FLOSS Project Planets

This is my final blog about my experience participating in season of KDE 2024. As part of my final term, I translated tellico to hindi. Tellico contains 2070 statements spanning between messages and docmessages. I used lokalize application for the translation. I hardly faced any issues during the translation work apart from some ambiguity in the translated words. Thanks Raghavendra Kamath for helping me resolve those few issues. Overall, It was an awesome experience during the entire program.

In Drupal development, understanding the differences between hooks and event subscribers is essential for building robust and flexible modules. Hooks are a fundamental part of Drupal's architecture, allowing modules to interact with and modify various aspects of the system's behavior. Moreover, event subscribers are a more recent addition to Drupal, introduced in Drupal 8 as part of its transition to a more modern, object-oriented architecture.

Hooks in Drupal

Hooks are specially named functions that a module defines and calls at specific times to alter, add, or modify the data.

Like each month, have a look at the work funded by Freexian’s Debian LTS offering.

Debian LTS contributors

In March, 19 contributors have been paid to work on Debian LTS, their reports are available:

• Abhijith PA did 0.0h (out of 10.0h assigned and 4.0h from previous period), thus carrying over 14.0h to the next month.
• Adrian Bunk did 59.5h (out of 47.5h assigned and 52.5h from previous period), thus carrying over 40.5h to the next month.
• Bastien Roucariès did 22.0h (out of 20.0h assigned and 2.0h from previous period).
• Ben Hutchings did 9.0h (out of 2.0h assigned and 22.0h from previous period), thus carrying over 15.0h to the next month.
• Chris Lamb did 18.0h (out of 18.0h assigned).
• Daniel Leidert did 12.0h (out of 12.0h assigned).
• Emilio Pozuelo Monfort did 0.0h (out of 3.0h assigned and 57.0h from previous period), thus carrying over 60.0h to the next month.
• Guilhem Moulin did 22.5h (out of 7.25h assigned and 15.25h from previous period).
• Holger Levsen did 0.0h (out of 0.5h assigned and 11.5h from previous period), thus carrying over 12.0h to the next month.
• Lee Garrett did 0.0h (out of 0.0h assigned and 60.0h from previous period), thus carrying over 60.0h to the next month.
• Markus Koschany did 40.0h (out of 40.0h assigned).
• Ola Lundqvist did 19.5h (out of 24.0h assigned), thus carrying over 4.5h to the next month.
• Roberto C. Sánchez did 9.25h (out of 3.5h assigned and 8.5h from previous period), thus carrying over 2.75h to the next month.
• Santiago Ruano Rincón did 19.0h (out of 16.5h assigned and 2.5h from previous period).
• Sean Whitton did 4.5h (out of 4.5h assigned and 1.5h from previous period), thus carrying over 1.5h to the next month.
• Sylvain Beucler did 25.0h (out of 24.5h assigned and 35.5h from previous period), thus carrying over 35.0h to the next month.
• Thorsten Alteholz did 14.0h (out of 14.0h assigned).
• Tobias Frost did 12.0h (out of 12.0h assigned).
• Utkarsh Gupta did 19.5h (out of 0.0h assigned and 48.75h from previous period), thus carrying over 29.25h to the next month.

Evolution of the situation

In March, we have released 31 DLAs.

Adrian Bunk was responsible for updating gtkwave not only in LTS, but also in unstable, stable, and old-stable as well. This update involved an upload of a new upstream release of gtkwave to each target suite to address 82 separate CVEs. Guilhem Moulin prepared an update of libvirt which was particularly notable, as it fixed multiple vulnerabilities which would lead to denial of service or information disclosure.

In addition to the normal security updates, multiple LTS contributors worked at getting various packages updated in more recent Debian releases, including gross for bullseye/bookworm (by Adrian Bunk), imlib2 for bullseye, jetty9 and tomcat9/10 for bullseye/bookworm (by Markus Koschany), samba for bullseye, py7zr for bullseye (by Santiago Ruano Rincón), cacti for bullseye/bookwork (by Sylvain Beucler), and libmicrohttpd for bullseye (by Thorsten Alteholz). Additionally, Sylvain actively coordinated with cacti upstream concerning an incomplete fix for CVE-2024-29894.

Thanks to our sponsors

Sponsors that joined recently are in bold.

• Platinum sponsors:
  • TOSHIBA (for 103 months)
  • Civil Infrastructure Platform (CIP) (for 71 months)
• Gold sponsors:
  • Roche Diagnostics International AG (for 114 months)
  • Linode (for 108 months)
  • Babiel GmbH (for 97 months)
  • Plat’Home (for 97 months)
  • CINECA (for 71 months)
  • University of Oxford (for 53 months)
  • Deveryware (for 40 months)
  • VyOS Inc (for 35 months)
  • EDF SA (for 24 months)
• Silver sponsors:
  • Domeneshop AS (for 118 months)
  • Nantes Métropole (for 112 months)
  • Univention GmbH (for 104 months)
  • Université Jean Monnet de St Etienne (for 104 months)
  • Ribbon Communications, Inc. (for 98 months)
  • Exonet B.V. (for 88 months)
  • Leibniz Rechenzentrum (for 82 months)
  • Ministère de l’Europe et des Affaires Étrangères (for 65 months)
  • Cloudways by DigitalOcean (for 55 months)
  • Dinahosting SL (for 53 months)
  • Bauer Xcel Media Deutschland KG (for 47 months)
  • Platform.sh SAS (for 47 months)
  • Moxa Inc. (for 41 months)
  • sipgate GmbH (for 38 months)
  • OVH US LLC (for 36 months)
  • Tilburg University (for 36 months)
  • GSI Helmholtzzentrum für Schwerionenforschung GmbH (for 28 months)
  • Soliton Systems K.K. (for 25 months)
  • THINline s.r.o.
• Bronze sponsors:
  • Evolix (for 119 months)
  • Seznam.cz, a.s. (for 119 months)
  • Intevation GmbH (for 116 months)
  • Linuxhotel GmbH (for 116 months)
  • Daevel SARL (for 114 months)
  • Bitfolk LTD (for 113 months)
  • Megaspace Internet Services GmbH (for 113 months)
  • Greenbone AG (for 112 months)
  • NUMLOG (for 112 months)
  • WinGo AG (for 112 months)
  • Ecole Centrale de Nantes - LHEEA (for 108 months)
  • Entr’ouvert (for 103 months)
  • Adfinis AG (for 100 months)
  • GNI MEDIA (for 95 months)
  • Laboratoire LEGI - UMR 5519 / CNRS (for 95 months)
  • Tesorion (for 95 months)
  • Bearstech (for 86 months)
  • LiHAS (for 86 months)
  • Catalyst IT Ltd (for 81 months)
  • Supagro (for 76 months)
  • Demarcq SAS (for 75 months)
  • Université Grenoble Alpes (for 61 months)
  • TouchWeb SAS (for 53 months)
  • SPiN AG (for 50 months)
  • CoreFiling (for 45 months)
  • Institut des sciences cognitives Marc Jeannerod (for 40 months)
  • Observatoire des Sciences de l’Univers de Grenoble (for 37 months)
  • Tem Innovations GmbH (for 32 months)
  • WordFinder.pro (for 31 months)
  • CNRS DT INSU Résif (for 30 months)
  • Alter Way (for 23 months)
  • Institut Camille Jordan (for 12 months)

KEcoLab, a tool for measuring software energy consumption, needs robust testing to ensure its functionality after every code change. This blog post presents the work I did in Season of KDE 2024 implementing dedicated test builds using Kate test scripts to achieve this goal. By implementing a dedicated "test-build" and "integration" stage within the CI/CD pipeline, we can enhance KEcoLab's reliability and maintain confidence in its results.

Figure : Setting up CI test (image from Sarthak Negi published under a CC-BY-4.0 license). Background

KEcoLab simplifies the process of analyzing KDE software's energy consumption through the CI/CD pipeline in Invent. This automation streamlines the measurement process, offering crucial insights for developers and helping projects seeking eco-certification. However, ensuring KEcoLab's continued effectiveness requires thorough testing after each code modification.

The Challenge

KEcoLab retrieves the package name from the merge request for testing purposes. However, this approach doesn't guarantee stability after code changes unrelated to specific packages. To address this, we propose a dedicated "test-build" stage within the CI/CD pipeline.

The Solution: Dedicated Test Builds

The proposed "test-build" stage leverages Kate test scripts located in the KEcoLab repository. These scripts will be instrumental in mimicking CI tests and validating KEcoLab's functionality.

Here's a breakdown of the proposed stages within the test build:

Stage: test-build

• Tag: test-build

• Function: This stage functions similarly to how the existing KEcoLab pipeline operates. However, instead of dynamically retrieving the package name, it will be hardcoded to org.kde.kate (as this is the specific package we're focusing on for testing).

• Key Difference: This stage won't rely on files from the merge request. Instead, it will clone the KEcoLab repository to access the necessary Kate usage scenario files. This ensures we're testing against the latest codebase in the repository, regardless of specific merge requests.

• Implementation: To improve code organization and maintainability, we've adopted a modular approach to CI/CD pipelines. We now have two dedicated YAML files:

  • .test-energy_measurement.yml: This file defines the stages for the CI test pipeline.
  • .energy_measurement.yml: This file contains the stages previously defined in .gitlab-ci.yml. All the code related to energy measurement testing has been shifted to this new file.

  Both YAML files reside within the same directory for easy management. The main .gitlab-ci.yml file utilizes the include keyword to incorporate the stages from these dedicated files. This promotes modularity, improves readability, and reduces redundancy in the main pipeline configuration.

# Test-build stage test-build: stage: test-build image: alpine tags: - EcoLabWorker before_script: # Hardcode the package name to org.kde.kate - PACKAGE_NAME="org.kde.kate" script: # Add flathub remote if not exists - flatpak remote-add --user --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo # Install the specified package (org.kde.kate) from flathub - flatpak install --user $PACKAGE_NAME -y # Clone the KEcolab repository to access usage scenario files - git clone https://invent.kde.org/teams/eco/remote-eco-lab.git # Copy the kate usage scenario files from the cloned repository to the required location - cp remote-eco-lab/scripts/test_scripts/org.kde.kate/* scripts/test_scripts/org.kde.kate/ rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' Stage: test-energy-measurement

• This stage operates identically to the existing KEcoLab pipeline stage for energy measurement.

Stage: test-report

• This stage also functions identically to the existing KEcoLab pipeline stage responsible for generating reports.

Future OutLook Stage: integration test

We introduce a novel integration test

• This stage aims to compare reports generated during the test build with previous reports. By utilizing the diff command, we can identify significant discrepancies between the reports. This helps us detect potential regressions or unintended changes in how KEcoLab measures energy consumption.

# This stage is for integration tests stage: Integration test # Jobs to be executed in this stage jobs: - run: # Replace with your actual script to run integration tests name: Run integration tests script: your_test_script.sh # Diff reports job (assuming reports are stored in artifacts) - diff_reports: # Retrieve artifacts from previous job stage: Integration test artifacts: paths: - reports/ script: | # Install diff tools apk add diffutils # Get the latest reports from artifacts report1=$(ls reports/*.html | sort -r | head -n 1) report2=$(ls reports/*.html | sort -r | head -n 2) Why it matters

• Enhanced Stability: By focusing on a specific package (org.kde.kate) and utilizing the latest codebase from the KEcoLab repository, we ensure comprehensive testing across code changes, not just those within a particular merge request.

• Catch Bugs Early: The integration test utilizing diff allows for the early detection of regressions or deviations in energy measurement behavior. This proactive approach helps maintain consistent and reliable results from KEcoLab.

• Confidence in Every Change: Whenever someone contributes code, passing tests ensure those changes don't disrupt existing features. This builds trust and keeps development smooth.

• Save Time, Be Awesome: Automating tests frees up valuable time for developers to focus on innovation. We can spend less time debugging and more time making KEcoLab even better!

Figure : CI testing (image from Sarthak Negi published under a CC-BY-4.0 license). So, How Will It Work?

We have existing test scripts used for Kate, KDE's text editor. We'll first see if these can be adapted for KEcoLab. If needed, we'll create new tests specifically designed for KEcoLab's functionalities.

Here's the coolest part: these tests will become part of our CI/CD pipeline. Whenever someone submits code changes (a merge request), the pipeline will automatically run the tests. If everything passes, the changes are merged with manual approval by the maintainers. But if a test fails, it'll be like a flashing red light, prompting us to fix the issue before merging.

The proposed dedicated test build approach using Kate test scripts is a valuable addition to the KEcoLab CI/CD pipeline. This enhanced testing strategy helps ensure that KEcoLab continues to deliver accurate and reliable software energy consumption measurements, ultimately leading to more efficient and eco-friendly code.

Interested in Contributing?

By implementing dedicated CI-tests leveraging Kate's existing test scripts, we're taking a big step towards solidifying KEcoLab's stability and ensuring the accuracy of its software energy consumption measurements. This wouldn't be possible without the incredible support of the KDE community and my mentors @karan @joseph. Their dedication to open-source development is truly inspiring.

Want to See More? Head over to KEcoLab on invent.kde.org to explore the project, learn more about its development, and check out the merge request that sparked this advancement!

We're excited about this approach and would love to hear your thoughts! If you're interested in contributing to KEcoLab's development and helping make software development a more sustainable practice, you are always welcome. Together, we can make a real difference!

Friday, 12 April 2024

KDE today announces the release of KDE Frameworks 6.1.0.

KDE Frameworks are 83 addon libraries to Qt which provide a wide variety of commonly needed functionality in mature, peer reviewed and well tested libraries with friendly licensing terms. For an introduction see the KDE Frameworks release announcement.

This release is part of a series of planned monthly releases making improvements available to developers in a quick and predictable manner.

New in this version Attica

• Do not signal an error when a job was cancelled. Commit. Fixes bug #483117

Baloo

• [Extractor] Explicitly abort the transaction on early exit. Commit.
• [WorkerPipe] Verify inputEnd() is signaled when parent process exits. Commit.
• Some indexers need non-slash trailed path. Commit. Fixes bug #478854
• Skip indexing KDE FS volumes unless user included. Commit. Fixes bug #460509. See bug #390830
• [tests/engine/singledbtest] Allow testing multiple databases. Commit.
• Ci: download .clang-format during CI runs. Commit.
• [Extractor] Change to QCoreApplication. Commit.
• Ci: check clang-format during CI. Commit.

Bluez Qt

• Add support for manufacturer data in LE advertisements. Commit.

Breeze Icons

• Temporarily add back kdenlive-*-video for compatibility. Commit.
• Rename kdenlive--edit to timeline-mode-. Commit.
• Remove kdenlive-select-tool. Commit.
• Remove kdenlive-spacer-tool icon. Commit.
• Fix duplicates. Commit.
• Rename kdenlive-object-* to object-*. Commit.
• Rename kdenlive--audiothumb to waveform-. Commit.
• Remove kdenlive-show-videothumb icon. Commit.
• Rename kdenlive--video to video-. Commit.
• Rename kdenlive--audio to audio-. Commit.
• Rename kdenlive-align-none to align-none. Commit.
• Add Flatpak ID symlink for kwalletmanager. Commit.
• Add system-suspend-inhibited, system-suspend-uninhibited. Commit.
• Add rdns-style name symlink for kcolorchooser. Commit.
• Use magnifying glass iconography for zoom icons. Commit. Fixes bug #435671
• Remove 16px view-list-symbolic symlink. Commit.
• Fix incorrect target icon for view-grid-symbolic. Commit.
• Fix user-desktop-symbolic symlink. Commit.
• Remove unsupported colorscheme entries from stylesheets. Commit.
• Quassel_message: Replace ButtonFocus with Highlight. Commit.
• Use Text color for konv_message icon. Commit. See bug #482645
• Replace hardcoded blue with highlight color in OSD icons. Commit.
• Remove unneeded dark applets icons. Commit. Fixes bug #477289
• Software-updates-additional: Port away from ButtonFocus color. Commit.
• Network-mobile-available: Replace ButtonFocus with Highlight. Commit.
• Notification-progress-active: Replace ButtonFocus with Highlight. Commit.
• Drop edit-hover and showinfo-hover icons. Commit.
• Fix suyu color in dark theme. Commit.
• Add suyu icon. Commit.
• Add 48px elisa-symbolic icon used for the Android themed icon. Commit.
• Update outdated url. Commit.
• Fix incorrectly named network icon symlinks. Commit.
• Make process-stop-symbolic a symlink to the base icon. Commit. Fixes bug #482556
• Fix some 96px folder icons not using accent color. Commit. Fixes bug #478016
• Add new icon for Skladnik. Commit. Fixes bug #458214

Extra CMake Modules

• ECMAddQch: drop trying to set IMPORTED on targets with installed config. Commit.
• Fix DATAROOTDIR documentation for Windows. Commit.
• Update documentation favicon. Commit.
• MacOS is the name of the Apple operating system. Commit.
• Fix fetch translations tests in GitLab forks. Commit.
• Docs: Correct escape sequence for Python 3.12 or later. Commit.
• Map some more language codes to the IDs supported by Google Play. Commit.
• [ECMQmlModule] Add option to enable verbose compiler output. Commit.
• Remove extraneous docs-build CI job that is no longer needed following the switch of api.kde.org to Gitlab CI. Commit.

Framework Integration

• Kns: Fix typo in yes / no action request. Commit.

KBookmarks

• Fix KBookmarkManager::save triggering KDirWatch. Commit.

KCalendarCore

• Fix check whether RRULE UNTIL datetime is UTC. Commit.
• Fix conversion of date-only icaltimetype to UTC QDateTime. Commit. Fixes bug #483707
• MemoryCalendar: log details about duplicate events before asserting. Commit. See bug #481031

KCMUtils

• Better document KPluginModel. Commit.
• Deprecate ContextualHelpButton in favor of the Kirigami version. Commit.
• KCMLauncher: Fix up docs. Commit.
• Port QML modules to declarative type registration. Commit.
• ConfigModule: Fix imports and aliases in provided example. Commit.
• SharedQmlEngine: Improve error reporting when loading main component. Commit.
• SettingHighlighterPrivate: update highlight on target children changes. Commit.
• Qml: set domain for i18n strings. Commit.

KConfig

• Don't search for QtDBus on Windows/macOS/Android. Commit.
• Register KConfigPropertyMap to QML. Commit.
• Kconf_update: Also run .upd files if times match but done is empty. Commit. Fixes bug #483795
• Add unittest that URL[$e] works, for bug 482889. Commit.

KConfigWidgets

• Don't use DBus on Windows/macOS. Commit.

KCoreAddons

• Don't search for QtDBus on Windows/macOS/Android. Commit.
• KformatPrivate: fix deprecation enum arithmetic with float. Commit.

KCrash

• Port to sigaction. Commit.

KDBusAddons

• Conditionalise Qt6::GuiPrivate on HAVE_X11. Commit.

KDeclarative

• Remove redundant QML_ELEMENT in KDeclarativeMouseEvent and WheelEvent. Commit.
• Don't use kwidgetsaddons on Android. Commit.
• Refactor kglobalaccel check. Commit.
• Don't use kglobalaccel on Android. Commit.
• Mark Android as supported. Commit.
• Add Android CI. Commit.
• Add dependency to QML module. Commit.
• Kquickcontrolsaddons: Drop QML import versions from doc example. Commit.
• Kquickcontrols: Remove superfluous no-op assignment. Commit.
• Kquickcontrols: Replace superfluous Text item and a semi-broken expression. Commit.
• Kquickcontrols: Reduce superfluous ternary. Commit.
• Kquickcontrols: Declare type of __previousSequence property as a string. Commit.
• Kquickcontrols: Uplift previousSequence property to the root component. Commit.
• Kquickcontrols: Drop QML import versions, fix up code style. Commit.

KDocTools

• Fixes compile problem for projects which uses older cmake versions. Commit.
• Kdoctools_create_handbook/manpage: check INSTALL_DESTINATION for empty value. Commit.
• Replace user.entities. Commit.
• Upload New File bg.xml. Commit.
• Update user.entities in bg. Commit.

KFileMetaData

• [PopplerExtractorTest] Verify multicolumn PDF content (currently broken). Commit.
• [PopplerExtractorTest] Make tests data driven. Commit.
• [PopplerExtractorTest] Move class declaration to source file. Commit.
• Plaintextextractor: autodetect encoding for text. Commit.
• [PlainTextExtractor] Add plain text test file to coverage test. Commit.
• [IndexerExtractorTest] Make tests data driven. Commit.
• Add support for .mod/.s3m/.xm/.it Module Tracker formats meta data. Commit. Fixes bug #448182
• Plaintextextractor: Read file via QFile. Commit.
• [PropertyInfo,TypeInfo] Move static data into scope of its class. Commit.
• [PropertyInfo,TypeInfo] Avoid lookup from id during initilization. Commit.
• [PropertyInfo,TypeInfo] Use QStringView for name in hash. Commit.
• [TypeInfo] Use a hash table for faster fromName TypeInfo creation. Commit.
• Move helper class for case-insensitive QHash lookup to separate file. Commit.
• [TypeInfo] Make set of all types introspectable. Commit.
• [TypeInfo] Improve performance and cleanup. Commit.
• [TypeInfo] Add unit tests and benchmarks. Commit.
• [TypeInfo] Extend documentation for KFileMetaData::TypeInfo. Commit.
• [PlaintextExtractor] Fix possible truncation of last character. Commit.
• [PlaintextExtractor] Verify handling files missing newline delimiters. Commit.
• [PlaintextExtractor] Check countint of empty lines. Commit.
• [IndexerExtractorTest] Actually verify content extraction is skipped. Commit.
• [IndexerExtractorTest] Move class declaration to source file. Commit.
• [CMake] Move mentions of KF Archive dependencies over to the extractors. Commit.
• [CMake] Remove several leftover references to KF5. Commit.
• Fix compilation error for krita extractor when KArchive isn't found. Commit.

KGlobalAccel

• Fix dbus xml. Commit.

KGuiAddons

• Recorder/KKeySequenceRecorderPrivate: support recording multi-key modifier-only shortcuts. Commit. See bug #470256

KHolidays

• Add more holidays. Commit.
• Add one more source. Commit.
• Update holiday-sg. Commit. Fixes bug #483298
• Update german holidays. Commit.

KI18n

• Fix compilation with GCC 9. Commit.
• Main: ensure current thread is main thread. Commit.

KIconThemes

• Fix dbus disabling. Commit.
• Don't hang if no session bus is around. Commit.
• Don't search for QtDBus on Windows/macOS. Commit.
• Eliminate a frequent "Invalid Context" warning for FileSystems. Commit.
• KIconDialog: Add filter for symbolic icons. Commit.
• Allow creating KIconEngine with colors and overlays. Commit.
• Add breeze-icons dependency. Commit.
• Mark index.theme config as SimpleConfig. Commit.

KIdletime

• Guard against invalid timeout values in KIdleTime::addTimeout(). Commit. See bug #482077

KImageformats

• Add KF_VERSION & KF_DEP_VERSION variables. Commit.
• XCF: testcase update for fixed Qt. Commit.
• TGA: added options support. Commit.
• More header checks (CCBUG: 479612). Commit.

KIO

• Improve cppcheck. Commit.
• Fix a compiler warning. Commit.
• Add cppcheck / codequality run for those who care. Commit.
• Fix a few compiler warnings. Commit.
• Make ScopedProcessRunner hold the child until we register with systemd. Commit.
• PreviewJob: allow to display previews of fileitem having a local targetUrl. Commit.
• Fix authentication prompt not being shown. Commit. Fixes bug #460944
• [kdiroperator] Only write icon size settings if non-default. Commit.
• [kdiroperator] Drop code for reading configured icon sizes. Commit.
• [kfilewidget] Store recent files/URLs in state config. Commit.
• [kfileitemactions] Remove dead code. Commit.
• KCoreDirListerCache:: make sure not to reinsert an item twice. Commit. See bug #473488
• [workers/http] Ask user to remember ignoring SSL errors. Commit. See bug #484241
• [workers/http] Ignore already acknowledged SSL errors. Commit. See bug #484241
• [workers/http] Don't ask to ignore non-ignorable SSL errors. Commit.
• [sslerrortest] Print job results. Commit.
• [widgtesaskuseractionhandler] Remove problematic Q_UNREACHABLE. Commit.
• Fix warnings: implicit capture of ‘this’ via ‘[=]’. Commit.
• Slim down sslerrortest. Commit.
• Drop unused entries from defaults-kfile.h. Commit.
• [kfileplacesmodel] Remove wrong assert. Commit. Fixes bug #484160
• Openwith: restore preferredTerminal reading. Commit.
• [kprocessrunner] Unexport checkStartupNotify. Commit.
• KFileItem: when checking access use current user. Commit. Fixes bug #483436
• Fix webshortcuts not giving searchprovider specific icon. Commit. Fixes bug #483164
• KFileitem: Use internal permissions as best case scenario. Commit. Fixes bug #477526. Fixes bug #483436
• Use KUrlRequester in previewtest. Commit.
• Fix sprintf buffer leaks on 32-bit systems. Commit.
• Connectionbackend: improve jumbo packet handling. Commit. Fixes bug #481311
• Drop legacy keys for m_runOnDiscreteGpuBool. Commit. Fixes bug #481538
• Explicitly defined HAVE_DBUS. Commit.
• Make "Create New" dialogs use the same consistent title style. Commit.
• [kopenwithdialog] Populate m_pService in checkAccept. Commit.
• [knewfilemenu] Add window title for new file dialog. Commit. Fixes bug #482732
• Fix hide service menu items in context menu. Commit. Fixes bug #482216
• [kterminallauncherjob] Inherit default process environment from parent. Commit. Fixes bug #482107
• [knewfilemenu] Fix error handling when creating a folder that already exists. Commit. Fixes bug #482145
• Kioexec: Use categorised logging. Commit.
• Kioexec: Remove temporary files after the main loop has completed. Commit.
• Use symbolic icons on buttons. Commit.
• Kioexecd: Use KUIT and button icons for the "Upload changes?" question. Commit.
• Openwith: extract core logic from dialog. Commit.

Kirigami

• PromptDialog: Demote wrapper item from Control to Padding. Commit.
• ListSectionHeader: Clean up and expand docs, add import alias for Controls. Commit.
• PlatformTheme: Note where the disabled text color comes from. Commit.
• ImageColors: make sure QML attached object is fetched from main thread. Commit.
• Clarify that the default alignment for ActionToolbar is AlignLeft. Commit.
• Fix up qualified properties access and doc examples, use appropriate enum for TextEdit. Commit.
• ContextualHelpButton: Fix up code style and qualified property access. Commit.
• ContextualHelpButton: Use a specific and appropriate type for a property. Commit.
• ContextualHelpButton: Sort out imports and improve docs. Commit.
• Padding: make sure to polish on completion. Commit. Fixes bug #477978
• PlaceholderMessage: remove bad example using it as a loading indicator. Commit.
• ContextualHelpButton: fix translated string usage. Commit.
• Adopt ContextualHelpButton. Commit.
• ApplicationItem & ApplicationWindow: Don't reserve space for overlaid vkbd. Commit.
• ColumnView: Disable invisible (out-of-viewport) pages. Commit.
• Make global drawer item keyboard navigable. Commit.
• Respect QT_NO_XDG_DESKTOP_PORTAL. Commit. Fixes bug #482730
• ColumnView: Add check args to clamp. Commit. See bug #481531
• ColumnView: Use OutExpo for page animation. Commit.
• Fix separator of OverlayDrawer in the header bar. Commit.
• ScrollablePage: Workaround Qt flickable inertia being really low. Commit.
• Add Position paramenter for InlineMessage. Commit.
• Handle URL inputs for pushDialogLayer. Commit. Fixes bug #481623
• InlineMessage: Fix showing close button. Commit.
• Handle null drawer as well. Commit.
• Fix footer in layers. Commit. Fixes bug #480428

KItemModels

• Trivial fix for crash in buddy() when sourceModel isn't set yet. Commit.

KItemViews

• Add missing Q_OBJECT to KCategorizedSortFilterProxyModel. Commit.

KJobWidgets

• Tests need dbus due to KUiServerJobTracker. Commit.
• Kjobtrackerstest needs dbus. Commit.
• TARGET Qt6::DBus doesn't work if dependencies export it. Commit.
• Don't search for QtDBus on Windows/macOS/Android. Commit.
• Simplify X11 check. Commit.

KNewStuff

• Add extra ksnrc key to indicate the safety of installation. Commit.
• Use Continue/Cancel style of question for overwrite dialog. Commit.
• Change default sorting of entries to "Most Downloads". Commit.
• Resultsstream: Delay the entry loading into the event look. Commit. Fixes bug #473472
• Resultsstream: handle query results assertively. Commit.
• Resultsstream: Allow for the members to be constant. Commit.
• Unify default sizes. Commit. Fixes bug #482604
• Fix the "working..." overlay for item installation. Commit. Fixes bug #483108
• Remove the last uses of Qt5Compat.GraphicalEffects. Commit.
• Refresh visible entry on uninstall. Commit. Fixes bug #476152
• [qtquick/action] Add API to set transient parent for dialog. Commit. Fixes bug #479816
• Fix link list dialog for installation button. Commit. Fixes bug #482349
• Set questionAsker implicit sizes, set maxWidth to dialog width. Commit. Fixes bug #480338

KNotifications

• Port QML module to declarative type registration. Commit.

KNotifyConfig

• Don't use DBus on Windows/macOS. Commit.

KPackage

• Testpackage: Add a website so that the tests succeed. Commit.
• Fix: implicit capture of ‘this’ via ‘[=]’ is deprecated in C++20. Commit.

KQuickCharts

• Declare QML module dependencies. Commit.
• Generate default set of GLSL shaders. Commit. Fixes bug #482988
• Examples: Remove separator from main page list items. Commit.
• Piechartnode: Rename updateTriangles to updateSegments. Commit.
• Piechartnode: Remove some unused stuff. Commit.
• Examples: Change "smooth" to "interpolate". Commit.
• Piechart: Use the right amount of thickness for the chart. Commit.
• Linechart: Use fwidth of the point instead of sdf to avoid conditional fwidth. Commit. Fixes bug #434462
• Sdf: Allow specifying fwidth() to sdf_render(). Commit.

KRunner

• Add doxygen comment to ResultsModel class. Commit.
• Give favorites a relative boost rather than absolute sorting position. Commit.

KService

• Fix warning: mimeType "x-scheme-handler/file" not found. Commit. Fixes bug #442721

KStatusNotifieritem

• Improve activating associated window on Wayland. Commit.

KSVG

• Add test for loading svgs from qrc files. Commit.
• Support loading svg from QRC files. Commit.

KTextEditor

• Fix argument hint placement. Commit.
• Dont use activeView as save dialog parent. Commit. Fixes bug #484466
• Ensure only set stuff is saved. Commit.
• Dont write useless entries to session config. Commit.
• All tests work offscreen in the CI. Commit.
• Try to avoid crash in destructor. Commit.
• Try more offscreen. Commit.
• Ensure we don't crash if no view is active. Commit.
• Kateviewinternal: accept surrogate category character. Commit. Fixes bug #482864
• Use test mode with e.g. own temporary config files. Commit.
• Avoid using QChar constructor for key codes. Commit. Fixes bug #483631
• Remove obsolete option code. Commit.
• Remove focus frame option. Commit. Fixes bug #483218
• Fix duplicate folds occuring. Commit.
• Fix support for folding in vi normal mode. Commit.
• Adapt test to hinting change. Commit.
• Set full hinting instead to ensure the letters are aligned properly. Commit. Fixes bug #482659
• Try to save changes. Commit. See bug #459093
• Optimize a mark-restoring condition after document reload. Commit.

KUnitConversion

• Binary_data: add match strings with {upper/lower}case k for kilo- and kibi-{bits/bytes}. Commit. Fixes bug #483815

KUserFeedback

• Flatpatk: Use actual 6.6 runtime. Commit.

KWallet

• [kwallet-query] Create QApplication before using i18n. Commit. Fixes bug #482017
• Ensure correct exit status by adding returns after exits in QueryDriver. Commit.

KWindowSystem

• Port QML module to declarative type registration. Commit.
• Kkeyserver: allow shift to modify modifier keys. Commit.
• Kkeyserver: add support for modifier keys. Commit.

KXMLGUI

• Kkeysequencewidget: expose modifierOnlyAllowed. Commit. See bug #470257
• Don't search for QtDBus on Windows/macOS. Commit.
• Make sure that actions just added to the toolbar show up in the edit dialog. Commit.

Prison

• Add dependency to QML module. Commit.

QQC2 Desktop Style

• CheckIndicator: use Theme.View color, dont inherit parent. Commit.
• Delegates: Unify alignment and horizontal stretching of labels. Commit.
• KQuickStyleItem: Replace manual loop with C++20 std::accumulate. Commit.
• Remove unneeded CMake stuff. Commit.
• Port away from deprecated ECMQMLModules. Commit.
• Add type annotations to functions. Commit.
• Qualify property lookups. Commit.
• Use local Label component directly. Commit.
• Use local property directly. Commit.
• Avoid looking up non-Item properties via Item-based properties. Commit.
• Avoid looking up non-Item properties via parent. Commit.
• Remove unused import statements. Commit.
• Declare dependencies on other QML modules. Commit.
• [ToolTip] Use local Label instead of importing QQC2. Commit.
• Completely disable animations when animations are globally disabled. Commit.
• Localization support. Commit.
• Add support for custom fonts in ToolButtons. Commit.
• Autotests: test TextFieldContextMenu. Commit. See bug #481293
• Always use values from Kirigami.Theme as control palette. Commit. Fixes bug #479015

Solid

• Udisks2: Read CleartextDevice instead of introspection. Commit.

Sonnet

• Improve spell check config design. Commit.
• Remove leftover files. Commit.

Syndication

• Fix bug 484615: Error adding feed from https://www.qt.io/blog. Commit. Fixes bug #484615
• Use parent (fix mem leak). Commit.
• Remove duplicate [\s]*. Commit.
• Return code error. Commit.
• Remove unused includes. Commit.

Syntax Highlighting

• Cmake-generator: refactor XML optimizations. Commit.
• Cmake.xml: has-target-names-after-kw could be a list. Commit.
• Cmake.xml: updates for the recently released CMake 3.29. Commit.
• Cpp: Update Qt classes for Qt 6. Commit.
• Initial gprbuild references. Commit.
• Gprbuild: add license info. Commit.
• Add small GPR test file. Commit.
• Add GPRbuild syntax. Commit.
• Add common alternative names used in various markdown parsers for languages. Commit.
• Fix refs for stan. Commit.
• Update 2 files. Commit.
• Use (?:sub){0,2} to work with all pcre versions. Commit.
• Alternate Names for Definitions. Commit.
• Fix implicit size -> int conversion. Commit.

Threadweaver

• Examples: Do not use Qt module includes. Commit.

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

P.S. We’ve completed over a year of writing these blogs. If you have any suggestions on how to make them better or what you’d like us to cover, or any other opinions/reviews you might have, et al, please let us know by dropping an email to us. We’d be happy to hear your thoughts. :)

SSO Authentication for jitsi.debian.social, by Stefano Rivera

Debian.social’s jitsi instance has been getting some abuse by (non-Debian) people sharing sexually explicit content on the service. After playing whack-a-mole with this for a month, and shutting the instance off for another month, we opened it up again and the abuse immediately re-started.

Stefano sat down and wrote an SSO Implementation that hooks into Jitsi’s existing JWT SSO support. This requires everyone using jitsi.debian.social to have a Salsa account.

With only a little bit of effort, we could change this in future, to only require an account to open a room, and allow guests to join the call.

/usr-move, by Helmut Grohne

The biggest task this month was sending mitigation patches for all of the /usr-move issues arising from package renames due to the 2038 transition. As a result, we can now say that every affected package in unstable can either be converted with dh-sequence-movetousr or has an open bug report. The package set relevant to debootstrap except for the set that has to be uploaded concurrently has been moved to /usr and is awaiting migration. The move of coreutils happened to affect piuparts which hard codes the location of /bin/sync and received multiple updates as a result.

Miscellaneous contributions

• Stefano Rivera uploaded a stable release update to python3.11 for bookworm, fixing a use-after-free crash.
• Stefano uploaded a new version of python-html2text, and updated python3-defaults to build with it.
• In support of Python 3.12, Stefano dropped distutils as a Build-Dependency from a few packages, and uploaded a complex set of patches to python-mitogen.
• Stefano landed some merge requests to clean up dead code in dh-python, removed the flit plugin, and uploaded it.
• Stefano uploaded new upstream versions of twisted, hatchling, python-flexmock, python-authlib, python–mitogen, python-pipx, and xonsh.
• Stefano requested removal of a few packages supporting the Opsis HDMI2USB hardware that DebConf Video team used to use for HDMI capture, as they are not being maintained upstream. They started to FTBFS, with recent sdcc changes.
• DebConf 24 is getting ready to open registration, Stefano spent some time fixing bugs in the website, caused by infrastructure updates.
• Stefano reviewed all the DebConf 23 travel reimbursements, filing requests for more information from SPI where our records mismatched.
• Stefano spun up a Wafer website for the Berlin 2024 mini DebConf.
• Roberto C. Sánchez worked on facilitating the transfer of upstream maintenance responsibility for the dormant Shorewall project to a new team led by the current maintainer of the Shorewall packages in Debian.
• Colin Watson fixed build failures in celery-haystack-ng, db1-compat, jsonpickle, libsdl-perl, kali, knews, openssh-ssh1, python-json-log-formatter, python-typing-extensions, trn4, vigor, and wcwidth. Some of these were related to the 64-bit time_t transition, since that involved enabling -Werror=implicit-function-declaration.
• Colin fixed an off-by-one error in neovim, which was already causing a build failure in Ubuntu and would eventually have caused a build failure in Debian with stricter toolchain settings.
• Colin added an sshd@.service template to openssh to help newer systemd versions make containers and VMs SSH-accessible over AF_VSOCK sockets.
• Following the xz-utils backdoor, Colin spent some time testing and discussing OpenSSH upstream’s proposed inline systemd notification patch, since the current implementation via libsystemd was part of the attack vector used by that backdoor.
• Utkarsh reviewed and sponsored some Go packages for Lena Voytek and Rajudev.
• Utkarsh also helped Mitchell Dzurick with the adoption of pyparted package.
• Helmut sent 10 patches for cross build failures.
• Helmut partially fixed architecture cross bootstrap tooling to deal with changes in linux-libc-dev and the recent gcc-for-host changes and also fixed a 64bit-time_t FTBFS in libtextwrap.
• Thorsten Alteholz uploaded several packages from debian-printing: cjet, lprng, rlpr and epson-inkjet-printer-escpr were affected by the newly enabled compiler switch -Werror=implicit-function-declaration. Besides fixing these serious bugs, Thorsten also worked on other bugs and could fix one or the other.
• Carles updated simplemonitor and python-ring-doorbell packages with new upstream versions.
• Santiago is still working on the Salsa CI MRs to adapt the build jobs so they can rely on sbuild. Current work includes adapting the images used by the build job, implementing the basic sbuild support the related jobs, and adjusting the support for experimental and *-backports releases..
  Additionally, Santiago reviewed some MR such as Make timeout action explicit in the logs and the subsequent Implement conditional timeout verbosity, and the batch of MRs included in https://salsa.debian.org/salsa-ci-team/pipeline/-/merge_requests/482.
• Santiago also reviewed applications for the improving Salsa CI in Debian GSoC 2024 project. We received applications from four very talented candidates. The selection process is currently ongoing. A huge thanks to all of them!
• As part of the DebConf 24 organization, Santiago has taken part in the Content team discussions.

The diffoscope maintainers are pleased to announce the release of diffoscope version 264. This version includes the following changes:

[ Chris Lamb ] * Don't crash on invalid zipfiles, even if we encounter 'badness' through through the file. (Re: #1068705) [ FC (Fay) Stegerman ] * Add note when there are duplicate entries in ZIP files. (Closes: reproducible-builds/diffoscope!140) [ Vagrant Cascadian ] * Add an external tool reference for GNU Guix for zipdetails.

You find out more by visiting the project homepage.

There is no such thing as a “root field”.

There is a common - seemingly universal - misconception that GraphQL root fields are somehow special, in both usage and implementation. The better conceptual model is that there are root types, and all types have fields. The difference is not just semantics; it leads to actual misunderstandings.

Multiple queries

A common beginner question is “can there be multiple queries in a request”. The question would be better phrased as “can multiple fields on the root query type be requested”. The answer is of course, because requesting multiple fields on a type is normal. The implementation would have to go out of its way to restrict that behavior on just the root type. The only need for further clarity would be to introduce aliases for duplicate fields.

Flat namespace

GraphQL types share a global namespace, causing conflicts when federating multiple graphs. Nothing can be done about that unless GraphQL adopts namespaces.

But many APIs design the root query type to have unnecessarily flat fields. One often sees a hierarchy of types and fields below the root, but the top-level fields resemble a loose collections of functions. Verbs at the top level; nouns the rest of the way down. This design choice appears to be in a feedback loop with the notion of “root fields”.

Even the convention of calling the root query type Query demonstrates a lack of specificity. In a service-oriented architecture, a particular service might be more narrowly defined.

Mutations

Top-level mutation fields are special in one aspect: they are executed in order. This has resulted in even flatter namespaces for mutations,

mutation { createUser # executed first deleteUser }

This is not necessary, but seems widely believed that it is. Nested mutations work just fine.

mutation { user { create # executed in arbitrary order delete } }

If the underlying reason is truly execution order, the client could be explicit instead.

mutation { created: user { # executed first create } deleted: user { delete } }

There is no reason it has to influence API design.

Static methods

At the library level, the effect is top-level resolvers are implemented as functions (or static methods), whereas all other resolver are methods. This may lead to redundant or inefficient implementations, is oddly inconsistent, and is contrary to the documentation.

A resolver function receives four arguments:

obj The previous object, which for a field on the root Query type is often not used.

Sure, “often not used” by the developer of the API. That does not mean “should be unset” by the GraphQL library, but that is what has happened. Some libraries even exclude the object parameter entirely. In object-oriented libraries like strawberry, the code looks unnatural.

import strawberry @strawberry.type class Query: @strawberry.field def instance(self) -> bool | None: return None if self is None else isinstance(self, Query) schema = strawberry.Schema(Query) query = '{ instance }' schema.execute_sync(query).data {'instance': None}

Strawberry allows omitting self for this reason, creating an implicit staticmethod.

Root values

Libraries which follow the reference javascript implementation allow setting the root value explicitly.

schema.execute_sync(query, root_value=Query()).data {'instance': True}

Strawberry unofficially supports supplying an instance, but it has no effect.

schema = strawberry.Schema(Query()) schema.execute_sync(query).data {'instance': None}

And of course self can be of any type.

schema.execute_sync(query, root_value=...).data {'instance': False}

Moreover, the execute functions are for internal usage. Each library will vary in how to configure the root in a production application. Strawberry requires subclassing the application type.

import strawberry.asgi class GraphQL(strawberry.asgi.GraphQL): def __init__(self, root): super().__init__(strawberry.Schema(type(root))) self.root_value = root async def get_root_value(self, request): return self.root_value Example

Consider a more practical example where data is loaded, and clearly should not be reloaded on each request.

@strawberry.type class Dictionary: def __init__(self, source='/usr/share/dict/words'): self.words = {line.strip() for line in open(source)} @strawberry.field def is_word(self, text: str) -> bool: return text in self.words

Whether Dictionary is the query root - or attached to the query root - it should be instantiated only once. Of course it can be cached, but again there is a more natural way to write this outside the context of GraphQL.

@strawberry.type class Query: dictionary: Dictionary def __init__(self): self.dictionary = Dictionary()

Caching, context values, and root values are all clunky workarounds compared to the consistency of letting the root be Query() instead of Query. The applications which do not require this feature would never notice the difference.

The notion of “root fields” behaving as “top-level functions” has resulted in needless confusion, poorer API design, and incorrect implementations.

In a compelling interview, Irina Zaks, co-founder and CTO of Fibonacci Web Studio, shares insights on bridging quantum physics with web development, simplifying Drupal migrations, and advocating for open source in academia. Ahead of her Stanford WebCamp 2024 session, Irina discusses the impact of her work on the academic sector and her vision for the future of web technology.

Witness the vibrant resurgence of the Greek Drupal Community at the Greece Spring Sprint 2024, where collaboration, camaraderie, and innovation reign supreme.

I work from home these days, and my nearest office is over 100 miles away, 3 hours door to door if I travel by train (and, to be honest, probably not a lot faster given rush hour traffic if I drive). So I’m reliant on a functional internet connection in order to be able to work. I’m lucky to have access to Openreach FTTP, provided by Aquiss, but I worry about what happens if there’s a cable cut somewhere or some other long lasting problem. Worst case I could tether to my work phone, or try to find some local coworking space to use while things get sorted, but I felt like arranging a backup option was a wise move.

Step 1 turned out to be sorting out recursive DNS. It’s been many moons since I had to deal with running DNS in a production setting, and I’ve mostly done my best to avoid doing it at home too. dnsmasq has done a decent job at providing for my needs over the years, covering DHCP, DNS (+ tftp for my test device network). However I just let it slave off my ISP’s nameservers, which means if that link goes down it’ll no longer be able to resolve anything outside the house.

One option would have been to either point to a different recursive DNS server (Cloudfare’s 1.1.1.1 or Google’s Public DNS being the common choices), but I’ve no desire to share my lookup information with them. As another approach I could have done some sort of failover of resolv.conf when the primary network went down, but then I would have to get into moving files around based on networking status and that felt a bit clunky.

So I decided to finally setup a proper local recursive DNS server, which is something I’ve kinda meant to do for a while but never had sufficient reason to look into. Last time I did this I did it with BIND 9 but there are more options these days, and I decided to go with unbound, which is primarily focused on recursive DNS.

One extra wrinkle, pointed out by Lars, is that having dynamic name information from DHCP hosts is exceptionally convenient. I’ve kept dnsmasq as the local DHCP server, so I wanted to be able to forward local queries there.

I’m doing all of this on my RB5009, running Debian. Installing unbound was a simple matter of apt install unbound. I needed 2 pieces of configuration over the default, one to enable recursive serving for the house networks, and one to enable forwarding of queries for the local domain to dnsmasq. I originally had specified the wildcard address for listening, but this caused problems with the fact my router has many interfaces and would sometimes respond from a different address than the request had come in on.

/etc/unbound/unbound.conf.d/network-resolver.conf server: interface: 192.0.2.1 interface: 2001::db8:f00d::1 access-control: 192.0.2.0/24 allow access-control: 2001::db8:f00d::/56 allow

/etc/unbound/unbound.conf.d/local-to-dnsmasq.conf server: domain-insecure: "example.org" do-not-query-localhost: no forward-zone: name: "example.org" forward-addr: 127.0.0.1@5353

I then had to configure dnsmasq to not listen on port 53 (so unbound could), respond to requests on the loopback interface (I have dnsmasq restricted to only explicitly listed interfaces), and to hand out unbound as the appropriate nameserver in DHCP requests - once dnsmasq is not listening on port 53 it no longer does this by default.

/etc/dnsmasq.d/behind-unbound interface=lo port=5353 dhcp-option=option6:dns-server,[2001::db8:f00d::1] dhcp-option=option:dns-server,192.0.2.1

With these minor changes in place I now have local recursive DNS being handled by unbound, without losing dynamic local DNS for DHCP hosts. As an added bonus I now get 10/10 on Test IPv6 - previously I was getting dinged on the ability for my DNS server to resolve purely IPv6 reachable addresses.

Next step, actually sorting out a backup link.

Welcome to the March 2024 report from the Reproducible Builds project! In our reports, we attempt to outline what we have been up to over the past month, as well as mentioning some of the important things happening more generally in software supply-chain security. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.

Arch Linux minimal container userland now 100% reproducible

In remarkable news, Reproducible builds developer kpcyrd reported that that the Arch Linux “minimal container userland” is now 100% reproducible after work by developers dvzv and Foxboron on the one remaining package. This represents a “real world”, widely-used Linux distribution being reproducible.

Their post, which kpcyrd suffixed with the question “now what?”, continues on to outline some potential next steps, including validating whether the container image itself could be reproduced bit-for-bit. The post, which was itself a followup for an Arch Linux update earlier in the month, generated a significant number of replies.

Validating Debian’s build infrastructure after the XZ backdoor

From our mailing list this month, Vagrant Cascadian wrote about being asked about trying to perform concrete reproducibility checks for recent Debian security updates, in an attempt to gain some confidence about Debian’s build infrastructure given that they performed builds in environments running the high-profile XZ vulnerability.

Vagrant reports (with some caveats):

So far, I have not found any reproducibility issues; everything I tested I was able to get to build bit-for-bit identical with what is in the Debian archive.

That is to say, reproducibility testing permitted Vagrant and Debian to claim with some confidence that builds performed when this vulnerable version of XZ was installed were not interfered with.

Making Fedora Linux (more) reproducible

In March, Davide Cavalca gave a talk at the 2024 Southern California Linux Expo (aka SCALE 21x) about the ongoing effort to make the Fedora Linux distribution reproducible.

Documented in more detail on Fedora’s website, the talk touched on topics such as the specifics of implementing reproducible builds in Fedora, the challenges encountered, the current status and what’s coming next. (YouTube video)

“Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management”

Julien Malka published a brief but interesting paper in the HAL open archive on Increasing Trust in the Open Source Supply Chain with Reproducible Builds and Functional Package Management:

Functional package managers (FPMs) and reproducible builds (R-B) are technologies and methodologies that are conceptually very different from the traditional software deployment model, and that have promising properties for software supply chain security. This thesis aims to evaluate the impact of FPMs and R-B on the security of the software supply chain and propose improvements to the FPM model to further improve trust in the open source supply chain. PDF

Julien’s paper poses a number of research questions on how the model of distributions such as GNU Guix and NixOS can “be leveraged to further improve the safety of the software supply chain”, etc.

Software and source code identification with GNU Guix and reproducible builds

In a long line of commendably detailed blog posts, Ludovic Courtès, Maxim Cournoyer, Jan Nieuwenhuizen and Simon Tournier have together published two interesting posts on the GNU Guix blog this month. In early March, Ludovic Courtès, Maxim Cournoyer, Jan Nieuwenhuizen and Simon Tournier wrote about software and source code identification and how that might be performed using Guix, rhetorically posing the questions: “What does it take to ‘identify software’? How can we tell what software is running on a machine to determine, for example, what security vulnerabilities might affect it?”

Later in the month, Ludovic Courtès wrote a solo post describing adventures on the quest for long-term reproducible deployment. Ludovic’s post touches on GNU Guix’s aim to support “time travel”, the ability to reliably (and reproducibly) revert to an earlier point in time, employing the iconic image of Harold Lloyd hanging off the clock in Safety Last! (1925) to poetically illustrate both the slapstick nature of current modern technology and the gymnastics required to navigate hazards of our own making.

Two new Rust-based tools for post-processing determinism

Zbigniew Jędrzejewski-Szmek announced add-determinism, a work-in-progress reimplementation of the Reproducible Builds project’s own strip-nondeterminism tool in the Rust programming language, intended to be used as a post-processor in RPM-based distributions such as Fedora

In addition, Yossi Kreinin published a blog post titled “refix: fast, debuggable, reproducible builds” that describes a tool that post-processes binaries in such a way that they are still debuggable with gdb, etc.. Yossi post details the motivation and techniques behind the (fast) performance of the tool.

Distribution work

In Debian this month, since the testing framework no longer varies the build path, James Addison performed a bulk downgrade of the bug severity for issues filed with a level of normal to a new level of wishlist. In addition, 28 reviews of Debian packages were added, 38 were updated and 23 were removed this month adding to ever-growing knowledge about identified issues. As part of this effort, a number of issue types were updated, including Chris Lamb adding a new ocaml_include_directories toolchain issue […] and James Addison adding a new filesystem_order_in_java_jar_manifest_mf_include_resource issue […] and updating the random_uuid_in_notebooks_generated_by_nbsphinx to reference a relevant discussion thread […].

In addition, Roland Clobus posted his 24th status update of reproducible Debian ISO images. Roland highlights that the images for Debian unstable often cannot be generated due to changes in that distribution related to the 64-bit time_t transition.

Lastly, Bernhard M. Wiedemann posted another monthly update for his reproducibility work in openSUSE.

Mailing list highlights

Elsewhere on our mailing list this month:

• Alexander Railean of Siemens asked the list to aid in understanding how one can independently verify the reproducibility of Java projects from the Maven Central repository. Having explored those repositories, Alexander could not find examples where the buildinfo file was present. Arnout Engelen responded with some details.

• Fay Stegerman resuscitated a long-dormant thread to report that she added support in her diff-zip-meta.py tool to expose extra timestamps embedded in .zip and .apk metadata.

Website updates

There were made a number of improvements to our website this month, including:

• Pol Dellaiera noticed the frequent need to correctly cite the website itself in academic work. To facilitate easier citation across multiple formats, Pol contributed a Citation File Format (CIF) file. As a result, an export in BibTeX format is now available in the Academic Publications section. Pol encourages community contributions to further refine the CITATION.cff file. Pol also added an substantial new section to the “buy in” page documenting the role of Software Bill of Materials (SBOMs) and ephemeral development environments. […][…]

• Bernhard M. Wiedemann added a new “commandments” page to the documentation […][…] and fixed some incorrect YAML elsewhere on the site […].

• Chris Lamb add three recent academic papers to the publications page of the website. […]

• Mattia Rizzolo and Holger Levsen collaborated to add Infomaniak as a sponsor of amd64 virtual machines. […][…][…]

• Roland Clobus updated the “stable outputs” page, dropping version numbers from Python documentation pages […] and noting that Python’s set data structure is also affected by the PYTHONHASHSEED functionality. […]

Delta chat clients now reproducible

Delta Chat, an open source messaging application that can work over email, announced this month that the Rust-based core library underlying Delta chat application is now reproducible.

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions 259, 260 and 261 to Debian and made the following additional changes:

• New features:

  • Add support for the zipdetails tool from the Perl distribution. Thanks to Fay Stegerman and Larry Doolittle et al. for the pointer and thread about this tool. […]

• Bug fixes:

  • Don’t identify Redis database dumps as GNU R database files based simply on their filename. […]
  • Add a missing call to File.recognizes so we actually perform the filename check for GNU R data files. […]
  • Don’t crash if we encounter an .rdb file without an equivalent .rdx file. (#1066991)
  • Correctly check for 7z being available—and not lz4—when testing 7z. […]
  • Prevent a traceback when comparing a contentful .pyc file with an empty one. […]

• Testsuite improvements:

  • Fix .epub tests after supporting the new zipdetails tool. […]
  • Don’t use parenthesis within test “skipping…” messages, as PyTest adds its own parenthesis. […]
  • Factor out Python version checking in test_zip.py. […]
  • Skip some Zip-related tests under Python 3.10.14, as a potential regression may have been backported to the 3.10.x series. […]
  • Actually test 7z support in the test_7z set of tests, not the lz4 functionality. (Closes: reproducible-builds/diffoscope#359). […]

In addition, Fay Stegerman updated diffoscope’s monkey patch for supporting the unusual Mozilla ZIP file format after Python’s zipfile module changed to detect potentially insecure overlapping entries within .zip files. (#362)

Chris Lamb also updated the trydiffoscope command line client, dropping a build-dependency on the deprecated python3-distutils package to fix Debian bug #1065988 […], taking a moment to also refresh the packaging to the latest Debian standards […]. Finally, Vagrant Cascadian submitted an update for diffoscope version 260 in GNU Guix. […]

Upstream patches

This month, we wrote a large number of patches, including:

• Bernhard M. Wiedemann:

  • helm (SSL-related build failure)
  • java-21-openjdk (parallelism)
  • libressl (SSL-related build failure)
  • nfdump (date issue)
  • python-django-q (avoid stuck build)
  • python-smart-open (fails to build on single-CPU machines)
  • python-stdnum (fails to build in 2039)
  • python-yarl (regression)
  • qemu (build failure)
  • rabbitmq-java-client (with Fridrich Strba; Maven timestamp issue)
  • rmw (build fails in 2038)
  • warewulf (with Egbert Eich; cpio modification time and inode issue)
  • wxWidgets (fails to build in 2038)

• Chris Lamb:

  • #1066042 filed against python-quantities.
  • #1066083 filed against gnome-maps.
  • #1066084 filed against tox.
  • #1066085 filed against q2cli.
  • #1067098 filed against mpl-sphinx-theme.
  • #1067099 filed against woof-doom.
  • #1067100 filed against bochs.
  • #1067101 filed against storm-lang.
  • #1067102 filed against librsvg.
  • #1067218 filed against gretl.
  • #1067483 filed against postfix.
  • #1067484 filed against node-function-bind.
  • #1067485 filed against python-pysaml2.
  • #1067947 filed against golang-github-stvp-tempredis.

• James Addison:

  • #1065124 filed against matplotlib.
  • #1066014 filed against pathos.
  • #1066016 filed against rdflib.
  • #1066017 filed against xonsh.
  • #1066045 filed against maven-bundle-plugin. (This patch was then uploaded by Mattia Rizzollo.)

• Jiří Techet:

  • geany (toolchain-related issue for glfw)

Bernhard M. Wiedemann used reproducibility-tooling to detect and fix packages that added changes in their %check section, thus failing when built with the --no-checks option. Only half of all openSUSE packages were tested so far, but a large number of bugs were filed, including ones against caddy, exiv2, gnome-disk-utility, grisbi, gsl, itinerary, kosmindoormap, libQuotient, med-tools, plasma6-disks, pspp, python-pypuppetdb, python-urlextract, rsync, vagrant-libvirt and xsimd.

Similarly, Jean-Pierre De Jesus DIAZ employed reproducible builds techniques in order to test a proposed refactor of the ath9k-htc-firmware package. As the change produced bit-for-bit identical binaries to the previously shipped pre-built binaries:

I don’t have the hardware to test this firmware, but the build produces the same hashes for the firmware so it’s safe to say that the firmware should keep working.

Reproducibility testing framework

The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility.

In March, an enormous number of changes were made by Holger Levsen:

• Debian-related changes:

  • Sleep less after a so-called “404” package state has occurred. […]
  • Schedule package builds more often. […][…]
  • Regenerate all our HTML indexes every hour, but only every 12h for the released suites. […]
  • Create and update unstable and experimental base systems on armhf again. […][…]
  • Don’t reschedule so many “depwait” packages due to the current size of the i386 architecture queue. […]
  • Redefine our scheduling thresholds and amounts. […]
  • Schedule untested packages with a higher priority, otherwise slow architectures cannot keep up with the experimental distribution growing. […]
  • Only create the stats_buildinfo.png graph once per day. […][…]
  • Reproducible Debian dashboard: refactoring, update several more static stats only every 12h. […]
  • Document how to use systemctl with new systemd-based services. […]
  • Temporarily disable armhf and i386 continuous integration tests in order to get some stability back. […]
  • Use the deb.debian.org CDN everywhere. […]
  • Remove the rsyslog logging facility on bookworm systems. […]
  • Add zst to the list of packages which are false-positive diskspace issues. […]
  • Detect failures to bootstrap Debian base systems. […]

• Arch Linux-related changes:

  • Temporarily disable builds because the pacman package manager is broken. […][…]
  • Split reproducible_html_live_status and split the scheduling timing . […][…][…]
  • Improve handling when database is locked. […][…]

• Misc changes:

  • Show failed services that require manual cleanup. […][…]
  • Integrate two new Infomaniak nodes. […][…][…][…]
  • Improve IRC notifications for artifacts. […]
  • Run diffoscope in different systemd slices. […]
  • Run the node health check more often, as it can now repair some issues. […][…]
  • Also include the string Bot in the userAgent for Git. (Re: #929013). […]
  • Document increased tmpfs size on our OUSL nodes. […]
  • Disable memory account for the reproducible_build service. […][…]
  • Allow 10 times as many open files for the Jenkins service. […]
  • Set OOMPolicy=continue and OOMScoreAdjust=-1000 for both the Jenkins and the reproducible_build service. […]

Mattia Rizzolo also made the following changes:

• Debian-related changes:

  • Define a systemd slice to group all relevant services. […][…]
  • Add a bunch of quotes in scripts to assuage the shellcheck tool. […]
  • Add stats on how many packages have been built today so far. […]
  • Instruct systemd-run to handle diffoscope’s exit codes specially. […]
  • Prefer the pgrep tool over grepping the output of ps. […]
  • Re-enable a couple of i386 and armhf architecture builders. […][…]
  • Fix some stylistic issues flagged by the Python flake8 tool. […]
  • Cease scheduling Debian unstable and experimental on the armhf architecture due to the time_t transition. […]
  • Start a few more i386 & armhf workers. […][…][…]
  • Temporarly skip pbuilder updates in the unstable distribution, but only on the armhf architecture. […]

• Other changes:

  • Perform some large-scale refactoring on how the systemd service operates. […][…]
  • Move the list of workers into a separate file so it’s accessible to a number of scripts. […]
  • Refactor the powercycle_x86_nodes.py script to use the new IONOS API and its new Python bindings. […]
  • Also fix nph-logwatch after the worker changes. […]
  • Do not install the stunnel tool anymore, it shouldn’t be needed by anything anymore. […]
  • Move temporary directories related to Arch Linux into a single directory for clarity. […]
  • Update the arm64 architecture host keys. […]
  • Use a common Postfix configuration. […]

The following changes were also made: by

• Jan-Benedict Glaw:

  • Initial work to clean up a messy NetBSD-related script. […][…]

• Roland Clobus:

  • Show the installer log if the installer fails to build. […]
  • Avoid the minus character (i.e. -) in a variable in order to allow for tags in openQA. […]
  • Update the schedule of Debian live image builds. […]

• Vagrant Cascadian:

  • Maintenance on the virt* nodes is completed so bring them back online. […]
  • Use the fully qualified domain name in configuration. […]

Node maintenance was also performed by Holger Levsen, Mattia Rizzolo […][…] and Vagrant Cascadian […][…][…][…]

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:

• IRC: #reproducible-builds on irc.oftc.net.

• Twitter: @ReproBuilds

• Mastodon: @reproducible_builds@fosstodon.org

• Mailing list: rb-general@lists.reproducible-builds.org

Qt for MCUs 2.5.3 LTS (Long-Term Support) has been released and is available for download. As a patch release, Qt for MCUs 2.5.3 LTS provides bug fixes and other improvements, and maintains source compatibility with Qt for MCUs 2.5.x. It does not add any new functionality.

Last year a Debian Developer blogged about writing Haskell code to give a bad result for LLMs that were trained on it. I forgot who wrote the post and I’d appreciate the URL if anyone has it.

I respect such technical work to enforce one’s legal rights when they aren’t respected by corporations, but I have a different approach.

As an aside the Fosdem lecture “Fortify AI against regulation, litigation and lobotomies” is interesting on this topic [1], it’s what inspired me to write about this.

For what I write I am at this time happy to allow it to be used as part of a large training data set (consider this blog post a licence grant that applies until such time as I edit this post to change it). But only if aggregated with so much other data that my content is only a tiny portion of the data set by any metric. So I don’t want someone to make a programming LLM that has my code as the only C code or a political data set that has my blog posts as the only left-wing content. If someone wants to train an LLM on only my content to make a Russell-simulator then I don’t license my work for that purpose but also as it’s small enough that anyone with a bit of skill could do it on a weekend I can’t stop it. I would be really interested in seeing the results if someone from the FOSS community wanted to make a Russell-simulator and would probably issue them a license for such work if asked.

If my work comprises more than 0.1% of the content in a particular measure (theme, programming language, political position, etc) in a training data set then I don’t permit that without prior discussion.

Finally if someone wants to make a FOSS training data set to be used for FOSS LLM systems (maybe under the AGPL or some similar license) then I’ll allow my writing to be used as part of that.

• [1] https://tinyurl.com/24sptqxo

Related posts:

1. lemonup and blog license I have just updated my previous post about licenses and...
2. License Fees for Music in Clubs The Cyber Law Center has blogged about the Phonographic Performance...
3. BTRFS Training Some years ago Barwon South Water gave LUV 3 old...

Are you new to Django development? Are you already familiar with it and want to expand your knowledge? PyCharm has Django learning resources for everyone.  In this article, you’ll find a compilation of all the Django-related resources created by the experts at PyCharm to help you navigate through them all. From creating a new Django […]

Getting the Belgian eID to work on Linux systems should be fairly easy, although some people do struggle with it.

For that reason, there is a lot of third-party documentation out there in the form of blog posts, wiki pages, and other kinds of things. Unfortunately, some of this documentation is simply wrong. Written by people who played around with things until it kind of worked, sometimes you get a situation where something that used to work in the past (but wasn't really necessary) now stopped working, but it's still added to a number of locations as though it were the gospel.

And then people follow these instructions and now things don't work anymore.

One of these revolves around OpenSC.

OpenSC is an open source smartcard library that has support for a pretty large number of smartcards, amongst which the Belgian eID. It provides a PKCS#11 module as well as a number of supporting tools.

For those not in the know, PKCS#11 is a standardized C API for offloading cryptographic operations. It is an API that can be used when talking to a hardware cryptographic module, in order to make that module perform some actions, and it is especially popular in the open source world, with support in NSS, amongst others. This library is written and maintained by mozilla, and is a low-level cryptographic library that is used by Firefox (on all platforms it supports) as well as by Google Chrome and other browsers based on that (but only on Linux, and as I understand it, only for linking with smartcards; their BoringSSL library is used for other things).

The official eID software that we ship through eid.belgium.be, also known as "BeID", provides a PKCS#11 module for the Belgian eID, as well as a number of support tools to make interacting with the card easier, such as the "eID viewer", which provides the ability to read data from the card, and validate their signatures. While the very first public version of this eID PKCS#11 module was originally based on OpenSC, it has since been reimplemented as a PKCS#11 module in its own right, with no lineage to OpenSC whatsoever anymore.

About five years ago, the Belgian eID card was renewed. At the time, a new physical appearance was the most obvious difference with the old card, but there were also some technical, on-chip, differences that are not so apparent. The most important one here, although it is not the only one, is the fact that newer eID cards now use a NIST P-384 elliptic curve-based private keys, rather than the RSA-based ones that were used in the past. This change required some changes to any PKCS#11 module that supports the eID; both the BeID one, as well as the OpenSC card-belpic driver that is written in support of the Belgian eID.

Obviously, the required changes were implemented for the BeID module; however, the OpenSC card-belpic driver was not updated. While I did do some preliminary work on the required changes, I was unable to get it to work, and eventually other things took up my time so I never finished the implementation. If someone would like to finish the work that I started, the preliminal patch that I wrote could be a good start -- but like I said, it doesn't yet work. Also, you'll probably be interested in the official documentation of the eID card.

Unfortunately, in the mean time someone added the Applet 1.8 ATR to the card-belpic.c file, without also implementing the required changes to the driver so that the PKCS#11 driver actually supports the eID card. The result of this is that if you have OpenSC installed in NSS for either Firefox or any Chromium-based browser, and it gets picked up before the BeID PKCS#11 module, then NSS will stop looking and pass all crypto operations to the OpenSC PKCS#11 module rather than to the official eID PKCS#11 module, and things will not work at all, causing a lot of confusion.

I have therefore taken the following two steps:

1. The official eID packages now conflict with the OpenSC PKCS#11 module. Specifically only the PKCS#11 module, not the rest of OpenSC, so you can theoretically still use its tools. This means that once we release this new version of the eID software, when you do an upgrade and you have OpenSC installed, it will remove the PKCS#11 module and anything that depends on it. This is normal and expected.
2. I have filed a pull request against OpenSC that removes the Applet 1.8 ATR from the driver, so that OpenSC will stop claiming that it supports the 1.8 applet.

When the pull request is accepted, we will update the official eID software to make the conflict versioned, so that as soon as it works again you will again be able to install the OpenSC and BeID packages at the same time.

In the mean time, if you have the OpenSC PKCS#11 module installed on your system, and your eID authentication does not work, try removing it.

Drupal is moving ahead with PHP attributes. Introduced in PHP 8.1, this feature is changing how developers define plugins and manage their metadata. But there’s a lot more that comes with it. 

First and foremost, PHP attributes are a native feature of PHP 8.1. It eliminates the need for external libraries like "doctrine/annotations." This simplifies the development process by keeping code clean and concise. 

Furthermore, modern IDEs offer better support for attributes. They provide features like code completion and validation, making your workflow significantly more efficient. And because attributes are a core part of the PHP language, you can rest assured that they'll receive ongoing development and support in future PHP versions. All of this ensures that your code remains compatible and up-to-date as Drupal evolves.

However, one question that comes up very often is why PHP attributes in the first place. Well, let’s understand this by knowing the limitations of annotations. 

If you've ever thought about starting a podcast or a SaaS project, you'll want to listen to this episode.
 
Justin is one of the people who motivated me to get started podcasting.
He's also running a successful SaaS company, transistor.fm, which hosts this podcast.

Topics:

• Podcasting
• Building new SaaS (software as a service) products
• Balancing work, side hustle, and family
• Great places to snowboard in British Columbia

BTW. This episode was recorded last summer before I switched to transistor.fm.
I'm now on Transistor for most of a year now, and I love it.

Links from the show:

• Transistor.fm - excellent podcast hosting, Justin is a co-founder
• How to start a podcast in 2024
• Podcasts from Justin
  • Build your SaaS - current
  • Build & Launch - an older one, but great
  • MegaMaker - from 2021 / 2022

Sponsored by Mailtrap.io

• An Email Delivery Platform that developers love. 
• An email-sending solution with industry-best analytics, SMTP, an email API, SDKs for major programming languages, and 24/7 human support. 
• Try for Free at MAILTRAP.IO

Sponsored by PyCharm Pro

• Use code PYTEST for 20% off PyCharm Professional at jetbrains.com/pycharm
• Now with Full Line Code Completion
• See how easy it is to run pytest from PyCharm at pythontest.com/pycharm

The Complete pytest Course

• For the fastest way to learn pytest, go to courses.pythontest.com
• Whether your new to testing or pytest, or just want to maximize your efficiency and effectiveness when testing.

<p>If you've ever thought about starting a podcast or a SaaS project, you'll want to listen to this episode.<br> <br>Justin is one of the people who motivated me to get started podcasting. <br>He's also running a successful SaaS company, <a href="https://transistor.fm/?via=okken">transistor.fm</a>, which hosts this podcast.</p><p>Topics:</p><ul><li>Podcasting</li><li>Building new SaaS (software as a service) products</li><li>Balancing work, side hustle, and family</li><li>Great places to snowboard in British Columbia</li></ul><p>BTW. This episode was recorded last summer before I switched to <a href="https://transistor.fm/?via=okken">transistor.fm</a>.<br>I'm now on Transistor for most of a year now, and I love it.</p><p>Links from the show:</p><ul><li><a href="https://transistor.fm/?via=okken">Transistor.fm</a> - excellent podcast hosting, Justin is a co-founder</li><li><a href="https://transistor.fm/how-to-start-a-podcast/?via=okken">How to start a podcast in 2024</a></li><li>Podcasts from Justin<ul><li><a href="https://saas.transistor.fm/">Build your SaaS</a> - current</li><li><a href="https://www.buildandlaunch.net/">Build &amp; Launch</a> - an older one, but great</li><li><a href="https://podcast.megamaker.co/">MegaMaker</a> - from 2021 / 2022</li></ul></li></ul> <br><p><strong>Sponsored by Mailtrap.io</strong></p><ul><li>An Email Delivery Platform that developers love. </li><li>An email-sending solution with industry-best analytics, SMTP, an email API, SDKs for major programming languages, and 24/7 human support. </li><li>Try for Free at <a href="https://l.rw.rw/pythontest">MAILTRAP.IO</a></li></ul><p><strong>Sponsored by PyCharm Pro</strong></p><ul><li>Use code PYTEST for 20% off PyCharm Professional at <a href="https://www.jetbrains.com/pycharm/">jetbrains.com/pycharm</a></li><li>Now with Full Line Code Completion</li><li>See how easy it is to run pytest from PyCharm at <a href="https://pythontest.com/pycharm/">pythontest.com/pycharm</a></li></ul><p><strong>The Complete pytest Course</strong></p><ul><li>For the fastest way to learn pytest, go to <a href="https://courses.pythontest.com/p/complete-pytest-course">courses.pythontest.com</a></li><li>Whether your new to testing or pytest, or just want to maximize your efficiency and effectiveness when testing.</li></ul>

The 2024 Drupal Developer Survey is now open, inviting developers worldwide to contribute their experiences and shape the future of Drupal. With a focus on new questions and broadened language accessibility, the survey aims to capture diverse perspectives from the global Drupal community. Results will be revealed at DrupalCon Portland 2024 and are set to influence the ecosystem's direction, benefiting contributors, tool makers, and users alike.

Recently I was tasked to come up with an architecture for remote real time instantiation and updating of arbitrary QML components.

This entry shows how you can use a simple variation of the factory method pattern in QML for instantiating arbitrary components. I’ve split my findings into 3 blog entries, each one covering a slightly different topic. Part 1 focuses on the software design pattern used to dynamically instantiate components. Part 2 shows how to layout these dynamic components by incorporating QML’ s positioning and layout APIs. The last entry, consisting of Parts 3 and 4, addresses the anchors API and important safety aspects.

This is Part 1: Recursive Instantiation with Qt Quick and JSON.

The original factory method pattern made use of static methods to programmatically instantiate objects of different classes, instead of having to call their constructors. It achieved that by having the classes share a common ancestor. Our variation of the popular pattern uses a Loader to choose which component to load, and a Repeater to dynamically instantiate arbitrary instances of this loader using a model.

Here we specify which components with a JSON array and use a Repeater to load them.

id: root // A JSON representation of a QML layout: property var factoryModel: [ { "component": "Button", }, { "component": "Button", } ] // Root of our component factory Repeater { model: root.factoryModel delegate: loaderComp }

To be able to instantiate any kind of item, you can use a Component with a Loader inside, as the Repeater’s delegate. This allows you to load a different component based on the Repeater’s model data.

// Root component of the factory and nodes Component { id: loaderComp Loader { id: instantiator required property var modelData sourceComponent: switch (modelData.component) { case "Button": return buttonComp; case "RowLayout": return rowLayoutComp; case "Item": default: return itemComp; } } }

To assign values from the model to the component, add a method that gets called when the Loader’s onItemChanged event is triggered. I use this method to take care of anything that involves the component’s properties:

// Root component of the factory and nodes Component { id: loaderComp Loader { id: instantiator required property var modelData sourceComponent: switch (modelData.component) { case "Button": return buttonComp; case "RowLayout": return rowLayoutComp; case "Item": default: return itemComp; } onItemChanged: { // Pass children (see explanation below) if (typeof(modelData.children) === "object") item.model = modelData.children; // Button properties switch (modelData.component) { case "Button": // If the model contains certain value, we may assign it: if (typeof(modelData.text) !== "undefined") item.text = modelData.text; break; } // Item properties // Since Item is the parent of all repeatable, we don't need to check // if the component supports Item properties before we assign them: if (typeof(modelData.x) !== "undefined") loaderComp.x = Number(modelData.x); if (typeof(modelData.y) !== "undefined") loaderComp.y = Number(modelData.y); // ... } } }

Examples of components that loaderComp could load are defined below. To enable recursion, these components must contain a Repeater that instantiates children components, with loaderComp set as the delegate:

Component { id: itemComp Item { property alias children: itemRepeater.model children: Repeater { id: itemRepeater delegate: loaderComp } } } Component { id: buttonComp Button { property alias children: itemRepeater.model children: Repeater { id: itemRepeater delegate: loaderComp } } } Component { id: rowLayoutComp RowLayout { property alias children: itemRepeater.model children: Repeater { id: itemRepeater delegate: loaderComp } } }

The Repeater inside of the components allows us to instantiate components recursively, by having a branch or more of children components in the model, like so:

// This model lays out buttons vertically property var factoryModel: [ { "component": "RowLayout", "children": [ { "component": "Button", "text": "Button 1" }, { "component": "Button", "text": "Button 2" } ] } ]

Here we’ve seen how we can use a Repeater, a JSON model, a Loader delegate, and simple recursive definition to instantiate arbitrary QML objects from a JSON description. In my next entry I will focus on how you can lay out these arbitrarily instantiated objects on your screen.

Thanks to Kevin Krammer and Jan Marker whose insights helped improve the code you’ve seen here.

I hope you’ve found this useful! Part 2 may be found already or later by following this link.

Reference

• To see a real world application of this factory design pattern in action, watch “QML for building beautiful desktop apps | Dev/Des 2021”, by Prashanth N. Udupa https://www.youtube.com/watch?v=l2nC-onPGQs

About KDAB

If you like this article and want to read similar material, consider subscribing via our RSS feed.

Subscribe to KDAB TV for similar informative short video content.

KDAB provides market leading software consulting and development services and training in Qt, C++ and 3D/OpenGL. Contact us.

The post Recursive Instantiation with Qt Quick and JSON appeared first on KDAB.