FreeBSD jails made simple using BastilleBSD

I wish I had BastilleBSD twenty years ago. I had a part-time sysadmin job running web servers. PHP started to become popular around the turn of the century, and FreeBSD jails seemed a safe environment in which to run PHP-enabled web servers. However, there were no tools yet to work with jails, so I had to write many scripts to build and update jails.

A bit of history

At first, I had a single server. Adding a new client every other month by hand was not a big overhead. However, after a year or so, the service became popular. First, I automated adding new users, then creating jails, migrating jails between servers. Later, the service gained central management, an LDAP and Windows-based management application, and almost everything was automated. At its peak, my system served tens of thousands of domains.

Of course, my scripts were not as universally useful as BastilleBSD. They were single purpose: creating FreeBSD jails with various PHP versions. Later some extra utilities were added, like ImageMagick, used by many popular PHP applications. As disk space was at a premium, these scripts made sure that only the absolutely necessary files stayed in the jails. Removing all shells and apps with extra privileges also helped reduce the attack surface. The way my jails were created also meant that package management was not an option: the jails could not be updated in place. Any security update meant compiling a new base system and new ports.

Why BastilleBSD?

BastilleBSD has a very different approach to jails. Of course, not all the functionality of my scripts is covered; migrating jails between hosts, for example, is missing. However, its tools are more generic and make it easy to maintain jails.

Compiling an updated jail and updating jails was a painful process even with my scripts. With BastilleBSD, updating the base system of a release without touching any of the packages is a single command:

bastille update 13.0-RELEASE

and every jail built on that release picks up the latest security updates at once. The jail's own writable directories (/etc, /usr/local, /var) are not part of that shared base, so the jail's configuration stays as you left it.

I spent a lot of time removing files from jails; that way I could spare hundreds of megabytes for each jail. BastilleBSD solves this problem differently: the base system of a release is installed only once and mounted read-only under each thin jail (the default kind). This saves even more space and makes the system harder to tamper with, since a process that gains code execution inside a jail cannot modify the shared base binaries.

To add an application to a jail, I had to compile everything from scratch. Once everything was installed, the scripts removed many of the files. BastilleBSD has full package management within jails: if a user needs an extra app, it can easily be installed, and all packages in a jail can be updated almost the same way as on the host. Here the package catalog of the jail named alcatraz is refreshed and then its installed packages are upgraded:

bastille pkg alcatraz update
bastille pkg alcatraz upgrade

What’s more, BastilleBSD has a template system. Instead of installing all applications by hand from ports, templates automate the process. It’s a bit like a Dockerfile on Linux, but there is no central registry to store images: you download the templates with git and apply a template to a jail locally.

bastille template alcatraz BastilleBSD-Templates/syslog-ng
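To show what such a template contains, here is an added example of a small Bastillefile for a syslog-ng jail. It is my own illustration, not the BastilleBSD-Templates/syslog-ng template the post applies, and the file names, ports and rc variables in it are assumptions. Bastille reads the directives top to bottom against the target jail: PKG installs packages, CP copies a file shipped next to the Bastillefile into the jail, SYSRC sets rc.conf variables inside the jail, SERVICE drives rc scripts, RDR adds a pf redirect from a host port to the jail port, and CMD runs a command inside the jail.

```text
# Bastillefile (added example; assumes etc/syslog-ng.conf lives beside this file)
# Apply with: bastille template <jail> <template directory>

# Install from the pkg repository configured inside the jail
PKG syslog-ng

# A fresh jail has the base syslogd enabled, and it would hold udp/514.
# Stop and disable it so only the service we intend is listening.
SYSRC syslogd_enable=NO
SERVICE syslogd onestop

# Ship our own configuration; the source path is relative to the template directory
CP etc/syslog-ng.conf /usr/local/etc/syslog-ng.conf

# Enable and start syslog-ng (SYSRC writes the jail's own /etc/rc.conf)
SYSRC syslog_ng_enable=YES
SERVICE syslog-ng start

# Expose the collector: host port 514 -> jail port 514.
# Only effective when the host pf.conf carries Bastille's rdr anchor.
RDR tcp 514 514
RDR udp 514 514

# Syntax-check the configuration inside the jail before pointing clients at it
CMD syslog-ng -s
```

Because the release is mounted read-only in a thin jail, everything this template writes lands in the jail's own writable layer (/etc, /usr/local); the shared base is untouched, which is what keeps bastille update safe to run across all jails later.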

I do not want to list here all BastilleBSD advantages, so here are just some highlights: it can configure PF firewall rules, use ZFS, and there is even some experimental support for Linux-based jails.

What is next?

If you want to learn more about BastilleBSD, check their website: https://bastillebsd.org/. For a very simplified introduction, you can also read my blog, where I use the syslog-ng template of BastilleBSD to setup a couple of syslog-ng servers: https://www.syslog-ng.com/community/b/blog/posts/running-syslog-ng-in-bastille-revisited

The Brave browser to protect our privacy
by Network Users Institute

Nowadays we want our privacy to be respected, especially when browsing the web. The Brave web browser does exactly that while blocking practically all advertising on the Internet. Brave pays for each website you visit for the display of advertisements. If ad blocking doesn't bother you, …


The post Le navigateur Brave pour protéger notre vie privée appeared first on Cybersécurité, Linux et Open Source à leur plus haut niveau | Network Users Institute | Rouen - Normandie.

Let it snow '21
by Hans Petter Jansson

Amidst the holidays that perhaps aren't turning out exactly as hoped, one can take comfort in small tokens of continuity – like the fact that xsnow is still being actively maintained.

Thanks, everyone, for all the good software. Let's extract the best from the year to come.

March 5th, 2022 update: Sigh.


What's new in Konsole for KDE Gear 21.12

As I have been mentioning these days, we are facing a new massive release of updates to the KDE applications, this time just before the end-of-year holidays, with which the developers of the KDE Community keep showing the world that their clear goal is to offer the best of Free Software to everyone continuously, constantly and without revolutionary changes. And as always I am going to devote a few articles to reviewing the good news, so today it is time to talk about what's new in Konsole for KDE Gear 21.12, following on from the news about Dolphin, Spectacle and Kdenlive of previous days.


I must admit, and I always mention it in my talks, that I used to be terribly afraid of the console. And I say used to because I use it more and more, and I find it brutally useful. It has become a tool for quick and effective actions, while also letting me see where the errors in applications are.


Moreover, if you use a terminal like Konsole, things only get better thanks to the multitude of options it provides: tabs, multiple windows, previews of various files such as images, searching for phrases directly in the web browser, customization options for its appearance, etc.

And, as could not be otherwise, Konsole keeps improving thanks to the constant work of the developers of the KDE Community. Thus in this KDE Gear 21.12 the application offers us almost 100 improvements, some of which are the following (taken from the changelog):

  • New "edit-copy-path" icon for the menu item.
  • The scrollbar now adapts to the terminal's color scheme for the Breeze widget style.
  • Updated the manual for the new menus.
  • Optimized saving of profile shortcuts.
  • Added a "set as default" option to the profile edit dialog.
  • Change in behavior with plugins: instead of hiding the Plugins menu, show a "no plugins available" action.

More information: KDE Gear 21.12

Digest of YaST Development Sprint 137
by YaST Team

Year 2021 comes to an end, but not before the YaST Team publishes another development report covering areas as diverse as:

  • Improvements in the installer self-update mechanism
  • Better error reporting in storage analysis
  • More consistent management of UEFI
  • Better handling of the installer boot arguments
  • More intuitive representation of thin logical volumes

Let’s check every one in detail.

Fast Self-Update for All

As you may know, YaST has the ability to update itself at the very beginning of the installation of the operating system. That makes it possible to correct the installation process in case errors are detected after publishing a given release of SUSE Linux Enterprise.

Recently we found there was room for improving the speed and also to simplify how the mechanism works in some scenarios. It’s hard to explain exactly what we did in only a few words… so we will not try. ;-) But if you don’t mind reading quite some words and watching a couple of animations, go and check the description of this pull request.

Apart from the already mentioned improvements, we also extended the YaST self-update to support relative URLs. Check the details in this separate pull request.

Better Error Reporting Regarding Storage Devices

One of the most important phases of the execution of YaST, both during installation and when running some of the available configuration modules, is the analysis of the storage setup of the system. That includes checking the available disks and how they are organized into partitions, RAIDs, LVM volume groups and many other storage technologies recognized by YaST. If something goes wrong during that process, YaST stops and asks the user whether it should abort the current process.

That’s fine for most cases. But what happens if a system presents a problematic setup… replicated in more than 60 disks? Those kinds of setups are not unusual in enterprise environments and having to click “continue” 60 times is not exactly fun. So we decided to improve how YaST reports those errors, adding also the possibility of easily reviewing them all at any later point in time from the Partitioner. Check this description of the feature, containing dozens of screenshots!

This new mechanism will be used in future releases of Leap and SLE and is already available in openSUSE Tumbleweed.

More Consistent Management of UEFI

A lot of modern systems use UEFI firmware for booting. But correctly checking whether a given system uses that technology, or which UEFI features are available, is not always straightforward. During this sprint we did some internal reorganization of the YaST code that deals with UEFI to make it more robust. Why would an internal reorganization be relevant to our blog readers? Because we took the opportunity to document how the detection works and how it can be overridden so that YaST sets up UEFI from a system booting in legacy x86 mode, and vice versa.
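The post does not reproduce the detection logic, so here is an added example (my own, not YaST's code) of the check a Linux installer can make, plus an override parameter standing in for the kind of boot argument the post says can force one mode or the other. The /sys/firmware/efi entries are what the kernel exposes on an EFI boot; the override parameter, the function names and the dict keys are assumptions.

```python
"""Detect whether a Linux system was booted via UEFI (added example, not YaST code).

The kernel creates /sys/firmware/efi only when it was started by UEFI firmware.
/sys/firmware/efi/fw_platform_size reports the firmware word size (64 or 32), which
tells a 64-bit kernel on 32-bit firmware (mixed mode) apart from a plain 64-bit boot.
/sys/firmware/efi/efivars must be present for an installer to register a boot entry.
"""
from pathlib import Path
from typing import Optional


def detect_firmware(sysfs_root: str = "/sys", override: Optional[str] = None) -> dict:
    """Return {'mode': 'uefi'|'legacy', 'bits': 64|32|None, 'efivars': bool, 'source': str}.

    `override` (assumed name) mimics a boot argument forcing the mode; it wins over
    detection but cannot conjure up efivars on a legacy-booted system.
    """
    if override is not None:
        if override not in ("uefi", "legacy"):
            raise ValueError(f"unsupported firmware override {override!r}")
        return {"mode": override, "bits": None, "efivars": False, "source": "override"}

    efi = Path(sysfs_root) / "firmware" / "efi"
    if not efi.is_dir():
        return {"mode": "legacy", "bits": None, "efivars": False, "source": "no /sys/firmware/efi"}

    bits: Optional[int] = None
    size_file = efi / "fw_platform_size"
    if size_file.is_file():
        try:
            bits = int(size_file.read_text().strip())
        except ValueError:
            bits = None  # unparseable: still a UEFI boot, width unknown

    return {
        "mode": "uefi",
        "bits": bits,
        "efivars": (efi / "efivars").is_dir(),
        "source": "sysfs",
    }


def can_register_boot_entry(info: dict) -> bool:
    """Writing an EFI boot variable needs real efivars; an override alone is not enough."""
    return info["mode"] == "uefi" and info["efivars"]


if __name__ == "__main__":
    info = detect_firmware()
    print(info, "can register boot entry:", can_register_boot_entry(info))
```

Run it on a live system to see the real values; the point of separating detection from the override is that an installer forced into UEFI mode from a legacy boot can lay out an ESP and install a bootloader, but cannot register the entry in NVRAM until the machine has been rebooted in UEFI mode.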

Better Handling of the Installer Boot Arguments

What do self-update, error reporting and UEFI detection have in common in YaST? Of course, that all of them have been mentioned in this blog post. But also that their behavior can be influenced by passing boot parameters to the installer. That's a powerful tool for advanced users that provides great flexibility but that had a tiny drawback… until it was fixed during this sprint.

Intuitive Visualization of LVM Thin Volumes

The last change we want to highlight in this report is something that may be considered cosmetic and that affects only those using such an expert tool as LVM thin logical volumes. But it represents the kind of details we really enjoy improving when we have some spare development cycles. The small UI adjustment you can see in this pull request is already available at openSUSE Tumbleweed and will be also there in future releases of SLE and openSUSE Leap.

That’s all for this year

As we always point out, this is only a small sample of everything we have done during the sprint. But we don't want to keep you busy reading about bug-fixes and small code reorganizations. After all, year 2022 is around the corner and it's already vacation season in many areas around the globe. So go and enjoy the celebrations. The YaST Team will be here next year with more news to share. Take care!


GCompris 2.0 released, another gift from the KDE Community

It seems this year's end comes loaded with news. To the release of KDE Gear 21 (with its flood of application news), another anniversary on top of KDE's 25 years, which I will announce soon, the continuous improvements of Plasma and the mega update of Plasma Mobile applications, we can add that GCompris 2.0 has been released, an application that keeps offering true marvels for girls and boys.


As the GCompris developer team has accustomed us, each new release of this suite of educational games offers us a good collection of new features.

This GCompris 2.0 is no exception: in addition to the usual bug fixes and updates to the language packs that are part of the suite, it offers new modules that mean my GCompris series needs revising.

To see them all, I refer you to the GCompris article; here I will only give a couple of brushstrokes:

  • Baby Mouse: for children who are learning to use a computer for the first time. It presents them with a friendly environment with brightly colored ducks in which they can use a mouse, a touch screen or any other input device to move a duck, click on a blank part of the screen, or click on other elements of the screen and receive visual and audio feedback. This activity is ideal for helping to develop hand-eye coordination and dexterity.

  • Sort numbers and Sort letters: children familiar with numbers and the alphabet can practice sorting within various ranges. A step further is Sort sentences, in which children can practice reading and grammar by ordering the parts of sentences.

  • Positions: another activity that helps children practice reading comprehension and spatial location at the same time; the player sees pictures of a child and a box and has to choose the word that best describes where one is relative to the other.

I would like to stress that in my opinion this application should be present in every educational community, as it already is in many speech-therapy centers.

Remember that GCompris also has an Android version, although limited in some of its activities; in addition an installer for Raspberry Pi is being prepared for early 2019. Also, the updated versions for macOS and iOS are not available yet, but they are expected to be released during the coming year.

More information: KDE News | GCompris

What is GCompris?

GCompris is a collection of educational applications containing different activities for children between 2 and 10 years old. Originally GCompris was written in C and Python using the GTK+ toolkit, but in early 2014, when its developers announced they were becoming a project of the KDE Community, it was rewritten in C++ and QML using the Qt toolkit.

More information: GCompris

KaliLinux 21.04 update
by Network Users Institute

A new release of Kali Linux came out at the beginning of December 2021. An excellent tool for pentesting. A simplified update:

$ sudo apt update
$ sudo apt full-upgrade -y

A cat /etc/os-release

Nine new tools to discover:
  • Dufflebag: for searching for secrets in exposed EBS volumes.
  • Maryam: a framework for …


The post MAJ KaliLinux 21.04 appeared first on Cybersécurité, Linux et Open Source à leur plus haut niveau | Network Users Institute | Rouen - Normandie.


Geeko Magazine Special Edition 2021 Winter

This is day 19 of the openSUSE Advent Calendar. This year I completely ran out of steam. I would like to manage a few more posts before Christmas.

We are publishing a Geeko Magazine Special Edition for the first time in two years. The first distribution will be at Comic Market C99; our space is Day 2, East "Te" 14b. This year's Comic Market requires an advance ticket and a vaccination certificate or PCR test result, so please take note if you plan to attend.

The articles in this issue are as follows. Despite the long gap, we gathered as many as in previous years.

  • Packages now binary-identical with SLE! openSUSE Leap 15.3 released
  • Could this be useful!? Interesting-looking software found in the package description list!?
  • Translating package descriptions from Weblate with OmegaT + TexTra
  • An introduction to Kubernetes, starting from manifest debugging
  • Novel: The busy days of a high-school idol playing with Geeko

Distribution opportunities after Comic Market are undecided. OSC is expected to stay online for the time being, so we will consider what to do.


M8 — Drum and Base

M8

I drafted a post on how the Dirtywave M8 is an amazing synth, but given the time and the growing scope of that post, I’ll sum it up in a short blurb instead. For a single man project, this synth is a miracle. Very geeky, all shortcut driven, standing on the shoulders of tracker giants, particularly LSDJ, it has a solid workflow and most definitely isn’t a gimmick. You’ll have to do without any visual aid. This is what I love on the Elektron boxes, where the display really helps you understand what you’re doing when filtering or creating an LFO. All you have here are hex numbers and consistent shortcuts. But it sounds absolutely marvelous and allows you to create music anywhere.

I’d like to share two tracks I’ve learned the ropes of the device on, but also the genre itself. I’ve listened to DNB mainly through Noisia/Vision radio podcast that made my runs possible (I hated running all my life, but it’s really the best way to combat the negative effects of sitting behind a computer all day). But I’ve never actually tried producing a track within that DNB realm.

Tengu

Woohan

While I lean on samples for the beats, the bass is all the internal FM (with multiple oscillator types, not just sine) and macrosynth engines.

I’ve also been learning the ropes of Blender’s geometry nodes recently. While only scratching the surface, I created this visualizer for the track. The heavy lifting is done with baking the sound to f-curves, which is then somewhat tweaked to acceptable ranges with f-curve modifiers.

I also have to mention the absolutely bonkers amazing visual identity of the M8 project. It just couldn’t be more hip. This is also my very last gear acquisition. For sure.


geewallet 0.4.300.0 released!
by Andrés G. Aragoneses

Day 10 of my 21-day quarantine*! And to celebrate, I'm going to release a new version of geewallet. It's not that I blog about geewallet releases often (or blog at all, lately), but this one is a special one for me. We decided to call it 0.4.300.0.


The highlights:

  • We fixed the GTK theme for our snap package. (Long version of the story: ever since we upgraded our snap generation process to take place in Ubuntu 20.04 instead of Ubuntu 18.04, the theme stopped working so the app was not showing anymore with the default theme of the system, but with the default Gtk theme, which is very plain. Even if you might consider this issue important, we haven't had time to look at it because we've been very busy finishing Lightning support. Sorry.)
  • The chart rendering doesn't use SkiaSharp anymore, but good-old Cairo. This fixes some UI glitches that we had in the GTK frontend. (Long version: for this, we didn't just draw the chart using Cairo in our Gtk frontend, we actually wrote an implementation of the Shapes API for the Xamarin.Forms' GTK backend, and we contributed the work upstream: https://github.com/xamarin/Xamarin.Forms/pull/14235 . Hopefully they merge it soon so that we don't need to use our own forked repo/nuget anymore.)
  • Fixed a crash when pairing with a cold-storage wallet. (Long version: user might not know that pairing is only allowed against another geewallet instance; low-hanging fruit bugfix which I shouldn't have neglected for so long, I know.)
  • Fixed a crash when scanning some QR-codes that contained unknown parameters in the bitcoin URI. (Long version: I was actually in El Salvador and when trying to use a BTM, I found this bug! Apparently some BTMs here add an extraneous "chivo" param in the URI's querystring, in case the wallet being used is the one from the government; not sure why. In this case, geewallet was failing fast instead of ignoring the unexpected intruder.)
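The QR-code crash above is the classic BIP21 edge case, so here is an added example (mine, not geewallet's F# code) of a bitcoin: URI parser that follows the BIP21 rule: parameters the wallet does not understand are ignored, but an unknown parameter prefixed with req- makes the whole URI invalid, and a malformed amount is refused rather than silently accepted. The "chivo" parameter comes from the post; the addresses in the usage are constructed placeholders, and no address validation is done.

```python
"""Tolerant BIP21 bitcoin: URI parser (added example; not geewallet's code).

BIP21: a wallet MUST ignore query parameters it does not know, except that an
unknown parameter whose name starts with "req-" makes the URI invalid.
Address validation (Base58Check / bech32) is out of scope here.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional
from urllib.parse import parse_qsl


class Bip21Error(ValueError):
    """Raised for URIs the wallet must refuse rather than ignore."""


@dataclass
class PaymentRequest:
    address: str
    amount: Optional[Decimal] = None  # in BTC, at most 8 decimal places
    label: Optional[str] = None
    message: Optional[str] = None
    ignored: Dict[str, str] = field(default_factory=dict)  # unknown optional params, kept for logging


def _parse_amount(raw: str) -> Decimal:
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise Bip21Error(f"amount is not a decimal number: {raw!r}") from None
    if not amount.is_finite() or amount <= 0:
        raise Bip21Error(f"amount must be a positive finite number: {raw!r}")
    if amount.as_tuple().exponent < -8:
        raise Bip21Error(f"amount has more than 8 decimal places: {raw!r}")
    return amount


def parse_bip21(uri: str) -> PaymentRequest:
    """Parse 'bitcoin:<address>[?k=v&...]'; unknown keys are tolerated, 'req-' keys are not."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "bitcoin":
        raise Bip21Error("not a bitcoin: URI")
    address, _, query = rest.partition("?")
    if not address or any(c in address for c in "/?#& "):
        raise Bip21Error("missing or malformed address")

    req = PaymentRequest(address=address)
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == "amount":
            req.amount = _parse_amount(value)
        elif key == "label":
            req.label = value
        elif key == "message":
            req.message = value
        elif key.startswith("req-"):
            # The sender insists this be understood; we do not, so fail closed.
            raise Bip21Error(f"unsupported required parameter {key!r}")
        else:
            # Unknown optional parameter (e.g. a BTM's "chivo"): record it, never crash on it.
            req.ignored[key] = value
    return req


if __name__ == "__main__":
    # Constructed sample input, placeholder address
    print(parse_bip21("bitcoin:1ExampleAddr?amount=0.001&label=Coffee&chivo=1"))
```

The asymmetry is the point: a wallet that crashes on an unknown optional key is a denial of service against its own user, while one that ignores a req- key it does not understand may pay under terms it never checked.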
The less important (not user-facing) work:
  • Our CI now checks that our Android, macOS, and iOS frontends don't break. Previously the only frontends that we built in CI were the Gtk one (Linux) and the Console one (cross-platform, it's just terminal-based).
  • We do snap package generation in GitLab now instead of GitHub. This is good because Microsoft keeps changing the Linux VMs being used in the GitHubActions service so we cannot keep up fixing things that just break out of the blue (so, they break independently from what we change in our commits, which is very confusing!). (Long version: we had to use GitHubActions because GitLabCI uses docker under the hood; so given that snapcraft uses systemd, it conflicts with it; now we use a "docker in docker" approach to be able to run in GitLabCI; which also allows us to publish the snap package as an artifact in the GitLabCI pipeline, not just publishing it to the Snap Store; this way, in case you somehow need a previous version in the future you can grab it from there, something that you couldn't just via snap AFAIU).
Limitations:
  • Even though this wallet supports two ETH currencies (ETH itself, and DAI), we don't recommend their use at the moment because of the high fees and long confirmation waits these days. This is because the wallet waits for an ETH transaction to be mined (to make sure it didn't run out of gas, and if it did, report the problem to the user), but these days this wait is longer than the time-out. The short-term fix for this is either a) assume it will never run out of gas, since our address is not a contract anyway (so I guess it can never run out of gas, right? feel free to prove me wrong, my ETH knowledge is not top-notch), or b) have some UI indicating that a transaction has been sent but not accepted by the network yet. The long-term fix is to have off-chain (Layer2) technology supported by the wallet, but we don't know which technology we will choose for this, and of course we're giving priority to the first Layer2 technology: Lightning (which is only compatible with BTC and LTC). All this aside, the wallet works well with ETC (an Ethereum-compatible technology). Anyway, this doesn't worry me too much because... what is the ETH blockchain used for these days, mainly? NFTs and DeFi pyramid schemes. In case you didn't get the memo, most of the former (if not all) are scams, and the latter are all of them mainly based on dubious centralized stablecoins (which could suffer fractional reserve and therefore cause bank runs, as Elizabeth Warren has already warned about).
  • Despite this wallet being implemented with .NET (F#), our Windows compatibility story is very poor :'-( We ran into limitations of the Microsoft's AOT technology being used for UWP apps (required by the official process required to publish it in the WindowsStore) in the past. Nowadays apparently you can publish apps in the WindowsStore without these limitations, but we haven't tried again. Maybe by the next time we give it another go, we might have moved to MAUI already (which means WinUI instead of UWP under the hood). As always, if this is your cup of tea, we accept MRs!
BTW on the topic of F#, I augmented my tiny C#-to-F# tutorial to include Python (so Python devs can try how it feels to switch to a more typed approach without the need to be so verbose, thanks to F# type inference!), as both languages have a very similar style (indentation based, no curly braces!). Check it out.

* And on the topic of quarantine (which was increased from 14 to 21 days for me just because of the omicron panic) I just wanted to share some rambling that is in my head: if the omicron strain is more infectious but at the same time is less dangerous (I think it was only yesterday that the first death happened because of it, right? at least the first one covered by the media) than the others, then wouldn't this be a good outcome? Or rather, a least worse one. I mean, if this variant gets more prevalent around the pandemic, this coronavirus might actually become just the next flu, right? So: endemic, but with much less mortality rate. I don't know, hopefully something along these lines happens, just sharing some positive perspective! Be safe.

NB: if you're looking for this version in Android, please be aware that the validation from Google takes a bit of time, hopefully the update will be available in the Play store in less than 24h.