Feeds

FTP master

This month I accepted 235 and rejected 13 packages. The overall number of packages that got accepted was 249. I also handled lots of RM bugs and almost stopped the increase in packages this month :-). Please be aware, if you don’t want your package to be removed, take care of it and keep it in good shape!

Debian LTS

This was my hundred-fourteenth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

• [DLA 3686-1] xorg-server security update for two CVEs to fix privilege escalation
• [DLA 3686-2] xorg-server security update for one CVE to really fix privilege escalation. Unfortunately the first patches provided by upstream did not really solve the problem, so here we are in round 2
• [DLA 3699-1] libde265 security update for three CVEs to fix heap buffer or global buffer overflows
• [DLA 3700-1] cjson security update for one CVE to fix a segmentation violation
• [#1056934] Bookworm PU-bug for libde265; I could finally upload the package
• [#1056737] Bookworm PU-bug for minizip; I could finally upload the package
• [libde265]For the next round of CVEs of libde265 I prepared debdiffs for Bullseye and Bookworm and sent them to the maintainer.
• [cjson]I prepared debdiffs for Bullseye and Bookworm and sent them to the maintainer.

This month was rather calm and no unexpected things happened. The web team now automatically creates all webpages from data found in the security tracker. So I could deactivate my web-dla script again which created the webpages from the contents of the announcement mailing list.

Last but not least I also did two weeks of frontdesk duties.

Debian ELTS

This month was the sixty-fifth ELTS month. During my allocated time I uploaded:

• [ELA-1019-1]xorg-server security update for two CVEs to fix privilege escalation
• [ELA-1019-2]xorg-server security update for to really fix privilege escalation. As with the DLAs above, the first patches provided by upstream did not really solve the problem, so here we are in round 2
• [ELA 1027-1] libde265 security update for three CVEs in Stretch to fix heap buffer or global buffer overflows

Last but not least I also did two weeks of frontdesk duties.

Debian Printing

This month I uploaded a package to fix bugs:

• … cups/Bookworm to fix a bug related to color printing
• … hplip to fix a bug related to /usr-merge

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a package to fix bugs:

• … libpktriggercord to fix a /usr-merge bug
• … indi-nightscape to fix a /usr-merge bug
• … indi-ffmv to fix a /usr-merge bug
• … indi-armadillo-platypus to fix a /usr-merge bug
• … indi-orion-ssg3 to fix a /usr-merge bug
• … indi-sx to fix a /usr-merge bug

Other stuff

This month I uploaded new upstream version of packages, did a source upload for the transition or uploaded it to fix one or the other issue:

• … usb-modeswitch-data to fix a /usr-merge bug
• … libcontra it is sometimes a bit amazing what software phones home

Drupal 7 security support will end - now is the time to plan a migration to Drupal 10! Nina Holzapfel Project Manager 08.01.2024

Drupal has been a robust choice for building and maintaining websites for decades. Like all other CMS systems, technological advancements and security requirements continually evolve at rapid speed and older software versions will be taken off the market.

In January 2025 Drupal 7 will finally reach its End of Life after 14 successful years and the necessity to transition to Drupal 10 has never been more critical.
Source: Drupal 7 End of Life | Drupal.org

What does Drupal 7 End of Life mean for your business?

This means the Drupal community and the official development team will stop providing support, including crucial security patches and updates. Without these updates, weaknesses in the system remain unaddressed, leaving websites vulnerable to dangerous cyber threats and data exploitation.

46,5% of all Drupal sites are still running on version 7

Source: Usage Statistics and Market Share of Drupal, January 2024 (w3techs.com)

Your company isn't just facing a hard deadline to relaunch your new site as January 2025 grows closer. You’re also competing with a vast number of organizations just like yours that need to coordinate the same migration process.

It is important to understand that depending on the complexity of the website the migration from Drupal 7 to Drupal 10 is not just a simple update. The data structure and design need to be rebuilt and major technical updates executed. Ramsalt has migrated numerous of clients from Drupal 7 to Drupal 10 and have built a team of migration experts for a successful migration process.

Get an offer for the migration and make sure that your company stays agile and competitive:
Yngve Bergheim, yngve@ramsalt.com

Get a Drupal 10 upgrade offer
Why should you migrate from Drupal 7 to Drupal 10? 

The foremost reason to migrate from Drupal 7 to Drupal 10 lies in security. Yet, Drupal 10 brings automated updates, improved user experience, along with several other feature improvements. See our blog article: A new year, A new shiny Drupal 10 | Drupal | Ledende leverandør | Ramsalt.

Below we want to list some of the Drupal 10 highlights:

Improved content editing

CKEditor 5 update from CKEditor 4 - With a thorough rebuild and an exciting new feature set, CKEditor 5 gives Drupal 10 a modern, collaborative editor experience. Users of programs like Microsoft Word or Google Docs will be used to the new CKEditor's interface. It also offers common tools for collaboration like comments, change suggestions, version histories, and other accepted editing practices. 

CKEditor 5 in Drupal

Try it our yourself here: Feature-rich editor - CKEditor 5 demo

Gutenberg Editor - With the latest Drupal 10 update, we are capable of using the most loved content editor. Here are some key points about the Gutenberg editor in the context of Drupal:

User-Friendly Interface: Gutenberg provides a more intuitive and visual editing experience. It uses blocks to represent various content elements like text, images, and videos, making it easy for users to build and design their content layout.

Enhanced Content Creation: With Gutenberg, content creators can design more complex layouts without needing any extensive technical knowledge. It offers a wide range of customization options within each block, making it easier to design diverse and dynamic web pages, we even have our own Gutenberg landing page builder in-house. the limits are your imagination.

Responsive Design: Blocks in the Gutenberg editor are inherently responsive, ensuring that content created in Drupal looks good on all devices.

Extensibility: Just like Drupal, Gutenberg is highly extensible. Developers can create custom blocks to add new functionalities, tailored to specific needs.

Gutenberg in Drupal

Try it out for yourself: Drupal Gutenberg demo

Improved Admin and Design Themes

Drupal 10 introduces a significantly enhanced theming system, characterized by its streamlined single-directory component structure. This advancement not only boosts overall performance but also accelerates the rollout of new features. Furthermore, it offers comprehensive editing capabilities, enabling a seamless top-to-bottom customization experience. This modernized approach in Drupal 10 ensures a more efficient, user-friendly, and agile development process, catering to the evolving needs of end-users and editorial teams alike.

Improved Website Performance & Security

Drupal 10 improves your site security by including up-to-date protocols and technical dependencies such as PHP 8.2, Symfony 6.2. This means a faster and more modern website out of the box.

With enhanced dynamic caching (BigPipe) reduces page load times by invalidating only the content that has changed and therefore provides a faster and better user experience.

Drupal 10 also marks the end of Drupal 7’s jQuery. A large JavaScript library, jQuery was a powerful tool, but modern browsers perform many of the same functions. The up-to-date JavaScript used by Drupal 10 also decreases page load times and snappier behavior for the end users.

Source: Drupal 10 | Drupal.org & Drupal 10.2 is now available | Drupal.org

KDiagram 3.0.1 is an update to our charting libraries which fixes a bug in the cmake path configuration. It also updates translations and removes some unused Qt 5 code.

URL: https://download.kde.org/stable/kdiagram/3.0.1/

sha256: 4659b0c2cd9db18143f5abd9c806091c3aab6abc1a956bbf82815ab3d3189c6d

Signed by E0A3EB202F8E57528E13E72FD7574483BB57B18D Jonathan Esk-Riddell jr@jriddell.org
https://jriddell.org/esk-riddell.gpg

At the beginning of 2023, I started as a community manager for ClearlyDefined, with the goals of creating an open governance model for the project and helping the OSI to establish a neutral infrastructure to foster collaboration among multiple stakeholders. Thanks to the amazing work from our community members, a lot of progress has been made in 2023, but there’s still a lot of work ahead of us. In this post, we would like to highlight some milestones achieved this past year and acknowledge some individuals who have contributed to the project. We would also like to share a vision for 2024 and invite all organizations who care about the Open Source supply chain to become involved.

ClearlyDefined is an Open Source project and service that aims to serve as a global database of licensing metadata for every software component ever published. It was originally developed and used by Microsoft and it’s now in use at companies like GitHub, SAP, and Bloomberg, as well as Open Source projects like the Linux Foundation’s GUAC and ORT (OSS Review Toolkit). At the beginning of 2023, Open Source Initiative took over as community steward of the project.

In the first quarter, outstanding work was developed by Manny Martinez (Microsoft) in collaboration with Qing Tomlinson (SAP) to optimize ClearyDefined’s back-end, particularly the database. This work has resulted in a 10-fold decrease in terms of database size and costs.

In the second quarter, GitHub added 17.5 million package licenses sourced from ClearlyDefined to their database, expanding the license coverage for packages that appear in dependency graph, dependency insights, dependency review, and a repository’s software bill of materials (SBOM).

In the third quarter, we saw greater collaboration between GitHub and SAP spearheaded by E. Lynette Rayle and Qinq Tomlinson. They are making improvements to the documentation and  process of running a local ClearlyDefined harvest and sharing the licensing metadata with other harvesters.

In the fourth quarter, we saw various members currently using ClearlyDefined and new members alike coming together to create a unified vision for the project. Thomas Steenbergen, co-founder of ClearlyDefined and ORT, has come forward to help lead this effort. Key goals for ClearlyDefined in 2024 include:

• Publishing periodic releases and switching to semantic versioning
• Bringing dependencies up to date (in particular using the latest scancode)
• Improving the NOASSERTION/OTHER issue (please check this analysis by Aleksandrs Volodjkins to learn more)
• Advancing usability and the curation process through the UI 
• Enhancing the documentation and process for creating a local harvest

ClearlyDefined’s mission is to help organizations to collaboratively achieve accurate licensing metadata (oftentimes part of SBOMs) at scale, for each stage on the supply chain, for every build or release. If your organization is interested in achieving better compliance and security of the Open Source supply chain, please consider joining ClearlyDefined. We are still working to consolidate a roadmap for 2024, and this is a great time to join the project and learn more about how ClearlyDefined can help your organization.

The post <span class='p-name'>ClearlyDefined: recapping a year of progress and sharing a vision for 2024</span> appeared first on Voices of Open Source.

The Goal

In Drupal Commerce, carts do not have order numbers. Order numbers are not set until checkout completion, when the order is placed. If the order type has been configured with a number pattern, that pattern is used to generate the order number; otherwise the order entity ID is used. As a result, when a credit card payment is added during checkout, the cart/order may not have its final Order Number yet. For some payment gateways, this is fine--only the order entity ID is needed.

The Goal

A Drupal Commerce website may want to offer the same payment terms provided to customers purchasing products offline. If up-front payment is not required, then we need to create an option for customers to complete checkout without providing payment. Additional information may need to be collected during checkout for the "payment on account" option in lieu of a traditional payment method. For our business needs, this additional information takes the form of a Purchase Order number entered by the customer.

The Goal

When a customer completes checkout on a Drupal Commerce website, the cart order is "placed." No additional changes can be made to the order by the customer. Administrative users, with access permissions, can typically edit these "placed" orders. However, significant changes like the addition/removal or an order item or an order item quantity/pricing change can be problematic. The changes can be made, but... afterwards, things like taxes, discounts, shipping charges, etc. may not be correct.

The Goal

When a store has customers that are businesses or institutional, the standard Address field properties and formatting may not align well with actual billing and shipping addresses. For example, a business address may not include the customer's first and last name as the first line; instead, an organizational name may be used. If a contact name is included, it may be an "Attention" line. Additionally, businesses may require a line with reference or purchase order number.

The Goal

Drupal Commerce order types can be configured to email the customer a receipt when an order is placed, with or without a BCC copy sent to a specified email address. Additionally, administrative users can use a "Resend receipt" button to send a receipt to the contact email address set for the order; no copy is sent to an additional email address.

When re-sending an order receipt, administrative users may want to:

The Goal

Administrative users creating and updating orders in the backend may want to:

• Preview the order receipt before emailing customers.
• Send a copy of the order receipt to an email address other than the contact email address for the order.

Developers may want to:

• Preview the order receipt for testing purposes when working on environments with outgoing emails disabled

A Solution

We can add a button to the right of the existing, "Resend receipt" button that appears on Order View pages, like this:

The Goal

Core Drupal Commerce provides Order Receipt functionality. An Order Receipt is an email notification sent to a customer when an order is placed. It lets the customer know that the order has been received and includes a summary of the order. For each Order Type, you can turn order receipts on/off and, if enabled, specify that a copy be sent to a specific recipient.

The Drop Times is now the official media partner for Drupal Mountain Camp 2024. Expect the latest camp updates and insights exclusively from us. Stay connected for all things Drupal Mountain Camp!

Recently, Randy Fay of the DDEV project blogged about two new Docker providers available (and supported by DDEV) for MacOS: Rancher Desktop and OrbStack. Both of these join Colima and Docker Desktop as supported Docker providers for DDEV on MacOS. 

What is a Docker provider?

I know that I certainly have asked this question - more times than I care to admit. As Randy explains in the blog post:

All of the Docker Providers on every platform (except Linux) are actually wrappers on the open-source Docker/Moby project, which is supported by Docker, Inc.

In other words, in order for DDEV to talk to Docker, it needs a provider. But, not all Docker providers are created equal. Neither Docker Desktop nor OrbStack are open-source - both have free versions (with restrictions); for most commercial use cases, there is a cost involved. Colima and Rancher Desktop are both open-source.

Features vary between Docker providers as well, so it only makes sense that performance differences also exist. Fortunately, Randy has written another blog post summarizing the performance differences between the various Docker providers on MacOS.

tl;dr if you have Mutagen enabled with DDEV, then they're all pretty fast, with OrbStack having the edge.

Why switch Docker providers?

While Colima is (IMHO) heads-and-tails better than Docker Desktop for Mac, upgrading Colima itself has been a bit of a rocky road. I have learned to never assume that my databases will remain intact during a Colima upgrade. This usually isn't a deal-breaker, but for me, it is squarely in the inconvenience category.

I'm hoping that the situation is smoother with Rancher Desktop.

Getting started with Rancher Desktop

As I (currently) use DDEV on MacOS with Colima (and Mutagen enabled,) I decided to give Rancher Desktop a try, as it is an open-source option. 

Using the instructions provided by the DDEV project, I downloaded Rancher Desktop from the official site. A bit surprisingly, the recommended installation method was not Homebrew, but rather a bit of an old-school MacOS .dmg file.

After downloading Rancher Desktop (but before installing it,) the steps I took to install and change over from Colima began with:

$ ddev poweroff $ colima stop

Next, I double-clicked to install Rancher Desktop - making sure to uncheck the "Kubernetes" checkbox as the DDEV instructions suggested. I didn't touch any other settings during the Rancher Desktop install.

Once that was installed, I restarted my Terminal app, then navigated to one of my DDEV projects.

$ cd ~/sites/d10 $ docker context use rancher-desktop $ ddev start

If you haven't used it before, the docker context use rancher-desktop bit basically tells Docker which provider to use. In other words, you can have multiple providers installed (like I do with Colima and Rancher Desktop) and switch between them using the docker context use command.

With that, installation was complete. 

My experience with Rancher Desktop

In short: uneventful (in a good way)

I didn't have any issues at all - it all went very smoothly. From a performance standpoint, Drupal 10 sites feel a little bit snappier than with Colima, but this is purely qualitative, not quantitative. 

The (minor) downside

When switching Docker providers, while project code isn't touched, unfortunately, project databases don't automatically come along. In his blog post, Randy suggests using ddev snapshot --all as an initial step in the process to back up all databases. I tend to take a more piecemeal approach - individually exporting databases while using Colima, then importing them while using Rancher Desktop. For example, here's my process for moving a database from Colima to Rancher Desktop (assuming my system is currently using Rancher Desktop):

$ cd ~/sites/d10 $ ddev poweroff $ colima start $ docker context use colima $ ddev start $ ddev export-db > db-backup.sql.gz $ ddev poweroff $ docker context use rancher-desktop $ ddev start $ ddev import-db –file=db-backup.sql.gz $ ddev drush cr

Granted, it's a bit wordy, but it works for me.

So, Orbstack?

At the present time, I have no plans to test-drive Orbstack. While Randy's blog post does indicate I would experience a minor performance boost, at this time, I'd rather just stick with an open-source solution.

One of our Professional Module Development course graduates, Jay Volk, recounted his recent experience with Orbstack:

My experience is that OrbStack is really fast and while not open source (it's $8/mo.) it seems well worth the cost and I'm happy to support this project.  Orbstack will take your existing Docker settings and move them to Orbstack when starting up (it asks your permission.) This proved to be no problem for DDEV but occasionally causes problems with the other solution I sometimes need, Lando.  Easy enough, Docker can reclaim settings back from OrbStack and with a Docker restart you're good to go again with that (albeit slower) solution.

Conclusion

I wrote the first draft of this blog post about 2 weeks ago - since then I've stuck with Rancher Desktop and have no plans to go back to Colima. I'm pretty sure the performance is a bit better than Colima and I've had absolutely zero issues. The real test (for me at least) will be when it comes time to update Rancher Desktop - assuming it is a smooth experience, I doubt I'll be returning to Colima. 

Header image generated by ChatGPT-4 using the prompt: "Create a cartoon image of a cowboy lassoing a giant laptop computer using 2:1 aspect ratio". If someone could identify the two flying objects to the right of the laptop, I'd be most appreciative.

Python is always getting better, and 2023 brought a number of exciting developments. As part of the Faster CPython project, Python 3.12 is speedier than previous versions. The new release brings improved error messages and more powerful f-strings. You can also enjoy support for the Linux perf profiler, static typing improvements, and changes to subinterpreters.

The Python Software Foundation (PSF) focused on enhancing security in 2023, with the help of inaugural Security Developer-in-Residence Seth Michael Larson. As part of this comprehensive effort, PyPI completed its first security audit. Plus, the year brought new major versions of pandas, Django, and Pydantic. Another exciting development was Mojo, a superset of Python that’s specifically designed for use in machine-learning contexts.

Here at Real Python, we’ve published over a hundred written tutorials and video courses this year, plus weekly podcast episodes. Keep reading to revisit an old favorite or embark on a new learning journey. You can also check out the wrap-up podcast episode.

Join Now: Click here to join the Real Python Newsletter and you'll never miss another Python tutorial, course update, or post.

Practice Your Skills

Practice makes perfect, especially when it comes to programming. This year, the Real Python team expanded the Python Basics learning path with exercises designed to strengthen your Python skills and help you apply your knowledge in real-world scenarios.

In these courses, you can test your knowledge by completing review exercises and challenges before comparing your work to the instructors’ solutions:

• Python Basics Exercises: Numbers and Math
• Python Basics Exercises: Object-Oriented Programming
• Python Basics Exercises: Modules and Packages

By actively engaging with these exercises, you’ll solidify your understanding of Python concepts and build confidence in your programming abilities. Another way to test your knowledge is by taking quizzes, and we added several in 2023. For help along the way, be sure to join Real Python’s community chat and weekly office hours.

Customize Your Coding Environment

Your coding environment plays a crucial role in your productivity as a programmer, so it’s definitely worthwhile to explore your options and make yourself at home. That means picking the perfect editor or IDE for your use case and then tweaking how it works for you.

In these tutorials, you’ll learn how to customize your coding environment to suit your needs:

• Boost Your Coding Productivity With Ptpython
• Choosing the Best Coding Font for Programming
• JupyterLab for an Enhanced Notebook Experience

By exploring these resources, you’ll discover tools and techniques that can enhance your coding experience, making you more efficient and comfortable as you write Python code.

Read the full article at https://realpython.com/popular-python-tutorials-2023/ »

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

The Visual Layout Suite module is a great improvement of the core editorial experience leveraging Layout Builder and many contrib modules. Basicailly, it enables Layout Builder, depends on several contrib modules that improves Layout Builder and ads its custom magic.

One of the most important features is the use of utility classes allowing the configuration of the look and feel easily from the frontend with an instant preview. Additionally, it allows to restrict the utility classes a user can use, so the user is not overwhelmed by the extra options and also the look and feel of the page can be limited to be compliant with the style guide of the site. New utility classes can be easily added and components can be configured to only use a reduced set of utility classes to un clutter the UI.

VLSuite integrates with any Drupal component that integrates with Layout Builder and more: entity fields, paragraphs, Views, SDC, medias, etc. And there's no dependency on any theme, external service or certain entities. The only soft dependency is a Bootstrap 5 theme to enjoy all the VLSuite features out of the box. However, you can use any theme as long as it provides the utility classes you require. T

All the previous information means you could add VLSuite to an existing site with minimal…

I find most descriptions of WebAssembly to be uninspiring: if you start with a phrase like “assembly-like language” or a “virtual machine”, we have already lost the plot. That’s not to say that these descriptions are incorrect, but it’s like explaining what a dog is by starting with its circulatory system. You’re not wrong, but you should probably lead with the bark.

I have a different preferred starting point which is less descriptive but more operational: WebAssembly is a new fundamental abstraction boundary. WebAssembly is a new way of dividing computing systems into pieces and of composing systems from parts.

This all may sound high-falutin´, but it’s for real: this is the actually interesting thing about Wasm.

fundamental & abstract

It’s probably easiest to explain what I mean by example. Consider the Linux ABI: Linux doesn’t care what code it’s running; Linux just handles system calls and schedules process time. Programs that run against the x86-64 Linux ABI don’t care whether they are in a container or a virtual machine or “bare metal” or whether the processor is AMD or Intel or even a Mac M3 with Docker and Rosetta 2. The Linux ABI interface is fundamental in the sense that either side can implement any logic, subject to the restrictions of the interface, and abstract in the sense that the universe of possible behaviors has been simplified to a limited language, in this case that of system calls.

Or take HTTP: when you visit wingolog.org, you don’t have to know (but surely would be delighted to learn) that it’s Scheme code that handles the request. I don’t have to care if the other side of the line is curl or Firefox or Wolvic. HTTP is such a successful fundamental abstraction boundary that at this point it is the default for network endpoints; whether you are a database or a golang microservice, if you don’t know that you need a custom protocol, you use HTTP.

Or, to rotate our metaphorical compound microscope to high-power magnification, consider the SYS-V amd64 C ABI: almost every programming language supports some form of extern C {} to access external libraries, and the best language implementations can produce artifacts that implement the C ABI as well. The standard C ABI splits programs into parts, and allows works from separate teams to be composed into a whole. Indeed, one litmus test of a fundamental abstraction boundary is, could I reasonably define an interface and have an implementation of it be in Scheme or OCaml or what-not: if the answer is yes, we are in business.

It is in this sense that WebAssembly is a new fundamental abstraction boundary.

WebAssembly shares many of the concrete characteristics of other abstractions. Like the Linux syscall interface, WebAssembly defines an interface language in which programs rely on host capabilities to access system features. Like the C ABI, calling into WebAssembly code has a predictable low cost. Like HTTP, you can arrange for WebAssembly code to have no shared state with its host, by construction.

But WebAssembly is a new point in this space. Unlike the Linux ABI, there is no fixed set of syscalls: WebAssembly imports are named, typed, and without pre-defined meaning, more like the C ABI. Unlike the C ABI, WebAssembly modules have only the shared state that they are given; neither side has a license to access all of the memory in the “process”. And unlike HTTP, WebAssembly modules are “in the room” with their hosts: close enough that hosts can allow themselves the luxury of synchronous function calls, and to allow WebAssembly modules to synchronously call back into their hosts.

applied teleology

At this point, you are probably nodding along, but also asking yourself, what is it for? If you arrive at this question from the “WebAssembly is a virtual machine” perspective, I don’t think you’re well-equipped to answer. But starting as we did by the interface, I think we are better positioned to appreciate how WebAssembly fits into the computing landscape: the narrative is generative, in that you can explore potential niches by identifying existing abstraction boundaries.

Again, let’s take a few examples. Say you ship some “smart cities” IoT device, consisting of a microcontroller that runs some non-Linux operating system. The system doesn’t have an MMU, so you don’t have hardware memory protections, but you would like to be able to enforce some invariants on the software that this device runs; and you would also like to be able to update that software over the air. WebAssembly is getting used in these environments; I wish I had a list of deployments at hand, but perhaps we can at least take this article last year from a WebAssembly IoT vendor as proof of commercial interest.

Or, say you run a function-as-a-service cloud, meaning that you run customer code in response to individual API requests. You need to limit the allowable set of behaviors from the guest code, so you choose some abstraction boundary. You could use virtual machines, but that would be quite expensive in terms of memory. You could use containers, but you would like more control over the guest code. You could have these functions written in JavaScript, but that means that your abstraction is no longer fundamental; you limit your applicability. WebAssembly fills an interesting niche here, and there are a number of products in this space, for example Fastly Compute or Fermyon Spin.

Or to go smaller, consider extensible software, like the GIMP image editor or VS Code: in the past you would use loadable plug-in modules via the C ABI, which can be quite gnarly, or you lean into a particular scripting language, which can be slow, inexpressive, and limit the set of developers that can write extensions. It’s not a silver bullet, but WebAssembly can have a role here. For example, the Harfbuzz text shaping library supports fonts with an embedded (em-behdad?) WebAssembly extension to control how strings of characters are mapped to positioned glyphs.

aside: what boundaries do

They say that good fences make good neighbors, and though I am not quite sure it is true—since my neighbor put up a fence a few months ago, our kids don’t play together any more—boundaries certainly facilitate separation of functionality. Conway’s law is sometimes applied as a descriptive observation—ha-ha, isn’t that funny, they just shipped their org chart—but this again misses the point, in that boundaries facilitate separation, but also composition: if I know that I can fearlessly allow a font to run code because I have an appropriate abstraction boundary between host application and extension, I have gained in power. I no longer need to be responsible for every part of the product, and my software can scale up to solve harder problems by composing work from multiple teams.

There is little point in using WebAssembly if you control both sides of a boundary, just as (unless you have chickens) there is little point in putting up a fence that runs through the middle of your garden. But where you want to compose work from separate teams, the boundaries imposed by WebAssembly can be a useful tool.

narrative generation

WebAssembly is enjoying a tail-wind of hype, so I think it’s fair to say that wherever you find a fundamental abstraction boundary, someone is going to try to implement it with WebAssembly.

Again, some examples: back in 2022 I speculated that someone would “compile” Docker containers to WebAssembly modules, and now that is a thing.

I think at some point someone will attempt to replace eBPF with Wasm in the Linux kernel; eBPF is just not as good a language as Wasm, and the toolchains that produce it are worse. eBPF has clunky calling-conventions about what registers are saved and spilled at call sites, a decision that can be made more efficiently for the program and architecture at hand when register-allocating WebAssembly locals. (Sometimes people lean on the provably-terminating aspect of eBPF as its virtue, but that could apply just as well to Wasm if you prohibit the loop opcode (and the tail-call instructions) at verification-time.) And why don’t people write whole device drivers in eBPF? Or rather, targetting eBPF from C or what-have-you. It’s because eBPF is just not good enough. WebAssembly is, though! Anyway I think Linux people are too chauvinistic to pick this idea up but I bet Microsoft could do it.

I was thinking today, you know, it actually makes sense to run a WebAssembly operating system, one which runs WebAssembly binaries. If the operating system includes the Wasm run-time, it can interpose itself at syscall boundaries, sometimes allowing it to avoid context switches. You could start with something like the Linux ABI, perhaps via WALI, but for a subset of guest processes that conform to particular conventions, you could build purpose-built composition that can allocate multiple WebAssembly modules to a single process, eliding inter-process context switches and data copies for streaming computations. Or, focussing on more restricted use-cases, you could make a microkernel; googling around I found this article from a couple days ago where someone is giving this a go.

wwwhat about the wwweb

But let’s go back to the web, where you are reading this. In one sense, WebAssembly is a massive web success, being deployed to literally billions of user agents. In another, it is marginal: people do not write web front-ends in WebAssembly. Partly this is because the kind of abstraction supported by linear-memory WebAssembly 1.0 isn’t a good match for the garbage-collected DOM API exposed by web browsers. As a corrolary, languages that are most happy targetting this linear-memory model (C, Rust, and so on) aren’t good for writing DOM applications either. WebAssembly is used in auxiliary modules where you want to run legacy C++ code on user devices, or to speed up a hot leaf function, but isn’t a huge success.

This will change with the recent addition of managed data types to WebAssembly, but not necessarily in the way that you might think. Like, now that it will be cheaper and more natural to pass data back and forth with JavaScript, are we likely to see Wasm/GC progressively occupying more space in web applications? For me, I doubt that progressive is the word. In the same way that you wouldn’t run a fence through the middle of your front lawn, you wouldn’t want to divide your front-end team into JavaScript and WebAssembly sub-teams. Instead I think that we will see more phase transitions, in which whole web applications switch from JavaScript to Wasm/GC, compiled from Dart or Elm or what have you. The natural fundamental abstraction boundary in a web browser is between the user agent and the site’s code, not within the site’s code itself.

conclusion

So, friends, if you are talking to a compiler engineer, by all means: keep describing WebAssembly as an virtual machine. It will keep them interested. But for everyone else, the value of WebAssembly is what it does, which is to be a different way of breaking a system into pieces. Armed with this observation, we can look at current WebAssembly uses to understand the nature of those boundaries, and to look at new boundaries to see if WebAssembly can have a niche there. Happy hacking, and may your components always compose!

‘Chingam’/ചിങ്ങം (named after the first month of Malayalam calendar) is the newest libre/open source font released by Rachana Institute of Typography in the year 2024.

It comes with a regular variant, embellished with stylistic alternates for a number of characters. The default shape of characters D, O, ഠ, ാ etc. are wider in stark contrast with the shape of other characters designed as narrow width. The font contains alternate shapes for these characters more in line with the general narrow width characteristic.

Users can enable the stylistic alternates in typesetting systems, should they wish.

• XeTeX: stylistic variant can be enabled with the StylisticSet={1} option when defining the font via fontspec package. For e.g.

% in the preamble
\newfontfamily\chingam[Ligatures=TeX,Script=Malayalam,StylisticSet={1}]{Chingam}
…
\begin{document}
\chingam{മനുഷ്യരെല്ലാവരും തുല്യാവകാശങ്ങളോടും അന്തസ്സോടും സ്വാതന്ത്ര്യത്തോടുംകൂടി ജനിച്ചിട്ടുള്ളവരാണ്‌…}
\end{document}

• Scribus: extra font features are accessible since version 1.6

• LibreOffice: extra font features are accessible since version 7.4. Enable it using Format→Character→Language→Features.

• InDesign: very similar to Scribus; there should be an option in the text/font properties to choose the stylistic set.

Development

Chingam is designed and drawn by Narayana Bhattathiri. Based on the initial drawings on paper, the glyph shapes are created in vector format (svg) following the glyph naming convention used in RIT projects. A new build script is developed by Rajeesh that makes it easier for designers to iterate & adjust the font metadata & metrics. Review & scrutiny done by CVR, Hussain KH and Ashok Kumar improved the font substantially.

Download

Chingam is licensed under Open Font License. The font can be downloaded from Rachana website, sources are available in GitLab page.

I'm going to FOSDEM'24. Assuming to meet Debian and Kernel folks there, this should be a good opportunity to do PGP keysigning.

If you also go there and you're interested in keysigning: Send me your key via email to fosdem24-keysigning@kleine-koenig.org. I'll collect the keys, create a paper list for a keysigning party and send it back to you in the week before FOSDEM. The list will only be made available to other participants.

Then maybe wear a "keysigning" badge (or a crepe tape with that caption) that allows us to identify others on the list. If there are not too many who are interested, I guess that should work fine. (If this idea becomes too successful, I'd close the list after the first 100 participants.)

Future-proofing your module (and dependencies) with GitLab CI james Mon, 01/08/2024 - 19:00 Image Body

Since Drupal 8, there has been a mostly smooth migration path between major versions, so you can upgrade from 8 to 9 to 10 relatively easily.

One bump in the road can be the availability of modules for the new version. Drupal 8 and 9 were only supported for a year after the release of their successors, which didn’t help. While quite a lot of modules had a release supporting the next version quickly, there seemed to be quite a few that were very slow to update, and quite a few sites were waiting for one or two modules to release compatible versions before being able to upgrade. I think there are…

Dear Pythonistas, after many years of commitment, the current Python Montreal board of directors team has decided to pass the torch. We are now opening the doors to new, passionate members of the Python community to continue to make our organization shine.

Election calendar:

• Application period officially open
• Announcement of applications: January 22, 2024 on our social networks
• Opening of the online voting period from January 22 to 31, 2024
• Physical event to learn more about the candidates and interact with them: January 29, 2024 at MP-103
• Announcement of the new CA: February 1, 2024

If you share our passion for Python and would like to actively contribute to its development in Montréal, we invite you to fill out this application form.