-up security issue, since upstream once again relied on the unsafe use of the deprecated Polkit UnixProcess subject for authentication.

The review of this component was also what led us to the discovery of the deepin-feature-enable whitelisting bypass, since we installed the full Deepin desktop environment for the first time in a long time, which triggered the “license agreement” dialog described above. After finding out about this, we decided that it was time to reassess the overall topic of Deepin in openSUSE based on our long-standing experiences.

2024-09-02: deepin-system-monitor: added D-Bus service and new Polkit actions

The deepin-system-monitor received additions in the form of a new D-Bus service and additional Polkit actions. We accepted the D-Bus service although it contained some quirks. We did not find time to fully complete the review of the Polkit actions until now, however. A second look that we had at the D-Bus service showed that it was once more using the deprecated UnixProcess subject for Polkit authentication in an unsafe way. This is something that we had previously overlooked.

4) Conclusions about the Future of Deepin in openSUSE

The experience with Deepin software and its upstream during the code reviews that we performed has not been the best. More than once, security issues we reported have been replaced by new security issues. Other times, upstream did not invest the effort to fully analyze the issues we reported and fixed them insufficiently. Generally the communication with upstream proved difficult, maybe also due to the language barrier. While upstream stated at times that they don’t have enough resources to deal with security reports, which is worrying enough, the design and implementation of Deepin D-Bus components often changed radically in unrelated ways. This makes the security assessment of Deepin components a moving target. Building trust towards Deepin components has thus been extremely difficult over the years.

The history of Deepin code reviews clearly shows that upstream is lacking security culture, and the same classes of security issues keep appearing. Although we only looked at a small fraction of the code Deepin consists of, we found security issues nearly every time we looked at one of its components. Based on these experiences, we expect further security issues to linger in the rest of the Deepin code that does not stick out, as the D-Bus services do (as they run with raised privileges). Given the experiences we have gathered with Deepin D-Bus services, we consider it likely that they break user isolation. These components are certainly not fit for multi-user systems; even on single user systems they will be weakening defense-in-depth significantly.

The discovery of the bypass of the security whitelistings via the deepin-feature-enable package marks a turning point in our assessment of Deepin. We don’t believe that the openSUSE Deepin packager acted with bad intent when he implemented the “license agreement” dialog to bypass our whitelisting restrictions. The dialog itself makes the security concerns we have transparent, so this does not happen in a sneaky way, at least not towards users. It was not discussed with us, however, and it violates openSUSE packaging policies. Beyond the security aspect, this also affects general packaging quality assurance: the D-Bus configuration files and Polkit policies installed by the deepin-feature-enable package are unknown to the package manager and won’t be cleaned up upon package removal, for example. Such bypasses are not deemed acceptable by us.

The combination of these factors led us to the decision to remove the Deepin desktop completely from openSUSE Tumbleweed and from the future Leap 16.0 release. In openSUSE Leap 15.6 we will remove the offending deepin-feature-enable package only. It is a difficult decision given that the Deepin desktop has a considerable number of users. We firmly believe the Deepin packaging and security assessment in openSUSE needs a reboot, however, ideally involving new people that can help get the Deepin packages into shape, establish a relationship with Deepin upstream and keep an eye on bugfixes, thus avoiding fruitless follow-up reviews that just waste our time. In such a new setup we would be willing to have a look at all the sensitive Deepin components again one by one.

This is a process that will take time, of course, and there are limits to what we as a security team can do. Given the size of the Deepin project we would also like to see other Linux distributions and the (security) community join us in trying to establish a better security culture with Deepin upstream.

5) How to Continue Using Deepin on openSUSE

Given the security record of Deepin and the concerns expressed in the previous section, we don’t recommend to use the Deepin desktop at this time. If you still would like to install (or continue using) the Deepin desktop on openSUSE Tumbleweed despite the existing security concerns, then you can add the Deepin devel project repositories to your system as follows:

# add the devel project repository for Deepin to zypper
# for other distributions you need to adjust the URL here to point to the proper repository for your case
root# zypper ar https://download.opensuse.org/repositories/X11:/Deepin:/Factory/openSUSE_Tumbleweed deepin-factory
# refresh zypper repositories
root# zypper ref
New repository or package signing key received:

  Repository:       deepin-factory
  Key Fingerprint:  EED7 FE07 D0FC DEF0 E5B4 D4A9 C0DA 4428 1599 EA1E
  Key Name:         X11:Deepin:Factory OBS Project <X11:Deepin:Factory@build.opensuse.org>
  Key Algorithm:    RSA 2048
  Key Created:      Sat Apr 29 01:27:01 2023
  Key Expires:      Mon Jul  7 01:27:01 2025
  Rpm Name:         gpg-pubkey-1599ea1e-644c5645



    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key\'s name. If
    you are not sure whether the presented key is authentic, ask the repository provider or check
    their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they
    are using.

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):

The current GPG key fingerprint for this project is EED7 FE07 D0FC DEF0 E5B4 D4A9 C0DA 4428 1599 EA1E. You can verify it yourself by downloading the public key , importing it via gpg --import and checking the output of gpg --fingerprint for the newly imported key.

Note that by doing this you will trust any packages originating from this devel project, which are neither vetted by the SUSE security team nor by the openSUSE package submission review teams.

For openSUSE Leap you need to adjust the repository URL to point to the proper Leap repository for your system.

6) References

Dedicated Security Reports

Review Bugs

Change History

2025-05-08 Minor clarifications in Section 3) 2019-05-05: deepin-file-manager and Section 3) 2023-05-13: deepin-app-services. Fixed a typo in Section 5).

Tue, May 6th, 2025

Victorhck posted in Español at 14:14

Recopilación del boletín de noticias de la Free Software Foundation – mayo de 2025

Recopilación y traducción del boletín mensual de noticias relacionadas con el software libre publicado por la Free Software Foundation.

¡El boletín de noticias de la FSF está aquí!

La Free Software Foundation (FSF) es una organización creada en Octubre de 1985 por Richard Stallman y otros entusiastas del software libre con el propósito de difundir esta filosofía, frente a las restricciones y abusos a los usuarios por parte del software privativo.

La Fundación para el software libre (FSF) se dedica a eliminar las restricciones sobre la copia, redistribución, entendimiento, y modificación de programas de computadoras. Con este objeto, promociona el desarrollo y uso del software libre en todas las áreas de la computación, pero muy particularmente, ayudando a desarrollar el sistema operativo GNU.

Mensualmente publican un boletín (supporter) con noticias relacionadas con el software libre, sus campañas, o eventos. Una forma de difundir los proyectos, para que la gente conozca los hechos, se haga su propia opinión, y tomen partido si creen que la reivindicación es justa!!

Puedes ver todos los números publicados en este enlace: http://www.fsf.org/free-software-supporter/free-software-supporter

¿Te gustaría aportar tu ayuda en la traducción y colaborar con la FSF? Lee el siguiente enlace:

Por aquí te traigo un extracto de algunas de las noticias que ha destacado la FSF este mes de mayo de 2025.

La Administración de la Seguridad Social de EE. UU. revierte la política de verificación de identidad que impide la libertad

Del 17 de abril

A mediados de marzo, la Administración del Seguro Social de EE. UU. (SSA) anunció el fin de completar cualquier proceso que requiera prueba de identidad por teléfono. Si esta política se hubiera implementado como se había planeado originalmente, habría obligado a las personas elegibles para el seguro social a elegir entre viajar a una oficina de la SSA posiblemente lejana o ejecutar JavaScript que no es libre.

Todas las personas que tienen derecho a la seguridad social deberían poder reclamar las prestaciones que les corresponden en libertad, y merecen reclamar estas prestaciones con facilidad. Si desea abogar por reclamar los beneficios del seguro social en libertad, consulte y modifique nuestro script para la SSA.

Google dejará de dar soporte a los primeros termostatos Nest el 25 de octubre

Del 26 de abril por Ryan Whitwam

Se espera (y se agradece) una fecha de caducidad para una barra de pan, pero ¿qué pasa con una fecha de caducidad para un dispositivo que sigue funcionando perfectamente? A partir del 25 de octubre de 2025, Google dejará de dar soporte a los dispositivos creados y vendidos antes de que Google fuera propietario del termostato Nest en las aplicaciones Nest y Home, transformándolos efectivamente en termostatos tontos normales.

Cuando un dispositivo depende de software privativo para ejecutarse, no hay garantía de que el proveedor de software pueda decidir en algún momento dejar de mantener el software o incluso venderlo a otra organización, como fue el caso de Nest Labs Inc. en 2014.

Si se hubiera utilizado software libre en los dispositivos Nest, los usuarios podían escribir actualizaciones ellos mismos (o pedirle a otra persona que lo hiciera). Puedes obtener más información sobre lo que significa la falta de libertad y control sobre los termostatos Nest más antiguos en el siguiente artículo.

Microsoft Copilot aparece incluso cuando no se desea

Del 18 de abril por Thomas Claburn

Los vampiros no solo se encuentran en las películas, sino también en el software privativo. Según informes recientes, el Copilot de Microsoft sigue resurgiendo de entre los muertos, sin importar cuántas veces algunos usuarios hayan intentado apagar el programa.

Este problema de no poder apagar un programa de aprendizaje automático (y evitar que use su trabajo e información sin su consentimiento) es alarmante. También es uno de los muchos problemas relacionados con la libertad con los sistemas operativos privativos como Windows.

Microsoft afirma que se trata de un error (que bien podría serlo), pero el hecho es que un ordenador con Windows instalado no puede ser controlado por su usuario.

Si usted o alguien que conoce tiene Windows instalado y se siente frustrado por la flagrante falta de respeto mostrada por Microsoft hacia sus usuarios y la libertad, ahora podría ser un buen momento para buscar un sistema operativo libre.

apoyo_fsf

Estas son solo algunas de las noticias recogidas este mes, ¡¡pero hay muchas más muy interesantes!! si quieres leerlas todas (cuando estén traducidas) visita este enlace:

Y todos los números del «supporter» o boletín de noticias de 2025 en español, francés, portugués e inglés aquí:

Support freedom

Episodio 43 de KDE Express: ¿Qué es KDE España? – Akademy-es 2024

Me congratula presentaros el episodio 43 de KDE Express, titulado «¿Qué es KDE España? – Akademy-es 2024» donde David Marzal, y en esta ocasión yo de forma indirecta, sigue llevando en solitario estas más que interesantes píldoras. Un hurra por él.

Episodio 43 de KDE Express: ¿Qué es KDE España? – Akademy-es 2024

Comenté hace ya bastante tiempo que había nacido KDE Express, un audio con noticias y la actualidad de la Comunidad KDE y del Software Libre con un formato breve (menos de 30 minutos) que complementan los que ya generaba la Comunidad de KDE España, aunque ahora estamos tomándonos un tiempo de respiro por diversos motivos, con sus ya veteranos Vídeo-Podcast que todavía podéis encontrar en Archive.org, Youtube, Ivoox, Spotify y Apple Podcast.

De esta forma, a lo largo de estos 43 episodios, promovidos principalmente por David Marzal, nos han contado un poco de todo: noticias, proyectos, eventos, etc., convirtiéndose (al menos para mi) uno de los podcast favoritos que me suelo encontrar en mi reproductor audio.

En palabras de David el nuevo episodio de KDE Express toca los siguientes temas:

Episodio 42 de KDE Express: Upgrade físico y puesta al día

Este episodio es el audio sacado de la charla que Baltasar dio en la AkademyES hace un año en valencia. Podéis verlo en https://tube.kockatoo.org/w/swcEieoZ4QU6nyXGxERNM3, pero nos ha parecido que su contenido es apropiado para poder escucharse solo. Y dado que aún estoy en recuperación parece una buena ocasión para compartiroslo en el podcast por si alguien no lo conocía.

  • ¿Para qué sirve KDE España?
  • ¿Hacemos código?
  • ¿Organizamos eventos?
  • ¿Nos reunimos mensualmente en algún sitio?
  • ¿Necesito ser programador para entrar?
  • Todas estas preguntas y muchas más se responderán en esta pequeña exposición de nuestros objetivos.

Os dejamos también el PDF de la presentación: https://archive.org/download/que-es-kde-espana/Que%20es%20KDE%20Espa%C3%B1a.pdf

Recordar que estáis a tiempo de presentar propuesta de charla para AkademyES o de preparar el viaje para asistir: https://www.kde-espana.org/akademy-es-2025

Y, como siempre, os dejo aquí el listado de los episodios. ¡Disfrutad!

Por cierto, también podéis encontrarlos en Telegram: https://t.me/KDEexpress

La entrada Episodio 43 de KDE Express: ¿Qué es KDE España? – Akademy-es 2024 se publicó primero en KDE Blog.

Get openSUSE Gear at oSC25

Heading to the openSUSE Conference 2025 in Nuremberg? Great news! The project will have a shop available at the conference venue where attendees can purchase openSUSE merchandise! Items available at the shop will include popular products from Freewear.org’s openSUSE section.

Between 100 to 125 items, mainly t-shirts, will be available as a preview of brand-new designs that emphasize Leap, Tumbleweed, Slowroll, Aeon and Kalpa and MicroOS. These new items aren’t yet listed on Freewear.org’s website, but there are plans to update the online shop with all of them after the conference.

If you’re particularly interested in specific items, sizes, or styles, we encourage you to email your request in advance to ddemaio@opensuse.org and ishwon@openSUSE.org with the subject line “oSC25 Shop Selection”. Please do this before June 4 since shipments will happen around this time. This helps us better prepare and ensure we have the most requested items available during the event.

Event Details

  • Conference Dates: June 26 – 28, 2025
  • Location: Z-Bau, Nuremberg, Germany
  • What to Expect: Talks, workshops, and community networking

The openSUSE Conference is a free, community-driven event that brings together contributors, developers and enthusiasts from across the globe to collaborate on open-source software development.

Pre-Party

Kick things off early! Join us for the pre-party on June 25 at Kater Murr.

Come by anytime after 6 p.m. and connect with fellow attendees ahead of the main event. 📍 Kater Murr on OpenStreetMap
📍 Google Maps Location

Stay tuned, get involved, and don’t forget to gear up at oSC25!

Mon, May 5th, 2025

Victorhck posted in Español at 16:15

Publicado Qactus 3.0 un cliente Qt para Open Build Service

Se ha publicado Qactus 3.0.0 el cliente en Qt para gestionar tus paquetes de software en Open Build Service

Javier Llorente, un usuario y colaborador de largo recorrido en openSUSE, acaba de publicar la versión 3.0 de Qactus, el cliente en Qt para Open Build Service que ha creado.

Si me retrotraigo hasta mis inicios en esto de GNU/Linux y por extensión en mi andadura en openSUSE, tengo que hacer una mención especial a Javier Llorente, un usuario y colaborador de openSUSE que cuando yo me iniciaba y estaba aprendiendo, le encontraba en las salas de IRC siempre varios pasos por delante y siempre con muy buena disposición a enseñar y orientar.

Pasamos muy buenos momentos en aquella sala IRC y tengo buenos recuerdos de aquellos tiempos que no volverán. Incluso llegamos a coincidir brevemente en la Akademyes de 2016 que se celebró en Madrid.

Aunque por mi parte ya no frecuento esas salas IRC, Javier Llorente sigue colaborando y contribuyendo con la comunidad de openSUSE en muchos aspectos, prueba de ello es la versión 3.0 que acaba de publicar de Qactus un cliente para la gestión de tus paquetes en Open Build Service escrito en Qt y que en esta nueva versión viene muy mejorado.

  • Rediseño de la interfaz de usuario, centrado en el paquete con un estilo moderno similar a Plasma
  • Código portado a Qt6
  • Uso de memoria mejorado
  • Nuevas funcionalidades
    • Barra de ubicación
    • Barra de búsqueda
    • Visión general del proyecto o paquete de software
    • Puedes obtener las revisiones
    • Puedes obtener las peticiones que te lleguen a tu paquete o proyecto
  • Nuevo logotipo
  • Múltiples correcciones de errores
  • Cambio a licencia Apache License 2.0

Muy bien pero ¿Qué es Open Build Services (OBS)?

Podemos leer en la Wikipedia:

es una plataforma de desarrollo para distribución abierta y completa diseñada para alentar a los desarrolladores a compilar paquetes para múltiples distribuciones de Linux, incluidos SUSE Linux Enterprise Server, openSUSE, Red Hat Enterprise Linux, Mandriva, Ubuntu, Fedora, Debian y Arch Linux. Por lo general, simplifica el proceso de empaquetado, por lo que los desarrolladores pueden empaquetar más fácilmente un solo programa para muchas distribuciones y sus versiones, haciendo que más paquetes estén disponibles para los usuarios independientemente de la distribución que utilicen.

Ahora con mis palabras (que espero no se desvíen mucho de la realidad): Es una plataforma en la que los empaquetadores de software, colaboradores, suben el software que quieren, le dan una serie de instrucciones y configuraciones a la plataforma y esta compila ese software para que esté disponible para distintos sistemas GNU/Linux.

Así si tienes un software que desarrollas o que mantienes, puedes subirlo a OBS y tener paquetes .deb o .rpm para distintas distribuciones y de esa manera que estén disponibles para poder instalarlo fácilmente sin que el usuario tenga que lidiar con compilaciones, dependencias, etc.

OBS en su instancia de openSUSE, es el sitio donde se compila todo el software de los repositorios y la propia distribución. Ahí puedes mantener un paquete que te interese tener al día, unirte al equipo de mantenimiento, hacer tus propias pruebas, etc. Y poner ese software a disposición de Leap, Tumbleweed, y otras distribuciones…

Para hacer todas esas tareas a la hora de mantener un software, cambiarle la versión, añadirle un parche, modificar alguna caracterísitica a la hora de compilar, etc. Se puede realizar mediante su interfaz web, su cliente para la línea de comandos y también con Qactus para tener un cliente que se conecte con el servidor y que tenga una interfaz Qt.

Qactus facilita todas esas tareas ofreciendo una interfaz gráfica Qt con la que interactuar con los paquetes en los que colabores. Esta versión 3.0.0 como hemos visto trae novedades, y mejoras en este software.

Gracias a Javier Llorente por seguir colaborando y al pie del cañón aportando a la comunidad después de tantos años.

Enlaces de interés

Upgrade to Freedom Campaign Shifts to End of 10

Microsoft will end support for Windows 10 on Oct. 14 and this will likely trigger a surge in unnecessary electronic waste (e-waste) on International E-Waste Day, which is a day designed to raise awareness about the global issue of e-waste and promote responsible recycling and disposal practices.

The openSUSE Project’s Upgrade to Freedom campaign urges people to extend the life of their device rather than becoming e-waste. Since millions of Windows 10 users may believe their devices will become useless and contribute to the waste of fully functional devices, installing a Linux operating systems like openSUSE or another Linux distribution is more reasonable.

A new initiative called End of 10 has launched that shares the purposes and origin of openSUSE’s Upgrade to Freedom efforts. As the #endof10 initiative also intends to help people extend the life of devices that would otherwise become e-waste, rather than dilute the messaging and narrative, members of openSUSE marketing have decided to transition the Upgrade to Freedom campaign to joining the End of 10 initiative.

The project will update all its previous Upgrade to Freedom content to reflect these changes.

Many articles in the media report that Microsoft demands new hardware or extended support payments for continued use of Windows. Many users own computers that still run well but fail to meet Windows 11 upgrade requirements.

Most computers built after 2010 can run Linux operating systems like openSUSE, Fedora, or Debian with excellent performance. The campaign encourages users to upgrade their software, not their hardware.

Volunteers developed endof10.org as a resource hub. Users can find local repair groups, download installation tools and offer support to others. The site connects people who want to switch away from Windows with those ready to help.

The End of 10 organizers have launched the first phase with outreach to FOSS communities, Repair Cafes, and media outlets. Over the next several months, they will promote install fests and coordinate local outreach events. They will continue promoting the campaign throughout 2025 as the Windows 10 deadline approaches.

Organizers encourage teachers, developers, and students to join the effort.

We encourage everyone to learn more about the campaign at endof10.org.

Additional Information

What does the “End Of 10” campaign have planned? At the moment, activities include traditional media outreach, social media campaigns, and in-person install events ramping up to 14 October. As an example, we are planning a “Lists of 10” campaign with the hashtag #EndOf10, with topics like:

  • “10 reasons to switch to Linux”
  • “10 Free & Open Source apps to try on your new Linux computer”
  • “10 Free & Open Source apps you may already use but didn’t know it”

Important: End Of 10 wants the larger FOSS universe to be at the center of everything the campaign does. The goal of the campaign is to speak as a big FOSS family and therefore there is no tolerance for negative messaging about other FOSS communities.

We hope you and other FOSS members will join us in the End Of 10 campaign, so we can promote Free & Open Source Software as a solution for Windows 10 users who wish to keep their devices safely in use, together.

This is part of a series on End of 10 where we advocate for Free & Open Source Software as a solution for Windows 10 users who wish to keep their devices rather than contributing to e-waste of functioning devices.

Qactus v3.0.0 is out!

Qactus 3.0.0 comes with many changes, such as:

  • UI redesign, package-centred with a modern style (Plasma-ish)
  • Code ported to Qt6
  • Improved memory usage
  • New features:
    • Location bar
    • Search bar
    • Project/package overview
    • Getting revisions
    • Getting requests per project/package
  • New logo
  • Multiple fixes (and some bugs? 😉
  • Switch to Apache License 2.0

RPM packages

I have also updated jOBS, a Java-based Open Build Service library and developed a basic GUI for it,
OBS FX; it is a JavaFX-based OBS client with a green touch 🙂

The rpm and zip are available at GitHub.
Download OBS FX

Mover por defecto al arrastrar y soltar – Esta semana en Plasma

Es increíble el trabajo de promoción que está realizando Nate en su blog, dese hace más del tiempo que puedo recordar. Cada semana hace un resumen de las novedades más destacadas, pero no en forma de telegrama, sino de artículo completo. Su cita semanal no falla y voy a intentar hacer algo que es simple pero requiere constancia. Traducir sus artículos al castellano utilizando los magníficos traductores lo cual hará que: la gente que no domine el inglés esté al día y que yo me entere bien de todo. Bienvenidos pues al primero de la serie «Esta semana en Plasma» que lleva por título «Mover por defecto al arrastrar y soltar». Espero que os guste y, sobre todo, que pueda mantener el ritmo de publicación de Nate Graham.

Mover por defecto al arrastrar y soltar – Esta semana en Plasma

Nota: artículo original en Blogs KDE. Traducción realizada utilizando deepl.com. Esta entrada está llena de novedades para Plasma 6.4. Mis comentarios están entre corchetes.

¡Bienvenido a un nuevo número de «Esta semana en Plasma»! Cada semana cubrimos lo más destacado de lo que está sucediendo en el mundo de KDE Plasma y sus aplicaciones asociadas como Discover, System Monitor, y más.
Esta ha sido otra gran semana, resultado de la suave congelación de características de Plasma 6.4 que se acerca rápidamente y que entrará en vigor hoy. Así que hay montones de cambios útiles e interesantes para el usuario. Creo que Plasma 6.4 se perfila como una gran versión. Compruébalo:

Novedades destacadas

Plasma 6.4.0

18 años después de que se solicitara por primera vez, ahora puedes configurar el sistema para que al arrastrar y soltar archivos y carpetas a otra ubicación del mismo disco se muevan automáticamente, en lugar de preguntar cada vez. (Sebastian Parborg, enlace) [Es que hay cosas que se tienen que repensar mucho].

Ahora puedes activar la función de zoom a pantalla completa de KWin con un gesto de pellizco con tres dedos (pulgar más dos dedos). (Xaver Hugl, enlace) [Importante mejora que responde a la intunición].

System Monitor ahora permite supervisar el uso de la GPU por proceso (sólo Intel y AMD por ahora; NVIDIA llegará más adelante). (David Redondo y Lenon Kitchens, enlace)

El Administrador de tareas ahora permite configurarlo de modo que al desplazarse por una tarea sólo se recorran sus ventanas, en lugar de todas las ventanas. (Theo Luschnig, enlace)

Se ha añadido una nueva página «Sensores» al Centro de información que permite ver los datos brutos de los sensores. (Thomas Duckworth, enlace) [Los amantes del control estarán satisfechos].

Mejoras notables en la interfaz de usuario

Plasma 6.4.0

La página Historial del Monitor del Sistema incluye ahora dos estilos de gráfico de CPU (total y por núcleo) y también incluye un gráfico de uso de GPU. (Arjen Hiemstra, enlace)

Mover por defecto al arrastrar y soltar

…Pero no se preocupe, si ha personalizado la página Historial en el pasado, su versión personalizada se conservará. [Esta es una de esas cosas que se agradecen cuando algo se actualiza].

Mejorado el nivel de calidad por defecto del servidor RDP, y aclarado el rango de niveles de respuesta/calidad entre los que se puede elegir para que sea más sensible. (Akseli Lahtinen, enlace)

El diálogo de autenticación ahora reproduce un sonido del tema de sonido cuando aparece. (Bogdan Cvetanovski Pašalić, enlace) [Esta mejora es interesante, a veces se pierde entre ventanas].

Frameworks 6.14

El cuadro de diálogo que te pregunta si quieres abrir o ejecutar un archivo es ahora mucho más elegante. (Kai Uwe Broulik, enlace)

Corrección de errores importantes

Plasma 6.3.5

Se ha corregido un error que provocaba que las notificaciones cuyo texto incluía el carácter < cortaran todo el texto siguiente. (Akseli Lahtinen, enlace)

Se ha corregido un error que provocaba que los widgets de notas adhesivas del escritorio olvidaran su tamaño personalizado si se cambiaba su tamaño. (Christoph Wolk, enlace)

Plasma 6.4.0

Eliminados los vídeos de la página de Efectos de Escritorio de la Configuración del Sistema, ya que todos estaban en varios estados de rotura, y básicamente no podrían funcionar a largo plazo porque nadie va a mantenerlos actualizados. Al eliminarlos se solucionan múltiples fallos. (Oliver Beard, enlace 1, enlace 2) [Es una lástima y es una cosa que estaría bien mantener. ¿nadie se anima a intentar recuperar esta funcionalidad?].

Ahora funciona el elemento «C» en las listas de idiomas de la página Región e idioma de la Configuración del sistema. (Han Young, enlace)

Se ha corregido un error que provocaba que los títulos de los cuadros de grupo temáticos de Breeze que utilizaban fuentes y tamaños de fuente no predeterminados no aparecieran correctamente. (Kai Uwe Broulik, enlace)

La página «Entradas» de la ventana de configuración de la bandeja del sistema es ahora más inteligente a la hora de saber cuándo un cambio realizado pero no aplicado antes de ser revertido no debe contarse como un ajuste modificado. (Christoph Wolk, enlace)

Se ha corregido un error por el que la configuración del modo de clic de la ventana «Activar, elevar y pasar clic» no siempre elevaba la ventana. (John Kizer, enlace)

Gear 25.08.0

El icono de la bandeja del sistema para KTeaTime respeta ahora correctamente el esquema de colores de tu estilo Plasma, y el indicador de remojo se muestra en un tamaño adecuado. (Fabian Vogt, enlace 1 y enlace 2)

Otra información de errores destacables:

Novedades técnicas y de rendimiento

Plasma 6.4

Si tienes un monitor que no se porta bien con DDC/CI (el mecanismo que permite a Plasma manipular los niveles de brillo de las pantallas), ahora puedes desactivarlo. (Jakob Petsovits, enlace 1 y enlace 2)

Implementado soporte para el protocolo Wayland «Relative tablet dials» (zwp_tablet_pad_dial_v2). (Nicolas Fella, enlace)

Implementado soporte para el protocolo Wayland «Toplevel tag» (xdg_toplevel_tag_v1). (Xaver Hugl, enlace 1 y enlace 2)

Soporte implementado para el protocolo Wayland «Color Representation» (color_representation_v1). (Xaver Hugl, enlace)

Mejorado el soporte del joystick del mando de juegos de varias maneras. (Jeremy Whiting, enlace)

El sistema de rastreo de fallos DrKonqi ahora utiliza mucha menos memoria mientras trabaja, haciendo menos probable que cause que tu sistema se quede sin memoria y lo termine. (Harald Sitter, enlace)

Cómo puedes ayudar

KDE se ha convertido en algo importante en el mundo, y tu tiempo y contribuciones nos han ayudado a conseguirlo. A medida que crecemos, necesitamos su apoyo para mantener KDE sostenible.

Puedes ayudar a KDE convirtiéndote en un miembro activo de la comunidad e involucrándote de alguna manera. Cada colaborador marca una gran diferencia en KDE – ¡no eres un número o un engranaje en una máquina!

Tampoco tienes que ser programador. Existen muchas otras oportunidades:

¡También puedes ayudarnos haciendo una donación! Cualquier contribución monetaria – por pequeña que sea – nos ayudará a cubrir los costes operativos, salarios, gastos de viaje de los colaboradores, y en general a mantener KDE llevando el Software Libre al mundo.

Para obtener una nueva característica de Plasma o una corrección de errores mencionada aquí, siéntase libre de enviar un commit a la solicitud de fusión correspondiente en invent.kde.org.

La entrada Mover por defecto al arrastrar y soltar – Esta semana en Plasma se publicó primero en KDE Blog.

Nathan Wolf posted in English at 01:30

Framework 2nd Gen Event | Blathering
Framework Computers' 2nd Gen Event showcased exciting announcements, including the Framework Desktop and Laptop 12, emphasizing modularity and repairability. The Desktop features high-speed performance with a compact design, while Laptop 12 targets students with a convertible format. Concerns about resource strain and parts availability were noted, but overall enthusiasm for Framework's innovation remains high.