Fedora People
Blog List

RSS 1.0 RSS 2.0 Atom 1.0 FOAF blogroll

Distrochooser, descarga fácilmente distros de Linux desde CLI

Posted by Alvaro Castillo ( Fedora Account System Username

netsys) on October 01, 2018 08:55 PM

Distrochooser es un pequeño script que he elaborado para descargar cualquier distribución popular pulsando un par de teclas evitando ir a los mirrors o páginas oficiales para descargarlos. Se puede obtener desde GitHub

git clone https://github.com/sincorchetes/distrochooser
chmod +x distrochooser/run.sh
./distrochooser/run.sh

Este script crea un directorio iso en la ruta de trabajo actual dónde descargar la imagen, para su descarga hace uso del comando wget utilizando el modificador -c...

Fedora 28 : Web development with Nikola and python.

Posted by mythcat ( Fedora Account System Username

mythcat) on October 01, 2018 02:51 PM

The development team comes with this info about Nikola:
Nikola is a static site and blog generator, written in Python. It can use Mako and Jinja2 templates, and input in many popular markup formats, such as reStructuredText and Markdown — and can even turn Jupyter Notebooks into blog posts! It also supports image galleries and is multilingual. Nikola is flexible, and page builds are extremely fast, courtesy of do it (which is rebuilding only what has been changed).
I tested today with Fedora 28 and python version 2.7.15.
If you take a look at Nikola handbook, you will see all the features, options and settings you need for web development.
The installation is very simple:

[mythcat@desk ~]$ pip install Nikola --user
Collecting Nikola
...
Installing collected packages: Nikola
Successfully installed Nikola-7.8.15

[mythcat@desk ~]$ nikola init mysite
[2018-10-01T14:09:02Z] WARNING: Nikola: In order to USE_BUNDLES, you must install the "webassets" Python package.
[2018-10-01T14:09:02Z] WARNING: bundles: Setting USE_BUNDLES to False.
Creating Nikola Site
====================

This is Nikola v7.8.15.  We will now ask you a few easy questions about your new site.
If you do not want to answer and want to go with the defaults instead, simply restart with the `-q` parameter.
--- Questions about the site ---
Site title [My Nikola Site]: my_website
Site author [Nikola Tesla]: catafest
Site author's e-mail [[email protected]]: [email protected]
Site description [This is a demo site for Nikola.]: website with Nikola static sit
Site URL [https://example.com/]: http://example.com
    The URL does not end in '/' -- adding it.
Enable pretty URLs (/page/ instead of /page.html) that don't need web server configuration? [Y/n] y
--- Questions about languages and locales ---
We will now ask you to provide the list of languages you want to use.
Please list all the desired languages, comma-separated, using ISO 639-1 codes.  
The first language will be used as the default.
Type '?' (a question mark, sans quotes) to list available languages.
Language(s) to use [en]: en

Please choose the correct time zone for your blog. Nikola uses the tz database.
You can find your time zone here:
https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

Time zone [Europe/Bucharest]: 
    Current time in Europe/Bucharest: 17:12:36
Use this time zone? [Y/n] y
--- Questions about comments ---
You can configure comments now.  Type '?' (a question mark, sans quotes) to list available comment systems.  
If you do not want any comments, just leave the field blank.
Comment system: 

That's it, Nikola is now configured.  Make sure to edit conf.py to your liking.
If you are looking for themes and addons, check out https://themes.getnikola.com/ and https://plugins.getnikola.com/.
Have fun!
[2018-10-01T14:12:54Z] INFO: init: Created empty site at mysite.

Now you can build and start the server with this command:

[mythcat@desk ~]$ cd mysite/
[mythcat@desk mysite]$ ls
cache  conf.py  conf.pyc  files  galleries  listings  pages  posts
[mythcat@desk mysite]$ nikola build
[2018-10-01T14:14:51Z] WARNING: Nikola: In order to USE_BUNDLES, you must install the "webassets" Python package.
[2018-10-01T14:14:51Z] WARNING: bundles: Setting USE_BUNDLES to False.
Scanning posts........done!
.  render_posts:timeline_changes
...
[2018-10-01T14:14:52Z] WARNING: Nikola: Python 2 is old and busted. Python 3 is the new hotness.
[2018-10-01T14:14:52Z] WARNING: Nikola: Nikola is going to deprecate Python 2 support in 2017. You already have Python 3
available in your system. Why not switch?

Please check http://bit.ly/1FKEsiX for details.

.  sitemap:output/sitemap.xml
.  sitemap:output/sitemapindex.xml
.  robots_file:output/robots.txt
[mythcat@desk mysite]$ nikola serve -b

Let's see the result of this running server:

To add a post just use this command:

[mythcat@desk mysite]$ nikola new_post
[2018-10-01T14:16:09Z] WARNING: Nikola: In order to USE_BUNDLES, you must install the "webassets" Python package.
[2018-10-01T14:16:09Z] WARNING: bundles: Setting USE_BUNDLES to False.
Creating New Post
-----------------

Title: New post
Scanning posts........done!
[2018-10-01T14:16:24Z] INFO: new_post: Your post's text is at: posts/new-post.rst

[mythcat@desk mysite]$ nikola build
[2018-10-01T14:16:34Z] WARNING: Nikola: In order to USE_BUNDLES, you must install the "webassets" Python package.
[2018-10-01T14:16:34Z] WARNING: bundles: Setting USE_BUNDLES to False.
Scanning posts........done!
.  render_posts:timeline_changes

The result will be this:

There are a few themes for Nikola available at the Themes Index.

[mythcat@desk mysite]$ nikola theme -l
[2018-10-01T14:21:20Z] WARNING: Nikola: In order to USE_BUNDLES, you must install the "webassets" Python package.
[2018-10-01T14:21:20Z] WARNING: bundles: Setting USE_BUNDLES to False.
Available Themes:
-----------------
blogtxt
bnw
bootblog
bootblog-jinja
bootstrap
bootstrap-jinja
bootstrap3-gradients
bootstrap3-gradients-jinja
cadair
canterville
carpet
detox
foundation6
hack
hemingway
hpstr
hyde
jidn
lanyon
libretto
lotabout
material-theme
maupassant
mdl
monospace
oldfashioned
planetoid
readable
reveal
reveal-jinja
slidemenu
srcco.de
yesplease
zen
zen-forkawesome
zen-ipython
zen-jinja

Millions of unfixed security flaws is a lie

Posted by Josh Bressers ( Fedora Account System Username

bressers) on October 01, 2018 01:26 PM

On a pretty regular basis I see claims that the public CVE dataset is missing some large number of security issues. I’ve seen ranges from tens of thousands all the way up to millions. The purpose behind such statements is to show that the CVE data is woefully incomplete. Of course almost everyone making that claim has a van filled with security issues and candy they’re trying very hard to lure us into. It’s a pretty typical sales tactic as old as time itself. Whatever you have today isn’t good enough, but what I have, holy cow it’s better. It’s so much better you better come right over and see for yourself. After you pay me of course.

If you take away any single thing from this post, make it this: There are not millions of unfixed security flaws missing from the CVE data.

If you’re not familiar with how CVE works, I’ll give you a very short crash course. Essentially someone (anyone) requests a CVE ID, and if it’s a real security issue, a CVE gets assigned. It really is fundamentally this simple. Using some sort of advanced logic, the obvious question becomes: “why not get a CVE ID for all these untracked security flaws?”

That’s a great question! There are two possible reasons for this. The first is the organizations in question don’t want to share what they know. The second is all the things they claim are security issues really aren’t security issues at all. The second answer is of course correct, but let’s understand why.

The first answer assumes their security flaw are some sort of secret information only they know. This would also suggest the security issues in question are not acknowledged by the projects or vendors. If a project has any sort of security maturity, they are issuing CVE IDs (note: if you are a project who cares about security and don’t issue CVE IDs, talk to me, I will help you). This means that if the project knows about a security issue they will release a CVE ID for it. If they don’t know about the issue, it not only doesn’t have a CVE ID but is also unfixed. Not telling projects and vendors about security issues would be pretty weaselly. It also wouldn’t make anyone any safer. In fact it would make us all a lot less safe.

This brings us to the next stop in our complex logical journey. If you are a company that has the ability to scan and track security issues, and you find an unknown security issue in a project, you will want to make some noise about finding it. That means you follow some sort of security process that includes getting a CVE ID for the issue in question. After all, you want to make sure your security problem is known to the public and what better way then the largest public security dataset?

This brings us to our logical conclusion about all these untracked security issues is that they’re not really security problems. Some are just bugs. Some are nothing. Some are probably design decisions. Fundamentally if there is a security issue that matters, it will get a CVE ID. We should all be working together to make CVE better, not trying to claim our secret data is better than everyone else’s. There are no winners and loser when it comes to security issues. We all win or we all lose.

As most of these sort of fantastical claims tend to end, if it sounds too good to be true, it probably is.

Announcing flickerfree boot for Fedora 29

Posted by Hans de Goede ( Fedora Account System Username

jwrdegoede) on October 01, 2018 12:11 PM

A big project I've been working on recently for Fedora Workstation is what we call flickerfree boot. The idea here is that the firmware lights up the display in its native mode and no further modesets are done after that. Likewise there are also no unnecessary jarring graphical transitions.

Basically the machine boots up in UEFI mode, shows its vendor logo and then the screen keeps showing the vendor logo all the way to a smooth fade into the gdm screen. Here is a video of my main workstation booting this way.

Part of this effort is the hidden grub menu change for Fedora 29. I'm happy to announce that most of the other flickerfree changes have also landed for Fedora 29:

There have been changes to shim and grub to not mess with the EFI framebuffer, leaving the vendor logo intact, when they don't have anything to display (so when grub is hidden)

There have been changes to the kernel to properly inherit the EFI framebuffer when using Intel integrated graphics, and to delay switching the display to the framebuffer-console until the first kernel message is printed. Together with changes to make "quiet" really quiet (except for oopses/panics) this means that the kernel now also leaves the EFI framebuffer with the logo intact if quiet is used.

There have been changes to plymouth to allow pressing ESC as soon as plymouth loads to get detailed boot messages.

With all these changes in place it is possible to get a fully flickerfree boot today, as the video of my workstation shows. This video is made with a stock Fedora 29 with 2 small kernel commandline tweaks:

Add "i915.fastboot=1" to the kernel commandline, this removes the first and last modeset during the boot when using the i915 driver.

Add "plymouth.splash-delay=20" to the kernel commandline. Normally plymouth waits 5 seconds before showing the charging Fedora logo so that on systems which boot in less then 5 seconds the system simply immediately transitions to gdm. On systems which take slightly longer to boot this makes the charging Fedora logo show up, which IMHO makes the boot less fluid. This option increases the time plymouth waits with showing the splash to 20 seconds.

So if you have a machine with Intel integrated graphics and booting in UEFI mode, you can give flickerfree boot support a spin with Fedora 29 by just adding these 2 commandline options. Note this requires the new grub hidden menu feature to be enabled, see the FAQ on this.

The need for these 2 commandline options shows that the work on this is not yet entirely complete, here is my current TODO list for finishing this feature:

Work with the upstream i915 driver devs to make i915.fastboot the default. If you try i915.fastboot=1 and it causes problems for you please let me know.

Write a new plymouth theme based on the spinner theme which used the vendor logo as background and draws the spinner beneath it. Since this keeps the logo and black background as is and just draws the spinner on top this avoids the current visually jarring transition from logo screen to plymouth, allowing us to set plymouth.splash-delay to 0. This also has the advantage that the spinner will provide visual feedback that something is actually happening as soon as plymouth loads.

Look into making this work with AMD and NVIDIA graphics.

Please give the new flickerfree support a spin and let me know if you have any issues with it.

GRUB hidden menu change FAQ

Posted by Hans de Goede ( Fedora Account System Username

jwrdegoede) on October 01, 2018 11:58 AM

There have questions about the new GRUB hidden menu Change in various places, here is a FAQ which hopefully answers most questions:

1. What is the GRUB hidden menu change?

See the Detailed Description on the change page. The main motivation for adding this is to get to a fully flickerfree boot.

2. How to enable hidden GRUB menu?

On new Fedora 29 Workstation installs this will be enabled by default. If your system has been upgraded to F29 from an older release, you can enable it by running these commands:

On a system using UEFI booting ("ls /sys/firmware/efi/efivars" returns a bunch of files):

sudo grub2-editenv - set menu_auto_hide=1
sudo grub2-mkconfig -o /etc/grub2-efi.cfg

On a system using legacy BIOS boot:

sudo grub2-editenv - set menu_auto_hide=1
sudo grub2-mkconfig -o /etc/grub2.cfg

Note the grub2-mkconfig will overwrite any manual changes you've made to your grub.cfg (normally no manually changes are done to this file).

If your system has Windows on it, but you boot it only once a year so you would still like to hide the GRUB menu, you can tell GRUB to ignore the presence of Windows by running:

sudo grub2-editenv - set menu_auto_hide=2

3. How to disable hidden GRUB menu

To permanently disable the auto-hide feature run:

sudo grub2-editenv - unset menu_auto_hide

That is it.

4.How to access the GRUB menu when hidden

If for some reason you need to access the GRUB menu while it is hidden there are multiple ways to get to it:

If you can get to gdm, access the top-right menu (the system menu) and click on the power [⏻] icon. Then keep ALT pressed to change the "Restart" option into "Boot Options" and click "Boot Options".

While booting keep SHIFT pressed, usually you need to first press SHIFT when the vendor logo is shown by the firmware / when the firmware says e.g. "Press F2 to enter setup" if you press it earlier it may not be seen. Note this may not work on some machines.

During boot press ESC or F8 while GRUB loads (simply press the key repeatedly directly after power on until you are in the menu).

Force the previous boot to be considered failed:
1. Press CTRL + ALT + DEL while booting so that the system reboots before hitting gdm
2. Press CTRL + ALT + F6 to switch away from gdm, followed by CTRL + ALT + DEL.
3. Press the power-button for 4 seconds to force the machine off.
Either of these will cause the boot_success grub_env flag to not get set and
the menu will show the next boot.

Manually set the menu show once flag by running: "grub-set-bootflag menu_show_once" This will cause the menu to show for 60 seconds before continuing with the default boot-option.

5. When is a boot considered successful ?

The boot_success grub_env flag gets set when you login as a normal user and your session lasts at least 2 minutes; or when you shutdown or restart the system from the GNOME system (top-right) menu.

So if you e.g. login, do something and then within 30 seconds type reboot in a terminal (instead of doing the reboot from the menu) then this will not count as a successful boot and the menu will show the next boot.

Stelvio, Mortirolo, Simplon and hacking Tiramisu

Posted by Daniel Pocock ( Fedora Account System Username

pocock) on October 01, 2018 07:24 AM

On Friday the adventure continued. A pit stop in Trento for fresh tyres and then north to the renowned Stelvio Pass, 2757m a.s.l., 75 challenging hairpin corners. There are plenty of helmet-cam videos of this ride online.

Mortirolo Pass

After Stelvio, I had to head south and the most direct route suggested by OpenStreetmap took me over the Mortirolo pass.

Dinner

At the end of all that, I had to hack my own Tiramisu but like the mountain passes, it was worth the effort:

Simplon Pass

Returned home using the Simplon Pass. It is a relatively easy road compared to the others, with nice views at the top and along the route.

[F29] Participez à la journée de test consacrée à la version Atomic / Cloud

Posted by Charles-Antoine Couret ( Fedora Account System Username

renault) on October 01, 2018 06:00 AM

Aujourd'hui, ce lundi 1er octobre, est une journée dédiée à un test précis : sur l'image Atomic / Cloud de Fedora. En effet, durant le cycle de développement, l'équipe d'assurance qualité dédie quelques journées autours de certains composants ou nouveautés afin de remonter un maximum de problèmes sur le sujet.

Elle fournit en plus une liste de tests précis à effectuer. Il vous suffit de les suivre, comparer votre résultat au résultat attendu et le notifier.

En quoi consiste ce test ?

La version Cloud de Fedora est un des trois produits officiels du projet avec Workstation et Server. Son but est d'être une image très minimale pour être instanciée de nombreuses fois dans le cadre d'un infrastructure Cloud afin de remplir le rôle d'un service. Cependant, contrairement aux deux autres produits, la version Cloud est mise à jour très régulièrement (de nouvelles images sont disponibles toutes les quelques semaines seulement, contre 6-7 mois en moyenne pour les autres).

Une nouveauté qui commence à s'installer est la mise à disposition de Fedora Workstation Atomic. Jusque là, seule l'image Cloud bénéficiait de ce système. Ce travail provient du projet Atomic qui repose lui même sur rpm-ostree dont l'un des buts est de versionner le système pour améliorer la fiabilité du système en cas d'installation ou de mise à jour d'un programme en autorisant un retour en arrière très simplement et avec des opérations qui sont atomiques (d'où le nom). Il est également aisé de voir ce qui a changé dans le système, notamment si l'utilisateur a changé des fichiers de configuration importants et ce qu'il a appliqué. Le système est également plus orienté utilisation d'applications dans un conteneur (comme les Flatpak) et les répertoires systèmes sont mieux isolés, par exemple /usr est par défaut en lecture seule.

Les tests du jour couvrent :

Est-ce que l'image démarre correctement, permet de se connecter et si les services se base se lancent bien et que SELinux remplit son rôle ;
Vérifier si la gestion de Docker ou Atomic (installation, mise à jour, retour en arrière) fonctionne correctement ;
Lancement des applications ;
Vérifier la compatibilité avec le cloud Amazon et OpenStack ;
S'assurer que l'image Atomic Workstation fonctionne avec ses spécificités : installation du système, Flatpak et GNOME Logiciels pour les notifications et installer des programmes.

Si vous êtes intéressés par l'aspect Cloud de cette image ou par l'ajout d'Atomic dans Fedora Workstation, je vous invite à les tester, elles bénéficient en effet de relativement peu de retours pour le moment. La moindre aide est appréciée, merci.

Comment y participer ?

Vous pouvez vous rendre sur la page des tests pour lister les tests disponibles et rapporter vos résultats. La page wiki récapitule les modalités de la journée.

Si vous avez besoin d'aide lors du déroulement des tests, n'hésitez pas de faire un tour sur IRC pour recevoir un coup de main sur les canaux #fedora-test-days et #fedora-fr (respectivement en anglais et en français) sur le serveur Freenode.

En cas de bogue, il est nécessaire de le rapporter sur le BugZilla. Si vous ne savez pas faire, n'hésitez pas à consulter la documentation correspondante.

De plus, si une journée est dédiée à ces tests, il reste possible de les effectuer quelques jours plus tard sans problème ! Les résultats seront globalement d'actualité.

Episode 116 - The future of the CISO with Michael Piacente

Posted by Open Source Security Podcast ( Fedora Account System Username

bressers) on October 01, 2018 12:01 AM

Josh and Kurt talk to Michael Piacente from Hitch Partners about the past, present, and future role of the CISO in the industry.

<iframe allowfullscreen="" height="90" mozallowfullscreen="" msallowfullscreen="" oallowfullscreen="" scrolling="no" src="https://html5-player.libsyn.com/embed/episode/id/7104119/height/90/theme/custom/autoplay/no/autonext/no/thumbnail/yes/preload/no/no_addthis/no/direction/backward/render-playlist/no/custom-color/6e6a6a/" style="border: none;" webkitallowfullscreen="" width="100%"></iframe>

Show Notes

Comment on Twitter with the #osspodcast hashtag

Como clonar discos duros en Linux usando Clonezilla

Posted by Alvaro Castillo ( Fedora Account System Username

netsys) on September 29, 2018 07:15 PM

Clonezilla es un proyecto de software libre muy conocido entre otras funciones como herramienta de clonación de dispositivos de almacenamiento como discos duros, memorias USB entre otros.

Este proyecto distribuye dos tipos de versiones, una live que nos permite hacer una copia de seguridad o una restauración en menos que canta un gallo, pero para una máquina.

Mientras que la versión para servidor permite hacer clonación de hasta 40 máquinas a la vez. Clonezilla cuenta con dos ramas de desarr...

Fedora 28 : Integrate tinymce editor with Fedora and Django.

Posted by mythcat ( Fedora Account System Username

mythcat) on September 29, 2018 06:02 PM

This is a raw tutorial about how to integrate the python module named django-tinymce with a django project.
I used the raw word because you need to have a working django project into your Fedora distro.
You can see my old tutorial about django to see how to build a django project.
About this python module you can read more here.
The django-tinymce is a django application that contains a widget to render a form field as a TinyMCE editor.
I have a project named trydjango with a django application named products into my django folder.
I used activate command to activate my virtual environment:

[mythcat@desk django]$ source bin/activate

I install this python module named django-tinymce:

(django) [mythcat@desk django]$ pip install django-tinymce4-lite
Collecting django-tinymce4-lite
...
Installing collected packages: jsmin, django-tinymce4-lite
Successfully installed django-tinymce4-lite-1.7.2 jsmin-2.2.2

Let's see my folder project django named src:

(django) [mythcat@desk django]$ cd src/
(django) [mythcat@desk src]$ ll
total 136
-rw-r--r--. 1 mythcat mythcat 135168 Sep 28 12:21 db.sqlite3
-rwxrwxr-x. 1 mythcat mythcat    541 Sep 23 18:56 manage.py
drwxrwxr-x. 4 mythcat mythcat    142 Sep 26 21:45 pages
drwxrwxr-x. 4 mythcat mythcat    142 Sep 28 18:30 products
drwxrwxr-x. 3 mythcat mythcat    112 Sep 28 12:04 templates
drwxrwxr-x. 3 mythcat mythcat     93 Sep 28 12:14 trydjango

The installation is simple and star with to your settings.py and url.py file:

(django) [mythcat@desk src]$ cd trydjango/
(django) [mythcat@desk trydjango]$ vim settings.py 

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'products',
    'tinymce',
]
(django) [mythcat@desk trydjango]$ vim urls.py

from django.contrib import admin
from django.urls import path, include

from pages.views import home_view, about_view, contact_view
from products.views import product_detail_view

urlpatterns = [
    path('', home_view, name='home'),
    path('about/', about_view),
    path('contact/',contact_view),
    path('admin/',admin.site.urls),
    path('product/',product_detail_view),
    path(r'^tinymce/', include('tinymce.urls')),

This is my change I used to add the tinymce editor into my django application named products.

(django) [mythcat@desk products]$ vim models.py
from django.db import models
from tinymce.models import HTMLField

# Create your models here.
class Product(models.Model):
    title = models.CharField(max_length=120)
#    description = models.TextField(blank=True, null=True)
    description = HTMLField()
    price = models.DecimalField(decimal_places=2, max_digits=1000)
    summary = models.TextField(default='this is cool!')

You can see I used HTMLField and default come is TextField.
The result of this changes can see into the next output:

PHP version 7.1.23RC1 and 7.2.11RC1

Posted by Remi Collet ( Fedora Account System Username

remi) on September 29, 2018 07:59 AM

Release Candidate versions are available in remi-test repository for Fedora and Enterprise Linux (RHEL / CentOS) to allow more people to test them. They are available as Software Collections, for a parallel installation, perfect solution for such tests (for x86_64 only), and also as base packages.

RPM of PHP version 7.2.11RC1 are available as SCL in remi-test repository and as base packages in the remi-test repository for Fedora 28-29 or remi-php72-test repository for Fedora 26-27 and Enterprise Linux.

RPM of PHP version 7.1.23RC1 are available as SCL in remi-test repository and as base packages in the remi-test repository for Fedora 26-27 or remi-php71-test repository for Enterprise Linux.

PHP version 7.0 is now in security mode only, so no more RC will be released. PHP version 7.3 is still under developement, see PHP on the road to the 7.3.0 release.

Installation : read the Repository configuration and choose your version.

Parallel installation of version 7.2 as Software Collection:

yum --enablerepo=remi-test install php72

Parallel installation of version 7.1 as Software Collection:

yum --enablerepo=remi-test install php71

Update of system version 7.2:

yum --enablerepo=remi-php72,remi-php72-test update php\*

Update of system version 7.1:

yum --enablerepo=remi-php71,remi-php71-test update php\*

Notice: version 7.2.11RC1 is also available in Fedora rawhide for QA.

EL-7 packages are built using RHEL-7.5.

RC version is usually the same as the final version (no change accepted after RC, exception for security fix).

The oci8 and pdo_oci extension now use the client library version 18.3.

Software Collections (php71, php72)

Base packages (php)

Not allowed to code? Really?

Posted by Harish Pillay 9v1hp ( Fedora Account System Username

harishpillay) on September 29, 2018 04:55 AM

[image from: http://cdn.blog.safe.com/wp-content/uploads/2013/11/no-coding.png]

Lots of interesting, but not surprising, information is being made public about the Singhealth data breach.

The Commitee of Inquiry has been told that there was an IHIS employee who found a bug in the Allscripts “Sunrise Clinic Manager” EMR in 2014 who then made the loophole known to a rival of Allscripts, Epic Systems Corporation. Both of these vendors products are closed, proprietary and, IMHO, unnecessarily and excessively expensive products.

From this report (again, this is MSM reporting, so take it with two pinches of salt – you have to read the court transcript which I am not sure if available, yet, if ever), says that the IHIS employee was “unhappy” that he could not do coding in the job role he was doing and so, he then decided to contact Epic to tell them of the issue so that it could “… leverage the vulnerability to gain a larger market share” (emphasis mine).

Larger market share? How so? The hospital clusters in Singapore are about evenly locked-in between these two proprietary vendors. Moving from one to another is not a simple thing. And one bug does not even start the thinking process. Who knows if the Epic product has similar issues?

Not being able to ascertain if the reason offered by the former IHIS employee is indeed valid, I find that it seems to be a fluffy afterthought. Having been caught out, the former IHIS employee is offering excuses.

Not Allowed To Code?

I find that reason to be intriguing. Did the job that the IHIS exmployee took on involve coding? No indication in the report. If that was what the person wanted to do, why not channel the skills an open source project that could use help? No one will stop you from doing that, unless, the terms of employment of IHIS says that a developer “cannot work on any software project other than what is part of the job”.

I have no insights on what the terms of employment are, but here is an example of an enlightened and correct way to encourage developers:

“Participation in an open source project, whether maintained by the Company or by another commercial or non-commercial entity or organization, does not constitute a conflict of interest even where such participant makes a determination in the interest of the project that is adverse to the Company’s interests.”

– taken from page 3 of https://investors.redhat.com/~/media/Files/R/Red-Hat-IR/governance-docs/code-of-business-conduct-and-ethics.pdf

Software developers are artists. Software development is an art form. One would not constraint a painter, so why would one shackle a software developer?

Bug Reporting, Fixing and Regression Testing

If a bug is reported – whether it is a “the button is of the wrong shape” or “this option dumps out the entire database”, assuming that proprietary vendors have a bug reporting process – nope, they don’t – then things can be moved along without too much excitement. All software have bugs. If a vendor (open or closed) does not offer a way to report bugs, you have to demand that there is a way to do it. Red Hat has both bugzilla.redhat.com and access.redhat.com to submit bug reports on all of the open source projects and open source products (go here for an understanding of the differences between open source projects and an open source products) that Red Hat is involved in and makes available to paying customers (access.redhat.com).

Maybe there is a some place at Allscripts and at Epic Systems that one can file bug reports, but it is not immediately evident.

Regardless of being able to report bugs, I do wonder how these vendor organizations manage bug reporting/fixing and regression testing. I have to assume that they do it properly (for some definition of properly) but it is telling that a trainer of Allscripts said this:

“Another witness, however, called the loophole “perfectly normal”. Mr Loo Yew Tuck, senior lead analyst at IHiS’ clinical care department, said that he had seen an Allscripts trainer demonstrate its use and method previously.”

Really? There is a “perfectly normal” loophole? Or did he mean, backdoor (of the NSA type)?

I particularly concerned with this paragraph – as reported in another MSM report –

“… She also did not know the details of the alleged loophole. Neither did she ask her staff for it to be verified. She also assumed that the problem would be rendered “irrelevant” as IHIS had just upgraded the EMR system architecture”.

If the bug is not reported, how would one know if it was really an issue and if so, if it was indeed fixed? Granted, we cannot all be on top of things all the time, but if there isn’t a process to track issues, what then?

“… did only what … was asked to …”

Leadership and empowerment failure. Whether it is real or otherwise it is hard to tell. Perhaps there is a culture of empowerment but not everyone got the memo. Of maybe not. I can’t tell.

A short note about posting links to facebook

Posted by Kevin Fenzi ( Fedora Account System Username

kevin) on September 28, 2018 11:57 PM

Just a short note to everyone out there that posts links to facebook pages or posts: Something you may not realize is that for those of us that do not have or want to use a facebook account the experience is pretty subpar.

You go to the page (without being logged in to facebook) and the page or post loads, you start to read it and then… BAM a gigantic popup appears, blocking all the page contents. It’s a dialog asking you to login to facebook or create a new account or (in small print on the bottom: “Not now”). So, not wanting to login (for whatever reasons), you click on ‘Not Now’. The dialog disappears… but is replaced by a wide bar on the bottom of the page asking you to login or create a new account. Thee is no close button on this bar, and it blocks about the bottom 25% of the content, so you get to page up and down and try and read around it.

I know all the reasons facebook is doing things this way, but I just wanted to mention it to those of you who do login to facebook and perhaps didn’t even know about this.

So, do think, next time you share a link, is there some more free place to share it?

FPgM report: 2018-39

Posted by Fedora Community Blog ( Fedora Account System Username

admin) on September 28, 2018 08:39 PM

Fedora Program Manager weekly report on Fedora Project development and progress

Here’s your report of what has happened in Fedora Program Management this week. The Fedora 29 Beta was released on 25 September.

I’ve set up weekly office hours in #fedora-meeting. Drop by if you have any questions or comments about the schedule, Changes, elections or anything else.

Help requests

Atomic and Cloud Test Day — October 1

Announcements

Packaging Guidelines moved to docs.fedoraproject.org
Pagure 5.0 was released and installed on pagure.io,
The CfP for DevConf.cz 2019 is open

Upcoming meetings

Blocker review meeting: 1600 UTC on Monday in in #fedora-blocker-review
FPgM office hours: 1300 UTC on Wednesday in #fedora-meeting
Council (tickets and ongoing): 1400 UTC on Wednesday in #fedora-meeting-1

Schedule

Fedora 29

Final freeze will begin October 9.
Final release date is set for 23 October.

Fedora 29 Status

Beta was released on 2018-09-25
Blocker bugs and freeze exceptions

Fedora 30 Changes

Fedora 30 includes a Change that will cause ambiguous python shebangs to error. A list of failing builds is available on Taskotron.

Announced

PHP 7.3

The post FPgM report: 2018-39 appeared first on Fedora Community Blog.

gnome-software mini hackfest

Posted by Kalev Lember ( Fedora Account System Username

kalev) on September 28, 2018 02:18 PM

I am in London this week visiting Richard Hughes. We have been working out of his home office and giving some much needed love to GNOME Software.

Here is the main thing we’ve been working on:

Source selection drop down

GNOME Software now has a drop down list for choosing which source to use for installing an app. This is useful when someone has multiple repos enabled that all provide the same app, e.g. GIMP being available both as an RPM package from Fedora and a Flatpak from Flathub.

Previously, GNOME Software treated each version as a separate app and all the apps that were available from both Fedora and Flathub suddenly showed up twice: once for each source. This made browsing through featured apps and categories annoying as there was much repetition. Now instead GNOME Software consolidates them together into one entry and makes it possible to choose which one to install.

Richard worked mostly on the backend code and I did the user facing stuff. Allan Day helped us over the IRC with all the design (thanks Allan! you rock). It was so nice to be together in once office and be able to bounce ideas back and forth. We are hoping we can maybe start doing this more often.

This work is now on GNOME Software git master and will be in Fedora 30 as part of GNOME 3.32. If you are maintaining a Flathub app where it has its desktop file renamed, please check to make sure it has X-Flatpak-RenamedFrom correctly set in the .desktop file. This is needed for GNOME Software to correctly match renamed apps in Flathub to non-renamed ones available from distros. If the key is not there, it should be just the matter of rebuilding the app and it should automatically appear.

Some apps that have renamed desktop files in Flathub need https://github.com/flatpak/freedesktop-sdk-images/pull/122 to land for this to correctly work. Hopefully we can get this part sorted out next week.

It was a fun week and thanks to Richard for letting me stay at his place, and thanks to Red Hat for sponsoring my travels!

Happy 35th Birthday GNU!

Posted by Harish Pillay 9v1hp ( Fedora Account System Username

harishpillay) on September 28, 2018 03:46 AM

The GNU project was officially announced on 27 September 1983 by Richard Stallman. Thirty-five years of a project that has now become the fundamental building block of everything we use and see in technology in 2018. I would not be wrong to say that there isn’t a single proprietary piece of software that anyone is still using from 35 years ago – please post comments if there is something still being used.

There is only one reason for this longevity: the GNU project was built upon the premise that the code is available to anyone, anywhere with the only restriction that whatever is done to the code, it shall always be available to anyone, forever. Richard Stallman’s genius in crafting the copyleft license is the GNU General Public License is probably the best hack of the 20th century software industry.

What was I doing in 1983? I was working at the Computer Systems Advisors (no longer around, after being bought up by CSC). I was working on a system from DEC – the PDP-11/44 running RSX-11. We were creating software using Digital’s DIBOL – a variant of COBOL. DIBOL was, IMHO, the sink-hole of GOTO statements. I truly did not like that language. I can’t pinpoint why, but it just did not appeal to me. I had learned FORTRAN and BASIC before and they were so much more expressive. Editing the code in the PDP-11 was using some editing tool (perhaps teco or something) on a VT-100 terminal that was attached to the RSX-11 system. I think I was working on some insurance company’s bespoke code – but, frankly, those are all wishy-washy to me now.

The IBM PC was becoming an interesting offering and CSA’s sister organization, Automated Systems, got the distributorship of the Corona Data Systems PC. I got asked to take on the Corona PC as a main product person, I began my involvement with the PC-DOS/MS-DOS/CP/M world. I was learning a lot about this world with the ISA cards, Interrupts, RAM cards, RS-232 terminal connectivity, writing Interrupt Service Routines, terminate-and-stay-routines, and later 3Com‘s network cards – 3C501, 3C509 etc) with coaxial cables (yes, you better terminate the end of the bus with a terminator plug or else the network freezes). I recall that there was some networking software to share files (perhaps 3+Share or the like).

In parallel, the reason for the PC (including the Apple ][) getting traction in the early 1980s, was the famous spreadsheet product called VisiCalc created by VisiCorp. Their success encouraged VisiCorp to create something else called Visi On. This was an interesting product that provided a GUI for the IBM PC.

Automated Systems managed to get the distributorship of Visi On and I was then tasked with understanding the product and helping to get the training/sales going. There were many things I liked about it, but there was a lot more I could not understand because of the lack of documentation – or rather, insufficient documentation – on how to program in it etc. I recall a training session for a customer who specifically asked about creating macros for Visi On like one could with VisiCalc. To whoever that asked me then, I still don’t know.

I am sad to note that none of those closed, proprietary products are around. The loss of all of the good work done by the developers of those products is disappointing. If they had the foresight of Richard Stallman and made the code available, we might be on a different trajectory with technology than where we are now.

All systems go

Posted by Fedora Infrastructure Status ( Fedora Account System Username

admin) on September 28, 2018 12:33 AM

Service 'Package Updates Manager' now has status: good: Everything seems to be working.

There are scheduled downtimes in progress

Posted by Fedora Infrastructure Status ( Fedora Account System Username

admin) on September 27, 2018 11:15 PM

Service 'Package Updates Manager' now has status: scheduled: planned outage

Warning and Sanitizer Retrospective

Posted by Tom Tromey ( Fedora Account System Username

mjw) on September 27, 2018 10:47 PM

One of my hobbies in GDB is cleaning things up. A lot of this is modernizing and C++-ifying the code, but I’ve also enabled a number of warnings and other forms of code checking in the last year or two. I thought it might be interesting to look at the impact, on GDB, of these things.

So, I went through my old warning and sanitizer patch series (some of which are still in progress) to see how many bugs were caught.

This list is sorted by least effective first, with caveats.

-fsanitize=undefined; Score: 0 or 10

You can use -fsanitize=undefined when compiling to have GCC detect undefined behavior in your code. This series hasn’t landed yet (it is pending some documentation updates).

We have a caveat already! It’s not completely fair to put UBsan at the top of the list — the point of this is that it detects situations where the compiler might do something bad. As far as I know, none of the undefined behavior that was fixed in this series caused any visible problem (so from this point of view the score is zero); however, who knows what future compilers might do (and from this point of view it found 10 bugs). So maybe UBSan should be last on the list.

Most of the bugs found were due to integer overflow, for example decoding ULEB128 in a signed type. There were also a couple cases of passing NULL to memcpy with a length of 0, which is undefined but should probably just be changed in the standard.

-Wsuggest-override; Score: 0

This warning will fire if you have a method that could have been marked override, but was not. This did not catch any gdb bugs. It does still have value, like everything on this list, because it may prevent a future bug.

-Wduplicated-cond; Score: 1

This warning detects duplicated conditions in an if-else chain. Normally, I suppose, these would arise from typos or copy/paste in similar conditions. The one bug this caught in GDB was of that form — two identical conditions in an instruction decoder.

GCC has a related -Wduplicated-branches warning, which warns when the arms of an if have identical code; but it turns out that there are some macro expansions in one of GDB’s supporting libraries where this triggers, but where the code is in fact ok.

-Wunused-variable; Score: 2

When I added this warning to the build, I thought the impact would be removing some dead code, and perhaps a bit of fiddling with #ifs. However, it caught a couple of real bugs: cases where a variable was unused, but should have been used.

-D_GLIBCXX_DEBUG; Score: 2

libstdc++ has a debug mode that enables extra checking in various parts of the C++ library. For example, enabling this will check the irreflexivity rule for operator<. While the patch to enable this still hasn’t gone in — I think, actually, it is still pending some failure investigation on some builds — enabling the flag locally has caught a couple of bugs. The fixes for these went in.

-Wimplicit-fallthrough; Score: 3

C made a bad choice in allowing switch cases to fall through by default. This warning rectifies this old error by requiring you to explicitly mark fall-through cases.

Apparently I tried this twice; the first time didn’t detect any bugs, but the second time — and I don’t recall what, if anything, changed — this warning found three bugs: a missing break in the process recording code, and two in MI.

-Wshadow=local; Score: 3

Shadowing is when a variable in some inner scope has the same name as a variable in an outer scope. Often this is harmless, but sometimes it is confusing, and sometimes actively bad.

For a long time, enabling a warning in this area was controversial in GDB, because GCC didn’t offer enough control over exactly when to warn, the canonical example being that GCC would warn about a local variable named “index“, which shadowed a deprecated C library function.

However, now GCC can warn about shadowing within a single function; so I wrote a series (still not checked in) to add -Wshadow=local.

This found three bugs. One of the bugs was found by happenstance: it was in the vicinity of an otherwise innocuous shadowing problem. The other two bugs were cases where the shadowing variable caused incorrect behavior, and removing the inner declaration was enough to fix the problem.

-fsanitize=address; Score: 6

The address sanitizer checks various typical memory-related errors: buffer overflows, use-after-free, and the like. This series has not yet landed (I haven’t even written the final fix yet), but meanwhile it has found 6 bugs in GDB.

Conclusion

I’m generally a fan of turning on warnings, provided that they rarely have false positives.

There’s been a one-time cost for most warnings — a lot of grunge work to fix up all the obvious spots. Once that is done, though, the cost seems small: GDB enables warnings by default when built from git (not when built from a release), and most regular developers use GCC, so build failures are caught quickly.

The main surprise for me is how few bugs were caught. I suppose this is partly because the analysis done for new warnings is pretty shallow. In cases like the address sanitizer, more bugs were found; but at the same time there have already been passes done over GDB using Valgrind and memcheck, so perhaps the number of such bugs was already on the low side.

Fedora 28 : Add the Fedora logo to the Google document.

Posted by mythcat ( Fedora Account System Username

mythcat) on September 27, 2018 04:45 PM

I've been able to progress with Google Apps Script.
The latest tutorial with number 008.
This tutorial is about adding a logo and creating an add-on to a document in google drive.
See the full tutorial here, and result of this addon:

Fedora 28 : Show a video with Google Apps Script.

Posted by mythcat ( Fedora Account System Username

mythcat) on September 27, 2018 04:45 PM

It's not a tutorial specific to Fedora's distribution, but many users of this are programmers or developers and its tutorial is very useful.
The tutorial is about how to display a video in a sidebar on a Google document.
I used Google Apps Script to do this.
You can see the tutorial here.
This is a screenshot with the output of this tutorial:

Programming a game on the ZX81

Posted by Richard W.M. Jones ( Fedora Account System Username

rjones) on September 27, 2018 12:24 PM

This took me back as it was my first ever computer and I had no games so I had to program it. I would recommend that David buys a RAMPACK.

5 cool tiling window managers

Posted by Fedora Magazine ( Fedora Account System Username

admin) on September 27, 2018 08:00 AM

The Linux desktop ecosystem offers multiple window managers (WMs). Some are developed as part of a desktop environment. Others are meant to be used as standalone application. This is the case of tiling WMs, which offer a more lightweight, customized environment. This article presents five such tiling WMs for you to try out.

i3

i3 is one of the most popular tiling window managers. Like most other such WMs, i3 focuses on low resource consumption and customizability by the user.

You can refer to this previous article in the Magazine to get started with i3 installation details and how to configure it.

Getting started with the i3 tiling window manager

sway

sway is a tiling Wayland compositor. It has the advantage of compatibility with an existing i3 configuration, so you can use it to replace i3 and use Wayland as the display protocol.

You can use dnf to install sway from Fedora repository:

$ sudo dnf install sway

If you want to migrate from i3 to sway, there’s a small migration guide available.

Qtile

Qtile is another tiling manager that also happens to be written in Python. By default, you configure Qtile in a Python script located under ~/.config/qtile/config.py. When this script is not available, Qtile uses a default configuration.

One of the benefits of Qtile being in Python is you can write scripts to control the WM. For example, the following script prints the screen details:

> from libqtile.command import Client
> c = Client()
> print(c.screen.info)
{'index': 0, 'width': 1920, 'height': 1006, 'x': 0, 'y': 0}

To install Qlite on Fedora, use the following command:

$ sudo dnf install qtile

dwm

The dwm window manager focuses more on being lightweight. One goal of the project is to keep dwm minimal and small. For example, the entire code base never exceeded 2000 lines of code. On the other hand, dwm isn’t as easy to customize and configure. Indeed, the only way to change dwm default configuration is to edit the source code and recompile the application.

If you want to try the default configuration, you can install dwm in Fedora using dnf:

$ sudo dnf install dwm

For those who wand to change their dwm configuration, the dwm-user package is available in Fedora. This package automatically recompiles dwm using the configuration stored in the user home directory at ~/.dwm/config.h.

awesome

awesome originally started as a fork of dwm, to provide configuration of the WM using an external configuration file. The configuration is done via Lua scripts, which allow you to write scripts to automate tasks or create widgets.

You can check out awesome on Fedora by installing it like this:

$ sudo dnf install awesome

Fedora 29 Atomic and Cloud Test Day 2018-10-01

Posted by Fedora Community Blog ( Fedora Account System Username

admin) on September 27, 2018 12:04 AM

Why test Atomic and Cloud

Fedora 29 Atomic and Cloud provides latest version of packages from Fedora 29.
Both Fedora Cloud Base and Atomic Host provide the latest available versions of packages in Fedora 29 containing all features and bug fixes done in individual packages like the kernel, cockpit and more. Additionally, Fedora Atomic Host includes the latest version of podman, which provides the ability to use OCI containers and runc.

When

On October 01 2018, Atomic WG, Cloud SIG and Fedora QA are holding a Test Day for users to try out the new changes in Fedora 29 Atomic and Cloud.

Where

The wiki page for the Test Day has a lot of good information on what and how to test. After you’ve done some testing, you can log your results in the test day result page

Details are available on the wiki page. We need your help, please share this post with others.

The post Fedora 29 Atomic and Cloud Test Day 2018-10-01 appeared first on Fedora Community Blog.

Fedora 29 Beta

Posted by Gwyn Ciesla ( Fedora Account System Username

limb) on September 26, 2018 04:16 PM

It’s Beta time again!

As is my habit, I upgraded my laptop at Beta time. dnf system-upgrade didn’t work for me because of some dependency issues. In the process of working through a dnf upgrade, I discovered that it was due to some odd homegrown Python RPMs I’d made and forgotten about, and gource, which was still FBTBS. After working those out, it was uneventful.

That was last night. Now I’ve been using it for several hours.

It’s still uneventful.

Great job, Fedora folx, I think GA should be smooth. (knock on wood)

Generate XML using SQL query with Oracle database

Posted by Robbi Nespu ( Fedora Account System Username

robbinespu) on September 26, 2018 04:00 PM

Just a quick blog post. I learn something new by exporing Oracle database documentation¹, which is you actually can generate XML from SQL query using XMLELEMENT, XMLAGG and XMLATTRIBUTES or XMLFOREST function. Here an example:

You will get something nice like this: <script src="https://gist.github.com/RobbiNespu/fa38f398c436324312973e203683ebcd.js?file=test.xml"></script>

Thanks to Oracle for providing very extensive and easy features to generate XML.

Generating XML Data from the Database - https://docs.oracle.com/cd/E11882_01/appdev.112/e23094/xdb13gen.htm#ADXDB1600 ↩

Generate XML using SQL query with Oracle database

Posted by Robbi Nespu ( Fedora Account System Username

robbinespu) on September 26, 2018 04:00 PM

You will get something nice like this: <script src="https://gist.github.com/RobbiNespu/fa38f398c436324312973e203683ebcd.js?file=test.xml"></script>

Thanks to Oracle for providing very extensive and easy features to generate XML.

Generating XML Data from the Database - https://docs.oracle.com/cd/E11882_01/appdev.112/e23094/xdb13gen.htm#ADXDB1600 ↩

Security Technologies: FORTIFY_SOURCE

Posted by Red Hat Security ( Fedora Account System Username

sparks) on September 26, 2018 01:30 PM

FORTIFY_SOURCE provides lightweight compile and runtime protection to some memory and string functions (original patch to gcc was submitted by Red Hat). It is supposed to have no or a very small runtime overhead and can be enabled for all applications and libraries in an operating system. The concept is basically universal meaning it can be applied to any operating system, but there are glibc specific patches available in gcc-4 onwards. In gcc, FORTIFY_SOURCE normally works by replacing some string and memory functions with their *_chk counterparts (builtins). These functions do the necessary calculations to determine an overflow. If an overflow is found, the program is aborted; otherwise control is passed to the corresponding string or memory operation functions. Again all this is normally done in assembly so the overhead is really minimal.

While there are some technical articles which talk about FORTIFY_SOURCE in detail, this article discusses broad objectives of this technology and how it can help developers prevent some vulnerabilities related to buffer overflows.

How does FORTIFY_SOURCE actually work

As mentioned earlier, depending on the code, gcc can detect buffer overflows during compile time and runtime.

Consider a buffer of fixed size which is declared as:

char buf[5];

Here are possible scenarios FORTIFY_SOURCE can effectively work with:

Fixed data being copied into buf

memcpy (buf, foo, 5);
strcpy (buf, "abcd");

In this case size of the data being copied into buf is known (5 bytes in first case and 4 chars plus a null byte in the second case), therefore FORTIFY_SOURCE can easily determine at compile time that no buffer overflow is possible, so memcpy/strcpy can be called directly or even inlined.

Again, fixed data being copied into buf

memcpy (buf, foo, 6);
strcpy (buf, "abcde");

Again size of the data is known, but seems to be incorrect. The compiler can detect buffer overflows at compile time. It issues warnings at compile time, and calls the checking alternatives at runtime.

Variable data being copied into buf

memcpy (buf, foo, n);
strcpy (buf, bar);

The compiler knows the number of bytes remaining in object, but doesn't know the length of the actual copy that will happen at runtime. FORTIFY_SOURCE replaces memcpy or strcpy with wrapper functions __memcpy_chk or __strcpy_chk which checks if a buffer overflow happened. If buffer overflow is detected, __chk_fail () is called (the normal action is to abort () the application, perhaps by writing some message to stderr).

Variable data copied into buffer whose size is not known:

memcpy (p, q, n);
strcpy (p, q);

This is not check-able at compile time or at runtime. FORTIFY_SOURCE cannot be used to protect against overflows if they occur.

Functions protected by FORTIFY_SOURCE

Memcpy, memset, stpcpy, strcpy, strncpy, strcat, strncat, sprintf, snprintf, vsprintf, vsnprintf, gets(3), and wide character variants thereof. For some functions, argument consistency is checked; for example, a check is made that open(2) has been supplied with a mode argument when the specified flags include O_CREAT.

How to enable FORTIFY_SOURCE

During compile D_FORTIFY_SOURCE macro needs to be set in order to enable FORTIFY_SOURCE. There are two levels of checking which are implemented. Setting the macro to 1 will enable some checks (the man page says that "checks that shouldn't change the behavior of conforming programs are performed"), while setting it to 2 adds some more checking.

The difference between -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2
is e.g. for:

struct S { 
    struct T {
         char buf[5];
          int x; 
          } t;
     char buf[20]; 
} var;

With -D_FORTIFY_SOURCE=1, "strcpy (&var.t.buf[1], "abcdefg");" is not considered an overflow (object is whole VAR), while with -D_FORTIFY_SOURCE=2 "strcpy (&var.t.buf[1], "abcdefg");" will be considered a buffer overflow.

Another difference is that with -D_FORTIFY_SOURCE=2, "%n" in format strings of the most common *printf family functions is allowed only if the format string is stored in read-only memory (usually string literals, gettext's _("%s string %n") is fine too). Usually, when an attacker attempts to exploit a format string vulnerability, the "%n" is injected by the attacker, so it is necessarily a writable memory.

In conclusion FORTIFY_SOURCE is lightweight and quite effective at controlling some categories of overflows, but again like any other security technology it is not perfect and should be enabled in combination with others.

Language English

Como instalar Packet Tracer 7.2 en Linux

Posted by Alvaro Castillo ( Fedora Account System Username

netsys) on September 26, 2018 11:10 AM

Packet Tracer es un software desarrollado por Cisco en su división de educación NetAcad. Este software de "simulación" permite diseñar múltiples escenarios en el ámbito de redes, ya que permite elaborar diferentes tipos de redes como LAN, MAN, WAN con medios alámbricos e inalámbricos; permite utilizar protocolos de enrutamiento dinámicos como OSPF, IGRP, EIGRP, BGP, RIP y estáticos.

También permite la elaboración de redes convergentes implementando equipos con múltiples servicios que actúen de...

[F29] Participez à la journée de test consacrée à Java 8, 10 et 11

Posted by Charles-Antoine Couret ( Fedora Account System Username

renault) on September 26, 2018 06:00 AM

Aujourd'hui, ce mercredi 26 septembre, est une journée dédiée à un test précis : sur Java 8, 10 et 11. En effet, durant le cycle de développement, l'équipe d'assurance qualité dédie quelques journées autours de certains composants ou nouveautés afin de remonter un maximum de problèmes sur le sujet.

Elle fournit en plus une liste de tests précis à effectuer. Il vous suffit de les suivre, comparer votre résultat au résultat attendu et le notifier.

En quoi consiste ce test ?

Java est un langage de programmation très populaire dont une des caractéristiques est d'utiliser une machine virtuelle pour exécuter le programme, ce que l'on nomme la JVM pour Java Virtual Machine. Il existe plusieurs JVM concurrentes et Fedora fournie la version libre de référence qui est OpenJDK.

Oracle, le développeur principal, a changé récemment le cycle des versions ce qui conduit à Fedora de proposer pour des raisons de compatibilités plusieurs versions en simultanées dans le système. Fedora 29 devra donc proposer la OpenJDK 8, 10 et 11. Et c'est la raison du test d'aujourd'hui.

Plus précisément les tests consistent en :

Installer les paquets des différentes versions, et vérifier si le chemin de différents fichiers est le bon.
Utiliser la méthode des alternatives pour changer la JVM de référence à la volée, et s'assurer que le mécanisme fonctionne.
Vérifier que OpenJDK respecte les règles cryptographiques du système suivant la politique choisie.
Vérifier qu'une application fonctionne si on utilise l'algorithme Shenandoah comme algorithme de référence pour la ramasse miette. Uniquement pour les architectures aarch64 et x86_64.

Comment y participer ?

Vous pouvez vous rendre sur la page des tests pour lister les tests disponibles et rapporter vos résultats. La page wiki récapitule les modalités de la journée.

En cas de bogue, il est nécessaire de le rapporter sur le BugZilla. Si vous ne savez pas faire, n'hésitez pas à consulter la documentation correspondante.

De plus, si une journée est dédiée à ces tests, il reste possible de les effectuer quelques jours plus tard sans problème ! Les résultats seront globalement d'actualité.

Peru for syncing specific git repo files

Posted by Pablo Iranzo Gómez ( Fedora Account System Username

iranzo) on September 25, 2018 08:17 PM

Peru a repo syncer

Some projects upstream bind together lot of files which might not be of interest, but still the conveniency of a git pull to get latest updates, makes you to download the whole repo for just a bunch of files or folders.

For example, this website uses Pelican to generate the webpages out of markdown files. Pelican does have a rich set of plugins but all of them are in the same folder in the git checkout.

Here, is where peru comes in to play. Peru (hosted at https://github.com/buildinspace/peru) comes handy at this task.

You can install peru from pipsi:

pipsi install peru

And will provide you a commandline tool that uses a yaml file for definition of repositories, like the one I do use here:

imports:
    # The dircolors file just goes at the root of our project.
    sitemap: plugins/
    better_codeblock_line_numbering: plugins/
    better_figures_and_images: plugins/
    yuicompressor: plugins/

git module sitemap:
    url: [email protected]:getpelican/pelican-plugins.git
    pick: sitemap
    rev: ead70548ce2c78ed999273e265e3ebe13b747d83

git module yuicompressor:
    url: [email protected]:getpelican/pelican-plugins.git
    pick: yuicompressor
    rev: ead70548ce2c78ed999273e265e3ebe13b747d83

git module better_figures_and_images:
    url: [email protected]:getpelican/pelican-plugins.git
    pick: better_figures_and_images
    rev: ead70548ce2c78ed999273e265e3ebe13b747d83

git module better_codeblock_line_numbering:
    url: [email protected]:getpelican/pelican-plugins.git
    pick: better_codeblock_line_numbering
    rev: ead70548ce2c78ed999273e265e3ebe13b747d83

In this way, peru sync will download from the provided repos the specified folder into the destination indicated, allowing you to integrate "other repo's files" in your own workflow.

For example, if you want to use citellus repo at one specific point in time, to be integrated in your code, you could use:

imports:
    citellus: ./

git module citellus:
    url: [email protected]:citellusorg/citellus.git
    pick: citellusclient/plugins/
    rev: 1ee1c6a36f51e8a7c809d5162004fb57ee99b168

This will checkout citellus repo at one specific point in time and merge in your current folder.

Enjoy!

Pablo

Recently in Geoclue

Posted by Zeeshan Ali ( Fedora Account System Username

zeenix) on September 25, 2018 06:37 PM

After I started working for Collabora in April, I've finally been able to put some time on maintenance and development of Geoclue again. While I've fixed quite a few issues on the backlog, there has been some significant changes as of late, that I felt deserves some highlighting. Hence this blog post.

Leaving security to where it belongs

Since people's location is a very sensitive piece of information, security of this information had been the core part of Geoclue2 design. The idea was (and still is) to only allow apps access to user's location with their explicit permission (that they could easily revoke later). When Geoclue2 was designed and then developed, we didn't have Flatpak. Surely, people were talking about the need for something like Flatpak but even with those ideas, it wasn't clear how location access will be handled.

Hence we decided for geoclue to handle this itself, through an external app authorizing agent and implemented such an agent in GNOME Shell. Since there is no reliable way to identify an app on Linux, there were mixed reactions to this approach. While some thought it's good to have something rather than nothing, others thought it's better to wait for the time when we've the infrastructure that allows us to reliably identify apps.

Fast forward to an year or so ago, when Flatpak portals became a thing, I had a long discussion with Matthias Clasen and Bastien Nocera about how geoclocation should work in Flatpak. We disagreed on our approach and we forgot about the whole thing then.

Some months ago, we had to make app authorizing agent compulsory to plug some security holes and that made a lot of people who don't use GNOME, unhappy. We had to start installing the demo agent for non-GNOME as a workaround. This forced me to rethink the whole approach and after some more long discussions with Matthias and a lot of thinking, the plan is to:

Create a Flatpak geolocation portal. Matthias already has a work-in-progress implementation. I really wanted the portal API to be as identical to the Geoclue API but I failed to convince Matthias on that. This is not that big an issue though, as at least the apps using GeoclueSimple API will not need to change anything for accessing location from inside the Flatpak sandbox.
Drop all authorization from Geoclue and leave that to the geolocation portal. I've already dropped authorization for non-flatpak (i-e system) apps in git master. Once the portal is in place and GNOME shell and control-center have been modified to talk to it, we can drop all app authorizing code from Geoclue.

Note that we have been able to reliably identify Flatpak apps and it's only the system apps that can lie about their identity.

A modern build system

Like many Free Software projects, Geoclue is also now using Meson for its builds. After it started to work reliably, I also dropped autotools-based build completely. The faster build makes development a much more pleasant experience.

And a modern issue tracker to go with it

Bugzilla served us well but patches in Bugzilla are no fun, even though git-bz makes it much much better. So when Daniel Stone setup gitlab on freedesktop.org, Geoclue was one of the first few projects to move to gitlab. Now it's much easier and simpler to contribute to Geoclue.

Minimize GeoIP use

While GeoIP is a nice backup if you have neither WiFi hardware nor a cellular modem, Geoclue would also use (only) that if an app only asked for city-level accuracy. Apps like GNOME Weather and GNOME Clocks ask for only that since that's the info they need and don't need to know which street you're currently on. This would be perfect if only the GeoIP database being used would be correct or accurate for at least 90% of the IP addresses but unfortunately the reality is far from that. This meant, a significant number of people getting annoyed with these apps showing them time and weather of a different town than their current one.

On the other hand, we couldn't just use a more accurate geolocation source (WiFi) since an app should not get more accurate location it asked for and it was authorized for by the user. While currently we don't have the UI in GNOME (or any other platform) that allows users to control the location accuracy, the infrastructure has always been in place to do that.

Recently one person decided to not only report this but had a good suggestion that I recently implemented: Use WiFi geolocation for city-level accuracy as well but randomize the location enough to mitigate the privacy concerns. It should be noted that while this solution ensures that apps don't get more accurate location then they should, it still means sending out the current WiFi data to the Mozilla Location Service (MLS) and Geoclue getting a very accurate (street-level) location in response. It's all over HTTPS so it's not as bad as it sounds.

The future of Mozilla Location Service

When Mozilla announced their location service in late 2013, Geoclue became one of it's first users as it was our only hope for a reliable WiFi-geolocation source. We couldn't use Google's service as their ToC don't allow it to be used in an open source project (I recall some clause that it can only be used with Google Maps and not any other Map software). MLS was a huge success in terms of people contributing WiFi data to it. I've been to quite a few places around Europe and North America in the last few years and I haven't been to any location, that is not already covered by MLS.

Mozilla's own interest in this service was tied to their Firefox OS project. Unfortunately Firefox OS project was abandoned two years ago and Mozilla lost its interest in MLS as a result. Mozilla folks are the good guys so they have kept the service running and users can still contribute data but it's no longer developed or maintained.

Since this is a very important service for all users of geoclue, I feel very uneasy about this uncertain future of MLS. So consider this a call for help. If your company relies on MLS (directly or through Geoclue) and you'd want to secure the future of Open Source geolocation, please do get in touch and we can discuss how we could possibly achieve that.

Using Wireguard, DigitalOcean and firewalld to give your roaming computer a static IP

Posted by Jonathan Dieter ( Fedora Account System Username

jdieter) on September 25, 2018 03:09 PM

"Have fun storming the castle"

While we’re waiting to figure out where in Ireland we’ll be living long-term, we’re currently using mobile broadband. I’d like to be able to ssh into my home network from outside, but when I looked into setting up DDNS, I found that I don’t even have a public IP address. My mobile dongle says that its IP address is in the 10.0.0.0/8 range, so there’s no way to direct traffic to it from the internet.

After my first foray in using wireguard, I figured it should be a good fit to give myself ssh access to the home network. I could have just forwarded a specific port to my home network, but I prefer not to have to deal with non-standard ports. And, as this site is hosted on DigitalOcean, the natural next step was to see if I could pull it off with them.

It took a couple of hours (mainly dealing with firewalld as I’m much more comfortable with iptables), but I got there in the end, and I can now ssh into my home network (using key-based authentication, of course).

This guide will walk you through the process, step by step. It assumes you have a DigitalOcean droplet running, that you’re using Fedora on both the roaming computer and the DigitalOcean droplet, and that you have firewalld on both.

Step 1 - Give your droplet a Floating IP

Log into DigitalOcean
Go to Networking, Floating IPs
Select the droplet you want to use as your gateway and click Assign Floating IP:
Check to see what address you got. This will be your new static IP address

Do note that the floating IP will not appear when you run ip addr in your droplet, but there will be a local IP (most likely in the 10.16.0.0/16 range) that all the floating IP’s traffic will be forwarded to.

Step 2 - Setup wireguard between DigitalOcean and your roaming computer

On both the DigitalOcean droplet and your roaming computer, install wireguard. I want to quickly note that it’s not available from the official Fedora repositories because the kernel module hasn’t been merged into the mainline kernel yet. It has just become available in the RPM Fusion Free testing repositories. This guide assumes you’ve already configured the RPM Fusion Free repository on your system.

$ sudo dnf --enablerepo=rpmfusion-free-updates-testing install wireguard

Now, it’s time to set wireguard up on the DigitalOcean droplet.

We’ll use the wg-quick service to set everything up, so put the following in /etc/wireguard/wgnet0.conf:

[Interface]
Address = 192.168.32.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = 

[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 192.168.32.0/24

Generate a private key and insert it into the line that says PrivateKey:
```
$ wg genkey
```
Generate a pre-shared key (which should protect your VPN from the omnipresent quantum computers that are undoubtedly listening in) and insert it into the line that says PresharedKey:
```
$ wg genpsk
```
Figure out the public key from the private key you generated in step 2:
```
$ echo {private key} | wg pubkey
```

Now for the roaming computer. Because the roaming computer initiates the connection to the DigitalOcean droplet, we need to setup a keepalive so traffic that starts at the droplet (which is the whole point of this exercise) will get back to the roaming computer in 10 seconds max if the link is completely idle.

Put the following in /etc/wireguard/wgnet0.conf, substituting your droplet’s hostname or public IP (but not the floating IP) for www.example.com:

[Interface]
Address = 192.168.32.2/24
PrivateKey = 

[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 192.168.32.0/24
Endpoint = www.example.com:51820
PersistentKeepalive = 10

Insert the public key we extracted in step 4 of the droplet configuration into the line that says PublicKey
Insert the pre-shared key generated in step 3 of the droplet configuration into the line that says PresharedKey
Generate a private key and insert it into the line that says PrivateKey:
```
$ wg genkey
```
Now, extract the public key from the private key you just generated, go back to the droplet and insert it into the line that says PublicKey:
```
$ echo {private key} | wg pubkey
```

At this point, you should have two configuration files with everything filled in.

Go back to the DigitalOcean droplet now and get the service running.

First open the service port in the firewall:

$ sudo firewall-cmd --add-port=51820/udp --permanent
$ sudo firewall-cmd --reload

Enable and start the service

$ sudo systemctl enable [email protected]
$ sudo systemctl start [email protected]

Assuming you haven’t hit any errors, you should now have wireguard running on your droplet

On your roaming computer, get the service running.

Enable and start the service

$ sudo systemctl enable [email protected]
$ sudo systemctl start [email protected]

Test the service by pinging 192.168.32.1 from your roaming computer and 192.168.32.2 from your DigitalOcean droplet. Assuming both work, congratulations, you’ve now setup a VPN between your two systems!

Step 3 - Forward ports from the roaming IP to your roaming computer

So now you have a floating IP on your DigitalOcean droplet and a VPN between the droplet and your roaming computer, so the final step is to put them together.

This process would be easier if DigitalOcean used different interfaces for the public IP and the floating IP, but they don’t, so we have to use firewalld’s rich rules to make this work.

First, figure out which ports you want to open up. We’ll just open the ssh port in this example.

On the droplet, do the following steps:

Verify that you can ssh into the roaming computer:
```
$ ssh [email protected]
```
If this step fails, you’ve made a mistake in your ssh configuration, and fixing it is beyond the scope of this guide.
Figure out the private address that traffic to the floating IP is coming to:
```
$ ip addr show eth0
```
Look for the line that begins with inet 10.x.x.x. 10.x.x.x is the IP address you’re looking for. On my system it’s 10.16.0.5, so that’s what I’m going to use for the rest of the example.

Turn on masquerading for any traffic going over the VPN:

$ sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address=192.168.32.2/32 masquerade" --permanent

Forward the ports from the floating IP to the VPN, making sure to substitute the IP address you found in step 2 for 10.16.0.5:

$ sudo firewall-cmd --add-rich-rule "rule family=ipv4 destination address=10.16.0.5/32 forward-port port=22 protocol=tcp to-port=22 to-addr=192.168.32.2" --permanent

Repeat step four for any other ports you want open.
Reload the firewall rules:
```
$ sudo firewall-cmd --reload
```

Voilà! When you ssh into your floating IP, it should be forwarded to your roaming computer, while your droplet is still accessible on its public IP.

Security notice: you do not want to allow root to ssh into your system using a password. That’s just begging for someone to guess the password and get root access on your roaming computer. Setup SSH keys, and, at the minimum, make sure that root can only log in with an SSH key

One of the benefits of wireguard is that the client (in this case, the roaming computer) will automatically reconnect as it moves from network to network, so your roaming computer will automatically be available at the floating IP no matter where it is as long as it’s on the Internet.

Do note that DigitalOcean doesn’t seem to allow you to connect more than one floating IP to a droplet at a time, so you’ll be limited to one forwarded IP per droplet.

Enjoy your new static IP. If you run into any problems, please leave a message in the comments below.

Tests ouverts pour Fedora 29 Beta

Posted by Charles-Antoine Couret ( Fedora Account System Username

renault) on September 25, 2018 02:42 PM

En ce mardi 25 septembre, les utilisateurs du Projet Fedora seront ravis d'apprendre la disponibilité de la version Beta Fedora 29.

Malgré les risques concernant la stabilité d’une version Beta, il est important de la tester ! En rapportant les bogues maintenant, vous découvrirez les nouveautés avant tout le monde, tout en améliorant la qualité de Fedora 29 et réduisez du même coup le risque de retard. Les versions en développement manquent de testeurs et de retours pour mener à bien leurs buts.

La version finale est pour le moment fixée pour le 23 ou 30 octobre. Voici les nouveautés annoncées pour cette version :

Expérience utilisateur

Passage à GNOME 3.30.
De même pour Xfce 4.13 qui bénéficie enfin de GTK+3.
Le menu de GRUB sera caché par défaut, sauf en cas de dual-boot.
La variable $PATH par défaut change l'ordre des dossiers /.local/bin pour les placer devant afin d'être prioritaires par rapport aux dossiers systèmes. Cela rejoint la politique de Debian et Ubuntu.
L'utilitaire Wireshark perd son interface GTK+, uniquement l'interface Qt est proposée en adéquation avec le choix du projet.
Le synthétiseur vocal festival est proposé à la version 2.5.

Gestion du matériel

Les paquets i686 sont compilés avec les instructions SSE2 ce qui réduit la liste des processeurs compatibles avec Fedora pour cette architecture. Mais pour les processeurs supportés tout comme x86_64 un gain notable de performance est possible.
Les images pré-générées pour les architectures ARMv7 et aarch64 bénéficient de la ZRAM pour la swap par défaut afin d'améliorer les performances et limiter l'usure des cartes SD de stockage.
Prise en charge initiale des FPGA, les cartes 96boards d'Ultra96 et UP² d'Intel proposent des FPGA pour faire des calculs spécialisés comme l'IA ou le machine learning. Fedora propose des outils de base et agnostiques pour les exploiter.
Clap de fin pour l'architecture ppc64, sa sœur little endian ppc64le recevra toutes les attentions pour cette famille.

Internationalisation

Mise à jour du gestionnaire d'entrée de saisie IBus vers 1.5.19.
La famille de police de caractères Liberation, compatible avec celle de Microsoft, passe à la version 2 proposant plus de caractères UNICODE.
Les langues asiatiques chinoises, coréennes et japonaises utiliseront par défaut les polices de Google Noto.
Les fichiers des fuseaux horaires de tzdata seront fondés sur le format vanguard en accord avec le choix effectué en amont. Cela améliore la compatibilité avec POSIX.

Administration système

Mise à jour d'OpenShft Origin 3.10.
Ajout du module Kubernetes.
Ansible utilise Python 3 par défaut.
Stratis Storage est mis à jour à la version 1.0.
GnuTLS utilise le protocole TLS 1.3 par défaut.
Le module p11-kit-proxy gère les bases de données NSS par défaut maintenant en plus d'OpenSLL et GnuTLS.
Fusion de Dstat et Performance Co-Pilot pour les statistiques de performance. Dstat n'est plus maintenu en amont mais PCP ajoute le module pcp-dstat pour être compatible avec son illustre prédécesseur.
OpenLDAP ne gère plus le module NSS pour la sécurité, suite à son remplacement par défaut par OpenSSL pour Fedora 28.
Le fichier /usr/bin/python est fourni par le paquet python-unversioned-command en accord avec la PEP 394. Les paquets de Fedora mentionnent explicitement l'usage de Python 2 ou 3.
Les groupes de paquets python-classroom, engineering-and-scientific, development-libs, cloud-management, font-design, mysql, robotics-suite, authoring-and-publishing et electronic-lab utilisent les paquets Python 3. Le groupe python-web est supprimé.

Développement

Binutils passe à la version 2.31.
GLibc 2.28 est utilisée par défaut.
Node.js 10 est proposé par défaut.
Python 3.7 devient la version de référence.
Ruby on Rails est sur les rails de la version 5.2.
La perle des langages, Perl 5.28, a été mis à jour.
Le langage Go passe à la version 1.11.
MySQL 8 est proposé pour sa gestion des bases de données.
OpenJDK 11 LTS devient la machine virtuelle de référence pour Java.
La sélection de paquets compatibles entre eux Haskell Stackage LTS passe de la version 10 à 11.

Modularité

Fedora Workstation et Cloud bénéficient par défaut des modules en plus de Fedora Server. Ainsi tout le monde est capable facilement d'exploiter les modules, pour installer une version différente de Node.js que celle proposée par exemple.

Projet Fedora

Fedora Workstation Atomic devient Silverblue. Ce projet qui monte en puissance met en avant le projet Atomic pour l'édition phare de Fedora. Cela consiste majoritairement à utiliser Flatpak et rpm-os-tree pour gérer les paquets permettant une meilleure isolation des composants et une plus grande fiabilité du système. Un site web dédié a été conçu pour l'occasion.
Les éditions dérivées de Fedora comme les Spins, labs ou conteneurs auront les champs VARIANT et VARIANT_ID renseignés dans le fichier /usr/lib/os-release pour avoir des statistiques plus précises quant à leur utilisation et pour l'utilisateur de connaître la provenance de l'image.
Fedora Scientific a une image VagrantBox en plus des ISO traditionnelles.
GCC n'est plus nécessaire dans l'image de compilation de Fedora, réduisant le temps nécessaire à la production des paquets n'en ayant pas besoin.
Fedora Cloud aura des images mises à jour mensuellement, pour limiter la taille des mises à jour à effectuer après l'installation.
La compilation du bytecode Python est moins magique pour les paquets, les étapes doivent être mieux décrites pour faciliter la transition vers Python 3.
Les modules Perl obtenus via CPAN changent leurs URL de search.cpan.org vers metacpan.org dans la description des paquets concernés.
Les paquets Erlang sont liés à aucune architecture dorénavant.

Tester

Durant le développement d'une nouvelle Fedora, comme cette version Beta, quasiment chaque semaine le projet propose des journées de tests. Le but est pendant une journée de tester une fonctionnalité précise comme le noyau, Fedora Silverblue, la mise à niveau, GNOME, l’internationalisation, etc. L'équipe de qualité élabore et propose une série de tests en général simples à exécuter. Suffit de les suivre et indiquer si le résultat est celui indiqué. Dans le cas contraire, un bogue devra être ouvert pour permettre l'élaboration d'un correctif.

C'est très simple à suivre et requiert souvent peu de temps (15 minutes à une heure maximum) si vous avez une Beta exploitable sous la main.

Les tests à effectuer et les rapports sont à faire via la page suivante. J'annonce régulièrement ici quand une journée de tests est planifiée.

Si l'aventure vous intéresse, les images sont disponibles par Torrent ou via le site officiel. En cas de bogue, n'oubliez pas de relire la documentation pour signaler les anomalies sur le BugZilla ou de contribuer à la traduction sur Zanata.

Bons tests à tous !

Crossing the Great St Bernard Pass

Posted by Daniel Pocock ( Fedora Account System Username

pocock) on September 25, 2018 02:26 PM

It's a great day for the scenic route to Italy, home of Beethoven's Swiss cousins.

What goes up, must come down...

Descent into the Aosta valley

Announcing the release of Fedora 29 Beta

Posted by Fedora Magazine ( Fedora Account System Username

admin) on September 25, 2018 02:21 PM

The Fedora Project is pleased to announce the immediate availability of Fedora 29 Beta, the next big step on our journey to the exciting Fedora 29 release.

Download the prerelease from our Get Fedora site:

Or, check out one of our popular variants, including KDE Plasma, Xfce, and other desktop environments, as well as images for ARM devices like the Raspberry Pi 2 and 3:

Beta Release Highlights

Modularity for all

Fedora 28 introduced modular repositories for Fedora Server Edition. For Fedora 29 Beta, modularity is available in all Editions, Spins, and Labs. Modularity makes multiple versions of important packages available in parallel and it will work with the same DNF you already know. Learn more about Modularity by reading the documentation, or listening to Episode 003 of the Fedora Podcast.

GNOME 3.30

Fedora 29 Workstation Beta provides GNOME 3.30. GNOME 3.30 streamlines performance, adds a new Podcasts app, and automatically updates Flatpaks in Software Center.

Other updates

Fedora 29 Beta also includes many other updates: The Fedora Atomic Workstation was rebranded as Fedora Silverblue, the GRUB menu will be hidden on single OS installation. Fedora 29 also includes updated versions of many popular packages like MySQL, the GNU C Library, Python and Perl. For a full list, see the Changes page on the Fedora Wiki.

Testing needed

Since this is a Beta release, we expect that you may encounter bugs or missing features. In particular, dnf added many new features to support modularity and other use cases. To report issues encountered during testing, contact the Fedora QA team via the mailing list or in #fedora-qa on Freenode. As testing progresses, common issues are tracked on the Common F29 Bugs page.

For tips on reporting a bug effectively, read how to file a bug report.

What is the Beta Release?

A Beta release is code-complete and bears a very strong resemblance to the final release. If you take the time to download and try out the Beta, you can check and make sure the things that are important to you are working. Every bug you find and report doesn’t just help you, it improves the experience of millions of Fedora users worldwide! Together, we can make Fedora rock-solid. We have a culture of coordinating new features and pushing fixes upstream as much as we can, and your feedback improves not only Fedora, but Linux and Free software as a whole.

More information

For more detailed information about what’s new on Fedora 29 Beta Release, you can consult our Talking Points and the F29 Change Set. They contain more technical information about the new packages and improvements shipped with this release.

Test Day: Java 8,10,11

Posted by Fedora Community Blog ( Fedora Account System Username

admin) on September 25, 2018 12:50 PM

Why test Java

Test Day will focus on OpenJDK 11 and OpenJDK 10. Currently, we have java-1.8.0-openjdk as main JDK in Fedora. It accompanied java-1.7.0-openjdk as JRE for a year, and replaced it in buildroot in F21. Similarly, as did java-1.7.0-openjdk to java-1.6.0-openjdk in F16 as parallel JRE and replaced it in F17 in build root and main JDK. However, today the situation is more complicated. Oracle changed release process, see OpenJDK 11 summary and OpenJDK 10 summary, so currently, in F27 and up, you have java-1.8.0-openjdk as main JDK, java-openjdk as rolling release of STS JDK 10, and java-11-openjdk as techpreview of future LTS JDK. Javaws is provided in another package – icedtea-web

When

On September 26 2018, Java folks and Fedora QA are holding a Test Day for users to try out and test this new Fedora Workstation variant.

Where

The wiki page for the Java Test Day has a lot of good information on what and how to test. After you’ve done some testing, you can log your results in the test day result page

Details are available on the wiki page. We need your help, please share this post with others.

The post Test Day: Java 8,10,11 appeared first on Fedora Community Blog.

Gestionando aplicaciones por defecto en Linux

Posted by Alvaro Castillo ( Fedora Account System Username

netsys) on September 25, 2018 09:20 AM

Una de las formas que tiene Linux es que es tan configurable y tan versátil que podemos hacer lo que queramos con él, en este artículo veremos cómo configurar las aplicaciones por defecto para abrir X tipos de archivos.

¿Aplicaciones por defecto?

Todos los archivos tienen un identificador que permiten saber que tipo de dato contienen como por ejemplo un archivo de audio, está compuesto por un tipo de fichero de audio ya sea MP3, OGG...

Cuando utilizamos un entorno de escritorio o un gesto...

Getting the team together to revolutionize Linux audio

Posted by Christian F.K. Schaller ( Fedora Account System Username

uraeus) on September 24, 2018 07:31 PM

So anyone reading my blog posts would probably have picked up on my excitement for the PipeWire project, the effort to unify the world of Linux audio, add an equivalent video bit and provide multimedia handling capabilities to containerized applications. The video part as I have mentioned before was the critical first step and that is starting to look really good with the screen sharing functionality in GNOME shell already using PipeWire and equivalent PipeWire support being added to KDE by Jan Grulich. We have internal patches for both Firefox and Chrome(ium) which we are polishing up to propose them upstream, but we will in the meantime offer them as downstream patches in Fedora as soon as they are ready for primetime. Once those patches are deployed you should have any browser based desktop sharing software, like Google Hangouts, working fully under Wayland (and X).

With the video part of PipeWire already in production we decided the time has come to try to accelerate the development of the audio bits. So PipeWire creator Wim Taymans, PulseAudio developer Arun Raghavan and myself decided to try to host a PipeWire hackfest this fall to bring together many of the core Linux audio developers to try to hash out a plan and a roadmap. So I am very happy to say that at the end of October we will have a gathering in Edinburgh to work on this and the critical people we where hoping to have there are coming. Filipe Coelho who is the current lead developer on Jack will be there alongside Arun Raghavan, Colin Guthrie and Tanu Kaskinen from PulseAudio, Bastien Nocera from the GNOME project and Jan Grulich from KDE will be there representing desktop integration and finally Nirbheek Chauhan, Nicolas Dufresne and George Kiagiadakis from the GStreamer project. I think we have about the right amount of people for this to be productive and at the same time have representation from everyone who needs to be there, so I am feeling very optimistic that we can come out of this event with both a plan for what we want to do and the right people involved to make it happen. The idea that we can have a shared infrastructure for consumer level audio and pro-audio under Linux really excites me and I do believe that if we do this right Linux will take a huge step forward as a natural home for pro-audio desktop users.

A big thanks you to the GNOME Foundation for sponsoring this event and allow us to bring all this people together!

Testers Needed F28-20180923

Posted by Ben Williams ( Fedora Account System Username

jbwillia) on September 24, 2018 05:11 PM

We need Testers for new updated isos

If yo can help test come see us in Freenode in the #fedora-respin channel

Ben Williams

Respin Lead

LAMP stack for Fedora

Posted by Robbi Nespu ( Fedora Account System Username

robbinespu) on September 24, 2018 04:00 PM

Fedora 28 - Linux, Apache, MariaDB & PHP

I need to setup a working LAMP environment on my Fedora 28 workstation. I created out this tutorial as my personal references and it might be useful for you.

First thing, you need to update your repository at first :

$ sudo dnf update --refresh

Then, lets begin to install Apache web server and MariaDB database server:

$ sudo dnf install httpd
$ sudo dnf install mariadb-server

Now install PHP engine and some dependency

$ sudo dnf install php php-mbstring php-pear php-mysqlnd php-common php-pdo php-xml

Do you need PhpMyAdmin? I always need that:

$ sudo dnf install phpmyadmin

It will install bunch of packages needed to execute phpmyadmin.

Start Apache and MySQL services via systemctl:

$ sudo systemctl start httpd.service
$ sudo systemctl start mariadb.service

Default web server Open you browser and navigate to 127.0.0.1. Now, does default webserver page loaded on your screen? Awesome! Ok, keep calm and continue..

After starting MariaDB database, run mysql_secure_installation and follow the instruction. If it just for local usage then not much to worried about:

$ mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] n
 ... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

By default web server is only accessible as localhost. To allow access publicly to the LAMP over HTTP and HTTPS, you need to configure the firewall rules and after that reboot or reload the firewall:

$ sudo firewall-cmd --permanent --add-service=http
$ sudo firewall-cmd --permanent --add-service=https
$ sudo firewall-cmd --reload 

This are the same step I practically use since Fedora 23 until now (Fedora 28). It should worked for next upcoming version also.

Test the new features in Fedora 29 Atomic and Cloud

Posted by Fedora Magazine ( Fedora Account System Username

admin) on September 24, 2018 07:56 AM

Development on Fedora 29 Atomic and Fedora 29 Cloud editions is wrapping up, and features a range of new features and enhancements.

Latest Packages

Fedora 29 Atomic and Cloud provides latest version of packages from Fedora 29.
Both Fedora Cloud Base and Atomic Host provide the latest available versions of packages in Fedora 29 containing all features and bug fixes done in individual packages like the kernel, cockpit and more. Additionally, Fedora Atomic Host includes the latest version of podman, which provides the ability to use OCI containers and runc.

Install packages with URL

The new version of Fedora Atomic Host also allows installation of packages directly using URLs. rpm-ostree has added support for passing URLs to RPMs to install packages. It can be used notably with `rpm-ostree install` and `rpm-ostree override replace`. For example:

sudo rpm-ostree install https://kojipkgs.fedoraproject.org//packages/wget/1.19.5/5.fc29/x86_64/wget-1.19.5-5.fc29.x86_64.rpm

Migration of AWS Resource IDs

The AMIs for both Cloud-base and Atomic Host are now migrated from short resource IDs to longer resource IDs. For example, if the AMI IDs were ami-1234abc0, after the migration, they would be in the format like: ami-1234567890abcdef0.

Test out Fedora 29 Atomic and Cloud

Fedora Atomic Working Group and Cloud SIG are organizing a Test Day next Monday, 1st October.

This Test Day is to make sure that all artifacts from Fedora 29 Atomic Host and Cloud Base are working as expected and to catch and fix bugs early. For Atomic Host, there are ISO and QCOW2 images available to test on the aarch64, ppc64le and x86_64 architectures. Additionally, there are libvirt and virtualbox vagrant images for both Atomic Host and Cloud Base. If you use AWS to lunch instances in cloud, you can help by testing the AMIs both Atomic Host and Cloud Base.

All the details on how and what to test, and more information about the available media download details are available at test wiki page.

How do test days work?

A test day is an event where anyone can help make sure that changes in Fedora work well in the upcoming release. Fedora community members often participate and and the public is welcome at these events.

The wiki page provides lot of good information on what and how to test. Once you have tested, you can log your results in the test day web application.

Como añadir RPM Fusion en Fedora

Posted by Alvaro Castillo ( Fedora Account System Username

netsys) on September 24, 2018 06:00 AM

El Proyecto Fedora hace uso de una filosofía en la que pretende fomentar lo máximo que pueda el software libre y de open source ya que si no lo hacen de esta manera, fomentarían el uso de lo privativo en primer lugar dejando a lo libre relegado porque tendería a ir conocíendose menos. Por ende es normal que no encontremos drivers de caracter privativo, códecs multimedia, virtualizadores del tipo VirtualBox...etc.

¿Cómo remediarlo?

RPM Fusion es un conjunto de 2 repositorios creado por volu...

Episode 115 - Discussion with Brian Hajost from SteelCloud

Posted by Open Source Security Podcast ( Fedora Account System Username

bressers) on September 24, 2018 12:02 AM

Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it's not that bad when it's explained by someone with experience.

<iframe allowfullscreen="" height="90" mozallowfullscreen="" msallowfullscreen="" oallowfullscreen="" scrolling="no" src="https://html5-player.libsyn.com/embed/episode/id/7081715/height/90/theme/custom/autoplay/no/autonext/no/thumbnail/yes/preload/no/no_addthis/no/direction/backward/render-playlist/no/custom-color/6e6a6a/" style="border: none;" webkitallowfullscreen="" width="100%"></iframe>

Show Notes

Comment on Twitter with the #osspodcast hashtag

Wacom's graphic tablet sizes

Posted by Ismael Olea ( Fedora Account System Username

olea) on September 23, 2018 10:00 PM

For some reasons I’ve been looking for second hand Wacom graphic tablets. To me has been annoying to find out which size is for each model. So I’m writing here the list of the models I gathered.

The reason for looking only for Wacoms is because these days seem to be very well supported in Linux, at least the old models you can get second hand.

model	active area size
CTL460	147,2 x 92,0 mm
CTL 420	127.6 x 92.8 mm
CTE-430 Graphire 3	127 x 101 mm
CTF-430	127.6 x 92.8 mm
CTL 460	147,2 x 92,0 mm
CTH-460	147,2 x 92,0 mm
CTH-461	147,2 x 92,0 mm
CTH-470	147,2 x 92,0 mm
CTL-470	147,2 x 92,0 mm
CTL-480 Intuos	152 x 95 mm
CTE-640	208.8 x 150.8 mm
CTE-650	216.5 x 135.3 mm
CTH-661	215.9 x 137.16 mm
CTH-670	217 x 137 mm
ET-0405A-U	127 x 106 mm
Graphire 2	127.6 x 92.8 mm
Intuos 2	127.6 x 92.8 mm (probably)
Volito 2	127.6 x 92.8 mm

As a reference these are the standards DIN sizes comparable with those models:

DIN type	size
A4	210 x 297 mm
A5	148 x 210 mm
A6	105 x 148 mm

If you find any typo or want to add other models feel free to comment.

Fedora 28 : Start a service daemon with Python.

Posted by mythcat ( Fedora Account System Username

mythcat) on September 23, 2018 04:27 PM

In this tutorial I will starting one service using systemctl , python and systemd. First, you need to create a file named testpython.service .

[mythcat@desk system]# cd /etc/systemd/system/
[root@desk system]# vim testpython.service

This file is a configuration file for this service.

[Unit]
Description=Python Service
After=multi-user.target
[Service]
Type=simple
ExecStart=/usr/bin/python /home/mythcat/test_service.py
[Install]
WantedBy=multi-user.target

Create the python file for this service. I named test_service.py .

[root@desk system]# exit
exit
[mythcat@desk system]$ cd ~
[mythcat@desk ~]$ vim test_service.py

#!/usr/bin/env python

import logging
import time

logging.basicConfig(level="INFO")

while True:
    logging.info("Hi")
    time.sleep(3)

Change permissions file for this python file and testpython.service, see:

[mythcat@desk ~]$ chmod 764 test_service.py

Because you run this service with systemd then selinux will send you error, fix that:

[mythcat@desk ~]$ chcon -t bin_t ~/test_service.py

Reload all services and start your service with this commands:

[root@desk system]# systemctl daemon-reload
[root@desk system]# systemctl start  testpython.service
[root@desk system]# systemctl status  testpython.service
● testpython.service - Python Service
   Loaded: loaded (/etc/systemd/system/testpython.service; enabled; vendor>
   Active: active (running) since Sat 2018-09-22 21:36:23 EEST; 5s ago
 Main PID: 7213 (python)
    Tasks: 1 (limit: 2102)
   Memory: 5.7M
   CGroup: /system.slice/testpython.service
           └─7213 /usr/bin/python /home/mythcat/test_service.py

Sep 22 21:36:23 desk systemd[1]: Started Python Service.
Sep 22 21:36:24 desk python[7213]: INFO:root:Hi
Sep 22 21:36:27 desk python[7213]: INFO:root:Hi

You can use the journalctl command to see the output of this service:

[root@desk system]# journalctl -u testpython.service 
-- Logs begin at Sat 2018-09-22 20:40:06 EEST, end at Sat 2018-09-22 21:31:07 EEST. --
Sep 22 20:40:06 desk python[6232]: INFO:root:Hi
Sep 22 20:40:09 desk python[6232]: INFO:root:Hi
Sep 22 20:40:12 desk python[6232]: INFO:root:Hi
Sep 22 20:40:15 desk python[6232]: INFO:root:Hi
Sep 22 20:40:18 desk python[6232]: INFO:root:Hi
Sep 22 20:40:21 desk python[6232]: INFO:root:Hi
Sep 22 20:40:24 desk python[6232]: INFO:root:Hi
Sep 22 20:40:27 desk python[6232]: INFO:root:Hi
Sep 22 20:40:30 desk python[6232]: INFO:root:Hi

Let's see the result:

LAS 2018

Posted by Patrick Griffis ( Fedora Account System Username

tingping) on September 23, 2018 04:00 AM

This month I was at my second Libre Application Summit in Denver. A smaller event than GUADEC but personally was my favorite conference so far.

One of the main goals of LAS has been to be a place for multiple platforms to discuss the desktop space and not just be a GNOME event. This year two KDE members, @aleixpol and Albert Astals Cid, who spoke about release cycle of KDE Applications, Plasma, and the history of Qt. It is always interesting to see how another project solves the same problems and where there is overlap.

The elementary folks were there since this is @cassidyjames home turf who had a great “It’s Not Always Techincal” talk as well as a talk with @danrabbit about AppCenter which are both very important areas the GNOME Project needs to improve in. I also enjoyed meeting a few other community members such as @Philip-Scott and talk about their use of elementary’s platform.

Heather from Purism spoke about the Librem 5 status which I’m excited for but has a way to go. It was great to get an opportunity to meet her since we’ve spoken online about their interest in Flatpak and GNOME-Builder.

There were some fantastic talks discussing FOSS usage at a broader level:

“FreeHive: An Open-Source Creative Agency” and “Developers, Developers, Developers—How About Creatives?” - Ryan Gorely
“How Can You Make Your Open Source Project Attractive to Students?” - Heidi Ellis and Gregory Hislop
“Research Science and Libre Computing” - Britt Yazel

As always there was a big Flatpak presense and throughout we had the opportunity to discuss things like adding Qt to fdo, tracking runtime CVEs, sandboxing WebKitGTK, etc. We also had a Flatpak BoF on the last day discussing things like possibilty of selling apps and infrastructure improvements.

I really enjoyed the event overall and look forward to future LASes. Next week I will be in A Coruña, Spain, for the webengine hackfest.

GNOME Foundation Sponsored Badge

My code of conduct

Posted by Marcin 'hrw' Juszkiewicz ( Fedora Account System Username

hrw) on September 22, 2018 04:02 PM

Few days ago Linus Torvalds added code of conduct to the Linux kernel. And then lot of discussions started.

I had no plans to take part in any of them. But last week I was dragged into one of them and it was not fun. Turned out that people I know and trust when it comes to technical discussions (never met most of them) do not quite understand the need for such.

There are many “code of conduct” documents. Often they differ a lot. I have my own and it is probably the shortest one:

Do not be an asshole. Respect the others.

Simple. I do not care which gender people have when I speak with them (ok, may stare at your boobs or butt once) nor their sexual preferences. Colour of the skin does not matter as most of my friends I first met online without knowing anything about them. Political stuff? As long as we can be friends and do not discuss it I am fine. Etc etc.

It works on conferences. And in projects where I am/was involved.

Someone may say that part of it was shaped by working for corporation (is Red Hat corpo?) due to all those no harassment regulations and trainings. I prefer to think that it is more of how I was raised by parents, family and society.

FPgM report: 2018–38

Posted by Fedora Community Blog ( Fedora Account System Username

admin) on September 21, 2018 04:38 PM

Here’s your report of what has happened in Fedora Program Management this week. The Fedora 29 Beta RC5 was declared Go and will release on 25 September.

I’ve set up weekly office hours in #fedora-meeting. Drop by if you have any questions or comments about the schedule, Changes, elections or anything else.

Help requests

The Marketing team needs help filling out the F29 Beta Talking Points

Announcements

Changes to the packaging guidelines — includes Python, crypto policies, and others
The CfP for DevConf.cz 2019 is open

Upcoming meetings

Blocker review meeting: 1600 UTC on Monday in in #fedora-blocker-review
FPgM office hours: 1300 UTC on Wednesday in #fedora-meeting
Council (Objectives Update): 1400 UTC on Wednesday in #fedora-meeting-1

Schedule

Fedora 29

Beta freeze is underway through September 18.
Beta release date is set for 25 September.

Fedora 29 Status

Beta RC5 is GO for release on 2018-09-25
Blocker bugs and freeze exceptions

Changes

The numbers below reflect the current state of Bugzilla tracking bugs.

NEW/ASSIGNED	2
MODIFIED	0
ON_QA	39
(total)	41

Fedora 30 Changes

Fedora 30 includes a Change that will cause ambiguous python shebangs to error. A list of failing builds is available on Taskotron.

The post FPgM report: 2018–38 appeared first on Fedora Community Blog.

Sep	OCT	Nov
	02
2017	2018	2019

Fedora People Blog List Feeds RSS 1.0 RSS 2.0 Atom 1.0 FOAF blogroll

1. What is the GRUB hidden menu change?

2. How to enable hidden GRUB menu?

3. How to disable hidden GRUB menu

4.How to access the GRUB menu when hidden

5. When is a boot considered successful ?

Mortirolo Pass

Dinner

Simplon Pass

En quoi consiste ce test ?

Comment y participer ?

Show Notes

Help requests

Announcements

Upcoming meetings

Schedule

Fedora 29

Fedora 29 Status

Fedora 30 Changes

Announced

-fsanitize=undefined; Score: 0 or 10

-Wsuggest-override; Score: 0

-Wduplicated-cond; Score: 1

-Wunused-variable; Score: 2

-D_GLIBCXX_DEBUG; Score: 2

-Wimplicit-fallthrough; Score: 3

-Wshadow=local; Score: 3

-fsanitize=address; Score: 6

Conclusion

i3

sway

Qtile

dwm

awesome

Why test Atomic and Cloud

When

Where

How does FORTIFY_SOURCE actually work

Functions protected by FORTIFY_SOURCE

How to enable FORTIFY_SOURCE

Category

En quoi consiste ce test ?

Comment y participer ?

Peru a repo syncer

Leaving security to where it belongs

A modern build system

And a modern issue tracker to go with it

Minimize GeoIP use

The future of Mozilla Location Service

Step 1 - Give your droplet a Floating IP

Step 2 - Setup wireguard between DigitalOcean and your roaming computer

Step 3 - Forward ports from the roaming IP to your roaming computer

Expérience utilisateur

Gestion du matériel

Internationalisation

Administration système

Développement

Modularité

Projet Fedora

Tester

Beta Release Highlights

Modularity for all

GNOME 3.30

Other updates

Testing needed

What is the Beta Release?

More information

Why test Java

When

Where

¿Aplicaciones por defecto?

Fedora 28 - Linux, Apache, MariaDB & PHP

Latest Packages

Install packages with URL

Migration of AWS Resource IDs

Test out Fedora 29 Atomic and Cloud

How do test days work?

¿Cómo remediarlo?

Show Notes

Related posts:

Fedora People
Blog List

RSS 1.0 RSS 2.0 Atom 1.0 FOAF blogroll