Feeds

The Drop Times: Correction Notice: Important Update in Our Recent Newsletter

Planet Drupal - Tue, 2024-09-10 07:35
In our recent newsletter, we incorrectly stated the dates for DrupalCon Europe 2024. The event will take place from September 24 to 27, 2024. We regret the oversight and appreciate your understanding.
Categories: FLOSS Project Planets

Steinar H. Gunderson: GS1900-10HP web session hijack

Planet Debian - Tue, 2024-09-10 03:00

While fiddling around, I found a (fairly serious) vulnerability in Zyxel's GS1900-10HP and related switches; today Zyxel released an advisory with updated firmware, so I can publish my side of it as well. (Unfortunately there's no Zyxel bounty program, but Zyxel PSIRT has been forthcoming all along, which I guess is all you can hope for.)

The CVE (CVE-2024-38270) is sparse on details, so I'll simply paste my original message to Zyxel below:

Hi,

GS1900-10HP (probably also many other switches in the same series), firmware V2.80(AAZI.0) (also older ones) generate web authentication tokens in an unsafe way. This makes it possible for an attacker to guess them and hijack the session. web_util_randStr_generate() contains code that is functionally the same as this:

    char token[17];
    struct timeval now;
    gettimeofday(&now, NULL);
    srandom(now.tv_sec + now.tv_usec);
    for (int i = 0; i < 16; ++i) {
        long r = random() % 62;
        char c;
        if (r < 10) {
            c = r + '0';  // 0..9
        } else if (r < 36) {
            c = r + ('A' - 10);  // A..Z
        } else {
            c = r + ('a' - 36);  // a..z
        }
        token[i] = c;
    }
    token[16] = 0;

(random() comes from uclibc, but it has the same generator as glibc, so the code runs just as well on desktop Linux)

This token is generated on initial login, and stored in a cookie on the client. This has multiple problems:

First, the clock is a known quantity; even if the switch is not on SNTP, it is trivial to get its idea of time-of-day by just doing an HTTP request and looking at the Date header. This means that if an attacker knows precisely when the administrator logged in (for instance, by observing an HTTPS login on the network), they will have a very limited range of possible tokens to check.

Second, tv_sec and tv_usec are combined in an improper way, canceling out much of the intended entropy. As long as one assumes that the administrator logged in less than a day ago, the entire range of possible seeds is contained within the range [now - 86400, now + 999999], i.e. only about 1.1M possible cookies, which can simply be tried serially even if one did not observe the original login.

There is no brute-force protection on the web interface.

I have verified that this attack is practical, by simply generating all the tokens and asking for the status page repeatedly (it is trivial to see whether it returns an authentication success or failure). The switch can sustain about one try every 96 ms on average against an attacker on a local LAN (there is no keepalive or multithreading, so the most trivial code is seemingly also the best one), which means that an attack will succeed on average after about 15 hours; my test run succeeded after a bit under three hours. If there are multiple administrator sessions active, the expected time to success is of course lower, although the tries are also somewhat slower because the switch has to deal with the keepalive traffic from the admins.

This is a straightforward case of CWE-330 (Use of Insufficiently Random Values), with subcategories CWE-331, CWE-334, CWE-335, CWE-337, CWE-339, CWE-340, CWE-341 and probably others.

The suggested fix is simple: Read entropy from /dev/urandom or another good source, instead of using random(). (Make sure that you don't get bias issues due to the use of modulo; you can use e.g. rejection sampling.)

Session timeout does help against this attack (by default, it is 3 minutes), but only as long as the administrator has not kept a tab open. If the tab is left open, that keeps on making background requests that refresh the token every five seconds, guaranteeing a 100% success rate if given a day or two.

There is also _tons_ of outdated software on the switch (kernel from 2008, OpenSSH from 2013, netkit-telnetd which is no longer maintained, a fork of a very old NET-SNMP, etc.), but I did not check whether there are any relevant security holes or whether you have actually backported patches.

I haven't verified what their fix looks like, but it's probably somewhere there in the GPL dump. :-)

Categories: FLOSS Project Planets
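
The fix suggested in the post above (draw the token from /dev/urandom and use rejection sampling so the modulo introduces no bias), written out as an added example. It is not Zyxel's code nor the post author's; the names `generate_session_token`, `bytes_to_token_chars` and `read_full` are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TOKEN_LEN 16

/* Same 62-character alphabet and ordering as the code quoted in the post. */
static const char ALPHABET[] =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
#define ALPHABET_LEN (sizeof ALPHABET - 1)          /* 62 */

/* 256 is not a multiple of 62, so "byte % 62" would favour the first
 * 8 characters. Bytes at or above the largest multiple of 62 that fits
 * in a byte (248) are discarded instead: rejection sampling. */
#define REJECT_LIMIT (256 - (256 % ALPHABET_LEN))   /* 248 */

/* Read exactly len bytes, retrying on EINTR and on short reads.
 * Returns 0 on success, -1 on error or unexpected end of file. */
static int read_full(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Map random bytes to alphabet characters, skipping rejected bytes.
 * Writes at most `want` characters to `out` (no terminator) and returns
 * how many were written. Kept separate from the entropy source so the
 * mapping can be checked against fixed input. */
size_t bytes_to_token_chars(const unsigned char *in, size_t n,
                            char *out, size_t want)
{
    size_t produced = 0;
    for (size_t i = 0; i < n && produced < want; ++i) {
        if (in[i] >= REJECT_LIMIT)
            continue;                       /* would bias the result */
        out[produced++] = ALPHABET[in[i] % ALPHABET_LEN];
    }
    return produced;
}

/* Fill token with TOKEN_LEN characters plus a terminating NUL.
 * No clock and no seed are involved; every character comes from the
 * kernel CSPRNG. Returns 0 on success; on failure returns -1 and leaves
 * the buffer zeroed so a caller cannot hand out a partial token. */
int generate_session_token(char token[TOKEN_LEN + 1])
{
    size_t have = 0;
    int fd = open("/dev/urandom", O_RDONLY);

    memset(token, 0, TOKEN_LEN + 1);
    if (fd < 0)
        return -1;

    while (have < TOKEN_LEN) {
        unsigned char buf[32];
        if (read_full(fd, buf, sizeof buf) != 0) {
            close(fd);
            memset(token, 0, TOKEN_LEN + 1);
            return -1;
        }
        have += bytes_to_token_chars(buf, sizeof buf,
                                     token + have, TOKEN_LEN - have);
    }
    close(fd);
    token[TOKEN_LEN] = '\0';
    return 0;
}

int main(void)
{
    char token[TOKEN_LEN + 1];
    if (generate_session_token(token) != 0) {
        perror("generate_session_token");
        return 1;
    }
    printf("%s\n", token);
    return 0;
}
```

With 62 equally likely values per character, a 16-character token carries about 95 bits of entropy, compared with the roughly 1.1M candidates the post derives for the seeded version.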

Specbee: Upgrading from Drupal 10 to the all-new Drupal 11 (and what’s new)

Planet Drupal - Tue, 2024-09-10 02:38
Drupal 11 has arrived! Okay, it’s been a month, but we were too busy exploring its new features to write the blog right away. With improved CKEditor integration, performance boosts, a redesigned Field UI, and updated taxonomy term revisions, this version builds on the success of Drupal 10. It introduces new tools and workflows designed to simplify development, improve performance, and streamline content management—making it easier than ever to create and maintain high-quality digital experiences. In this article we’ll talk about what makes Drupal 11 so exciting and even walk you through the upgrade from Drupal 10. Dive in!

What’s introduced in Drupal 11

Drupal 11, the latest major release of the Drupal Content Management System, brings powerful new features that enhance the capabilities of developers, site builders, and content owners. This version focuses on modern technologies and best practices to make sites more efficient, scalable, and easier to maintain. Key improvements in Drupal 11 include enhancements to the developer experience, performance boosts, and advanced tools for content creators. With these updates, Drupal 11 empowers users to build and maintain optimized digital experiences with greater ease.

Below are the major features and enhancements you can expect in Drupal 11 compared to Drupal 10:
  • Faster real and perceived page performance including interface previews and lazy loading.
  • New Experimental Recipes API.
  • Single Directory Components (SDC) - used to create UI components.
  • Symfony 7 under the hood (replacing Symfony 6).
  • Decoupled menu support improved with Linkset support.
  • Content editing is streamlined with automatic formatting.
  • Menu, taxonomy, block and permission management made easier.

What’s removed

Several Drupal core modules and themes are deprecated in Drupal 10 and removed in Drupal 11. While they are no longer included in Drupal 11, you can still install and use them if needed:
  • Actions UI
  • Book
  • Tracker
  • Forum
  • Statistics
  • Tour

How to Upgrade from Drupal 10 to Drupal 11

Platform requirements

This version of Drupal 11 requires specific conditions to be met in your environment. Please ensure you check the following requirements:
  • Update to PHP 8.3
  • Update to Drush 13
  • Database: It requires MySQL 8.0+ or MariaDB 10.6+. Otherwise, use the mysql57 module to use Drupal 11 on MySQL 5.7.8+ and MariaDB 10.3.7+.
  • Symfony 7
  • jQuery 4
  • PHPUnit 10
  • Composer 2.7.7
  • Web server - As of Drupal 11.0.0, it does not support using Microsoft IIS. Other web server requirements remain unchanged.

Upgrade to the latest Drupal 10

Drupal sites running version 10.2.x or earlier must first upgrade to version 10.3.0 or later before updating to Drupal 11. This is necessary because all core updates introduced prior to version 10.3.0 have been removed.

Upgrade Status + Drupal Rector

Run a deprecation scan using the Upgrade Status module in conjunction with Drupal Rector to identify and address deprecated code before upgrading your Drupal site.

The screenshot below shows the upgrade status report for Drupal Core version 10.1.

Here is a snapshot of the upgrade status report after upgrading Drupal core to the latest version, 10.3.

Update platform requirements as needed

Drupal 11 requires PHP 8.3 and the MySQL database driver requires MySQL 8.0. While Drupal 11 does not currently use MySQL 8-specific syntax, future versions will. If you cannot upgrade to MySQL 8.0 immediately, you can use the MySQL 5.7 backport module as a temporary solution.

Upgrade Contributed Packages

Upgrade contributed modules & themes to the latest compatible version using Composer. For example:

    composer require drupal/package_name:^x.y --no-update

Where, ^x.y is the latest available version of the package. For packages without Drupal 11 compatibility, use composer require with mglaman/composer-drupal-lenient and apply necessary patches using cweagans/composer-patches.

Update Custom Code

Use Upgrade Status and Drupal Rector to assess the readiness of your custom modules and themes for Drupal 11. Replace any code that was deprecated in Drupal 10 and removed in Drupal 11.

Update Core to Drupal Core

The following provides instructions for updating from Drupal 10.3.x to Drupal 11.x.

Temporarily grant write access to protected files and directories:

    chmod 777 web/sites/default
    chmod 666 web/sites/default/*settings.php
    chmod 666 web/sites/default/*services.yml

Update the required versions of the core-recommended packages. Use the --no-update option to prevent issues with mutual dependencies during the update process:

    composer require 'drupal/core-recommended:^11' 'drupal/core-composer-scaffold:^11' 'drupal/core-project-message:^11' --no-update

Upgrade drush to version ^13:

    composer require 'drush/drush:^13' --no-update

Perform upgrade to the core using:

    composer update

After successfully running composer update without errors, verify that you can also run composer install.

Update the database using drush:

    drush updatedb

Once complete, restore read-only access to the sites/default directory:

    chmod 755 web/sites/default
    chmod 644 web/sites/default/*settings.php
    chmod 644 web/sites/default/*services.yml

For a detailed guide on upgrading, please visit https://www.drupal.org/docs/upgrading-drupal/upgrading-from-drupal-8-or-later/how-to-upgrade-from-drupal-10-to-drupal-11.

Final thoughts

No need to stress though! Drupal 10 isn’t going anywhere for a while. It will remain supported until Drupal 12 arrives, which is expected around mid to late 2026. But the fact that there are so many exciting updates and features in Drupal 11 means that moving from Drupal 10 to Drupal 11 is an opportunity you won’t want to miss. Transitioning now will set you up for future success and make the most of what Drupal 11 has to offer. Thinking about making the jump to Drupal 11? Our Drupal experts are just an email away!
Categories: FLOSS Project Planets

Ben Hutchings: FOSS activity in August 2024

Planet Debian - Mon, 2024-09-09 20:51
Categories: FLOSS Project Planets

Oliver Davies' daily list: Beyond Blocks passes 1,000 downloads

Planet Drupal - Mon, 2024-09-09 20:00

Today, Beyond Blocks - the podcast I started last year, which has 20 published episodes - passed 1,000 total downloads.

I've had some great guests on the show and discussed some interesting topics so far and I have others recorded and guests lined up for future episodes.

This week's episode will be with Eirik Morland again - the first returning guest - where we discuss the improvements and changes that have been made to Violinist.io since we spoke in January.

The first episode with Eirik is here if you want to listen to it beforehand.

Thanks to all the guests and listeners of the podcast, and if you'd like to be a guest or suggest a topic, reply and let me know.

Categories: FLOSS Project Planets

Freexian Collaborators: Debian Contributions: Python 3 patches, OpenSSH GSS-API split, rebootstrap, salsa CI, etc. (by Anupa Ann Joseph)

Planet Debian - Mon, 2024-09-09 20:00
Debian Contributions: 2024-08

Contributing to Debian is part of Freexian’s mission. This article covers the latest achievements of Freexian and their collaborators. All of this is made possible by organizations subscribing to our Long Term Support contracts and consulting services.

Debian Python 3 patch review, by Stefano Rivera

Last month, at DebConf, Stefano reviewed the current patch set of Debian’s cPython packages with Matthias Klose, the primary maintainer until now. As a result of that review, Stefano re-reviewed the patchset, updating descriptions, etc. A few patches were able to be dropped, and a few others were forwarded upstream.

One finds all sorts of skeletons doing reviews like this. One of the patches had been inactive (fortunately, because it was buggy) since the day it was applied, 13 years ago. One is a cleanup that probably only fixes a bug on HPUX, and is a result of copying code from xfree86 into Python 25 years ago. It was fixed in xfree86 a year later. Others support just Debian-specific functionality and probably never seemed worth forwarding. Or good cleanup that only really applies to Debian.

A trivial new patch would allow Debian to multiarch co-install Python stable ABI dynamic extensions (like we can with regular dynamic extensions). Performance concerns are stalling it in review, at the moment.

DebConf 24 Organization, by Stefano Rivera

Stefano helped organize DebConf 24, which concluded in early August. The event is run by a large entirely volunteer team. The work involved in making this happen is far too varied to describe here. While Freexian provides funding for 20% of collaborator time to spend on Debian-related work, it only covers a small fraction of contributions to time-intensive tasks like this.

Since the end of the event, Stefano has been doing some work on the conference finances, and initiated the reimbursement process for travel bursaries.

Archive rebuilds on Debusine, by Stefano Rivera

The recent setuptools 73 upload to Debian unstable removed the test subcommand, breaking many packages that were using python3 setup.py test in their Debian packaging. Stefano did a partial archive-rebuild using debusine.debian.net to find the regressions and file bugs.

Debusine will be a powerful tool to do QA work like this for Debian in the future, but it doesn’t have all the features needed to coordinate rebuild-testing, yet. They are planned to be fleshed out in the next year. In the meantime, Debusine has the building blocks to work through a queue of package building tasks and store the results, it just needs to be driven from outside the system.

So, Stefano started working on a set of tools using the Debusine client API to perform archive rebuilds, found and tagged existing bugs, and filed many more.

OpenSSH GSS-API split, by Colin Watson

Colin landed the first stage of the planned split of GSS-API authentication and key exchange support in Debian’s OpenSSH packaging. In order to allow for smooth upgrades, the second stage will have to wait until after the Debian 13 (trixie) release; but once that’s done, as upstream puts it, “this substantially reduces the amount of pre-authentication attack surface exposed on your users’ sshd by default”.

OpenSSL vs. cryptography, by Colin Watson

Colin facilitated a discussion between Debian’s OpenSSL team and the upstream maintainers of Python cryptography about a new incompatibility between Debian’s OpenSSL packaging and cryptography’s handling of OpenSSL’s legacy provider, which was causing a number of build and test failures. While the issue remains open, the Debian OpenSSL maintainers have effectively reverted the change now, so it’s no longer a pressing problem.

/usr-move, by Helmut Grohne

There are less than 40 source packages left to move files to /usr, so what we’re left with is the long tail of the transition. Rather than fix all of them, Helmut started a discussion on removing packages from unstable and filed a first batch. As libvirt is being restructured in experimental, we’re handling the fallout in collaboration with its maintainer Andrea Bolognani. Since base-files validates the aliasing symlinks before upgrading, it was discovered that systemd has its own ideas with no solution as of yet. Helmut also proposed that dash checks for ineffective diversions of /bin/sh and that lintian warns about aliased files.

rebootstrap by Helmut Grohne

Bootstrapping Debian for a new or existing CPU architecture still is a quite manual process. The rebootstrap project attempts to automate part of the early stage, but it still is very sensitive to changes in unstable. We had a number of fairly intrusive changes this year already. August included a little more fallout from the earlier gcc-for-host work where the C++ include search path would end up being wrong in the generated cross toolchain. A number of packages such as util-linux (twice), libxml2, libcap-ng or systemd had their stage profiles broken. e2fsprogs gained a cycle with libarchive-dev due to having gained support for creating an ext4 filesystem from a tar archive. The restructuring of glib2.0 remains an unsolved problem for now, but libxt and cdebconf should be buildable without glib2.0.

Salsa CI, by Santiago Ruano Rincón

Santiago completed the initial RISC-V support (!523) in the Salsa CI’s pipeline. The main work started in July, but it was required to take into account some comments in the review (thanks to Ahmed!) and some final details in [!534]. riscv64 is the most recently supported port in Debian, which will be part of trixie. As its name suggests, the new build-riscv64 job makes it possible to test that a package successfully builds in the riscv64 architecture. The RISC-V runner (salsaci riscv64 runner 01) runs in a couple of machines generously provided by lab.rvperf.org. Debian Developers interested in running this job in their projects should enable the runner (salsaci riscv64 runner 01) in Settings / CI / Runners, and follow the instructions available at https://salsa.debian.org/salsa-ci-team/pipeline/#build-job-on-risc-v.

Santiago also took part in discussions about how to optimize the build jobs and reviewed !537 to make the build-source job to only satisfy the Build-Depends and Build-Conflicts fields by Andrea Pappacoda. Thanks a lot to him!

Miscellaneous contributions
  • Stefano submitted patches for BeautifulSoup to support the latest soupsieve and lxml.
  • Stefano uploaded pypy3 7.3.17, upgrading the cPython compatibility from 3.9 to 3.10. Then ran into a GCC-14-related regression, which had to be ignored for now as it’s proving hard to fix.
  • Colin released libpipeline 1.5.8 and man-db 2.13.0; the latter included foundations allowing adding an autopkgtest for man-db.
  • Colin upgraded 19 Python packages to new upstream versions (fixing 5 CVEs), fixed several other build failures, fixed a Python 3.12 compatibility issue in zope.security, and made python-nacl build reproducibly.
  • Colin tracked down test failures in python-asyncssh and Ruby resulting from certain odd /etc/hosts configurations.
  • Carles upgraded the packages python-ring-doorbell and simplemonitor to new upstream versions.
  • Carles started discussions and implementation of a tool (still in early days) named “po-debconf-manager”: a way for translators and reviewers to collaborate using git as a backend instead of mailing list; and submit the translations using salsa MR. More information next month.
  • Carles (dog-fooding “po-debconf-manager”) reviewed debconf templates translated by a collaborator.
  • Carles reviewed and submitted the translation of “apt”.
  • Helmut sent 19 patches for improving cross building.
  • Helmut implemented the cross-exe-wrapper proposed by Simon McVittie for use with glib2.0.
  • Helmut detailed what it takes to make Perl’s ExtUtils::PkgConfig suitable for cross building.
  • Helmut made the deletion of the root password work in debvm in all situations and implemented a test case using expect.
  • Anupa attended Debian Publicity team meeting and is moderating and posting on Debian Administrators LinkedIn group.
  • Thorsten uploaded package gutenprint to fix a FTBFS with gcc14 and package ipp-usb to fix a /usr-merge issue.
  • Santiago updated bzip2 to fix a long-standing bug that requested to include a pkg-config file. An important impact of this change is that it makes it possible to use Rust bindings for libbz2 by Sequoia, an implementation of OpenPGP.
Categories: FLOSS Project Planets

KDE Plasma 6.1.5, Bugfix Release for September

Planet KDE - Mon, 2024-09-09 20:00

Tuesday, 10 September 2024. Today KDE releases a bugfix update to KDE Plasma 6, versioned 6.1.5.

Plasma 6.1 was released in June 2024 with many feature refinements and new modules to complete the desktop experience.

This release adds a month's worth of new translations and fixes from KDE's contributors. The bugfixes are typically small but important and include:

  • Screenedge: allow activating clients in drag and drop. Commit. Fixes bug #450579
  • Applets/kickoff: Fix keyboard navigation getting stuck inside gridviews. Commit. Fixes bug #489867
  • Klipper: fix copying cells when images are ignored. Commit. Fixes bug #491488
View full changelog
Categories: FLOSS Project Planets

Ben Hutchings: FOSS activity in July 2024

Planet Debian - Mon, 2024-09-09 19:57
Categories: FLOSS Project Planets

ImageX: Test and Publish Easily: Exclusive Drupal Content Management Options with the Workspaces Module

Planet Drupal - Mon, 2024-09-09 16:59

Authored by Nadiia Nykolaichuk.

Having your website on the World Wide Web is a responsible task because it must always be impeccable in the eyes of your audience. What if you must launch a new product, run a content-rich campaign, or just review and publish large amounts of content?

Categories: FLOSS Project Planets

Talking Drupal: Talking Drupal #466 - Progressive Migration

Planet Drupal - Mon, 2024-09-09 14:00

Today we are talking about Progressive migration with Drupal, What it is, and how you can do it with your organization with guest Stephen Cross. We’ll also cover Views JSON Source as our module of the week.

For show notes visit: www.talkingDrupal.com/466

Topics
  • What is a progressive migration
  • What other types of migration are there
  • What problem does progressive migration solve at the ATF
  • What versions of Drupal are involved
  • Technical implementation
  • Technical challenges
  • Non-Technical challenges
  • Processes needed for success
  • When to use another migration process
Resources

Guests

Stephen Cross - stephencross.com stephencross

Hosts

Nic Laflin - nLighteneddevelopment.com nicxvan
John Picozzi - epam.com johnpicozzi
Nate Dentzau - dentzau.com nathandentzau

MOTW Correspondent

Martin Anderson-Clutz - mandclu.com mandclu

  • Brief description:
    • Have you ever wanted to use Drupal’s Views interface to allow visitors to browse and navigate data from another source? There’s a module for that
  • Module name/project name:
  • Brief history
    • How old: created in Apr 2020 by Pradeep Venugopal (venugopp), but recent releases are by Viktor Holovachek (astonvictor), a member of the Ukraine Drupal community
    • Versions available: 2.0.2 compatible with Drupal 8.8 and newer, all the way up to Drupal 11
  • Maintainership
    • Actively maintained
    • Security coverage
    • Documentation: pretty lengthy README to help you get started
    • Number of open issues: 17 open issues, 4 of which are bugs against the current branch, although one had a fix merged in the past week
  • Usage stats:
    • 1,641 sites
  • Module features and usage
    • After installing the module, you can create a view and specify it should show “JSON” instead of some kind of content entity
    • In the view settings you can then provide a URL for where to retrieve the JSON, and an optional Apath value to indicate a section of the data to show
    • It also supports contextual filters, so you can create a single view that will show different sections of data depending on the path used to access it
    • From there you can build out your view in the normal way: using fields to specify what data should be shown and how, filters to limit which rows will be shown, and sort criteria to specify the order in which it will be listed. And of course, the ability to expose controls for users to filter and sort the data in ways that meet their own needs make this an extremely powerful way to make data available to your site’s visitors
    • We spoke a couple of episodes ago about how powerful it can be to use Drupal as the “glass” or experience layer through which visitors can interact with other systems, and I think this is another great example of that
Categories: FLOSS Project Planets

Drupal Association blog: Join Us at the Drupal Association Booth at DrupalCon Barcelona!

Planet Drupal - Mon, 2024-09-09 13:20

Drupal is thriving due to the contributions of its community of developers, site builders, designers, business owners, and more. Our open source model ensures that everyone has a voice and can directly contribute to the platform’s growth, making it more powerful, flexible, and secure. In a couple of weeks, our chance to come together in person is not just about learning the latest in Drupal development; it’s about connecting with like-minded individuals who share a passion for open source and the open web. 


Some of the crowd attending DrupalCon Portland in May 2024

We welcome all attendees to stop by the Drupal Association booth at DrupalCon Barcelona to share their ideas, meet our team, learn more about our work, and how to get involved. If you’re not already a supporter, you can sign up and discover how your contribution as a Ripple Maker or a Drupal Certified Partner can make a significant impact. Other opportunities are the Drupal Certified Partner Roundtable or the Ripple Makers Roundtable. The Drupal Association is hosting a coffee for Ripple Makers on Wednesday, 25 September at 8:45 am. The first 50 people who RSVP reserve their spot - you can RSVP here!

Other Drupal Association sessions include Bridging the Gap: Unlocking Non-Code Contributions on Wednesday, the Drupal.org Engineering Panel, the Local Drupal Regions & Associations Round Table, and Supply Chain Security in Drupal and Composer on Thursday. Lastly, we also encourage you to attend the Drupal Association Public Board Meeting, also on Thursday. At this session, the community-elected 2024 At-Large Board member will be announced and welcomed onto the board.

Make sure to also ask about Drupal CMS (aka Drupal Starshot) to learn more about the initiative when you’re visiting the Drupal Association booth. We’ll share:

  • The latest Drupal CMS news
  • Plans for the future of Drupal CMS, especially the first market-ready version
  • How you can get involved in helping with this awesome product!

There will also be a giveaway to win one of three Drupal Starshot initiative posters. Visit us at the booth to enter for a chance to win! 

DrupalCon is a vibrant, collaborative space where individuals from all walks of life come together to create, innovate, and share. The event fosters friendships, offers inspiration, and provides opportunities to contribute back to the community in meaningful ways. The excitement around Drupal CMS and the energy of being surrounded by people who love Drupal is palpable, making DrupalCon an invaluable experience for both newcomers and seasoned contributors alike.

If you can’t make the event in person, we invite you to become a Ripple Maker or a Drupal Certified Partner. You’re not just making a contribution—you’re investing in the future of Drupal. With increased and customized communication, you will learn how these programs support critical initiatives such as security updates, community events, and educational resources that benefit users and developers alike. With your support, you'll be part of the dedicated group of community members who understand the importance of giving back and ensuring that Drupal remains a powerful, free, and open-source tool for everyone. 

See you in Barcelona from 24-27 September 2024!

Categories: FLOSS Project Planets

BRAINSUM: Harnessing the Power of Decoupled Architecture with Next.js and Drupal

Planet Drupal - Mon, 2024-09-09 13:04
Marco Mon, 09/09/2024 - 17:04

In today's digital ecosystem, the choice of technology stack is crucial to the success of any project, particularly when developing large-scale web applications. A trend gaining momentum is the decoupling of the frontend and backend, which enhances flexibility, scalability, and the overall user experience. This architectural choice is brilliantly exemplified by the integration of Next.js and Drupal, where Drupal's robust content management capabilities are combined with the modern frontend framework of Next.js.

Recognizing the limitations of its traditional Twig-based frontend, Drupal has embraced a more flexible approach known as "Decoupled Drupal." This blog post delves into projects that we’ve worked on: Novozymes and Novonesis that leveraged Next.js for the frontend and Drupal as the headless CMS backend, offering valuable insights for digital solution leads and developers keen on exploring this technology stack.

Categories: FLOSS Project Planets

Open Source AI Definition – Weekly update September 9

Open Source Initiative - Mon, 2024-09-09 13:02

Week 36 summary 

Draft v.0.0.9 of the Open Source AI Definition is available for comments
  • @Shamar agrees with @thesteve0 and emphasizes that AI systems consist of two parts: a virtual machine (architecture) and the weights (the executable software). He argues that while weights are important, they are not sufficient to study or fully understand an AI model. For a system to be truly Open Source, it must provide all the data used to recreate an exact copy of the model, including random values used during the process. Without this, the system should not be labeled Open Source, even if the weights are available under an open-source license. Shamar suggests calling such systems “freeware” instead and ensuring the Open Source AI Definition aligns with the Open Source Definition.
  • @jberkus questions whether creating an exact copy of an AI system is truly possible, even with access to all the training data, or if slight differences would always exist.
  • @shujisado explains that under Japan’s copyright law, AI training on publicly available copyrighted works is permissible, but sharing the datasets created during training requires explicit permission from copyright holders. He notes that while AI training within legal limits may be allowed in many jurisdictions, making all training data freely available is unlikely. He adds that the current Open Source AI Definition strikes a reasonable balance given global intellectual property rights but suggests that more specific language might help clarify this further.
Share your thoughts about draft v0.0.9
  • @marianataglio suggests including hardware specifications, training time, and carbon footprint in the Open Source AI Definition to improve transparency. She believes this would enhance reproducibility, accessibility, and collaboration, while helping practitioners estimate computational costs and optimize models for more efficient training.
Open Source AI Definition Town Hall – September 6, 2004
Welcome diverse approaches to training data within a unified Open Source AI Definition
Explaining the concept of Data information
  • @Senficon highlights a concern from the open science community that, while EU copyright law allows reproductions of protected content for research, it restricts making the research corpus available to third parties. This limits research reproducibility and open access, as it aims to protect rights holders’ revenue.
  • @kjetilk agrees with the observation but questions the assumption that making content publicly available would significantly harm rights holders’ revenue. He believes such policies should be based on solid evidence from extensive research.
Categories: FLOSS Research

The Drop Times: Get Ready for DrupalCon Barcelona 2024: What to Expect

Planet Drupal - Mon, 2024-09-09 11:00

DrupalCon Barcelona is just around the corner, running from September 9 to 12, 2024. As one of the most anticipated events in the Drupal community, this year’s conference promises to deliver a blend of technical insights, community collaboration, and exciting updates that everyone will be talking about. If you're a developer, site builder, project manager, or just someone intrigued by the future of web technology, there’s something in store for you.

Why DrupalCon Barcelona Matters

This year's DrupalCon is packed with key sessions, hands-on workshops, and networking opportunities designed to bring the community together. Whether you’re looking to dive deep into Drupal 11, which will see some significant updates during the event, or catch the latest on how Drupal is evolving as a powerful digital platform, the conference is shaping up to be a can't-miss opportunity.

What’s New? A Focus on Starshot

A highlight of the event will be the ongoing work on the Starshot Initiative, which is aimed at taking Drupal to the next level. In a recent interview with The Drop Times, Drupal’s founder Dries Buytaert shared, 

"Our next big milestone is DrupalCon Barcelona, which is in September. We hope to show some real progress there on a variety of different things, from marketing to our demo of Starshot to maybe having the first recipes... implemented."

This makes DrupalCon Barcelona not just another tech event but a milestone where the community will witness key advancements, including live demos of Starshot. The first recipes, a crucial technical feature within Starshot, might be unveiled, offering an early glimpse into the future of Drupal.

Program Highlights

The event's schedule will feature sessions on critical topics such as Composer, security, local development, and the latest updates in Drupal 11. Expect to hear about performance improvements, new modules, and security enhancements that aim to make Drupal 11 even more powerful. Developers will also have the opportunity to discuss workflows, integrations, and DevOps practices that can streamline their projects.

Additionally, keep an eye on the Starshot Initiative sessions, where you’ll get a closer look at how this ambitious project is progressing and what it means for Drupal’s future. We have listed the key Starshot sessions happening at DrupalCon Barcelona: take a look at the Key Sessions on Drupal Starshot Initiative at DrupalCon Barcelona 2024.

Community and Networking Opportunities

As always, DrupalCon is more than just technical talks. It's about community. The event is set to feature numerous networking events, helping attendees meet fellow Drupal enthusiasts, share ideas, and collaborate on projects. Whether you're looking to expand your skill set or connect with others in the industry, DrupalCon Barcelona offers the perfect platform.

Why You Should Attend

With all the excitement surrounding Starshot and the recent release of Drupal 11, there’s no better place to catch up on the latest developments in the Drupal ecosystem. With keynotes from leading voices in the community, hands-on workshops, and the promise of some surprise updates, DrupalCon Barcelona 2024 is poised to leave a lasting mark.

Don’t miss your chance to be part of this landmark event. Now, as we proceed further, let’s find out what The Drop Times has covered last week:

In an exclusive interview, Vincenzo Gambino, Drupal Architect and Senior React Developer, shared his career journey from Palermo to London with our former sub-editor, Elma John. He discussed working on high-profile projects, such as those for Cambridge University, and co-authoring Jumpstart Jamstack Development. Vincenzo touched on the role of Drupal in headless architectures and its future in open-source technologies.

Christian Burk, Senior Backend Engineer at CivicActions, provided insights into managing complex content changes on large sites like VA.gov during Drupal GovCon 2023. He highlighted the codit_batch_operations module, which simplifies revisions, logging, and script execution alongside co-presenter Steve Wirt.

At the same event, Michael Kinnunen, Backend Engineer at CivicActions, discussed A/B testing within Drupal using LaunchDarkly, underscoring the platform’s versatility for government websites. He also attended sessions on content translation and large-scale content management, deepening his understanding of Drupal's growing influence.

In other news, Drupal CMS has launched a community survey to improve its default search configuration. The initiative, led by 1XINTERNET, focuses on making Drupal’s search functionality more flexible for both developers and no-code users. Community members are encouraged to contribute to shaping the future of Drupal’s search experience.

Additionally, Drupal.org has updated its fonts to enhance readability, switching to ZT Gatha for headings and Noto Sans for body text. The update modernizes the platform’s look, improving user experience across its global community.

For a deep dive into Dresktop, an open-source tool transforming Drupal management, check out a tutorial by José Daniel Estrada Guzmán. From local development to cloud integration, Dresktop streamlines workflows using Docker, SSH, and Drush.

Lukas Fischer, CEO of Netnode AG, shared his innovative Native Design Flow, which integrates Figma and code at the outset of a project. This approach aims to eliminate the traditional design handoff, creating a more cohesive and efficient workflow from day one.

For the first time, local Drupal associations will jointly host a booth, highlighting collaboration within the European Drupal community. The booth will serve as a hub for networking and sharing information about upcoming events.

Looking ahead to other events, the NEDCamp 2024 session submission deadline has been extended to September 15, offering opportunities for presenters of all experience levels. Splash Awards Switzerland 2025 is scheduled for March 11 in Davos, coinciding with Drupal Mountain Camp. These awards celebrate the best in Drupal projects and innovation.

Early bird registration for DrupalCamp Berlin 2024 remains open until September 15, offering a discounted rate of €80. After October 15, the price will increase to €120, so early registration is recommended. The ticket includes entry, lunch, and an official event T-shirt.

Additionally, DrupalSouth Community Day 2024 in Canberra is seeking volunteers for event support, speaker coordination, and attendee assistance. The call for papers is also open, inviting Drupal professionals to submit session proposals for the event on November 14.

Meanwhile, The Splash Awards will debut in Asia at DrupalCon Singapore on December 9, 2024, celebrating excellence in Drupal projects across categories like Government, Corporate, and Education.

Mark your calendars for DrupalCamp Atlanta on October 18, 2024, in Sandy Springs, Georgia. This one-day conference will offer sessions on the technical and business aspects of Drupal and plenty of networking opportunities.

Finally, join The Drop Times at DrupalCon Barcelona as a volunteer to help cover the event’s best moments. From live updates to behind-the-scenes stories, it’s a great way to engage with the community and share the excitement.

We acknowledge that there are more stories to share. However, due to selection constraints, we must pause further exploration for now.

To get timely updates, follow us on LinkedIn, Twitter and Facebook. You can also join us on Drupal Slack at #thedroptimes.

Thank you, 
Sincerely 
Kazima Abbas
Sub-editor, The DropTimes.

Categories: FLOSS Project Planets

Wouter Verhelst: NBD: Write Zeroes and Rotational

Planet Debian - Mon, 2024-09-09 11:00

The NBD protocol has grown a number of new features over the years. Unfortunately, some of those features are not (yet?) supported by the Linux kernel.

I suggested a few times over the years that the maintainer of the NBD driver in the kernel, Josef Bacik, take a look at these features, but he hasn't done so; presumably he has other priorities. As with anything in the open source world, if you want it done you must do it yourself.

I'd been off and on considering working on the kernel driver so that I could implement these new features, but I never really got anywhere.

A few months ago, however, Christoph Hellwig posted a patch set that reworked a number of block device drivers in the Linux kernel to a new type of API. Since the NBD mailing list is listed in the kernel's MAINTAINERS file, this patch series was crossposted to the NBD mailing list, too, and when I noticed that it explicitly disabled the "rotational" flag on the NBD device, I suggested to Christoph that perhaps "we" (meaning, "he") might want to vary the decision on whether a device is rotational depending on whether the NBD server signals, through the flag that exists for that very purpose, whether the device is rotational.

To which he replied "Can you send a patch".

That got me down the rabbit hole, and now, for the first time in the 20+ years of being a C programmer who uses Linux exclusively, I got a patch merged into the Linux kernel... twice.

So, what do these things do?

The first patch adds support for the ROTATIONAL flag. If the NBD server mentions that the device is rotational, it will be treated as such, and the elevator algorithm will be used to optimize accesses to the device. For the reference implementation, you can do this by adding a line "rotational = true" to the relevant section (relating to the export where you want it to be used) of the config file.

It's unlikely that this will be of much benefit in most cases (most nbd-server installations will be exporting a file on a filesystem and have the elevator algorithm implemented server side and then it doesn't matter whether the device has the rotational flag set), but it's there in case you wish to use it.

The second set of patches adds support for the WRITE_ZEROES command. Most devices these days allow you to tell them "please write N zeroes starting at this offset", which is a lot more efficient than sending over a buffer of N zeroes and asking the device to do DMA to copy buffers etc etc for just zeroes.

The NBD protocol has supported its own WRITE_ZEROES command for a while now, and hooking it up was reasonably simple in the end. The only problem is that it expects length values in bytes, whereas the kernel uses it in blocks. It took me a few tries to get that right -- and then I also fixed up handling of discard messages, which required the same conversion.

Categories: FLOSS Project Planets

kevinquillen.com: Rebuilding Netlify from Drupal

Planet Drupal - Mon, 2024-09-09 10:39
I've recently taken up maintainership of the Netlify module for Drupal. This module helps bridge the gap between rebuilds and syncing changes that happen in Drupal to ensure your connected Netlify site correctly reflects that data, which is useful for avoiding certain aggressive caching scenarios with Next.js when it stubbornly refuses to refresh. Saving config, content or manually triggering a build will update the site. https://www.drupal.org/project/netlify
Categories: FLOSS Project Planets

Maui Release Briefing #6

Planet KDE - Mon, 2024-09-09 10:26

Today, we bring you a report on the brand-new release of the Maui Project.

We are excited to announce the latest release of MauiKit version 4.0.0, our comprehensive user interface toolkit specifically designed for convergent interfaces, the complying frameworks, and an in-house developed set of convergent applications.

Built on the solid foundations of Qt Quick Controls, QML, and the power and stability of C++, MauiKit empowers developers to create adaptable and seamless user interfaces across a range of devices, and with this release, we have finally migrated to Qt6 and made available the documentation for the frameworks.

Join us on this journey as we unveil the potential of MauiKit 4 for building convergent interfaces, and finally discover the possibilities offered by the enhanced Maui App stack.

Community

To follow the Maui Project’s development or to just say hi, you can join us on our Telegram group @mauiproject

We are present on X and Mastodon:

Thanks to the KDE contributors who have helped to translate the Maui Apps and Frameworks!

Downloads & Sources

You can get the stable release packages [APKs, AppImage, TARs] directly from the KDE downloads server at https://download.kde.org/stable/maui/

All of the Maui repositories have the newly released branches and tags. You can get the sources right from the Maui group: https://invent.kde.org/maui

Qt6

With this version bump the Maui team has finalized the migration over to Qt6, which implies more stability and better performance coming from Qt's upgraded QQC engine; it also means that some features have been removed or did not make the cut and still need more time to be brought back in later releases.

MauiKit 4 Frameworks & Apps

Currently, there are over 10 frameworks, with two new ones recently introduced. For the most part, they have all been fully documented, and although the KDE doxygen agent has some minor issues when publishing some parts, you can find the documentation online at https://api.kde.org/mauikit/ (if you find missing parts, confusing bits, or overall sections to improve, you can open a ticket at any of the framework repos and it shall be fixed shortly after).

 

fav filemanager and music player. minimal modern & convergent @maui_project
Maui Apps 4.0 coming out soon. pic.twitter.com/OVLM2HWv6v

— Camilo Higuita (@cmhiguita) May 6, 2024


Core & Others

MauiKit Core controls also include the Mauikit Style, which along with the core controls has been revised and improved in the migration. New features have been introduced and some minor changes in the API have been made.

A good way to visually test the new changes is via the MauiDemo application: when building MauiKit from source, add the -DBUILD_DEMO=ON flag and then launch it as MauiDemo4.

All of the other frameworks have also been fully ported and reviewed, and some features are absent – for example, for ImageTools the image editor is missing for Android due to KQuickImageEditor problems.

Comic book support is missing in MauiKit-Documents, due to a big pending refactoring.

Finally, the migration of TextEditor to a new backend rendering engine has yet to be started.

Most of these pending issues will be tackled in the next releases bit by bit.

More details can be found in the previous blog posts:

Maui Release Briefing #4

Maui Release Briefing #5

 

Archiver & Git

MauiKit-Archiver is a new framework, and it was created to share components and code between different applications that were duplicating the same code: Index, Arca, and Shelf.

The same goes for MauiKit-Git, which will help unify the code base for implementations made in Index, Bonsai, and Strike, so all of those apps can benefit from a single cohesive and curated code base in the form of a framework.

Archiver is pending to be documented, and Git is pending to be finished for its first stable release.

I have now finished porting all the Maui Apps and MauiKit frameworks to Qt6.

Vvave music player mini mode is back.@maui_project @Nitrux_NX pic.twitter.com/Mal3RU87O2

— Camilo Higuita (@cmhiguita) May 1, 2024


Known Issues
  • MauiKit-Documents comic book support is stalled until the next release due to heavy refactoring under Android.
  • MauiKit-ImageTools under Android does not include the image editor, since KQuickImageEditor is not working correctly under Android.
  • Clip is not working under Android due to issues with libavformat not finding openssl.so when packaging the APK; this is still under review.
  • MauiKit-Git is still being worked on, and due to this Bonsai is not included in this stable release, as it is being ported over to MauiKit-Git.

 

@maui_project looking good. after the port to qt6 the next goal is to put out a stable version of Maui Shell with a tight integration to the app ecosystem and the HIG #mauikit pic.twitter.com/BkR9ecTzMT

— Camilo Higuita (@cmhiguita) May 6, 2024


Maui Shell

Although Maui Shell has been ported over to Qt6 and is working with the latest MauiKit4, a lot of pending issues are still present and being worked on. The next release will be dedicated fully to Maui Shell and all of its subprojects, such as Maui Settings, Maui Core, CaskServer, etc.

That’s it for now. Until the next blog post, which will be a bit closer to the 4.0.1 stable release.

Release schedule

The post Maui Release Briefing #6 appeared first on MauiKit — #UIFramework.

Categories: FLOSS Project Planets

Wim Leers: XB week 15: docs & DX

Planet Drupal - Mon, 2024-09-09 10:04

Monday August 19, 2024 definitely was a milestone:

  1. I had the satisfaction of being able to remove the TwoTerribleTextareasWidget that I introduced two months ago, because the Experience Builder (XB) UI now is sufficiently developed to be able to place a component and populate its props using static prop sources — by now this terrible hack was doing more harm than good, so: good riddance! :D
  2. a huge sigh of relief was heard emanating from Ghent, Belgium because finally comprehensive docs for the XB data model were published, and ADR #2 was published to capture the initial back-end decisions, but is expected to be superseded
    (an ADR or Architecture Decision Record can be a way to unambiguously capture current choices, knowing it will be superseded).

Those docs define all XB terminology (such as “static prop sources” in that first bullet above), which enables more precise communication. Contributing to XB becomes simpler thanks to those docs 1, as does observing from a distance — with reviews to ensure accuracy & clarity from Simon “siramsay” Ramsay, Dave “longwave” Long, Ted “tedbow” Bowman, Feliksas “f.mazeikis” Mazeikis and of course, crucially, Alex “effulgentsia” Bronstein, whose proposed abstract data model it is that XB makes concrete.

While we’ll continue to iterate fast, it now is a hard requirement that every MR updates affected docs. That’s why several updates already have been committed.

Docs to come for other aspects!

Missed a prior week? See all posts tagged Experience Builder.

Goal: make it possible to follow high-level progress by reading ~5 minutes/week. I hope this empowers more people to contribute when their unique skills can best be put to use!

For more detail, join the #experience-builder Slack channel. Check out the pinned items at the top!

For a huge DX leap forward for both those working on XB itself as well as those working on the Starshot Demo Design System (spearheaded by Kristen Pol): Felix’ MR to auto-create/update Component config entities for all discovered Single-Directory Components (SDCs) landed, if they meet the minimum criteria.
For example, each SDC prop must have a title defined, because otherwise XB would be forced to expose machine names, like I mentioned at the start of last week’s update. So: XB requires SDCs to have rich enough metadata to be able to generate a good UX.
That also allowed Omkar “omkar-pd” Deshpande to remove the awkward-but-necessary-at-the-time add/edit form we’d added months ago. When installing the demo_design_system theme, you’ll see something like:

The ‘components’ listing, all auto-generated based on discovered SDCs meeting criteria.
Issue #3464025, image by me.

Ted helped the back end race ahead of the front end: while we don’t have designs for it yet (nor capacity to build it before DrupalCon if they would suddenly exist), there now is an HTTP API to get a list of viable candidate field properties that are able to correctly populate a particular component prop. These are what in the current XB terminology are called dynamic prop sources 2 3.

The preview in the XB UI has been loading component CSS/JS for a while, but thanks to Dave & Ted it now also loads the default theme’s global CSS/JS.

More accurate previews, including for example the Olivero font stack, background and footer showing up.
Issue #3468106, image by Dave.

Small(ish) but noteworthy

Week 15 was August 19–25, 2024.

  1. Yes, that’s the third time I’m linking to docs/data-model.md. It’s that important! ↩︎

  2. Dynamic Prop Sources are similar to Drupal’s tokens, but are more precise, and support more than only strings, because SDC props often require more complex shapes than just strings. ↩︎

  3. This is the shape matching from ~3 months ago made available to the client side. ↩︎

Categories: FLOSS Project Planets

The Drop Times: Starshot at Barcelona: 10 Sessions on Drupal CMS You Shouldn't Miss

Planet Drupal - Mon, 2024-09-09 10:00
DrupalCon Barcelona 2024 will feature 10 sessions exploring the Drupal Starshot Initiative, focusing on AI, no-code tools, and browser-based development. Learn how Starshot is shaping Drupal's future.
Categories: FLOSS Project Planets

Real Python: Python News Roundup: September 2024

Planet Python - Mon, 2024-09-09 10:00

As the autumn leaves start to fall, signaling the transition to cooler weather, the Python community has warmed up to a series of noteworthy developments. Last month, a new maintenance release of Python 3.12.5 was introduced, reinforcing the language’s ongoing commitment to stability and security.

On a parallel note, Python continues its reign as the top programming language according to IEEE Spectrum’s annual rankings. This sentiment is echoed by the Python Developers Survey 2023 results, which reveal intriguing trends and preferences within the community.

Looking ahead, PEP 750 has proposed the addition of tag strings in Python 3.14, inspired by JavaScript’s tagged template literals. This feature aims to enhance string processing, offering developers more control and expressiveness.

Furthermore, EuroSciPy 2024 recently concluded in Poland after successfully fostering cross-disciplinary collaboration and learning. The event featured insightful talks and hands-on tutorials, spotlighting innovative tools and libraries that are advancing scientific computing with Python.

Let’s dive into the most significant Python news from the past month!

Python 3.12.5 Released

Early last month, Python 3.12.5 was released as the fifth maintenance update for the 3.12 series. Since the previous patch update in June, this release packs over 250 bug fixes, performance improvements, and documentation enhancements.

Here are the most important highlights:

  • Standard Library: Many modules in the standard library received crucial updates, such as fixes for crashes in ssl when the main interpreter restarts, and various corrections for error-handling mechanisms.
  • Core Python: The core Python runtime has several enhancements, including improvements to dictionary watchers, error messages, and fixes for edge-case crashes involving f-strings and multithreading.
  • Security: Key security improvements include the addition of missing audit events for interactive Python use and socket connection authentication within a fallback implementation on platforms such as Windows, where Unix inter-process communication is unavailable.
  • Tests: New test cases have been added and bug fixes have been applied to prevent random memory leaks during testing.
  • Documentation: Python documentation has been updated to remove discrepancies and clarify edge cases in multithreaded queues.

Additionally, Python 3.12.5 comes equipped with pip 24.2 by default, bringing a slew of significant improvements to enhance security, efficiency, and functionality. One of the most notable upgrades is that pip now defaults to using system certificates, bolstering security measures when managing and installing third-party packages.

Read the full article at https://realpython.com/python-news-september-2024/ »


Categories: FLOSS Project Planets
