Digest of YaST Development Sprints 135 & 136
After almost a month of radio silence, the YaST Team is back with another development report. The two latest sprints brought:
- New features like:
  - More general LUKS2 support in the Partitioner
  - Mechanisms to detect if the system boots using EFI both in AutoYaST rules and ERB templates
  - Enhanced handling of NTLM authentication in linuxrc
- Usability improvements in several areas of YaST
- Dropping some legacy features to have a more sane code-base
- More internal refactoring in the area of software management
- Many fixes here and there
So let’s dive into the details.
New Features
As already explained in this same blog quite some time ago, the YaST Partitioner can be used to set up several kinds of encryption, but “Regular LUKS2” was not one of those. That was intentional because using LUKS2 comes with many challenges, as summarized in this Bugzilla comment. But now the time has come to start introducing experimental support for general LUKS2 encryption. Initially it will be available in openSUSE Tumbleweed and pre-releases of SLE-15-SP4 but only if the environment variable YAST_LUKS2_AVAILABLE is set. Check the description of this pull request for screenshots and more information.
Support for LUKS2 in AutoYaST will have to wait a bit, until we have received some feedback from interactive installations and ironed out all the details. But AutoYaST users can meanwhile test and enjoy another new feature available also in Tumbleweed and 15.4 pre-releases - support for identifying EFI systems in dynamic profiles, which includes both rules and ERB templates. Learn more and see some examples in the description of the corresponding pull request.
The last feature for Tumbleweed and the upcoming 15.4 that we want to highlight in this report is the brand new support for NTLM authentication in linuxrc. The authentication process is actually delegated to curl. Passing credentials to curl through the linuxrc parameters is as easy as you can see in the following examples:
install=https://user:password@example.com/the_repo
proxy=https://user:password@example.com
Usability Improvements
Sometimes, you don’t need to introduce a whole new shiny functionality to enhance the life of the end users. Small improvements can also have a big impact… although “small” doesn’t always mean “easy to implement”. In that regard we would like to highlight that:
- We improved filtering and sorting in the list of DASD devices in s390 mainframes
- The installation on that architecture will run in graphical mode if executed in QEMU and a Virtio GPU is detected
- Configuring the custom boot partition in YaST2 Bootloader is now more robust and intuitive
Less Code, Fewer Problems
Going even further, enhancing the software is sometimes not even a matter of adding or polishing functionality but a matter of cleaning up features that are no longer useful, removing code and infrastructure in the process. Simpler usually means more robust and maintainable.
In that regard, you can check this pull request about management of group passwords or this other about the obsolete format to configure the partitioning proposal.
Internal Changes and Fixes
If you are interested in technical details and in taking a look at the YaST internals, we also have a couple of pull requests that could be interesting, like this fix for the detection of duplicated LVM structures and this improvement in the way YaST manages the initialization of its user interface.
Talking about internals, we mentioned several times our ongoing effort to restructure how software management works in YaST. You can see some more technical details in this gist if you have an interest in the design of computer programs and APIs.
Winter is coming
It’s less than one month to the official start of winter in the Northern Hemisphere. We keep working hard and we hope to give you at least another update of the YaST status before that date. Meanwhile we can only remind you, no matter in which part of the world you are, to have a lot of fun!
MicroOS Expands Security With Keylime
Recently MicroOS gained some new options related to security. The distribution has now integrated Keylime, an open source project for doing remote attestation with TPMs.
If you follow the news about Windows 11, you are aware of what a TPM is. The Trusted Platform Module (TPM) is a cryptoprocessor, described by the Trusted Computing Group (TCG) in a specification that has been standardized in an ISO/IEC document. You can find the TPM already soldered onto the mainboard of your computer, but it can also be found as a service in the firmware, or inside your CPU.
This co-processor can be used for many tasks related to security. For example, we can use it to generate symmetric and asymmetric keys, to encrypt some memory blocks (not too big, as it is a bit slow), or as storage for keys that can be used only by us (or by applications that have permissions).
Because the TPM comes from the factory with a unique key (known as the Endorsement Key or EK), it can also be used to generate other keys that can later be used to check whether some information comes from this specific machine or not. That is very handy when we want to validate the source of some communication (for example, when logging in to a VPN).
Another main use of the TPM is health attestation: we want to know if the system is in a good state, i.e., that there has been no change in the software it is running since we turned it on.
That means that we need to measure all the software that has been running in the system, from the very initial stages in the firmware until the load of the Linux kernel and the initrd. Later we compare those measurements with the values that we know are good, and if they match we will know that no change has been made in our system.
We can do that using the TPM. Each stage in the boot chain will need to load the next stage before delegating the execution to it. Before doing so we need to calculate a hash function (like SHA256, for example) of it, and report it back to the TPM to track the measurements.
After the boot has concluded, we can ask the TPM about those hashes, and compare them to the expected values. If they match our expectations, it is safe to assume that no change has been made in the software used since the initial boot stages, and the system is in good shape.
For security reasons, we want to do the comparison between the expected measurements and the current ones on a remote machine. This machine can ask about the current measurements, and request that this report be signed by the TPM. We can later validate the signature and compare the hashes with the expected values.
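The measure, extend and compare cycle described above can be sketched in a few lines. This is an added example, not code from Keylime or MicroOS: the stage names and contents are constructed placeholders, a single SHA-256 PCR is modelled, and the TPM's signature over the reported PCR value is assumed to have been validated already.

```python
import hashlib

PCR_SIZE = 32  # bytes in a SHA-256 PCR bank

def measure(blob):
    """Hash a boot component before execution is handed over to it."""
    return hashlib.sha256(blob).digest()

def extend(pcr, digest):
    """TPM extend: new PCR = SHA256(old PCR || digest); a PCR cannot be set directly."""
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    """Recompute the final PCR value from the ordered (name, digest) events."""
    pcr = bytes(PCR_SIZE)  # the PCR is all zeros at reset
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr

def attest(event_log, reported_pcr, known_good):
    """Verifier side: return (ok, reason)."""
    # 1. The log must reproduce the PCR value the TPM reported; if it does
    #    not, the log was altered or truncated after the fact.
    if replay(event_log) != reported_pcr:
        return False, "event log does not match PCR"
    # 2. Every measured component must match its known-good digest.
    for name, digest in event_log:
        if known_good.get(name) != digest:
            return False, f"unexpected measurement: {name}"
    return True, "ok"

# Constructed sample boot chain (placeholder contents, not real binaries).
STAGES = [("bootloader", b"bootloader-v1"),
          ("kernel", b"kernel-v1"),
          ("initrd", b"initrd-v1")]
KNOWN_GOOD = {name: measure(blob) for name, blob in STAGES}
GOOD_LOG = [(name, measure(blob)) for name, blob in STAGES]
GOOD_PCR = replay(GOOD_LOG)

# Same chain booted with a modified kernel: the TPM was extended with a different digest.
BAD_LOG = [(n, measure(b"kernel-modified" if n == "kernel" else b)) for n, b in STAGES]
BAD_PCR = replay(BAD_LOG)

if __name__ == "__main__":
    print(attest(GOOD_LOG, GOOD_PCR, KNOWN_GOOD))  # healthy system
    print(attest(BAD_LOG, BAD_PCR, KNOWN_GOOD))    # honest log, changed kernel
    print(attest(GOOD_LOG, BAD_PCR, KNOWN_GOOD))   # log rewritten to hide the change
```

Because each extend hashes the previous PCR value, the final value depends on every measurement and on their order, so a rewritten log cannot be made to agree with what the TPM reports.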
Keylime is the tool that can do this for us in a richer and more secure way. We can install an agent service on all the machines of our network, which will collect all the measurements and signatures and report them to the verifier service that will do the attestation.
MicroOS now has two new system roles that will install Keylime agents on our systems, and we can select one node to install the verifier role.
If you like the idea, you can find more information in the MicroOS blog and in the MicroOS portal. In there you will find technical details about how the TPM is really working and how to use Keylime with measured boot and IMA, all of which are using the TPM as a root of trust.
First impressions of Akademy-es 2021 online
These days, a good part of the Spanish KDE community is hungover. On Sunday we closed another edition of our main event and it is time for reflection. That is why I want to share my first impressions of Akademy-es 2021 online publicly.
First of all, I must share with you my regret at not having been able to take a proactive part in organizing the event. It is not that I did nothing, since I published articles on the blog, encouraged speakers, prepared pages for the KDE España website and promoted the event on social networks, but I was not able to drive the organization's actions, so I was always playing catch-up.
Fortunately the organizers made up for my lack of drive by multiplying their own, so I can only be grateful to them for the work they did.
Secondly, I would highlight that although it seems we have now overcome the technical problems that come with going virtual, and that this solves the typical scheduling and travel problems, being there in person is sorely missed. At the very least, as a speaker I need the feedback the audience gives me in order to deliver more dynamic and enriching talks.

Nevertheless, as I said elsewhere, I hope this experience encourages us to always leave the door open to making our events virtual by default, even when they are held in person, so that we can reach more people. Streaming, which used to be an anomaly, is from now on going to become something basic at any event.
Moving on to the talks, it seems to me that this year (following in the footsteps of last year) they have once again been very varied (only Albert Astals and Daniel Gutiérrez gave two talks this time), which shows us that this format helps people get to events they otherwise could not.
And, variety aside, the quality of the talks was also very high; I do not want to single out any of them above the others, but it is clear that the development of Free Software is unstoppable.
All of this makes me very happy about this Akademy-es 2021 online, which has once again helped me recharge my batteries at a time in my life when I need it… a lot.
Mobile Photography
I love photography. I started taking photos four decades ago using a camera called Lubitel, a cheap Russian knock off of Rolleiflex. I switched from film to digital photography back in 2000, which was quite a bit earlier than most. I always treated mobile photography with strong skepticism (small sensor, too much processing, etc.) and have a dedicated camera with me everywhere.
Well, the problem is with the words “always” and “everywhere”. There can be many reasons why I do not have my camera with me:
- doing grocery shopping
- doing some sports
- extreme weather
- visiting a neighborhood where I’m afraid to take a camera and lenses worth thousands of dollars
However, I do not leave my eyes at home together with my camera. I never know when I’ll see some beautiful scenes while walking to the shop. Earlier I just took a deep breath that it’s a helpless situation and I went on, as I did not have a dedicated camera with me. Nowadays my view changed. Even if I do not have a real camera with me, I always have my mobile with me. As usual, there are exceptions here too: when I accidentally leave it in the charger :-)
Some of my favorite photos during the past few weeks were taken with my mobile phone. Yes, these photos are far from perfect from the technical point of view. But still, they captured the mood of the moment perfectly. And without my mobile I would have missed some nice moments of Autumn. So, using my mobile phone to take photos is still better than nothing.

Mobile Photography: Autumn mood 1.

Mobile Photography: Autumn mood 2.
You can find some of my photos on Gurushots
GNU Taler talk: a socially responsible payment system
The GNU/Linux user does not live on Akademy-es alone. Today I want to invite you to attend the talk "GNU Taler, a socially responsible payment system", an in-person talk that will be held on Wednesday the 24th and is organized by the GNU/Linux València association and Valenciatech.
These days virtual currencies are becoming more and more famous and are starting to find a more tangible place in our daily lives. Are they reliable? Are they secure? Are they ethical?
All these questions, and a few more, will be answered by Javier Sepúlveda, technical director and GNU/Linux systems administrator at VALENCIATECH, volunteer at GNU.org, and president of the Asociación GNU/Linux València, in his talk "GNU Taler, a socially responsible payment system", which will be held on Wednesday 24 November at 18:30 at Las Naves, although as an appetizer there will be networking with old and new members from 17:00.

In the description of the talk we can read that:
GNU Taler is a free payment system whose fundamental principle is to preserve the consumer's privacy while preventing tax evasion, being efficient and being proof against fraudulent payments.
Nevertheless, I am sure you will want to know much more about this payment system, so do not miss the talk.
More information: Talk – GNU Taler – Electronic payment system
Join GNU/Linux València!
I take this opportunity to remind you that for a few months now the folks at GNU/Linux Valencia have had their own menu on the blog, so following their events on this humble blog will be easier than ever, and you will be able to see for yourselves the high level of the activities they carry out, which stand out for their variety.
And also, GNU/Linux València has grown and has become an association!!! So if you are looking for a way to contribute to Free Software, this association may be the place for you. We are waiting for you!
Thank you, SUSE QE
Some here might not know it, but some teams from the 'SUSE Quality Engineering Linux Systems Group' use the Redmine installation here at https://progress.opensuse.org/ to track the results of the test automation for openSUSE products. Especially openQA feature requests are tracked and coordinated here.
As the plain Redmine installation does not provide all wanted features, we have included the "Redmine Agile plugin" from RedmineUP for a while now. Luckily the free version of the plugin already provided nearly 90% of the requested additional features. So everybody was happy and we could run this service without problems. But today, we got some money to buy the PRO version of the plugin - which we happily did :-)
There is another plugin, named Checklist, for which we also got the GO to order the PRO version. Both plugins are now up and running on our instance here - and all projects can make use of the additional features.
We would like to thank SUSE QE for their sponsoring. And we would also like to thank RedmineUP for providing these (and more) plugins to the community as free and PRO versions. We are happy to be able to donate something back for your work on these plugins. Keep up the good work!
Pixel Sites
I’ve created a couple of minisites for key OS components, built using no frameworks, but plain CSS. Just having CSS grid and variables made it viable for me to avoid using frameworks recently. Having includes/imports one wouldn’t even need Jekyll.
The founding stone on all of these is the pixel art, which is now becoming my favorite art form.

If you maintain an upstream OS component and are looking to replace a wiki or a markdown readme with a simple site, I’ve created a template to get you started quickly.



