Thu, Dec 12th, 2024

Lanzado KDE Gear 24.12, edición fondos 2024

Pasados seis meses desde el Megalanzamieto de KDE 6, las distintas ramas ya llevan su ritmo de trabajo habitual. Hoy, jueves 12 de diciembre, ha sido lanzado KDE Gear 24.12, la cuarta gran actualización de la rama de aplicaciones de la Comunidad que se lanza justo antes las fiestas navideñas y que quiere centrarse en la recaudación de fondos, algo básico para seguir creciendo y ofrecer software de calidad para todos y todas.

Lanzado KDE Gear 24.12, edición fondos 2024

Una vez más esta entrada es muy sencilla de realizar gracias al gran trabajo del Equipo de Promo, con la colaboración del resto de desarrolladores, de la Comunidad KDE ya que cada vez realizan mejores anuncios.

Lanzado KDE Gear 24.12, edición fondos 2024

Gracias al apoyo continuado de generosos donantes, cada 4 meses KDE lanza una larga lista de nuevas versiones de aplicaciones, todas al mismo tiempo.

Hoy lanzamos KDE ⚙️ Gear 24.12 con nuevas versiones de clásicos de KDE como Dolphin, nuestro gestor de archivos y explorador repleto de funciones; Kate, el editor de texto fácil de usar para desarrolladores; Itinerary, un asistente de viaje que le llevará sano y salvo a su destino. …¡y mucho, mucho más!

Estas aplicaciones existen gracias a los voluntarios y donantes de KDE. Tú también puedes contribuir y expresar tu apoyo a tus aplicaciones favoritas adoptándolas.

Esto es todo hoy, en cuanto pueda empiezo la serie para ir repasando las novedades de KDE Gear 24.12 en el que veremos las mejoras en múltiples aplicaciones. Si estáis impacientes y queréis ver una lista completa de todas las mejoras podéis consultar el registro de cambios completo.

Y, recuerda, todo este software es gratuito y sin publicidad en todos los sentidos: no te cuesta ni un euro y no se cobra en en forma de datos personales. No obstante, si quieres ayudar a su desarrollo siempre puedes participar en su campaña de recaudación de fondos.

La entrada Lanzado KDE Gear 24.12, edición fondos 2024 se publicó primero en KDE Blog.

Wed, Dec 11th, 2024

Aprende HTML desde cero y crea tu propio sitio web

El lenguaje HTML es el lenguaje con el que se construye internet. Empieza a aprender desde cero creando tu propio sitio web y dándole el aspecto que desees

Al principio en aquel internet primigenio, hace más de 30 años, se creó lo que se ha llamado el lenguaje HTML con el que contruir aquellas primera páginas y que sigue totalmente funcional hoy en día.

Un navegador accede a un equipo remoto y este le sirve una página creada en este tipo de documento almacenada en dicho equipo. Un texto escrito con un lenguaje de marcado sencillo que le añade unos extras: texto en cursiva, texto en negrita, añadir una imagen, por ejemplo.

Y lo más novedoso, enlaces que apuntan a otro equipo al que acceder y que este sirve su propia página al navegador del visitante, tejiendo así un red o web en inglés…

Este lenguaje HTML a pesar de tener más de 30 años sigue siendo vigente. Podríamos abrir una de aquellas páginas escritas en HTML en nuestro más reciente navegador y seguiría siendo legible.

El lenguaje HTML es la herramienta primigenia y principal con la que se construye la web e internet. Después ha derivado en «modernidades» a veces no tan duraderas y menos respetuosas con los visitantes.

Así que aprender HTML desde cero sin conocimientos previos y poder crear nuestra propia página web totalmente funcional, es como una recuperación de un trabajo artesanal rescatado. Y eso no tiene que estar reservado para personas más versadas en tecnología.

El HTML está creado para las personas, así que cualquier persona puede empezar a aprender el lenguaje HTML y para eso es este libro web libre y gratuito que hoy te presento:

HTML para personas es mi traducción de la web HTML for people creada por Blake Watson y publicadas ambas bajo una licencia libre CC-by-nc-sa 4.0.

Cuando lo conocí hace ya unos meses me pareció un gran trabajo, a nivel personal para leerlo y aprender cosas nuevas, nuevos conceptos, explorar cosas que sabía un poco por encima y aprender.

Como siempre me pasa, con el tiempo, me pareció que la mejor manera de «obligarme» a leerlo a fondo era traducirlo al español. Esto haría que lo leyese, y comprendiese y al mismo tiempo estaría ofreciendo ese trabajo en español, para que sirviera como recurso a todas aquellas personas que les resultara útil.

Así que manos a la obra. Puse mis editores de texto Kate y Vim a trabajar y descargados los archivos me dediqué a la tarea de traducir, adaptar y publicar mi versión en español de este libro web para aprender HTML desde cero.

En él empezamos creando nuestro primer archivo HTML desde un editor de texto sencillo y lo abrimos en nuestro navegador. Y poco a poco vamos repasando las etiquetas del lenguaje de marcado HTML para dar formato al texto.

Durante el proceso veremos cómo poder crear nuestra propia página web, incluyendo una página de información persona, un currículum en línea e incluso nuestro propio blog, y cómo hacer que nuestra página web forme parte de la red de redes que es internet. En concreto serás capaz de realizar una web como esta:

Iremos aprendiendo los códigos más frecuentes de HTML, veremos cómo darles diseño con CSS y cómo crear contenido. Además servirá para abrirnos la curiosidad a aprender más cosas.

También contiene 3 capítulos extra para dar un paso más allá del propio HTML. Veremos qué es eso de CSS, crearemos nuestro propio estilo CSS para aplicarlo a nuestra web y unas nociones someras para iniciarnos en PHP y expandir y complementar esa iniciación a HTML.

No te asustes, de primeras puede sonar muy abrumador, pero verás que el método seguido empieza desde cero y va ganando en conocimientos, pero siempre accesibles. Además es muy gratificante seguir el ejemplo y ver cómo vamos dando forma a nuestra propia página web.

Puedes crear tu web de pruebas, o personal o para algún proyecto en el que participes. HTML dará visibilidad a tus ideas en internet. Sé parte activa, no seas un mero espectador, sé un actor dentro de internet.

Ojalá te resulte útil y te animes a aprender HTML y este libro sea esa chispa inicial que salta para que ahondes en ello.

HTML para personas, podrá ser útil en ese aprendizaje personal, o quizás lo quieras utilizar en un pequeño taller que impartas, o para usarlo con tus alumnos en clase. Eres libre de usarlo como quieras siempre que respetes la licencia de compartir de igual manera, dar reconocimiento y no usarlo de manera comercial.

He pasado muchas horas traduciendo, corrigiendo, haciendo capturas de pantalla, publicando, haciendo pruebas, etc. Si te apetece puedes donarme mediante LiberaPay, o al autor original mediante Ko-fi. Ya dones o no, dispones del libro de forma totalmente libre y gratuita.

El libro no está libre de errores y siempre son bien recibidas las mejoras a la hora de traducir, redactar, correcciones tipográficas, etc. Por eso no dudes en hacérmelas saber, ya sea desde el repositorio git del proyecto o por otro medio de contacto.

Utiliza ese medio de contacto (o comentando en este artículo) para decirme si te gustó o compartir de manera respetuosa y constructiva tu opinión. Siempre es de agradecer ese feedback.

Espero que disfrutéis del libro, espero que sea útil y espero que recuperemos un internet más artesanal que conecte personas, no simples usuarios de 4 grandes empresas tecnológicas que monopolizan la red.

Enlaces de interés

Lanzado KPhotoAlbum 6, organiza tus fotos de forma sencilla

Esta es una aplicació que tardó más de diez años en aparecer en el blog, algo que hace 5 años remedié… aunque no del todo bien porque ha vuelto a caer en el ostracismo. De nuevo es hora de volver a sacar este programa ya que ha sido lazando KPhotoAlbum 6.0, , un organizador de fotos sencillo y eficiente que te ayudará a mantener tu colección de recuerdos digitales ordenada y accesible.

Lanzado KPhotoAlbum 6.0, organiza tus fotos de forma sencilla

Antes de nada quiero recordar que ya existe un más que completo gestor de imágenes en KDE llamado digiKam que puede manejar con precisión milimétrica tus imágenes, pero en ocasiones necesitamos algo más sencillo. En otras palabras, tenemos a Gimp para trabajar con imágenes pero en ocasiones con Tux Paint o KolourPaint nos basta y sobra.

Así es donde entra KPhotoAlbum, una aplicación para los que no quieren toda la complejidad de digiKam. Pues bien, el pasado 7 de diciembre ha sido anunciado que se ha lanzado la sexta versión, una versión importante ya que da el salto a Qt6/KF6. Pero mejor que lo explique uno de sus desarrolladores:

Hemos portado KPhotoAlbum a Qt6/KF6. Eso es todo 😉

El port en sí ha sido hecho por Johannes y yo, commits adicionales han sido aportados por Randall Rude y Fabian Würfl. ¡Gracias por trabajar en KPA con nosotros!

Una cosa que vale la pena mencionar es que para la funcionalidad de mapas/geodatos, necesitamos Marble. La versión Qt5/KF5 de Marble no se puede co-instalar con la versión Qt6/KF6, y ésta aún no está liberada. Pero Marble 24.12.0 (que será la primera versión oficial Qt6/KF6) saldrá en unos días. Así que espera a que salga antes de actualizar a KPA 6, para no perder las partes del mapa.

Quizás, la versión Qt6/KF6 contenga algunas regresiones. El código base está bastante avanzado en años en algunas partes, y hemos tenido que meternos con bastantes problemas heredados para hacer que todo encaje en Qt6/KF6. Así que si notas algo, por favor, presenta un informe de error respectivo y/o ponte en contacto con nosotros a través de nuestra lista de correo o canal Matrix (cf. Soporte al usuario → Comunicación). Gracias por tu participación (esperemos que no sea demasiado necesaria).

Que te diviertas mucho con KPhotoAlbum 6 🙂

Tobias

Lanzado KPhotoAlbum 6.0

Como vemos, una buena noticia porque a partir de ahora su desarrollo será mucho más fluído ya que estará integrada con el resto de aplicaciones del ecosistema KDE.

Más información: KPhotoAlbum

La entrada Lanzado KPhotoAlbum 6, organiza tus fotos de forma sencilla se publicó primero en KDE Blog.

Linux, openSUSE ready for Everyday Users

Most people don’t give much thought to their operating system, but with Windows 10 support ending in October 2025, many will start searching for alternatives that keep them secure without spending more than $100 for a software upgrade or on hardware that still works perfectly.

User-friendly Linux distribution like openSUSE and others offer an excellent solution for everyday tasks like social media, video conferencing, web browsing and more.

If you’re a casual computer user wondering whether you can accomplish the same tasks on Linux that you’ve been doing on Windows, the answer is a resounding YES!

From messaging apps like Telegram to video conferencing with Zoom, openSUSE has you covered. This guide will show you how easy it is to get started with Linux and continue using the apps and tools you’re familiar with.

Get the below applications as a Flatpak in the software center of your desktop environment.

Web Browsing: Chrome, Firefox, Brave, and More

Browsing the web on Linux is just as simple as it is on Windows or macOS. openSUSE supports a wide range of web browsers, including some of the most popular names in the market.

  • Mozilla Firefox comes pre-installed with most Linux distributions, including openSUSE. It’s fast, privacy-focused, and supports all major web standards, making it perfect for everything from casual browsing to online shopping and video streaming.
  • Google Chrome is available on Linux and can be installed easily on openSUSE. If you’re used to Chrome’s features, including syncing bookmarks and settings across devices, you’ll feel right at home.
  • Brave is another great option for privacy-conscious users. It blocks trackers and ads by default and gives people a fast and secure browsing experience. Brave is also easy to install on openSUSE. All these browsers support extensions and features you’re already familiar with, so switching to Linux won’t feel like a big leap.

Social Media Apps: Telegram, Discord, and More

Staying connected on social media is easy, especially getting your favorite apps for messaging, video calls and group chats. Whether as a native downloadable app or as Flatpak app, you will hardly know a difference.

  • Telegram is available for Linux and can be installed directly from the openSUSE software repositories. It works just like the version you’re used to. It allows you to chat, make voice calls and share media with your contacts.
  • Discord, a popular platform for gamers and communities, this also works seamlessly on Linux. You can download the Linux version from the Discord website or install it as a Flatpak for easy updates. Whether you’re chatting with friends or joining online communities, Discord on openSUSE is just as powerful as its Windows counterpart.
  • Signal, a privacy-focused messaging app, is available for Linux and ensures that your chats are secure with end-to-end encryption. It’s a great alternative to WhatsApp for privacy-conscious users.

Video Conferencing: Zoom and Alternatives

Video conferencing has become a staple for work and personal use, and openSUSE has strong support for popular platforms like Zoom and others.

  • Zoom offers a Linux version that works just like the Windows app. You can download it from Zoom’s official website or use the Flatpak version. Whether you’re attending work meetings, online classes or virtual hangouts with friends, Zoom on openSUSE is fully functional and reliable.

  • Jitsi Meet is a free, open-source alternative to Zoom that doesn’t require any installation. You can use it directly from your web browser. The project even uses it for its online bar making it a quick and easy option for video conferencing without the need for additional software. Visit the openSUSE Bar and the may be some people there ready to explain how easy it is to move to Linux.
  • Google Meet and Microsoft Teams are also fully supported on Linux via web browsers like Chrome or Firefox, so you can join meetings without any issues. There is even an unofficial Flatpak app for Teams.

Email: Thunderbird, Evolution, and More

Managing your email is easy through the browser or on with several great apps to choose from.

  • Mozilla Thunderbird is a popular email client that comes pre-installed on many Linux distributions, including openSUSE. It supports multiple email accounts, calendars and task management, which makes it great for everyday use.
  • Evolution is another feature-rich email client that supports Microsoft Exchange, Google accounts, and more. It’s an option if you need advanced email, calendar, and task management features.
  • Gmail, Outlook, and other web-based email services are fully accessible via your preferred browser, just as they are on Windows.

Streaming and Multimedia: Spotify, VLC and More

Linux supports popular platforms for streaming music, videos and other media.

  • Spotify has an official Linux client that you can install on openSUSE. It works the same as it does on other operating systems, giving you access to your playlists, podcasts and favorite music.
  • VLC Media Player is the go-to app for playing virtually any media file. Whether you’re watching movies, TV shows or home videos, VLC’s powerful playback features make it a top choice on a Linux distribution.
  • YouTube and other streaming services, such as Netflix, Hulu, and Disney+, are fully supported on Linux via web browsers like Chrome or Firefox.

File Sharing and Cloud Storage: Dropbox, Google Drive, and Nextcloud

Managing your files and cloud storage is simple on openSUSE.

  • Nextcloud is a popular open-source alternative to commercial cloud storage services. It allows you to host your own cloud storage solution, giving you full control over your files.
  • Dropbox has a Linux client that integrates seamlessly with your desktop and allows you to sync files just as you would on Windows or macOS.
  • Google Drive can be accessed through the web browser.

How to Install

Users transitioning from Windows 10 to openSUSE should know it has the same functionality for common tasks like browsing, messaging, video conferencing, and media streaming, but without the need for expensive hardware and software upgrades. Here is an easy step-by-step guide to downloading software on your openSUSE Linux distribution:

KDE Plasma: Using Discover Software Center

KDE Plasma’s default software center is called Discover, which provides an easy way to search for and install applications.

Plasma Step 1: Open Discover

  1. Click on the Application Launcher (bottom-left corner of your screen, represented by a green chameleon logo or KDE logo).
  2. Type Discover in the search bar, and click on the Discover app to open it.

Plasma Step 2: Search for Software

  1. Once Discover is open, you’ll see a search bar at the top.
  2. Type the name of the software you’re looking for, such as “Firefox,” “Telegram,” or “Zoom.”

Plasma Step 3: Install the Application

  1. Click on the application from the search results.
  2. Click the Install button.
  3. Wait for the installation process to complete. Once done, the Install button will change to Launch.

Plasma Step 4: Launch the Application

  1. You can launch the newly installed application from the Discover window by clicking Launch, or find it in your Application Launcher.

GNOME: Using GNOME Software Center

GNOME’s default software center is called GNOME Software, which functions similarly to an app store.

GNOME Step 1: Open GNOME Software

  1. Click on Activities in the top-left corner of your screen.
  2. Type Software in the search bar, and click on GNOME Software to open it.

GNOME Step 2: Search for Software

  1. At the top of the GNOME Software window, there’s a search bar.
  2. Type the name of the software you want to install, such as “Brave,” “Signal,” or “Spotify.”

GNOME Step 3: Install the Application

  1. Select the application from the search results.
  2. Click the Install button.
  3. GNOME Software will handle the download and installation. Once finished, you can launch the app directly from the software center.

GNOME Step 4: Launch the Application

  1. After installation, you can click the Launch button in the software center, or find the app in the Activities overview by searching for it.

Whether you’re using KDE Plasma or GNOME, installing software on openSUSE is straightforward with the software centers. Both Discover (KDE) and GNOME Software provide user-friendly interfaces that allow you to search for, install, and manage your applications just like you would in an app store. This makes it easy for users transitioning from Windows 10 to feel comfortable using their new Linux system for everyday tasks.

This is part of a series on Upgrade to Freedom where we offer reasons to transition from Windows to Linux.

Tue, Dec 10th, 2024

Personalizando KDE con el tema Marge de Seducción Linux por OpenShield

Hace mucho tiempo que no presento un vídeo personalizando KDE. Para retomar esta sección nada mejor que una creación de la Comunidad OpenShield en el que personaliza su ArchLinux con el tema Marge de Seducción Linux, todo explicado paso a paso desde el inicio hasta el resultado final. ,

Personalizando KDE con el tema Marge de Seducción Linux por OpenShield

Se ha comentdo muchas veces, una de las fortalezas del entorno de trabajo Plasma de la Comunidad KDE es los cientos de opciones que tenemos para personalizarlo. Esto nos lleva a poder realizar verdaderas transformaciones que lo dejan visual y funcionalmente muy alejado de su aspecto inicial o miméticamente parecido a cualquier otro entorno de trabajo (lease escritorio Gnome, Windows, Mac, etc.)

Pero claro, hacerlo significa «jugar» un poco con el sistema, requeriendo tiempo y conocimientos, sobre todo si quiero que quede perfectamente harmonioso. Es por ello que el vídeo que os presento hoy es muy interesante si quieres llegar a tener un entorno de trabajo minimalista como el de la imagen inferior.

Personalizando KDE con el tema Marge de Seducción Linux por OpenShield

Se trata de una vídeo realizado por OpenShield, en el que lo de menos es el resultado final, que es cuestión de gustos, sino todo el proceso explicado al detalles, incluyendo los pequeños inconvenientes que a veces aparecen, como el de tener que seleccionar alguna versión antes que otra o la de restaurar un icono que no se ha cargado de forma correcta.

Respecto al aspecto visual, decir que la idea es optimizar el tema oscuro Marge, creado por el gran Jomada (X, Telegram, Mastodon, Youtube), que utiliza la misma paleta de colores del tema Otto, pero incluyendo un color azul oriental, siguiendo la sugerencia que le dejó un usuario de la kde store.

¿Qué es OpenShield?

Gracias a mi participación al III Seminario Anual GNU/Linux estoy acercándome a la Comunidad OpenShield , una comunidad centralizada en Youtube pero con extensiones en muchas otras redes. De hecho se definen como un canal de esta red de vídeos, pero creo que es mucho más:

KDE edu estuvo presente en el III Seminario Anual GNU/Linux

Canal de YouTube dedicado a crear contenido sobre GNULinux y Ciberseguridad. Ayudar y hacer llegar la oportunidad de las personas puedan escoger que usar y como usar, todo con una sola visión, la mejora de la calidad y educación de las personas. También tenemos en este proyecto nuestra Academia GNULinux que está orientada por ahora a creación de webinars y próximamente ya a la enseñanza propiamente dicha. Encuéntranos en:

Mastodon Academia GNULinuxsocial.linux.pizza/@academiagnulinux

Mastodon Personalmasto.es/@javitech

Bluesky iMundo Digitalbsky.app/profile/imundodigital.bsky.social

Linkedinlinkedin.com/in/javienrique

Threadsthreads.net/@imundo_digital

X – Openshieldx.com/OpenshieldX

X – Academia GNULinuxx.com/AcademiaOct23

Podcast: open.spotify.com/show/3I4rQMQT7deWTeAxzpXvvP?si=5ce2cb0b51b8449a

Element – Matrix matrix.to/#/!EhURanMsNCReVGrOjq:matrix.org/$xHO_niA5npdFFOhR2JoDTA_xG-izbOa7-x_JTPNk6Jc?via=matrix.org&via=t2bot.io

La entrada Personalizando KDE con el tema Marge de Seducción Linux por OpenShield se publicó primero en KDE Blog.

Mon, Dec 9th, 2024

Eliminar toots antiguos de Mastodon de manera nativa

Mastodon nos permite eliminar toots que hemos publicado pudiendo elegir qué lapso de tiempo y características permitimos

Allá por el prescindible 2020 escribí un artículo sobre esto mismo, borrar toots antiguos de tu cuenta de Mastodon. Por aquel entonces mencionaba dos herramientas que a día de escribir este ya no están disponibles.

Lo bueno, es que Mastodon ha evolucionado lo suficiente para incorporar esta funcionalidad de manera nativa. Así que vamos a actualizarnos y ver cómo lo podemos hacer.

En primer lugar quizás te preguntes ¿Por qué iba a querer yo borrar toots antiguos? Mi respuesta a eso es: ¿Por qué no ibas a quererlo?

Los toots ocupan espacio en el servidor donde están alojados, y ¿realmente te interesa mantener algo que dijiste hace un tiempo?

Quizás ya no pienses lo mismo sobre aquello que dijiste hace medio año, quizás sí piensas lo mismo pero no crees que esto pueda ser importante a día de hoy para nadie más. O quizás simplemente eres consciente de la imperdurabilidad de las cosas en el continuo espacio tiempo y más en algo tan efímero como es internet.

Bueno, en todo caso y sea cual sea las razones, os voy a explicar cómo configurar la fecha de caducidad de tus toots en Mastodon y que estos desaparezcan.

Desde la interfaz web de Mastodon, abrimos el menú de configuración de tu cuenta pinchando sobre los tres puntitos al lado de tu avatar y de todas las opciones escogemos «Eliminación automática de publicaciones».

En la pantalla que nos aparece tenemos distintas opciones que podemos configurar. Son bastante intuitivas y está todo bien explicado, así que no faltaría más que escoger las opciones que queremos para nuestro caso y aplicar los cambios.

En mi caso, tengo configurado que elimine mis toots más antiguos de 2 meses, pero que mantenga los toots que he marcado como fijados, los que me he marcado como favoritos, los mensajes directos que envío a otros usuarios y a los que he añadido un marcador (marcador que no he utilizado en la vida).

También puedes hacer que se mantengan aquellos toots tuyos que hayan tenido cierta relevancia, haciendo que no se borren los que han llegado un número determinado de impulsos o favoritos. Haciendo así perennes aquellos toots que a tus seguidores más les ha gustado y recreándote de ser un «influencer» del fediverso.

Establece (o no) el borrado de tus toots y configúralo a tu gusto en Mastodon de manera nativa en las opciones. Y si te gusta lo que escribo en Mastodon, disfrútalo, porque en dos meses (más o menos) se perderán como lágrimas en la lluvia…

Users of

Users of openSUSE can now rely on the built-in switcherooctl tool for GPU switching, which is already integrated into our distributions with major desktop environments like GNOME and KDE Plasma.

This is a game changer because it eliminates the need for additional tools and simplifies multi-GPU management while enhancing compatibility and performance with users’ systems.

For years, tools such as suse-prime and bbswitch have been staples in managing NVIDIA Optimus laptops and multi-GPU systems, but advancements in kernel drivers and desktop environments have made these tools unnecessary in most cases.

Installations of openSUSE now handle these configurations out of the box, whether using the open-source Nouveau driver or NVIDIA’s proprietary drivers.

In a recent update on multi-GPU systems, users are encouraged to move away from legacy tools like suse-prime, bbswitch, and bumblebee, as they can cause more harm than good on modern systems.

The recommended solution is switcherooctl, which is a lightweight userspace utility designed to manage GPU switching on systems with multiple GPUs. It integrates well with Wayland and Xorg; its functionality extends across both Intel + NVIDIA and AMD + NVIDIA setups. By using switcherooctl, users can easily select which GPU to use for specific applications and eliminate the need for complex scripts or environment variables.

Benefits of switcherooctl

  • Seamless Integration: Unlike older tools, switcherooctl is designed to work natively with modern Linux systems and desktop environments. This ensures a smoother user experience without requiring complex configurations.

  • Improved Performance: Users can specify which GPU to use for specific tasks, so switcherooctl enables optimal performance. Compute-heavy applications, such as gaming or 3D rendering, can utilize the discrete GPU, while less intensive tasks default to the integrated GPU to save power.

  • Enhanced Power Management: Switching back to the integrated GPU when the discrete GPU is not needed conserves battery life and makes it ideal for laptops and portable systems.

  • Wayland and Xorg Compatibility: With increasing adoption of Wayland, having a tool that supports both Wayland and Xorg ensures compatibility across a broad range of systems and setups.

  • Cross-Vendor Support: The Intel + NVIDIA or AMD + NVIDIA configuration make the systems more versatile for all users.

Users should being embracing switcherooctl for multi-GPU management as some of the older tools like suse-prime, bbswitch and bumblebee are likely to be phased out.

GPU Switching: A Multi-GPU Game Changer

Users of openSUSE can now rely on the built-in switcherooctl tool for GPU switching, which is already integrated into our distributions with major desktop environments like GNOME and KDE Plasma.

This is a game changer because it eliminates the need for additional tools and simplifies multi-GPU management while enhancing compatibility and performance with users’ systems.

For years, tools such as suse-prime and bbswitch have been staples in managing NVIDIA Optimus laptops and multi-GPU systems, but advancements in kernel drivers and desktop environments have made these tools unnecessary in most cases.

Installations of openSUSE now handle these configurations out of the box, whether using the open-source Nouveau driver or NVIDIA’s proprietary drivers.

In a recent update on multi-GPU systems, users are encouraged to move away from legacy tools like suse-prime, bbswitch, and bumblebee, as they can cause more harm than good on modern systems.

The recommended solution is switcherooctl, which is a lightweight userspace utility designed to manage GPU switching on systems with multiple GPUs. It integrates well with Wayland and Xorg; its functionality extends across both Intel + NVIDIA and AMD + NVIDIA setups. By using switcherooctl, users can easily select which GPU to use for specific applications and eliminate the need for complex scripts or environment variables.

Benefits of switcherooctl

  • Seamless Integration: Unlike older tools, switcherooctl is designed to work natively with modern Linux systems and desktop environments. This ensures a smoother user experience without requiring complex configurations.

  • Improved Performance: Users can specify which GPU to use for specific tasks, so switcherooctl enables optimal performance. Compute-heavy applications, such as gaming or 3D rendering, can utilize the discrete GPU, while less intensive tasks default to the integrated GPU to save power.

  • Enhanced Power Management: Switching back to the integrated GPU when the discrete GPU is not needed conserves battery life and makes it ideal for laptops and portable systems.

  • Wayland and Xorg Compatibility: With increasing adoption of Wayland, having a tool that supports both Wayland and Xorg ensures compatibility across a broad range of systems and setups.

  • Cross-Vendor Support: The Intel + NVIDIA or AMD + NVIDIA configuration make the systems more versatile for all users.

Users should being embracing switcherooctl for multi-GPU management as some of the older tools like suse-prime, bbswitch and bumblebee are likely to be phased out.

NAS CUBE de Slimbook, un servidor compacto y potente

Sigo con entradas de mi marca de ordenadores favorita: Slimbook. Y es que me he dado cuenta que algunos de sus dispositivos no habían sido presentados en el blog. Como podemos ver en su página web ofrecen su nuevo NAS CUBE, un pequeño servidor ideal para pequeñas empresas que no quieran perder su información y centralizar sus servicios.

NAS CUBE de Slimbook, un servidor compacto y potente

Antes de empezar quiero destacar no penséis que hago toda esta publicidad porque reciba una compensación económica, simplemente porque confio en esta empresa que no olvida que el Software Libre es algo más que Software y que busca ofrecer no solo productos sino un excelente servicio post-venta, algo que en muchas ocasiones olvidamos que es importante.

Dentro de la gama de ordenadores de sobremesa, la empresa valenciana Slimbook presentó hace poco su NAS CUBE, un compacto pero potente servidor, que según ellos mismos es:

el servidor que toda PYME necesita, ideal para compartir ficheros, con una CPU potente que permite ejecutar contenedores, máquinas virtuales y servicios. Incluye redundancia con cuatro puertos de red de 2.5 Gbps

NAS CUBE de Slimbook, un servidor compacto y potente

Algunas de las características de este NASS CUBE son las siguientes:

  • Procesador: AMD Ryzen™ 7 8845HS
  • 8 núcleos 16 hilos, hasta 5.1GHz
  • Gráficos: AMD Radeon 780M
  • Puertos: 1x USB-C USB 4.0
  • Puertos: 3x USB-A 3.2 Gen1
  • Conectividad: 4x RJ45 2.5Gb
  • Wi-Fi 7 (opcional)
  • Material: aluminio
  • Memoria RAM: hasta 96GB DDR5
  • Hasta 8 discos SATA 3 con 2 conectores SFF-8643
  • Hasta 2 NVMe PCIe 4.0 con RAID 0 y 1
  • Compacto 23’3 x 26’2 x 29’8 cm
  • Flujo de aire optimizado con 4 ventiladores
  • Gran cantidad de puertos I/O
  • Indicadores LED 8 discos
  • Modular fácilmente ampliable
  • Hardware RAID 0 / 1 / 10
  • Red fibra óptica SFP
  • Sistema operativo: Linux/Windows/TrueNas

Más información: Slimbook NAS Cube | Tienda

La entrada NAS CUBE de Slimbook, un servidor compacto y potente se publicó primero en KDE Blog.

SUSE Security Team Spotlight Autumn 2024

Table of Contents

Introduction

Welcome to the second edition of our new spotlight series. With these posts we want to give you an insight into activities of the SUSE security team beyond major security findings for which we are publishing dedicated reports. Autumn is always a busy time at SUSE, when new service pack releases and new products are prepared. This results also in an increased amount of review requests arriving for the SUSE security team. This time we will be looking at various D-Bus interfaces, Polkit authentication, temporary file handling issues, a small PAM module and setgid-binary, Varlink IPC in systemd as well as some other topics.

Keepalived Follow-up Review

In bsc#1218688 we looked into Keepalived, a load-balancing software written in C. A colleague in the team noticed suspicious handling of temporary files in /tmp and asked for a more in-depth review.

Temporary File Handling

The creation of temporary files in Keepalived is indeed a bit peculiar. The make_tmp_filename() helper function takes the basename of a temporary file and returns a path to this file in $TMPDIR. An example use would be make_tmp_filename("keepalived.json") and the function will return /tmp/keepalived.json. This can easily lead to unsafe temporary file creation.

In the code the resulting filenames are always coupled with another utility function fopen_safe(), though. This function intercepts attempts to open files for writing ("w" mode) and calls the mkostemp() function behind the scenes to safely create a temporary file. The resulting file will then not be used as-is, though, but will be rename()‘d to the expected predictable filename. This is safe, because rename() will not follow symlinks or otherwise reuse the target path, but simply replace it.

D-Bus Implementation

Keepalived also implements a D-Bus system service running as root. Our team reviewed this component many years ago, which led to multiple CVE assignments. Therefore it seemed like a good idea to have a fresh look at the current situation, while we’re at it. We couldn’t find any problems, though. The code is non-trivial but robust. The D-Bus methods can only be called by root. Only some D-Bus properties can be accessed by unprivileged users, but they are not sensitive in nature.

DKIMproxy Symlink Attack

Our team is monitoring changes to systemd services across all of openSUSE Tumbleweed. One such change occurred in DKIMproxy and led us to bsc#1217173. DKIMproxy is a proxy designed for the Postfix mail server. It implements the DKIM standard for signing outgoing email or verifying incoming email.

The package’s systemd service is not part of the upstream sources, but has been added by the package maintainer on packaging level in the Open Build Service. In this service unit a shell script is executed via ExecStartPre with root privileges, while the actual service runs with the lowered privileges of a dedicated service user and group. The shell script performs naive write operations in a directory owned by the unprivileged user. Therefore the unprivileged user can prepare symlink attacks to cause arbitrary file overwrite in the system, as soon as the script is executed again. The content that is written is not controlled by the attacker, therefore this only has denial-of-service impact and does not allow to raise privileges.

We can observe a number of aspects in this case that, based on our experience, represent typical patterns. In the following sections we will look at these in more detail.

Files Added on Packaging Level

Assets like configuration files, scripts or code that are added on packaging level have an increased probability of introducing problems. Some of the reasons for this could be:

  • there are less people that review such contributions.
  • the process for adding these files is less formalized than e.g. in a GitHub project.
  • packagers that add such files might be lacking knowledge about the upstream project.
  • packagers might accept such files from others that want a certain feature or behavior and don’t know exactly what it does.
  • packagers might take over such files from other Linux distributions, assuming that they are of high quality.

Since we identified that such packaging assets carry an increased risk for issues, we are monitoring additions of and changes to such files in the Open Build Service to look out for problems proactively.

Pre- or Post-Scripts in systemd Services

When privilege separation is in place for a systemd service, we can often find such ExecStartPre and ExecStartPost scripts that are run with raised privileges. This mixture of two different security domains can easily introduce local security issues. This risk is further increased by the fact that these programs are often shell scripts that offer no built-in mechanisms to safely access files owned by unprivileged users as root.

Privilege Separation added after the Fact

Especially in older software that was initially designed to run with full root privileges, privilege separation is sometimes only added as an afterthought, or an unofficial downstream add-on on packaging level. On the surface, such setups often seem to provide privilege separation, i.e. one or more components are running as non-root accounts. This privilege separation can often be easily circumvented as soon as the unprivileged account is compromised, however.

Such weak privilege separation can still offer some level of protection and is usually an improvement over services running as full root. Still, the lack of robustness means that a false promise is given to administrators: namely, that strong separation of privileges exists for such services. The defense in depth is lacking, though, and a change of security scope can happen. Thus, such issues are usually considered worthy of a CVE assignment. In our team we assign or request CVEs for such issues on a case-by-case basis, depending on the severity of the issue, the popularity of the affected software and so on. In the case of DKIMproxy only a denial-of-service can happen and the software is not that widespread, thus we decided not to assign a CVE for it.

Handling of a Vulnerability Report in MirrorCache (CVE-2024-49505)

We have been privately approached by security researcher Erick Fernando about a reflected XSS vulnerability in the openSUSE MirrorCache repository. MirrorCache is a web server that redirects download requests to a mirror according to configuration. We handled the report in bsc#1232341 and assigned CVE-2024-49505 to it. The responsible maintainer applied a fix for the issue and our team member Paolo Perego verified the patch.

Luckily the MirrorCache project is not part of any official products or server side infrastructure of SUSE. We want to thank Erick Fernando again for reaching out to us and reporting this issue.

Issues with Temporary Files in Hardinfo2

Hardinfo2 is a utility to obtain hardware information on Linux, create reports from that data and compare different systems for benchmarking. Hardinfo2 has been newly packaged for openSUSE Tumbleweed in October, and the following lines showed up in our systemd monitoring:

RPM: hardinfo2-2.1.14-1.1.x86_64.rpm on x86_64
Package: hardinfo2
Service path: /usr/lib/systemd/system/hardinfo2.service
Runs as: root:root
Exec lines:
    ExecStart=/bin/sh -c "
        cat /proc/iomem >/tmp/hardinfo2_iomem;
        chmod a+r /tmp/hardinfo2_iomem;
        cat /proc/ioports >/tmp/hardinfo2_ioports;
        chmod a+r /tmp/hardinfo2_ioports;
        chmod a+r /sys/firmware/dmi/tables/*;
        modprobe -q spd5118;modprobe -q ee1004;modprobe -q at24 || true"

The use of fixed temporary file paths sticks out right away, so we created bsc#1231839 to handle the issues resulting from this. By default, kernel protections like protected_symlinks prevent more severe issues like overwriting system files, which would lead to denial-of-service. Even with these protection measures, a local user can pre-create these files and Hardinfo2 will then use the attacker controlled data found in them, causing integrity violation.

Furthermore this logic causes information leaks. The data from /proc/ioports is made world-readable via the temporary file /tmp/hardinfo2_ioports. By default this information is already public in /proc on openSUSE. But it seems on some systems this was not the case, because Hardinfo2 performs these steps to allow unprivileged processes to access that data in /tmp. Another information leak is the chmod a+r operation for /sys/firmware/dmi/tables/*. The permissions of pseudo files should not be altered in a drive-by fashion by system services this way.

We reported the issues to upstream, which quickly worked on improvements in these areas. The shell code has been moved into a proper script named hwinfo2_fetch_sysdata. The problematic files in /tmp are now placed into a dedicated directory in /run/hardinfo2. Users that want to use hardinfo2 now need to be a member of a newly introduced “hardinfo2” group to be able to access the data placed into this directory. The permissions of files in /sys are no longer changed.

Upstream created a new release 2.2.1 containing the changes. We did not request a CVE for these issues, since the biggest impact they can have by default is integrity violation of Hardinfo2 itself.

Aeon-Check Encryption Key in Fixed Temporary File (CVE-2024-49506)

Aeon-Check is a small utility used in openSUSE Aeon. Currently it consists only of a simple bash script invoked via a systemd unit. This script can detect a bug in the TPM-based LUKS disk encryption setup and fix it. To this end, an additional LUKS key slot is temporarily added to the root LUKS device:

keyfile=/tmp/aeon-check-keyfile
dd bs=512 count=4 if=/dev/urandom of=${keyfile} iflag=fullblock
chmod 400 ${keyfile}

<snip>

# Writing keyfile to slot 31 (end of the LUKS2 space) to avoid clashes with any customisation/extra keys
cryptsetup luksAddKey --token-only --batch-mode --new-key-slot=31 ${rootdev} ${keyfile}

The temporary file used to store the ephemeral LUKS key has a fixed filename in /tmp. Fortunately the script has the errexit option set; combined with the protected_regular and protected_symlinks kernel features, no unsafe use of an already existing file in that path will succeed. Without the kernel protection, though, another local user could pre-create this file, and intercept or stage the data used as temporary LUKS key. Even then the chances for exploitation are small, since this systemd service typically only runs once during boot, and the time window during which the temporary LUKS key is valid is short.

Since LUKS encryption is a sensitive area, we still decided to assign a CVE for the issue. We handled the problem in bsc#1228861, and a simple bugfix has been made by the author of the script to use mktemp for safe creation of the temporary file holding the LUKS key data.

SDDM Follow-Up Review of D-Bus Interface

The openSUSE package for the SDDM display manager has been forked for the openSUSE Kalpa flavour. This made a new D-Bus service whitelisting necessary, which was requested in bsc#1232647. The sddm-kalpa package is a Wayland-only version of SDDM, but the sources used in the package are the same as for regular SDDM.

We still used this opportunity to take a fresh look at the situation in SDDM. The D-Bus service shipped with it is practically only a skeleton without implementation. Only a single D-Bus method SwitchToGreeter() is implemented. There is no Polkit authorization, which means that any user can trigger the logic to switch to the greeter. While this situation is not ideal, it is not critical. Therefore we accepted the new package.

Libcgroup Revisited

Libcgroup is a library and set of utilities for using control groups on Linux systems. These days systemd is taking care of this job and, since libcgroup upstream was unmaintained, the package was dropped from openSUSE in 2018. We received a request to reintroduce libcgroup in bsc#1231381. Upstream is active again and there seem to exist some use cases for the package.

Our team was involved because the package contains a setgid binary and a PAM module. We also had a look at the main daemon cgrulesengd, which is running as root. At startup, the daemon iterates over all running processes in /proc and assigns them to control groups according to configuration. Then a netlink socket is set up to obtain events from the kernel about newly created processes and exec() events. These new processes will also be placed into control groups based on configuration.

The approach taken by the daemon is subject to race conditions by design, which is also kind of documented in the upstream repository. Entries in /proc/<pid> can disappear or change security scope e.g. when setuid-root binaries are involved. The configuration is matched to processes based on their name as found in /proc/<pid>/status and the process’ effective uid and gid. We can imagine that a dedicated local attacker will be able to have the libcgroup daemon wrongly assign an unprivileged process to a control group destined only for privileged processes e.g. by exploiting race conditions and using setuid-root binaries like sudo. Since this is by design, we did not approach upstream about this possibility. Users of the package should be aware that this could result in local DoS attack vectors, though.

The setgid program cgexec found in the package is a simple program that only forwards an IPC request to the libcgroup daemon, asking it to mark the calling process as “sticky”. The binary requires special group permissions to be allowed to connect to the UNIX domain socket of the libcgroup daemon. The extra privileges are dropped right after connecting to the socket. The socket is also closed right after sending the request. So escalating group privileges, leaking the socket file descriptor or otherwise influencing the IPC communication done by cgexec is not a concern.

The PAM module shipped with the package only implements a PAM session type hook. It calls into the libcgroup library to assign the calling process to an appropriate control group, thereby placing new sessions into control groups according to configuration.

Supergfxctl D-Bus Service

Supergfxctl is a D-Bus daemon that takes care of low level kernel settings in NVIDIA hybrid GPU systems. The software has been newly packaged in November and we’ve been asked to whitelist it in bsc#1232776.

There are some worries with this daemon, mostly with regards to local denial-of-service attack surface. For example there is some racy logic in the daemon that looks up and kills all processes that have /dev/nvidia0 open. The D-Bus methods allow to completely control the daemon’s configuration and are by default accessible to all members of the sudo, users, adm and wheel groups. This selection of groups is rather broad and surely targeted towards maximum compatibility with various Linux distributions. It is unlucky, because there is a possibly large range of users that are allowed to control the supergfxctl daemon this way.

To make the new service acceptable for openSUSE we asked the packager to limit access to the D-Bus service to members of the video group instead. Users that are in the video group have increased privileges with regards to accessing the video hardware in the system, thus it is a better match for supergfxctl than just the users group, for example. An even better approach would be to add Polkit authentication in this D-Bus service, but this is something that would require larger efforts by upstream and is not currently in sight.

Systemd v257 Polkit for Varlink IPC

We routinely review additions to the D-Bus and Polkit interfaces in new systemd releases. This time we have been asked to check a few new Polkit actions in systemd-containerd, systemd-homed, systemd-networkd, and systemd-resolved. Interestingly these daemons have all been migrated from using D-Bus to using Varlink for Inter-Process-Communication (IPC).

In our experience, the code quality of systemd components is generally high. These additions were no different. All new Polkit actions are limited to auth_admin authorization, thus no additional attack surface is made available to unprivileged local users.

At first sight the switch to Varlink doesn’t change much security-wise: there are still individual methods in a service that can be invoked by clients and some or all of them can be protected by Polkit authentication. The switch to Varlink requires new glue code for the authorization against Polkit, however. Thus we looked deeper into how this is done in systemd.

When using D-Bus the SystemBusName Polkit subject is used, which identifies a client process by its D-Bus sender address. This way polkitd can securely identify the credentials of the client process by asking the dbus-daemon about the credentials of the owner of the UNIX domain socket used by the client to connect to D-Bus.

With Varlink this is no longer possible. Instead the UnixProcess subject is used to identify the client. This made us a bit nervous at first, because the UnixProcess subject is deprecated and often used insecurely. The problem here is that polkitd needs to use racy logic to lookup the process by PID in the /proc file system and extract its credentials. Former SUSE security team member Sebastian Krahmer discovered this in 2014, and it affected a lot of programs that implemented Polkit actions using this subject. The use of this subject in systemd to authenticate Varlink methods is robust, though. The client’s credentials are obtained from the UNIX domain socket underlying the Varlink connection, and thus via the kernel. Also a pidfd can be passed to Polkit nowadays, which allows polkitd to operate in a race-free fashion on the client process.

As the Polkit glue code turned out all right we accepted the changes and whitelisted the additions in systemd v257.

Miscellaneous

The following reviews didn’t yield much of interest, so we’re just providing a short listing here for reference:

  • GNOME Remote Desktop follow-up review (bsc#1230406). Last time we looked into GNOME Remote Desktop, we found a couple of issues in its D-Bus implementation. Another D-Bus service “org.gnome.RemoteDesktop.Configuration.service” has been added in the meantime and we have been asked to take a look. The new service is rather small and all of its methods are protected by a single Polkit action “org.gnome.remotedesktop.configure-system-daemon”, which requires Polkit auth_admin authentication. So there shouldn’t be additional attack surface for local non-privileged users in the system. Overall the complexity of GNOME in this area continues to grow, though, and it is a challenge to review it fully without being an expert in GNOME and the remote desktop protocols.
  • Additional D-Bus and Polkit features in the UPower Daemon (bsc#1232835). This just adds a boolean switch to control whether a battery charging threshold should be active or not. It is allowed for users in a local session without authentication.
  • Added “memoryinformation” D-Bus Method in kinfocenter6 (bsc#1231659). Our packager backported this feature from a newer upstream version. This new action allows users in a local session to obtain the output of dmidecode --type 17, which contains some low-level information about physical RAM in the system. The implementation of this is straight-forward and we had no worries accepting this change.

Conclusion

We hope that with this post we have been able to give you some additional insights into our daily review work for openSUSE and SUSE products. Feel free to reach out to us if you have any questions about the content discussed in this article. We expect the winter issue of the spotlight series to be available in about three months from now.