One and a half year is now gone since I posted about my work for ARM support in the OBS and the work for a port of openSUSE to ARM. Lots of things had happened in the meantime that are related, from my limited view most notably Nokia and Intel joining Moblin and Maemo to MeeGo (MeeGo is currently working on a number of Atom and ARM based devices), chosing to use OBS as build system and last but not least myself joining The Linuxfoundation (you will be not surprised to hear that I work at LF on OBS). In the meantime there had also been a major new OBS release 1.8/2.0 with a bunch of new features.

Interesting is the fact that we adapted the cross build system for OBS to MeeGo, first developed for use in Maemo and openSUSE @ ARM. An improved version for the standard MeeGo releases, and for the MeeGo weekly snapshots is used in the MeeGo OBS System to build all ARM releases of MeeGo (the cross toolchain will later get part of the MeeGo SDK @ ARM), thanks to Jan-Simon Möller (In the openSUSE ML, the issue of reactivating openSUSE:Factory ARM builds were brought up. So it might be a good variant to backport Jan-Simons new solution back into openSUSE @ ARM for that purpose). All the MeeGo related OBS installations will move sooner or later to OBS 2.1.

But now to the most recent work, Access Control support. A preview was shipped with OBS 1.8. Now an own OBS version, 2.1, will be dedicated to the introduction of this single new feature into the OBS mainline: Access Control (or abbrevated ACL for Access Control Lists). ACL means that there is control by the user on a per project or per package basis to protect information, source and binaries from the read access of other users in an OBS system and to hide projects or packages.

What is the intended audience of ACL? ACL is intended for installations of OBS that require protection of projects or packages during work. This can be but is not limited to commercial installations of OBS, or semi public installations of OBS.

How does ACL work? ACL sits on top of two features introduced with OBS 2.0: Role and Permission Management as well as freely definable user groups. ACL uses 4 specifically defined permissions (‘source_access’ for read access to sources, ‘private_view’ for viewing package and project information, ‘download_binaries’ for read access to binaries and ‘access’ permission to protect and hide everything and all from read access and viewing) on a user or group in the Role and Permission management. Also, the preexisting roles “maintainer”, “reader” and “downloader” had been modified with specific predifined permissions (which can at any time changed with the role and permission editor dynamically). And last but not least 4 new flags (namely ‘sourceaccess’ to signal a project/package has read protected source code, ‘binarydownload’ to signal it has read protected packages, ‘privacy’ to signal information/logfiles or status cannot be read and ‘access’ to hide and protect a project or package completely in all possible OBS API calls) had been added to the project and package descriptions to signal that some information is only readable by specific users or groups, or that information is hidden.

How do I use ACL? There are 4 steps to use ACL (a part of them a optional and can only be performed by the Administator of an OBS instance). Step one is to assign the listed permissions to a role, user or group (this step can be done only by the admin, and is not needed for the predefined roles “maintainer”, “reader” and “downloader”). Step two is to add a group for special users to projects which are intended to be run with ACL (this operations can only be performed by the admin). Step three is to protect a project with appropriate protection flags at project creation by adding them to the project meta. Step four is to add other users or groups with one of the new predefined roles that has ACL permissions added to the project meta.

What information can be protected by ACL? The protected information is grouped into 4 categories. Category 1 (flag ‘sourceaccess’) is source code. Category 2 (flag ‘binarydownload’) is binary packages or logfiles or builds. Category 3 (flag ‘privacy’) is project or package information like build status. Category 4 (flag ‘access’) is all viewable or accessable information to any project or package (full blocking of all access and information).

Example of a project configuration using ACL:

<user userid="MartinMohring" role="maintainer" />
<!-- grant user full write and read access -->

<group groupid="MeeGo-Reviewer" role="maintainer" />
<!-- grant group full write and read access -->

<group groupid="MeeGo-Developers" role="reader" />
<!-- grant group full source read access -->

<group groupid="MeeGo-BetaTesters" role="downloader" />
<!-- grant group access to packages/images -->

  <sourceaccess>
    <disable/>
  </sourceaccess>
  <!-- disable read access - unless granted explictely.
          This flag will not accept arch or repository arguments. -->

  <binarydownload>
    <disable/>
  </binarydownload>
  <!-- disable access - unless granted explictely -
          to packages/image and logfiles -->

  <access>
    <disable/>
  </access>
  <!-- disable access - unless granted explictely-,
          project will not visible or found via search,
          nor will any source or binary or logfile be accessable.
          This flag will not accept arch or repository arguments. -->

  <privacy>
    <enable/>
  </privacy>
  <!-- project will not visible.
          This flag will not accept arch or repository arguments. -->

What is the current status of the ACL implementation? The current status is that the complete API of the OBS git master had been instrumented with ACL code, critical portions of the API controllers had been code inspected and a big portion of these API calls now have a testcase in the OBS testsuite. Work is ongoing to make ACL as secure as possible. A code drop of current git master is under test in some bigger OBS systems, most notably the openSUSE Buildsystem. You can find snapshots of this codebase as usual in the OBS project openSUSE:Tools:Unstable. Adrian Schröter updates these “Alpha Snapshots” relatively often, on a 1-2 weekly basis, and runs the testsuite on git master daily. Thanks to Jan-Simon Möller for putting in many of the testcases into the testsuite for the ACL checks. On OBS Testing in general, read also Development and Test.

What is next? Code is tested and debugged against granting unwanted access due to some concepts inside OBS that are “working against ACL”, like project or package links, aggregates or kiwi imaging. We will inform you interested user of course about beta releases and an official 2.1 release.

Stay tuned.

Многие слышали о таких сервисах как boot.kernel.org и netboot.me
(позволяют запускать минималистичные сборки ОС без предварительной загрузки).

Когда я о них услышал я загорелся идеей сделать их установку в opensuse максимально простой - "в 1 клик", для чего собственно и собрал следующие пакеты:

netbootme-for-os-bootloader
bootkernelorg-for-os-bootloader

После установки, в загрузочном меню появится возможность выбрать соответствующий сервис.

Данные пакеты будут полезны если нужно изменить системные разделы диска ("/"), или как еще один инструмент для восстановления системы в случае сбоя, или...

---

Ссылки:  на проект, на spec-файл.

Да, можно было бы обойтись и без создания пакета, а просто:

cd /boot
wget http://static.netboot.me/gpxe/netbootme.lkrn
/sbin/update-bootloader --add --image /boot/netbootme.lkrn --name "netboot.me
#(и то же самое для bootkernelorg)

но мне показалась удобней сделать это в виде пакета, just for fun).

While I'm in the mood for posting solutions to technical problems, here's another. I have a OBD interface cable for my VW Bora so that I can run a piece of software called VCDS (sometimes known as VAG-COM) and read the error codes from my car's ECU. However, when I plug in the cable (it's the USB version), it is usually assigned to COM7. Unfortunately, the VCDS programme only supports COM1-4.

Weirdly, the solution for me is to plug the cable in and run VCDS settings. If I choose COM3 then it successfully detects a COM port - I think it's used by the built in model. I save the settings, and then bring up the Device Manager and change the port used by the interface cable to COM3. It says the port is already in use, but lets you change it anyway. Then I just use the VCDS software and it works. This seems completely wrong, and to be honest, I'm sure there's probably a better way of doing it than this, but at least it works.

I just installed openSUSE 11.3 on my desktop computer, and I have to say it's pretty much awesome. Almost everything has worked straight out of the box, including my Wacom graphics tablet and my wireless card. One thing that's been annoying me is that whenever I make a mistake (such as trying to delete some text that isn't there), my computer makes the most almighty buzz. Or maybe it could be described as a belch. It's pretty horrible, however you describe it, and makes me jump out of my skin every time. I think it's supposed to be the System Bell.

I spent some time trying to work out how to stop this, and eventually managed to stop it by doing this: I opened up KMix, clicked on the 'Mixer' button to bring up the full mixer. The selected tab was HDA Intel, and I clicked on Settings > Configure Channels, and then dragged the item called 'Beep' from 'Available channels' to 'Visible channels' and clicked OK. Then I muted the Beep channel.

I just thought I'd post that in case anyone else has a similar problem and is searching for a solution some time in the future.

So Stage 1 of the next openSUSE Conference is complete (submission deadline), and we are moving forward with Stage 2 (scheduling talks). I personally wasn’t privvy to last year’s submissions, but we have well over 80 submissions covering a huge range of topics this year which is brilliant.

One of the nice things this year is we have submissions from other distributions and projects, which is great The submissions from all parties cover a wide variety of topics from very technical to very fun, and it isn’t going to be easy to select which ones to accept.

Thank you to all who submitted a proposal and we will let you know on 20th August whether you are succesful or not.

[](http://flavio.castelli.name/wp-content/uploads/2010/08/van-halen- jump.jpeg)Let me introduce a small project I’ve been working on with a friend of mine, Giuseppe Capizzi. The project is called jump and allows you to quickly change directories in the bash shell using bookmarks.

Thanks to Jump, you won’t have to type those long paths anymore.

You can find jump’s source code, detailed documentation and installation instructions here.

SUSE packages can be found here.

Sometime ago I had a little problem with Zypper at the time of adding some packages. The same problem extended to YaST and well, the end of the world.

Possibly there was a integrity problem between the updater and the database RPM, or whatever, the true thing is that the error goes like:

Tamaño total a descargar: 174,1 MiB. Después de la operación se utilizarán 565,0 KiB adicionales.
¿Desea continuar? [s/n/?] (s): s
Descargando paquete graphviz-2.20.2-45.4.1.i586 (1/153), 868,0 KiB (2,2 MiB desempaquetado)
Descargando delta: ./rpm/i586/graphviz-2.20.2-45.3_45.4.1.i586.delta.rpm, 30,0 KiB
Obteniendo: graphviz-2.20.2-45.3_45.4.1.i586.delta.rpm [hecho (19,6 KiB/s)]
Aplicando delta: ./graphviz-2.20.2-45.3_45.4.1.i586.delta.rpm [hecho]
Instalando graphviz-2.20.2-45.4.1 [error]
La instalación de graphviz-2.20.2-45.4.1 ha fallado:
(con –nodeps –force) Error: Subprocess failed. Error: RPM fallido: error: db4 error(-30987) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
error: error(-30987) getting “” records from Requireversion index
error: db4 error(-30987) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found
error: error(-30987) getting “” records from Requireversion index
error: db4 error(-30987) from dbcursor->c_get: DB_PAGE_NOTFOUND: Requested page not found

If you have some error like this one, the solution its extremely simple, just run in the command line interface:

sudo rpm --rebuilddb && sudo zypper clean -a && sudo zypper ref

This will rebuild the RPM database and then refresh the repos.

This post is showing naked women packaged as a present (for openSUSE's 5th birthday) and asks Ah... who does not want such a gift, eh.

I believe that the female users and contributors of openSUSE don't. It reduces them to pretty things, judged on their looks instead of their contribution.

Raul, please stop such sexist postings. Your blog is your own, but keep it out from Planet openSUSE.

Just in case common sense is not enough, let me quote for reference the relevant section of the openSUSE Guiding Principles:

We value... respect for other persons and their contributions, for other opinions and beliefs. We listen to arguments and address problems in a constructive and open way. We believe that a diverse community based on mutual respect is the base for a creative and productive environment enabling the project to be truly successful. We don't tolerate social discrimination and aim at creating an environment where people feel accepted and safe from offense.

and the activities in order to excel in our goals: Emphasize the value of communication and recognize cultural diversity within our community.