FLOSS Project Planets

Tryton News: Newsletter April 2024

Planet Python - Mon, 2024-04-01 02:00

During the last month we focused on fixing bugs, improving the behaviour of things, speeding-up performance issues and adding new features for you.

Changes for the User

Sales, Purchases and Projects

When processing an exception on an order, the user can ignore the exception and so no more related lines/documents will be re-created. But in case of a mistake it was not possible to cancel the ignore. Now we allow the Sale and Purchase administrator group to edit the list of ignored lines to be able to remove mistakes. After changes to the list of ignored lines the user needs to manually reprocess the order, using the Process button, to restore it to a coherent state.

Accounting, Invoicing and Payments

Account users are now allowed to delete draft account moves.

Stock, Production and Shipments

When creating a stock forecast the warehouse is now filled in automatically.

Now the scheduled task maintains a global order of assignations for shipments and productions. A global order is important because assignations are competing with each other to get the products first.

User Interface

We now hide the traceback from an error behind an expander widget, as it may scare some users and it is not helpful for most of them.

System Data and Configuration

Employees are now activated based on the start and end date of their employment.

New Modules

The new stock_product_location_place module allows a specific place to be defined where goods are stored in their location. You can refer to its documentation for more details.

New Documentation

We reworked parts of the Tryton documentation.

How to enter in an opening balance.

We changed our documentation hub from readthedocs to self hosting.

New Releases

We released bug fixes for the currently maintained long term support series
7.0 and 6.0, and for the penultimate series 6.8.

Security

Please update your systems to take care of a security related bug we found last month.

Changes for the System Administrator

We now make cron and workers exit silently on a keyboard interrupt.

We also introduced a switch on trytond-admin to be able to delay the creation of indexes. This is because the index creation can take a long time to complete when updating modules on big databases. Using this switch the database schema can be quickly created, but will be without the performance gain from the new indexes, which are not available yet. Another run at a more appropriate time without the switch can then be used to create the indexes.

For history records we now display the date time on access errors.

Changes for Implementers and Developers

We now use dot notation and binary operators when converting PYSON to a string when it is to be displayed to the user.

Authors: @dave @pokoli @udono


Categories: FLOSS Project Planets

Salsa Digital: Mastering Drupal migration: Guide to seamless website upgrades

Planet Drupal - Mon, 2024-04-01 00:44
Drupal as a CMS: Your go-to CMS for a seamless digital experience

In today's digital age, a robust and efficient content management system (CMS) is key for a seamless user experience. Drupal, known for its flexibility, scalability and customisation options, has emerged as one of the most popular CMS platforms for website development. As a CMS, Drupal allows you to create, organise and manage your website's content effortlessly. It also provides a user-friendly interface and a wide array of features that ensure a smooth and efficient content creation and management process. Read on for tips and tools for your Drupal migration, or reach out to us now for customised help with your migration.

Why choose Drupal CMS?

Junichi Uekawa: Learning about xz and what is happening is fascinating.

Planet Debian - Sun, 2024-03-31 18:02
Learning about xz and what is happening is fascinating. The scope of the potential exploit is very large. The open source software space is filled with a lot of unmaintained and unreviewed software.


parallel @ Savannah: GNU Parallel 20240322 ('Sweden') released [stable]

GNU Planet! - Sun, 2024-03-31 17:11

GNU Parallel 20240322 ('Sweden') has been released. It is available for download at: lbry://@GnuParallel:4

Quote of the month:

   GNU parallel ftw
    -- hostux.social/@rmpr @_paulmairo@twitter

New in this release:

  • Bug fixes and man page updates.


GNU Parallel - For people who live life in the parallel lane.

If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.


About GNU Parallel


GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.

If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.

GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.

For example you can run this to convert all jpeg files into png and gif files and have a progress bar:

  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif

Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:

  find . -name '*.jpg' |
    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200

You can find more about GNU Parallel at: http://www.gnu.org/s/parallel/

You can install GNU Parallel in just 10 seconds with:

    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \
       fetch -o - http://pi.dk/3 ) > install.sh
    $ sha1sum install.sh | grep 883c667e01eed62f975ad28b6d50e22a
    12345678 883c667e 01eed62f 975ad28b 6d50e22a
    $ md5sum install.sh | grep cc21b4c943fd03e93ae1ae49e28573c0
    cc21b4c9 43fd03e9 3ae1ae49 e28573c0
    $ sha512sum install.sh | grep ec113b49a54e705f86d51e784ebced224fdff3f52
    79945d9d 250b42a4 2067bb00 99da012e c113b49a 54e705f8 6d51e784 ebced224
    fdff3f52 ca588d64 e75f6033 61bd543f d631f592 2f87ceb2 ab034149 6df84a35
    $ bash install.sh

Watch the intro video on http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1

Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.

When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2018): GNU Parallel 2018, March 2018, https://doi.org/10.5281/zenodo.1146014.

If you like GNU Parallel:

  • Give a demo at your local user group/team/colleagues
  • Post the intro videos on Reddit/Diaspora*/forums/blogs/Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
  • Get the merchandise https://gnuparallel.threadless.com/designs/gnu-parallel
  • Request or write a review for your favourite blog or magazine
  • Request or build a package for your favourite distribution (if it is not already there)
  • Invite me for your next conference


If you use programs that use GNU Parallel for research:

  • Please cite GNU Parallel in your publications (use --citation)


If GNU Parallel saves you money:



About GNU SQL


GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.

The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.

When using GNU SQL for a publication please cite:

O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.


About GNU Niceload


GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.
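
The install snippet in the GNU Parallel announcement above pipes each checksum through grep and runs the installer as a separate command, so nothing stops the run if a grep prints nothing. As an added example (not code from the GNU Parallel project), this POSIX shell helper accepts a SHA-512 digest in the same space-grouped form the announcement prints and runs the file only on an exact, full-length match; the function names and the sample installer are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed digest check before running a downloaded script.
# Function names are hypothetical; the sample installer in demo() is constructed.

# normalise_digest DIGEST...
# Joins space/newline separated groups ("79945d9d 250b42a4 ...") into one
# lowercase hex string.
normalise_digest() {
    printf '%s' "$*" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# verify_sha512 FILE DIGEST...
# Returns 0 only when FILE's SHA-512 equals DIGEST exactly.
#   1 = mismatch, 2 = file missing, 3 = digest is not 128 hex characters
verify_sha512() {
    vs_file=$1
    shift
    vs_expected=$(normalise_digest "$@")
    [ -f "$vs_file" ] || return 2
    case $vs_expected in
        *[!0-9a-f]*) return 3 ;;
    esac
    # A shortened digest (a substring that grep would accept) is rejected.
    [ "${#vs_expected}" -eq 128 ] || return 3
    vs_actual=$(sha512sum "$vs_file" | cut -d' ' -f1)
    [ "$vs_actual" = "$vs_expected" ]
}

# run_if_verified FILE DIGEST...
# Hands FILE to sh only after verify_sha512 succeeds; otherwise returns the
# verification status and runs nothing.
run_if_verified() {
    if verify_sha512 "$@"; then
        sh "$1"
    else
        rif_status=$?
        echo "refusing to run $1: digest check failed ($rif_status)" >&2
        return "$rif_status"
    fi
}

# demo: a constructed installer is checked against its own digest, then
# against the same digest after the file has been modified.
demo() {
    d_dir=$(mktemp -d) || return 1
    printf 'echo "installer ran"\n' > "$d_dir/install.sh"
    # Regroup the digest into 8-character blocks, as in the announcement.
    d_digest=$(sha512sum "$d_dir/install.sh" | cut -d' ' -f1 | sed 's/......../& /g')
    d_out=$(run_if_verified "$d_dir/install.sh" "$d_digest")
    printf 'echo "extra line"\n' >> "$d_dir/install.sh"
    if run_if_verified "$d_dir/install.sh" "$d_digest" 2>/dev/null; then
        d_out="$d_out / tampered file ran"
    else
        d_out="$d_out / tampered file blocked"
    fi
    rm -rf "$d_dir"
    printf '%s\n' "$d_out"
}

demo
```

The digest to compare against has to come from a channel other than the one that served the script; a digest fetched alongside the file only detects corruption.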


Russell Coker: Links March 2024

Planet Debian - Sun, 2024-03-31 08:51

Bruce Schneier wrote an interesting blog post about his workshop on reimagining democracy and the unusual way he structured it [1]. It would be fun to have a security conference run like that!

Matthias wrote an informative blog post about Wayland “Wayland really breaks things… Just for now” which links to a blog debate about the utility of Wayland [2]. Wayland seems pretty good to me.

Cory Doctorow wrote an insightful article about the AI bubble comparing it to previous bubbles [3].

Charles Stross wrote an insightful analysis of the implications if the UK brought back military conscription [4]. Looks like the era of large armies is over.

Charles Stross wrote an informative blog post about the Worldcon in China, covering issues of vote rigging for location, government censorship vs awards, and business opportunities [5].

The Paris Review has an interesting article about speaking to the CIA’s Creative Writing Group [6]. It doesn’t explain why they have a creative writing group that has some sort of semi-official sanction.

LongNow has an insightful article about the threats to biodiversity in food crops and the threat that poses to humans [7].

Bruce Schneier and Albert Fox Cahn wrote an interesting article about the impacts of chatbots on human discourse [8]. If it makes people speak more precisely then that would be great for all Autistic people!


Go Deh: Finding a sub-list within a list, in Python

Planet Python - Sun, 2024-03-31 06:15

   

 

Existing?

As part of a larger project, I thought I might need to search for a sub-list within a given list, and because I am lazy I did a quick google and did not like the answers I found.

I started with the thought that the best algorithm for me would be to start searching from the index of the first item in the sublist and so on, but none of the googled answers used list.index.

I decided then to create my own.

My version

Well I want to use list.index. If the item is not in the list then it raises an error, so I'll need a try-except block too.

I look for successive first item from the sub-list in the list and if found, accumulate the index in the answer and move on to search for the next match.

It seemed easy to add flags to:

  1. Stop after finding a first index of the sub-list in the list.
  2. Allow overlapping matches or not. [1,0,1] is found twice in [1,0,1,0,1] at indices 0 and 2, but only once if overlapping is not allowed.

    #!/bin/env python3
    #%%
    from typing import Any

    """Find instance of a sub-list in a list"""

    def index_sublist(lst: list[Any],
                      sublst: list[Any],
                      only_first: bool=False,
                      non_overlapping=False,
                      ) -> list[int]:
        "Find instance of a (non-empty), sub-list in a list"
        if not sublst:
            raise ValueError("Empty sub-list")
        if not lst:
            return []

        first, ln = sublst[0], len(sublst)
        ans, i = [], 0
        while True:
            try:
                # Jump straight to the next occurrence of the first item.
                i = lst.index(first, i)
            except ValueError:
                break
            if lst[i: i+ln] == sublst:
                ans.append(i)
                if only_first:
                    break
                # Skip the whole match when overlaps are not allowed.
                i += ln if non_overlapping else 1
            else:
                # No match at this position: resume from the next index.
                i += 1

        return ans

    #%%
    def test():
        assert index_sublist([], [1], only_first=False) == []
        assert index_sublist([1], [1], only_first=False) == [0]
        assert index_sublist([1,0,1], [1], only_first=False) == [0, 2]
        assert index_sublist([2,1,0,1], [1], only_first=True) == [1]
        assert index_sublist([2,1,0,1], [1, 3], only_first=False) == []

        assert index_sublist([1,0,1,0,1], [1,0,1],
                             only_first=False,
                             non_overlapping=False) == [0, 2]
        assert index_sublist([1,0,1,0,1], [1,0,1],
                             only_first=False,
                             non_overlapping=True) == [0]

    #%%
    if __name__ == '__main__':
        test()

End.

 


What is Fedora? Everything you need to know...

Planet KDE - Sun, 2024-03-31 05:37
Along with openSUSE, Arch and Debian, Fedora is one of the "big four" Linux distributions. It traces its origins to Red Hat Linux, the original RPM-based distribution.

Fedora is known for cutting-edge technologies, the latest software and frequent updates. It is also one of the few major distributions that embrace vanilla GNOME. Lately, the distribution has become more user-friendly, with a welcome screen, Flatpak support and the option to enable third-party repositories during setup.

History of Fedora

Fedora's history runs parallel to Red Hat's. The distribution was originally known as "Fedora Linux", then "Fedora Core", before finally settling on Fedora.

Fedora Linux was a third-party repository for the original Red Hat Linux, while Fedora Core was a free, community-maintained version of Red Hat Enterprise Linux. Today, Fedora is upstream of Red Hat Enterprise Linux and serves as a good preview of what is coming in the "paid" Workstation version.

Although it is a community project, Fedora is evidently funded by Red Hat, which is now owned by IBM.

Notable features of Fedora

With such a long history, Fedora's achievements are countless. Fortunately, this distribution has plenty going for it right now, so there is no need to go back to ancient history for the highlights.

1. Ships with unmodified GNOME by default

One of Fedora's biggest advantages is that it ships with unmodified GNOME.

You would think that because GNOME is one of the "big two" Linux desktop environments and so many distributions use it, GNOME would be the same everywhere, but no. Today, most distributions that ship GNOME include many modifications that try to make GNOME conform to the GUI conventions of the '90s.

Fedora does not do this. Instead, it provides one of the "purest" and most up-to-date examples of GNOME.

2. User-friendly

While many distributions go out of their way to help new users with graphical installers and welcome screens, nobody really expected Fedora to do the same. But it did. Fedora supports Flatpak out of the box in addition to RPM files.

In addition, you can enable third-party repositories during installation. During installation, you are greeted by a helpful, linear welcome screen that explains the basics of the user interface, gestures and shortcuts.

3. Offers cutting-edge software

Fedora is updated every six months and has no LTS release, so you always get the latest updates, and the latest release is always the flagship release.

Beyond frequent upgrades, Fedora beats most of its rivals in shipping cutting-edge open source software by default. It was the first major distribution to switch from X11 to Wayland and from PulseAudio to PipeWire.

4. Fedora is reliable

You don't often see a distribution that is reliable and carries cutting-edge software at the same time.

When Fedora introduces fundamental changes, such as the examples above, it is a good sign that these technologies are finally mature. You then see other distributions slowly follow.

If you want to live on the edge, there are development versions of Fedora such as Rawhide.

Fedora editions

Fedora offers three regular editions and three official "emerging editions". However, only two of these six are for everyday use by an end user. We will skip the server- and IoT-focused "flavours".

1. Workstation

Fedora Workstation is the project's flagship edition. It features the latest current stable GNOME release and Flatpak support out of the box.

Download: Fedora Workstation (free & open source)

2. Silverblue

The emerging edition Fedora Silverblue is an "immutable" variant of Fedora Workstation. The main difference is that users are likely to run into problems installing RPMs, as Flatpak is Silverblue's native package format.

Download: Fedora Silverblue (free & open source)

3. Kinoite

Kinoite is an up-and-coming edition of Fedora that does not yet appear on the home page. Kinoite is simply a KDE Plasma-"flavoured" alternative to Silverblue.

Download: Fedora Kinoite (free & open source)

4. Sericea

The popular tiling window manager Sway is offered by Fedora Sericea in an "immutable" way. It makes Sway approachable and interesting to both new and experienced users who prefer not to interact with their environment through a mouse, touchpad or other pointing device. Fedora Sericea offers a complete experience with a simple user interface and includes lightweight applications for web browsing, text editing and media playback.

Download: Fedora Kinoite (free & open source)

Fedora Spins

Like many distributions, Fedora offers a variety of alternatives with a variety of desktop environments. Fedora calls these variants "Spins".

1. KDE Plasma Desktop

Fedora's KDE Plasma Spin leaves most KDE defaults intact, changing only the wallpaper and the application launcher icon and enabling double-click to open/launch.

Download: Fedora KDE Plasma Desktop Spin (free & open source)

2. XFCE Desktop

The Fedora XFCE Spin uses the traditional BSD/Mac-style interface layout. It looks very nice for a lightweight desktop environment.

Download: Fedora XFCE Desktop Spin (free & open source)

3. Cinnamon Desktop

Surprisingly, Fedora offers Cinnamon, a Linux Mint product.

Here Cinnamon features Fedora branding, a blue accent colour and a thin taskbar, and mostly lacks Mint's XApps. Despite these changes, it is refreshing to see Cinnamon used differently than in Linux Mint.

Download: Fedora Cinnamon Desktop Spin (free & open source)

4. MATE-Compiz Desktop

Stuck in time? The Fedora MATE-Compiz Spin is perfect for those who long for the glory days of GNOME 2 Ubuntu and flashy desktop effects.

Download: Fedora MATE-Compiz Desktop Spin (free & open source)

5. i3 Tiling Window Manager

Yes, Fedora even has a tiling window manager spin, so now you too can post on r/unixporn. Joking aside, i3 is one of the most popular tiling WMs and a perfect starting point for getting into the world of keyboard-driven tiling WMs.

This category of computers offers superior display performance, lower system cost and increased speed of user interaction through keyboard-based shortcuts.

Download: Fedora i3 Tiling WM Spin (free & open source)

6. Sway Tiling Window Manager

The Fedora Sway Spin provides the popular tiling window manager Sway. It makes Sway accessible and appealing to both beginners and advanced users who prefer not to use a mouse, touchpad or other pointing device to interact with their environment. Featuring lightweight applications for web browsing, text editing and media playback, the Fedora Sway Spin offers a complete experience with a minimalist user interface.

Download: Fedora Sway Tiling WM Spin (free & open source)

7. LXQt Desktop

Not stopping at the "big three" desktop environments, Fedora also offers LXQt. This Qt-based alternative to LXDE provides a simple experience that resembles Windows XP.

Download: Fedora LXQt Desktop Spin (free & open source)

8. Budgie Desktop

The Fedora Budgie Spin showcases Budgie Desktop, a feature-rich, modern desktop. This Spin is designed to align closely with upstream Budgie Desktop, providing a near-vanilla experience with a curated set of default applications that best fit Budgie.

Download: Fedora Budgie Desktop Spin (free & open source)

9. SOAS (Sugar on a Stick)

Having exhausted all the desktop environments you have heard of, Fedora continues to impress with the Fedora SOAS spin. You may know it better as Sugar on a Stick, which, as its name suggests, is Sugar on a bootable USB stick.

The early-learning desktop environment became widely known when it was chosen as the operating system for the OLPC (One Laptop per Child) project.

Download: Fedora SOAS Spin (free & open source)

10. Phosh

The Phosh spin provides a mobile-friendly, touch-based interface. It is built for portable devices such as phones and tablets, as well as laptops with touchscreens.

Phosh lets you use a touch-based device to quickly launch and switch applications, as well as handy settings such as the battery level and the low-voltage signal strength.

Behind this desktop is the entire Fedora package collection, which you can install and use as you see fit. Phosh is built on Wayland and other modern GNOME desktop technologies.

Download: Fedora Phosh Spin (free & open source)

Who is Fedora for?

Fedora is not only an original distribution, it has also become quite user-friendly in recent years. This is a rare combination, as Arch is arguably not user-friendly and Debian only added a graphical installer a few years ago.

If you are a GNOME fan, Fedora is the only major distribution that ships an up-to-date version of vanilla GNOME. Mac users and younger people who grew up with mobile devices may also appreciate GNOME. And laptop users will fall in love with Wayland's touchpad gestures for workspace control.

Armin Ronacher: Skin in the Game

Planet Python - Sat, 2024-03-30 20:00

There was a bit of a kerfuffle about subverting open source projects recently. That incident made me think about something that's generally on my mind. That thought again was triggered by that incident but is otherwise not in response to it. I want to talk about some of the stresses of being an Open Source contributor and maintainer but specifically about something that I have been unsure about over the years: anonymity and pseudonymity.

Over the years it has been pretty clear that some folks are contributing in the Open Source space and don't want to have their name attached to their contributions. I'm not going to judge if they have legitimate reasons for doing so or if pseudonymity is a good or bad thing. That it is happening is simply a fact of life. The consequences of that however are quite interesting and I think worth discussing.

When I talk about names, I primarily think about the ability to associate an online handle and a contribution to a real human being. That does not imply that it should be necessarily trivial for people to find that information, but it should be something that is at least in principle possible. There is obviously a balance to all of this, but given that there are real consequences to “doing stuff on the internet” there has to be a way to get in contact with the person behind it. So as far as “naming a person” here is concerned it's not so much about a particular name, but as in being able to identify the human being behind it.

While we might get away with believing nothing on the internet matters and laws do not apply, that's not really true. In fact particularly with Open Source we're all leveraging copyright laws and the ability to enforce contracts to work together. And no matter how much we write “THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES” not all legal consequences can be waived.

Which leads me to some development in internet anonymity I have observed over the last 20 years which I find worth reflecting on. When I got started with Open Source, pseudonyms felt much less common. The distance to the legal system at least to me felt much closer than today. I give you a handful of examples of this:

  • When I got started doing stuff on the internet and you did something really stupid, someone called your ISP and you had an angry conversation. Because the subscriber of that line was known. A lot of the systems on the earlier internet were based on a lot more trust than would be acceptable today. An angry ISP was not the worst that would happen to you, a lot of people got charged with wire-fraud for things that today are just being ignored because they have become too commonplace (like probably most DDOS attacks these days).
  • When I created my first SourceForge account, the “real name” field was not optional, CLAs talked about names and asked for signatures.
  • When my stuff was packaged up in Debian some of the first things that came my way were folks explaining to me some legal stuff about licenses I was unaware of before.
  • After I started getting involved with Ubuntu I went to a key signing party where I showed my passport to other human beings to demonstrate that I exist.
  • When I became a Python core contributor I signed a physical paper for the CLA.

A lot of this feels quite untypical today. We no longer do a lot of these things and I believe it mostly just works because people don't go to court much about Open Source projects any more. It probably also works because over time Open Source became more established. If you contribute via GitHub today, even the terms of service probably help resolving copyright issues by being quite explicit about how contributions to public repositories happen (you contribute under the license of the repository).

But sometimes people do go to court. Open Source projects in many ways are an unclear amalgamation of different contributions and we just collectively hope that we all agree that contributions come in under the same licenses as the file in the root of the project. The Linux kernel once did not accept contributions from pseudonymous users. It did so for good reasons. They need to know who the person is that contributes so they know what to do in case of a licensing conflict and there was more than one lawsuit involving Linux. This was true even after the DCO was put in place. Today, pseudonyms are accepted. Not just in Linux, but also in many large projects. An example of that is the CNCF which found a nice middle ground on the name and what you sign off with: “A real name does not require a legal name, nor a birth name, nor any name that appears on an official ID (e.g. a passport). Your real name is the name you convey to people in the community for them to use to identify you as you.”

Most important however is this part: “Your real name should not be an anonymous id or false name that misrepresents who you are.” The need of getting in contact with the person exists and did not go away. It always existed and it quite likely will continue to exist. There are good reasons why you want to know who the person is. Maybe the person contributed code they did not own the copyright of, maybe their employer writes you an angry email. Concerns about licensing are a common reason for why people want to know who the people are that contribute. Maybe sanctions or other legal restrictions prevent accepting contributions from that person. Another reason you might need to get in contact with the author is to change the license. You might remember that a lot of projects tried to move from GPL v2 to GPL v2 or later. A change that required the agreement of every person that contributed before. Reaching out to people sometimes is not the easiest of tasks.

However in addition to pseudonymous contributions, there is also a sharp increase of anonymous contributions. Particularly thanks to GitHub pull requests it's incredibly common that you get commits now from folks whose only identity is a made up user name, no visible email address and some default avatar that GitHub generated.

This is not necessarily a problem, but to me it feels like a trend that I'm not sure how to work with. It creates a somewhat complex form of interaction where one person might be out in the open, the other person might be entirely anonymous. Many of us old timers who went into Open Source in former times have a pretty well established online identity (either via a “real name” or pseudonym). I also think that many of us who are in this for a while feel quite a bit of stress and responsibility for the things we created, at least that is very much true for me. Multiple times over the years did I hear or read online that a person chooses to contribute anonymously is because their employer bans Open Source work. One the one hand it's great that people find a way to avoid these restrictions, on the other hand if that ever gets found out you probably are going to have some unfriendly talks with someone else's legal team. While in practice none of my code is important enough that I think something like this will happen, I can absolutely see this happen to large Open Source projects where a rogue employee contributes on their employer's time or otherwise proprietary code.

I have a heard the sentiment a few times now that one should vet the contributions, not the contributors. That's absolutely true. Yet at the same time many of us are quite frankly assuming good actors and just happy to get contributions. We sometimes merge pull requests not in the best state of mind, sometimes we feel pressured. It can be quite hard to spot back doors and hostile commits, particularly if the other side is sufficiently motivated. But here is the thing: you know who I am, I do not know who a lot of the people are that send pull requests against my libraries. An asymmetry I need to work with.

What motivates me to write this, is that I feel quite a bit of asymmetry in contributions these days. It's a lot easier to contribute to Open Source these days and that's a good thing. But it also comes at a cost. It's impossible to find yourself having become a critical piece of software deployed all over the world by accident. Your users update to the latest version of your code without any vetting on their own. Yet the brunt of the responsibility falls on you, the person associated with the project. A person that might be known. Yet a lot of the contributions are random people, and you might not have a good change to identify them. Sometimes it's not even the contributions, it's already anonymous users on the issue trackers that increase that pressure.

I find that environment at times to be emotionally stressful, much more than it has been. I don't even maintain particularly popular pieces of Open Source libraries these days but I still feel much more stressed about that experience than years ago and a pretty big element of it is that I feel that a lot of the issues and commits are from people who show up once and then leave. Maybe it's because I'm older, or because I also have other things in my life than Open Source, but the situation is what it is.

Which brings me back to the identity thing. It's probably great for a lot of people that their online identity is not clearly linked to the real world identity. What I find less great is that with this loss of real identity many of the real world legal consequences are then stuck with me, a person that can be identified. I don't assume that knowing who the folks are that contribute will solve any problems, mind you. While I do have some probably unrealistic hope that law enforcement agencies would find it a bit easier to get involved if they can better identify a bad actor, I'm not even sure if they find much of an interest to get involved in the first place. To me, it's mostly a peace of mind thing.

Everybody's contribution into one's projects turns into a permanent liability in a way. I take responsibility for someone else's commit the moment I press the merge button. While many of those contributions are benign no matter what, you do start to trust repeated contributors after a while. A well established identity on the internet creates a form of inner peace, handing over a project more and more to a person you don't know less so. Yet it can happen absolutely gradually. Maybe verified identities are an illusion, but sometimes these illusions are all that's needed to feel more relaxed.

I don't think we should force people to have a real world identity on the internet, but we also have to probably take a step back and look at how we came here and if we like it this way. In a sense this is a generic rant about missing the “good old times” (that probably never were), where people talked to each other eye to eye. Instead more and more, interactions on the internet feel like they are happening with faceless figures you will probably never ever meet, see, talk or write to.

So what's left? I don't know. Neither do I know if this is a problem that only I feel, nor do I know a solution to it if it was one. All I can say is that I find Open Source stressful in more than one way these days.

Categories: FLOSS Project Planets

My work in KDE for March 2024

Planet KDE - Sat, 2024-03-30 20:00

I didn’t work much on KDE for the first half of March, but still managed to squeeze out some good features and bugfixes. I’m also starting on the Wayland grant work I teased soon, so look forward to news on that next month.

Plasma

Bugfix The text and buttons are now centered in KCMs that launch external applications, such as the System Monitor in KInfoCenter. 6.1

What the System Monitor KCM looks like now

Bugfix Fix numerous spacing and layout issues in the Date & Time KCM. 6.1

Now it looks nice and centered, and there’s less “mystery spacing”

Bugfix Actually disable the calendar in the Date & Time KCM when NTP is enabled. Basically fixing the bug you see in the above screenshot where the date picker is still enabled. 6.1

Bugfix (Haven’t been able to continue it yet) but disable the searchbox and filter actions when there’s no command output. If you don’t have the “aha” installed you shouldn’t be able to search for non-existent text under “Firmware Security”. 6.1

Bugfix In the Bluetooth KCM, “game controllers” are now called as such where it was previously “joypads”. 6.1

Note that it’s “Game controller” in the final version

Bugfix The same device type names used in the Bluetooth KCM are now used in its applet.

Better device names? Yay!

Tokodon

Feature Added an alert badge for pages in the sidebar. Currently only used for follow requests, but plan on adding it on other pages soon. 24.05

The new alert system being used

Feature Allow popping out the status composer on desktop. This allows you to compose toots while doing something else in the application, like browsing or searching for the correct hashtag. 24.05

Now you can write your status in a separate window

Bugfix I implemented more key navigation fixes. This set of fixes is centered around interacting with media attachments. There’s still a long way to go before you can use Tokodon from a keyboard alone, but it’s getting there. 24.05

Bugfix Ported from Qt5Compat.GraphicalEffects. I usually don’t mention boring refactors, this one is special. Volker found that this old GraphicalEffects module eats up 4 MB of storage on Android so this is a pretty big win! 24.05

Bugfix Numerous UnifiedPush notification fixes. It’s not perfect yet, but much better than it was before. 24.02

NeoChat

Bugfix Simple change, I made the tabs in the developer tools full-width. 24.05

Perfectly balanced

Bugfix Now lonely question marks are excluded from links as they should be. Websites that don’t handle this will throw up an error instead, so this eliminates lots of user error. 24.02

Now I can actually click these!

Bugfix Fixed the quick format bar not working. 24.02

PlasmaTube

Lots of small UX changes this month. Including moving more actions to the header, reducing video title duplication and more. I can’t make a good screenshot right now because Invidious is currently broken due to Google’s changes. 24.05

Kirigami

Bugfix I did a little digging on where one of the color roles came from, and now noted where the disabled text color comes from (on KDE Plasma). Still needs approval though 🙂 6.1

Bugfix (Not approved yet) Stop the back button from appearing even when we explicitly requested it gone. 6.1

Documentation

Note that Plasma Framework is now libplasma in the Breeze README. 6.1

Clarify that the default alignment for Kirigami’s ActionToolbar is AlignLeft, not AlignRight. 6.1

That’s all for this month!


Plasma 6 and me

Planet KDE - Sat, 2024-03-30 20:00

I'm a bit late to the train of Plasma 6 related posts... But anyway. I will go through some things I did.

For me working on Plasma 6 was pretty fun, I learned a lot of new things and fixed a bunch of bugs and crashes.

The most resourceful ones can find my merge requests, but I am too lazy to link them all.

Things I did

Most of the things I did were a lot more in the background. I hunted down a lot of bugs and crashes, and tried to fix them myself or helped others fix them, in various projects, such as:

  • Dolphin
  • Plasmashell
  • Kwin
  • KNS
  • And probably a lot more I have already forgotten... :D

But there was A LOT of stuff: Around 100 merge requests in total! Pretty much all of them got in, thanks to all the reviews and education other KDE developers provided to me! :)

Again, thanks to everyone who has helped me to work on KDE projects! Thanks for your patience with me and all the knowledge you have imparted to me. ❤️ I'll keep doing my best helping KDE projects, be it bug hunting or feature creation.

I have to say my software testing background has been very useful when it comes down to hunting down bugs, and I've learned a lot of things about Qt, C++ and QML. Still got much more to learn though, but that's what makes me so excited about programming!

I think one of the most useful things I've learned is how to use GDB. I can't provide anyone a crash course (at least in this blog post) but it is essential when hunting down weird bugs in plasmashell for example. I love debuggers integrated to editors like using LLDB-DAP in Kate, but sometimes GDB in terminal is all you can use, so it's a good idea to learn to use it!

One big thing I worked on with others was fractional scaling related stuff: I didn't do any of the Kwin stuff around it, but I hunted down some weird bugs with window decorations having some weird gaps in them when windows are a specific size. Hunting down all these bugs and weirdness took a long time, and we're still looking into it, since it seems to be different in every system.. Floating point numbers and computers are a very weird combo.

Another more visible thing I did was unifying separator colors and other items, you can find an issue about it here: Frame and outline color consistency and high-contrast setting changes. I have been bothered by the random differences between some elements, which can be especially noticeable in darker colorschemes, so I finally sat down and combed through related codebases. There's likely more to fix though, but there is now an easy way for us to add high-contrast support for outlining elements! It just needs doing, and I haven't had the time.. Yet. :)

Things I learned

  • GDB is a life saver
  • Write down notes. All the time.
    • Journaling is a good idea!
  • Working in open source is a lot about the social aspects!
    • Be nice to people! Duh!
    • But also don't let people walk over you!
    • Listen to others, and don't be afraid to share your opinion.
    • Ask many questions and write down the answers.
  • Be patient
  • Bug triaging is tough, but very important!
  • Remember to rest (I'm bad at this)

Things I will do in future

I will continue hunting down various bugs and crashes and fixing them whenever I spot some, or something is raised to me as "hey this looks like something you could do."

I have also started working on a couple of things related to remote desktop:

Last but not least, I have looked into facelifting our dear Breeze theme, just a lil bit. Nothing drastic, some tell me they don't see any change and some do. But hopefully it would make Breeze look just a lil bit "softer" and "friendlier." :) You can see them here: Slightly rounder elements, slightly lighter outlines

All in all I am very happy with my current job working on KDE projects, fixing bugs and creating new cool things. I also kind of enjoy being a jack-of-all-trades (master of none), since I get to do a lot of different kinds of stuff, from something more "background" like KWin and plasmashell to something more visible like Breeze and Dolphin. Maybe eventually I will specialize around something, but for now I am a bit all over the place which is fine by me lol.

I hope that some of my work has helped you as well. :)

I'll keep doing my best and learning more. (And hopefully write more blogposts.. lol.)

Thanks for reading!


Glyph Lefkowitz: Software Needs To Be More Expensive

Planet Python - Sat, 2024-03-30 19:00
The Cost of Coffee

One of the ideas that James Hoffmann — probably the most influential… influencer in the coffee industry — works hard to popularize is that “coffee needs to be more expensive”.

The coffee industry is famously exploitative. Despite relatively thin margins for independent café owners[1], there is no shortage of horrific stories about labor exploitation and even slavery in the coffee supply chain.

To summarize a point that Mr. Hoffmann has made over a quite long series of videos and interviews[2], some of this can be fixed by regulatory efforts. Enforcement of supply chain policies both by manufacturers and governments can help spot and avoid this type of exploitation. Some of it can be fixed by discernment on the part of consumers. You can try to buy fair-trade coffee, avoid brands that you know have problematic supply-chain histories.

Ultimately, though, even if there is perfect, universal, zero-cost enforcement of supply chain integrity… consumers still have to be willing to, you know, pay more for the coffee. It costs more to pay wages than to have slaves.

The Price of Software

The problem with the coffee supply chain deserves your attention in its own right. I don’t mean to claim that the problems of open source maintainers are as severe as those of literal child slaves. But the principle is the same.

Every tech company uses huge amounts of open source software, which they get for free.

I do not want to argue that this is straightforwardly exploitation. There is a complex bargain here for the open source maintainers: if you create open source software, you can get a job more easily. If you create open source infrastructure, you can make choices about the architecture of your projects which are more long-term sustainable from a technology perspective, but would be harder to justify on a shorter-term commercial development schedule. You can collaborate with a wider group across the industry. You can build your personal brand.

But, in light of the recent xz Utils / SSH backdoor scandal, it is clear that while the bargain may not be entirely one-sided, it is not symmetrical, and significant bad consequences may result, both for the maintainers themselves and for society.

To fix this problem, open source software needs to get more expensive.

A big part of the appeal of open source is its implicit permission structure, which derives both from its zero up-front cost and its zero marginal cost.

The zero up-front cost means that you can just get it to try it out. In many companies, individual software developers do not have the authority to write a purchase order, or even a corporate credit card for small expenses.

If you are a software engineer and you need a new development tool or a new library that you want to purchase for work, it can be a maze of bureaucratic confusion in order to get that approved. It might be possible, but you are likely to get strange looks, and someone, probably your manager, is quite likely to say “isn’t there a free option for this?” At worst, it might just be impossible.

This makes sense. Dealing with purchase orders and reimbursement requests is annoying, and it only feels worth the overhead if you’re dealing with a large enough block of functionality that it is worth it for an entire team, or better yet an org, to adopt. This means that most of the purchasing is done by management types or “architects”, who are empowered to make decisions for larger groups.

When individual engineers need to solve a problem, they look at open source libraries and tools specifically because it’s quick and easy to incorporate them in a pull request, where a proprietary solution might be tedious and expensive.

That’s assuming that a proprietary solution to your problem even exists. In the infrastructure sector of the software economy, free options from your operating system provider (Apple, Microsoft, maybe Amazon if you’re in the cloud) and open source developers, small commercial options have been marginalized or outright destroyed by zero-cost options, for this reason.

If the zero up-front cost is a paperwork-reduction benefit, then the zero marginal cost is almost a requirement. One of the perennial complaints of open source maintainers is that companies take our stuff, build it into a product, and then make a zillion dollars and give us nothing. It seems fair that they’d give us some kind of royalty, right? Some tiny fraction of that windfall? But once you realize that individual developers don’t have the authority to put $50 on a corporate card to buy a tool, they super don’t have the authority to make a technical decision that encumbers the intellectual property of their entire core product to give some fraction of the company’s revenue away to a third party. Structurally, there’s no way that this will ever happen.

Despite these impediments, keeping those dependencies maintained does cost money.

Some Solutions Already Exist

There are various official channels developing to help support the maintenance of critical infrastructure. If you work at a big company, you should probably have a corporate Tidelift subscription. Maybe ask your employer about that.

But, as they will readily admit there are a LOT of projects that even Tidelift cannot cover, with no official commercial support, and no practical way to offer it in the short term. Individual maintainers, like yours truly, trying to figure out how to maintain their projects, either by making a living from them or incorporating them into our jobs somehow. People with a Ko-Fi or a Patreon, or maybe just an Amazon wish-list to let you say “thanks” for occasional maintenance work.

Most importantly, there’s no path for them to transition to actually making a living from their maintenance work. For most maintainers, Tidelift pays a sub-hobbyist amount of money, and even setting it up (and GitHub Sponsors, etc) is a huge hassle. So even making the transition from “no income” to “a little bit of side-hustle income” may be prohibitively bureaucratic.

Let’s take myself as an example. If you’re a developer who is nominally profiting from my infrastructure work in your own career, there is a very strong chance that you are also a contributor to the open source commons, and perhaps you’ve even contributed more to that commons than I have, contributed more to my own career success than I have to yours. I can ask you to pay me[3], but really you shouldn’t be paying me, your employer should.

What To Do Now: Make It Easy To Just Pay Money

So if we just need to give open source maintainers more money, and it’s really the employers who ought to be giving it, then what can we do?

Let’s not make it complicated. Employers should just give maintainers money. Let’s call it the “JGMM” benefit.

Specifically, every employer of software engineers should immediately institute the following benefits program: each software engineer should have a monthly discretionary budget of $50 to distribute to whatever open source dependency developers they want, in whatever way they see fit. Venmo, Patreon, PayPal, Kickstarter, GitHub Sponsors, whatever, it doesn’t matter. Put it on a corp card, put the project name on the line item, and forget about it. It’s only for open source maintenance, but it’s a small enough amount that you don’t need intense levels of approval-gating process. You can do it on the honor system.

This preserves zero up-front cost. To start using a dependency, you still just use it[4]. It also preserves zero marginal cost: your developers choose which dependencies to support based on perceived need and popularity. It’s a fixed overhead which doesn’t scale with revenue or with profit, just headcount.

Because the whole point here is to match the easy, implicit, no-process, no-controls way in which dependencies can be added in most companies. It should be easier to pay these small tips than it is to use the software in the first place.

This sub-1% overhead to your staffing costs will massively de-risk the open source projects you use. By leaving the discretion up to your engineers, you will end up supporting those projects which are really struggling and which your executives won’t even hear about until they end up on the news. Some of it will go to projects that you don’t use, things that your engineers find fascinating and want to use one day but don’t yet depend upon, but that’s fine too. Consider it an extremely cheap, efficient R&D expense.

A lot of the options for developers to support open source infrastructure are already tax-deductible, so if they contribute to something like one of the PSF’s fiscal sponsorees, it’s probably even more tax-advantaged than a regular business expense.

I also strongly suspect that if you’re one of the first employers to do this, you can get a round of really positive PR out of the tech press, and attract engineers, so, the race is on. I don’t really count as the “tech press” but nevertheless drop me a line to let me know if your company ends up doing this so I can shout you out.

Acknowledgments

Thank you to my patrons who are supporting my writing on this blog. If you like what you’ve read here and you’d like to read more of it, or you’d like to support my various open-source endeavors, you can support my work as a sponsor! I am also available for consulting work if you think your organization could benefit from expertise on topics such as “How do I figure out which open source projects to give money to?”.

  1. I don’t have time to get into the margins for Starbucks and friends, their relationship with labor, economies of scale, etc. 

  2. While this is a theme that pervades much of his work, the only place I can easily find where he says it in so many words is on a podcast that sometimes also promotes right-wing weirdos and pseudo-scientific quacks spreading misinformation about autism and ADHD. So, I obviously don’t want to link to them; you’ll have to take my word for it. 

  3. and I will, since as I just recently wrote about, I need to make sure that people are at least aware of the option 

  4. Pending whatever legal approval program you have in place to vet the license. You do have a nice streamlined legal approvals process, right? You’re not just putting WTFPL software into production, are you? 


poke @ Savannah: poke-elf 1.0 released

GNU Planet! - Sat, 2024-03-30 15:08

I am happy to announce the first release of poke-elf, version 1.0.

The tarball poke-elf-1.0.tar.gz is now available at
https://ftp.gnu.org/gnu/poke/poke-elf-1.0.tar.gz.

> poke-elf (https://jemarch.net/poke-elf) is a full-fledged GNU poke pickle for editing ELF object
> files, executables, shared libraries and core dumps.  It supports
> many architectures and extensions.
>
> This pickle is part of the GNU poke project.
>
> GNU poke (https://jemarch.net/poke) is an interactive, extensible
> editor for binary data.  Not limited to editing basic entities such
> as bits and bytes, it provides a full-fledged procedural,
> interactive programming language designed to describe data
> structures and to operate on them.


Please send us comments, suggestions, bug reports, patches,
questions, complaints, bitcoins, or whatever, to poke-devel@gnu.org.

Happy ELF poking!

---

Jose E. Marchesi
Frankfurt am Main
30 March 2024



poke @ Savannah: GNU poke 4.0 released

GNU Planet! - Sat, 2024-03-30 14:15

I am happy to announce a new major release of GNU poke, version 4.0.

This release is the result of a year of development.  A lot of things
have changed and improved with respect to the 3.x series; we have
fixed many bugs and added quite a lot of new exciting and useful
features.  See below for a description of many of them.

The tarball poke-4.0.tar.gz is now available at
https://ftp.gnu.org/gnu/poke/poke-4.0.tar.gz.

> GNU poke (http://www.jemarch.net/poke) is an interactive, extensible
> editor for binary data.  Not limited to editing basic entities such
> as bits and bytes, it provides a full-fledged procedural,
> interactive programming language designed to describe data
> structures and to operate on them.


Thanks to the people who contributed with code and/or documentation to
this release.

Once again, our special thanks to Bruno Haible for his invaluable advice and his help in thoroughly testing this new release in many different platforms and configurations.

What is new in this release:

User interface updates


  • The `dump' command now accepts an argument :val.  This argument is a mapped value, and makes `dump' to dump the bytes corresponding to the value, using colors for the different fields.  This command is useful in order to get a visual representation of the constituents of the value and their corresponding bytes.


  • It is now possible to compare Poke values of type `any' using the equality and inequality operators == and !=.


  • GNU poke now acknowledges the POKE_LOAD_PATH environment variable whose value, if defined, gets prepended to the load_path when poke starts.


  • When the poke compiler finds an error in an inline asm template it now emits a proper parse error.


  • The poked program now recognizes the -S command line option properly.


  • The poked program now uses a socket in /tmp/poked-UID.pic where UID is the user ID of the effective user running the program.  This is better than the previous behavior of always using /tmp/poked.ipc, since it allows for several poked instances to be run in the system.


  • The poke program now allows referring to IO spaces by name/handler with $<STR>, where STR is a non-ambiguous substring of some open IO space handler.  Examples are $</bin/ls> and $<*0*>, which could be referred to as $<ls> and $<0> respectively.


  • A new utility called pokefmt has been added to the GNU poke distribution, which implements a simple template system.  See the manual for details on how to use this utility.


  • The poke prompt can now be customized by the user.  This is done by re-defining a function called pk_prompt.  The default value for this function just returns "(poke)", but it can be made as complex as desired.


  • The poke prompt can now be styled using the `prompt' styling class.


  • The new dot-command `.compiler ast EXPR' will compile EXPR and then print its abstract syntax tree (AST).  This is useful for debugging the compiler.


  • The dot-command `.info type' now accepts both expressions or Poke type specifiers as argument.  In the first case it prints information about the type of the value to which the expression evaluates.  In the second case it prints information about the type denoted by the given specifier.


  • The dot-command `.info type' no longer shows field pretty-printer methods, nor anonymous fields in the list of methods and fields.


  • A dot-command `.mmap FILENAME, BASE, SIZE' is now available to poke at devices and files that require mmap.  This is the case of many devices provided by kernel drivers.


Poke Language updates


  • The Poke language now supports using the `t' and `T' suffixes to denote the uint<1> (bit) values 0t and 1t.


  • It is now possible to specify pretty-printers for particular fields in struct type definitions, rather than having to pretty-print the whole value.  To pretty-print a field FNAME, just define the pretty-printer as a method called _print_FNAME.


  • A new immutable variable pk_version is made available, that contains a string with the version of the running poke.


  • A new struct type Pk_Version is defined, that denotes the version of a GNU poke system, or of a pickle.  Accompanying functions pk_version_parse and pk_vercmp are available for parsing PK_Version values from strings and for comparing versions, respectively.  The version comparing function accepts either Pk_Version or string formatted versions indistinctly.


  • The new built-in function `rtrace' prints out the current call stack in the PVM, a function name in each line.  It makes use of the new PVM instruction of the same name.


  • The new built-in function `iosearch' allows searching for IO spaces by name/handler from Poke programs.


Standard Poke Library updates


  • The new built-in `openmmap' function allows to create MMAP-operated IO spaces in Poke programs.


  • New functions `isdigit' and `isxdigit' have been added to the standard library, that check whether a given character is a decimal digit or an hexadecimal digit respectively.


  • New function `strrchr' has been added to the standard library, that finds the last occurrence of a character in a string and returns either its index or, if the character is not found, minus one.


  • New function `strtoi' has been added to the standard library, that parses a numeric denotation on a string and returns the result and the number of parsed characters.


  • The function `atoi' has been refactored to be defined in terms of `strtoi'.


  • New function `strtok' has been added to the standard library, that helps tokenizing strings.


  • New function `strstr' has been added to the standard library, that searches for a sub-string in some given string.


  • The standard function `stoca' has been changed so it doesn't always require passing an array to it.  If no array is passed then it allocates and returns an array by itself.  This is backwards compatible.


libpoke updates


  • A new service pk_keyword_p is available in libpoke, that tells whether a given name is a keyword in the Poke language.


  • When calling pk_load specifying a module that has already been loaded, it is now loaded again and all the definitions in it are re-defined.  This makes the libpoke service to match the behavior of the `load' Poke language construction.


  • The libpoke library now supports the handling of delimited alien tokens with the form $<[^>]*>.


  • New services pk_register_thread and pk_unregister_thread have been added in order to allow using libpoke in multi-threaded programs.


  • We have done more work to remove global state from libpoke, with the goal that someday it shall be possible for a single program to have several instances of the poke incremental compiler.  We are not there yet, but getting near.


  • New services pk_set_debug_p and pk_get_last_ast_str have been added to libpoke, which set the incremental compiler in debug mode and makes it possible to get a printable representation of the AST (abstract syntax tree) corresponding to the last compiled expression.


  • The pk_ios_search service now gets a flag argument, enabling the user to select between exact or partial matching of the handler while searching for the IOS.


  • New services pk_set_user_data and pk_get_user_data are added in order to set a user-defined payload that gets passed back in several libpoke callbacks.


  • The terminal interface in libpoke has been updated so a reference to the pk_compiler incremental compiler is passed to all the callbacks.


Pickles updates


  • A new pickle `srec' has been added for editing, encoding and decoding Motorola SREC files.


  • A new pickle `orc' has been added for poking at ORC data, which is the stack unwinding format used within the Linux kernel.


  • A new pickle `gcov' has been added for editing GCOV data (.gcda) and notes (.gcno) files.


  • A new pickle `base64' has been added to poke, that provides functions to encode and decode data in base64 as defined by the RFC 4648.


  • A new pickle `iscan' has been added to poke, that provides a framework implementing Icon-like scanning contexts.


  • A new pickle `iscan-str' has been added to poke, that provides Icon-like scanning capabilities in Poke strings.


  • A new pickle `gpt' has been added to poke at GUID partition tables.


  • A new pickle `jojodiff' has been added to generate and apply JojoDiff binary patches.  An accompanying pk-jojopatch utility is also provided.


  • A new pickle `linux' has been added to poke, that provides internal data structures used by the Linux kernel.




  • The sframe pickle has been updated to reflect AArch64 PAuth information.


  • The PE pickle now supports BASE64 encoded names, which is a Microsoft extension.


  • The BTF pickle now performs more data integrity checks, and also now supports BTF_KIND_ENUM64 entries.


  • All the pickles distributed with GNU poke have been modified so they don't use standard types like `int' or 'long' anymore.  This is to make it possible to use them in non-poke applications integrating with libpoke, like GDB.


Build system updates


  • poke, libpoke and pokefmt now build and run natively in Windows.


  • Different components in the source tree (poked, pokefmt) can now be disabled using the --disable-poked and --disable-pokefmt command-line options.


  • A file poke.m4 is now installed, that provides the macros PK_PROG_POKE and PK_CHECK_PICKLE.  These macros are to be used by projects and packages that install GNU poke pickles.  The first macro checks for a particular version of poke, whereas the second checks for the availability of some particular pickle.


Documentation updates


  • The manual has been fixed to refer to `gettime' instead of `get_time'.  This function changed name in 3.0.


  • The GNU poke manual in `info' format is now installed under its own directory category (GNU poke) rather than under Editors.  This is because other poke related projects like poke-elf and poke-dwarf also install manuals under this new directory category.


---

Jose E. Marchesi
Frankfurt am Main
30 March 2024



Robin Wilson: Explore UK place names on a map – my new web app

Planet Python - Sat, 2024-03-30 09:46

As an Easter present for you all, I’ve got a new web app you can play with.

It lets you search for UK place names – things like ‘ends with burgh’ or ‘starts with great’ or ‘contains sea’ – and then plot them on an interactive map. Once you’ve done that, you can even share links to your settings so other people can see your findings.

Have a look at the web app now, and please tweet/toot/email me with any interesting things you find.

A few examples:

The data comes from the Ordnance Survey Open Names dataset, and it was processed on my local machine using Python to create some filtered data that could be used in the webapp, which all runs client-side.


Steinar H. Gunderson: xz backdooring

Planet Debian - Sat, 2024-03-30 06:39

Andres Freund found that xz-utils is backdoored, but could not (despite the otherwise excellent analysis) get quite to the bottom of what the payload actually does.

What you would hope for to be posted by others: Further analysis of the payload.

What actually gets posted by others: “systemd is bad.”


Pixelite: Drupal and the Open Web in the Australian Government - 2024 edition

Planet Drupal - Sat, 2024-03-30 03:09

This is the complementary blog post for my DrupalSouth Sydney 2024 session, and also v2.0 follow up of sorts from the original 2022 version. The full presentation was much longer than this blog post; this blog post is just going to highlight the core statistics and findings.

Have you ever wondered how popular Drupal is in your local state and at the Australian Federal Government level? This blog post will help to answer that question, using open source tooling. The hope is that you gain some insight to the relative popularity of Drupal and appreciate more the impact you and Drupal have in Australia.

As this blog post is a follow up, you can also now start to see trends (data is around 13 months newer than the last time I did this).

Just show me the graphs

Disclaimer:

  • This is based on Oct 20, 2023 data
  • The scoring is based off PageRank data, so the percentages are not raw counts of websites, but an approximation of how important the respective sites are compared to others (assumes a logarithmic base of 5).
  • Wappalyzer detection is not perfect (see the end of this blog post for upstreamed PRs), and there is still a fairly large portion of sites where the CMS cannot be identified
  • MoGs make this tricky (PageRank relies on incoming links, which break due to MoGs)
  • Only source *.gov.au domains considered (some Government sites use other TLDs)
  • Unlikely newly created websites are in the top 10 million just yet (due to how the algorithm of PageRank works)

All sites (*.gov.au)

[Figure: All sites (*.gov.au)]

Federal sites (not state based domains)

Programmes like GovCMS are having an impact here. Also interesting that if you are not using Drupal, the chances are you have written something entirely custom.

[Figure: Federal sites (every non-state based domain)]

Victoria *.vic.gov.au

The Single Digital Presence (SDP) programme makes a mark in Victoria.

[Figure: Victoria (*.vic.gov.au)]

New South Wales *.nsw.gov.au

Large Drupal sites like https://www.nsw.gov.au/ and https://www.service.nsw.gov.au/ help to make Drupal dominant in NSW.

[Figure: New South Wales (*.nsw.gov.au)]

South Australia *.sa.gov.au

Squiz Matrix increasing in market share ↑5.4% over 2022. There is a clear state led mandate here.

[Figure: South Australia (*.sa.gov.au)]

Western Australia *.wa.gov.au

A lot of sites this time around are now identified (decrease of ↓30.8% of unknown sites). Drupal also increased market share by ↑9.9%.

[Figure: Western Australia (*.wa.gov.au)]

Tasmania *.tas.gov.au

The lowest usage of Drupal for any Australian state or territory and the highest percentage of Wordpress.

[Figure: Tasmania (*.tas.gov.au)]

Queensland *.qld.gov.au

[Figure: Queensland (*.qld.gov.au)]

Australian Capital Territory *.act.gov.au

The highest percentage of Squiz compared to any other Australian state or territory.

[Figure: Australian Capital Territory (*.act.gov.au)]

Northern Territory *.nt.gov.au

[Figure: Northern Territory (*.nt.gov.au)]

Open Source Software (OSS) CMS vs Proprietary CMS

For the CMS' that can be identified, splitting them into 2 categories, OSS and Proprietary. OSS is determined on whether the source code is freely available, and there is a licence that allows me to run it without paying someone.

[Figure: Open Source Software (OSS) CMS vs Proprietary CMS]

Drupal sites by major version

For sites reporting as Drupal, Drupal 10 is the most popular. Still 5.4% of Drupal sites are running Drupal 7, which will be End-of-Life (EOL) in early 2025.

[Figure: Drupal by major version]

Score by state and territory

This is weighted by total score, broken down by federal/state/territory.

[Figure: Scores by federal/state/territory in Australia]

Observations and other unusual findings

Drupal usage

“Drupal powers ~29.9% of all digital experiences that you use in the Australian government. This is ↑2.7% compared to 2022”

Drupal Growth

“Relative to the growth of Australian government sites, Drupal adoption is growing faster”

[Figure: Drupal adoption is rising faster than Australian government sites are rising]

Top contender

“Squiz Matrix is the top contender with 15.6%, and has a clear state lead mandate in 5 states/territories. This is ↑3.5% compared to 2022”

Drupal 7 usage

“Drupal 7 usage dropped from 15.8% in 2022 to 5.4% in 2024. This is ↓65.8% compared to 2022. Most popular Drupal 7 site is https://www.sl.nsw.gov.au/”

Also after my presentation I got to meet the team behind the State Library of NSW, and they advised that they are due to upgrade to Drupal 10 anytime soon.

TLS coverage is still not 100%

83 sites with HTTP only (a drop of ↓46 since 2022)

| Domain | CMS | Page Rank | Score |
| --- | --- | --- | --- |
| http://www.bom.gov.au/ | unknown | 5.63 | 8614 |
| http://ips.gov.au/mailman/listinfo | unknown | 4.68 | 1867 |
| http://www.nntt.gov.au/Pages/Home-Page.aspx | microsoft-sharepoint | 4.68 | 1867 |
| http://ajrp.awm.gov.au/ | hcl-notes | 4.6 | 1642 |
| http://services.land.vic.gov.au/ | unknown | 4.56 | 1539 |

If in doubt, add a number

14 sites with ww[0-9] in the domain name (a drop of ↓5 since 2022)

| Domain | CMS | Page Rank | Score |
| --- | --- | --- | --- |
| https://www2.gbrmpa.gov.au/ | drupal | 5.3 | 5065 |
| https://www1.health.gov.au/ | unknown | 4.99 | 3075 |
| https://www9.health.gov.au/ | unknown | 4.59 | 1615 |
| https://www1.aiatsis.gov.au/ | unknown | 4.53 | 1467 |
| https://www2.sl.nsw.gov.au/ | unknown | 4.51 | 1420 |

I think this is often used like a form of poor man's version control, often archiving the previous version of the site. For some reason it is archived publicly.

I want the raw data!

If you want to make your own visualisations of the data, or even just do random queries “how popular is Spark CMS in Western Australia”, you can download a CSV from https://bit.ly/dsau2024csv. Slides are https://bit.ly/dsau2024.

Upstreamed enhancements

I found a lot of software running in certain states, so I upstreamed some changes to better detect these software packages:

  • Better SilverStripe detection #120
  • Datascape detection #122
  • Spark CMS detection #123
  • Jadu detection #126
  • Engagement HQ detection #124
  • Social Pinpoint detection #125
  • Citizen Space detection #121

Comments

I am keen to hear feedback on this data, and what can be done to improve the scoring. Also, if you can help fill in some of the 'unknown' data, let me know, I am happy to craft another PR into WebAppAnalyzer.


This week in KDE: looking forward towards Plasma 6.1

Planet KDE - Sat, 2024-03-30 01:23

This week I’d like to highlight a very cool development: the automatic crash reporting facility in the Plasma 6 version of our venerable DrKonqi crash report wizard. Automatic reporting is opt-in, but so far lots of people are opting in, and we’re using this data to get a much better picture of the crashes that our users are actually experiencing than we ever could using Bugzilla! Using this system, at least three such important crashes were fixed this week, two by Fushan Wen (link 1 and link 2) and one by Vlad Zahorodnii (link)–and possibly even more that I missed!

These reports make a difference; they’re not a black hole. So if something crashes, please do use the automatic crash reporting feature in DrKonqi!

In addition, quite a lot of technical and performance work was merged, especially for Discover and the Baloo file indexer. Finally, features and UI polishing are starting to land in Plasma 6.1. In addition to everything listed here, there’s something big that I can’t mention yet since it’s not 100% merged yet, but only 95%! Hopefully next week. So stay tuned for that!

New Features

The Power and Battery widget now responds to middle-clicks and scrolls: middle-click will block or re-enable automatic sleep and screen locking, and scrolling will change the active power profile (Natalie Clarius, Plasma 6.1. Link)

UI Improvements

The Power and Battery widget now shows an appropriate icon when you manually block sleep and screen locking (Natalie Clarius, Plasma 6.1. Link 1 and link 2):

Some of the menu items and toolbar buttons in the desktop context menu and global Edit Mode toolbar are now more concise (me: Nate Graham, Plasma 6.1. Link):

The opening and closing animations for expandable List Items in Plasma system tray widgets now respect the global animation speed, and are also a bit faster and more responsive-feeling in general (me: Nate Graham, Plasma 6.1. Link)

“Get new [thing]” dialogs throughout KDE software are now sorted by highest number of downloads first (Ismael Asensio, Frameworks 6.1. Link)

Bug Fixes

Fixed a common crash in Discover related to refreshing KNewStuff content (Harald Sitter, Plasma 6.0.3. Link)

The bug where clicking on certain panel widgets would inappropriately transfer focus to the panel is now actually fixed. It turns out that it was in fact fixed before as well for people living on git master, but I forgot to backport half of it to the stable branch, so it didn’t take effect. Sorry about that. But even if I had, it would have broken other things as it turned out to not be the right fix. This week we have a much better fix that fixes everything and breaks nothing! (Niccolò Venerandi, Plasma 6.0.3. Link 1 and link 2)

Power and session actions once again work for people not using the systemd-enabled boot process (David Edmundson, Plasma 6.0.3. Link)

Fixed multiple related issues that would cause panels to switch to a different screen on wake-up or login when using a multi-screen setup with an AMD GPU (David Redondo, Plasma 6.0.3. Link 1, link 2, and link 3)

It’s once again possible to disable Presentation Mode via the same way you enabled it, in the Display Configuration widget (Natalie Clarius, Plasma 6.0.3. Link)

Syncing your settings to SDDM now also syncs the scale factor and screen arrangement correctly on systems where SDDM is running on KWin as a Wayland server rather than Xorg as an X server (Xaver Hugl, Plasma 6.0.3. Link)

Fixed multiple minor glitches with Task Manager window thumbnails related to them being sometimes cut off, displaced, or never showing up at all (Vlad Zahorodnii, Plasma 6.0.3. Link)

Fixed an issue that could cause Discover to crash at launch under certain circumstances (Harald Sitter, Plasma 6.0.4. Link)

In the Plasma X11 session, the Desktop Grid page on the Overview effect can now be closed using the same keyboard shortcut (Meta+G by default) that was used to open it (Niccolò Venerandi, Plasma 6.0.4. Link)

Fixed a case where Plasma could crash after changing the panel position on certain setups (Fushan Wen, Plasma 6.1. Link)

Fixed a case where the Baloo file indexer could crash after you created or renamed files or folders (Méven Car, Frameworks 6.1. Link)

Other bug information of note:

Performance & Technical

Discover is now much faster about showing reviews for apps, especially when doing so immediately after the app is launched (Harald Sitter, Plasma 6.0.3. Link)

Discover is now also faster about displaying information about large offline updates (Harald Sitter, Plasma 6.0.4. Link)

The Baloo file indexer no longer tries to index content on temporarily mounted file systems, such as network shares and overlayfs mounts (Adam Fontenot, Frameworks 6.1. Link)

The list of recently-accessed files that gets saved to disk by open/save dialogs and other consumers of KFileWidget now gets written to the config file for volatile state data, not user-directed config data (Nicolas Fella, Frameworks 6.1. Link)

…And Everything Else

This blog only covers the tip of the iceberg! If you’re hungry for more, check out https://planet.kde.org, where you can find more news from other KDE contributors.

How You Can Help

Please help with bug triage! The Bugzilla volumes are still pretty high right now and help is appreciated. If you’re interested, read this.

Otherwise, visit https://community.kde.org/Get_Involved to discover other ways to be part of a project that really matters. Each contributor makes a huge difference in KDE; you are not a number or a cog in a machine! You don’t have to already be a programmer, either. I wasn’t when I got started. Try it, you’ll like it! We don’t bite!

As a final reminder, 99.9% of KDE runs on labor that KDE e.V. didn’t pay for. If you’d like to help change that, consider donating today!


Glyph Lefkowitz: The Hat

Planet Python - Fri, 2024-03-29 19:56

This year I will be going to two conferences: PyCon 2024, and North Bay Python 2024.

At PyCon, I will be promoting my open source work and my writing on this blog. As I’m not giving a talk this year, I am looking forward to organizing and participating in some open spaces about topics like software architecture, open source sustainability, framework interoperability, and event-driven programming.

At North Bay Python, though, I will either be:

  1. doing a lot more of that, or
  2. looking for new full-time employment, pausing the patreon, and winding down this experiment.

If you’d like to see me doing the former, now would be a great time to sign up to my Patreon to support the continuation of my independent open source work and writing.

The Bad News

It has been nearly a year since I first mentioned that I have a Patreon on this blog. That year has been a busy one, with consulting work and personal stuff consuming more than enough time that I have never been full time on independent coding & blogging. As such, I’ve focused more on small infrastructure projects and less on user-facing apps than I’d like, but I have spent the plurality of my time on it.

For that to continue, let alone increase, this work needs to—at the very least—pay for health insurance. At my current consulting rate, a conservative estimate based on some time tracking is that I am currently doing this work at something like a 98.5% discount. I do love doing it! I would be happy to continue doing it at a significant discount! But “significant” and “catastrophic” are different thresholds.

As I have said previously, this is an appeal to support my independent work; not to support me. I will be fine; what you will be voting for with your wallet is not my well-being but a choice about where I spend my time.

Hiding The Hat

When people ask me what I do these days, I sometimes struggle to explain. It is confusing. I might say I have a Patreon, I do a combination of independent work and consulting, or if I’m feeling particularly sarcastic I might say I’m an ✨influencer✨. But recently I saw the very inspiring Matt Ricardo describing the way he thinks about his own Patreon, and I realized what I am actually trying to do, which is software development busking.

Previously, when I’ve been thinking about making this “okay, it’s been a year of Patreon, let’s get serious now” post, I’ve been thinking about adding more reward products to my Patreon, trying to give people better value for their money before asking for anything more, trying to finish more projects to make a better sales pitch, maybe making merch available for sale, and so on. So aside from irregular weekly posts on Friday and acknowledgments sections at the bottom of blog posts, I’ve avoided mentioning this while I think about adding more private rewards.

But busking is a public performance, and if you want to support my work then it is that public aspect that you presumably want to support. And thus, an important part of the busking process is to actually pass the hat at the end. The people who don’t chip in still get to see the performance, but everyone else needs to know that they can contribute if they liked it.[1]

I’m going to try to stop hiding the metaphorical hat. I still don’t want to overdo it, but I will trust that you’ll tell me if these reminders get annoying. For my part today, in addition to this post, I’m opening up a new $10 tier on Patreon for people who want to provide a higher level of support, and officially acknowledging the rewards that I already provide.

What’s The Deal?

So, what would you be supporting?

What You Give (The Public Part)

  1. I have tended to focus on my software, and there has been a lot of it! You’d be supporting me writing libraries and applications and build infrastructure to help others do the same with Python, as well as maintaining existing libraries (like the Twisted ecosystem libraries) sometimes. If I can get enough support together to more than bare support for myself, I’d really like to be able to do things like pay other people to help with aspects of applications that I would struggle to complete myself, like accessibility or security audits.
  2. I also do quite a bit of writing though, about software and about other things. To make it easier to see what sort of writing I’m talking about, I’ve collected just the stuff that I’ve written during the period where I have had some patrons, under the supported tag.
  3. Per my earlier sarcastic comment about being an “influencer”, I also do quite a bit of posting on Mastodon about software and the tech industry.

What You Get (Just For Patrons)

As I said above, I will be keeping member benefits somewhat minimal.

  1. I will add you to SponCom so that your name will be embedded in commit messages like this one on a cadence appropriate to your support level.
  2. You will get access to my private Patreon posts where I discuss what I’ve been working on. As one of my existing patrons put it:

    I figure I’m getting pretty good return on it, getting not only targeted project tracking, but also a peek inside your head when it comes to Sores Business Development. Maybe some of that stuff will rub off on me :)

  3. This is a somewhat vague and noncommittal benefit, but it might be the best one: if you are interested in the various different projects that I am doing, you can help me prioritize! I have a lot of things going on. What would you prefer that I focus on? You can make suggestions in the comments of Patreon posts, which I pay a lot more attention to than other feedback channels.
  4. In the near future[2] I am also planning to start doing some “office hours” type live-streaming, where I will take audience questions and discuss software design topics, or maybe do some live development to showcase my process and the tools I use. When I figure out the mechanics of this, I plan to add some rewards to the existing tiers to select topics or problems for me to work on there.

If that sounds like a good deal to you, please sign up now. If you’re already supporting me, sharing this and giving a brief testimonial of something good I’ve done would be really helpful. Github is not an algorithmic platform like YouTube, despite my occasional jokey “remember to like and subscribe”, nobody is getting recommended DBXS, or Fritter, or Twisted, or Automat, or this blog unless someone goes out and shares it.

  1. A year into this, after what feels like endlessly repeating this sales pitch to the point of obnoxiousness, I still routinely interact with people who do not realize that I have a Patreon at all. 

  2. Not quite comfortable putting this on the official patreon itemized inventory of rewards yet, but I do plan to add it once I’ve managed to stream for a couple of weeks in a row. 


Glyph Lefkowitz: DBXS 0.1.0

Planet Python - Fri, 2024-03-29 18:19

New Release

Yesterday I published a new release of DBXS for you all. It’s still ZeroVer, but it has graduated from double-ZeroVer as this is the first nonzero minor version.

More to the point though, the meaning of that version increment is that this version introduces some critical features that I think most people would need in order to give it a spin on a hobby project.

What’s New

  • It has support for MySQL and PostgreSQL using native asyncio drivers, which means you don’t need to take a Twisted dependency in production.

  • While Twisted is still used for some of the testing internals, Deferred is no longer exposed anywhere in the public API, either; your tests can happily pretend that they’re doing asyncio, as long as they can run against SQLite.

  • There is a new repository convenience function that automatically wires together multiple accessors and transaction discipline. Have a look at the docstring for a sense of how to use it.

  • Several papercuts, like confusing error messages when messing up query result handling, and lack of proper handling of default arguments in access protocols, are now addressed.

It’s A Good Time To Contribute!

If you’ve been looking for an open source project to try your hand at contributing to, DBXS might be a great opportunity, for a few reasons:

  1. The team is quite small (just me, right now!), so it’s easy to get involved.

  2. It’s quite generally useful, so there’s a potential for an audience, but right now it doesn’t really have any production users; there’s still time to change things without a lot of ceremony.

  3. Unlike many other small starter projects, it’s got a test suite with 100% coverage, so you can contribute with confidence that you’re not breaking anything.

  4. There’s not that much code (a bit over 2 thousand SLOC), so it’s not hard to get your head around.

  5. There are a few obvious next steps for improvement, which I’ve filed as issues if you want to pick one up.

Share and enjoy, and please let me know if you do something fun with it.

Acknowledgments

Thank you to my patrons who are supporting my writing on this blog. If you like what you’ve read here and you’d like to read more of it, or you’d like to support my various open-source endeavors, you can support my work as a sponsor! I am also available for consulting work if you think your organization could benefit from expertise on topics such as “How do I shot SQL?”.


Parabola GNU/Linux-libre: [arch-announce] The xz package has been backdoored

GNU Planet! - Fri, 2024-03-29 15:32

From: "Arch Linux: Recent news updates: David Runge" arch-announce@lists.archlinux.org

TL;DR: Upgrade your systems and container images now!

As many of you may have already read [1], the upstream release tarballs for xz in version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.

This vulnerability is tracked in the Arch Linux security tracker [2].

The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor.

We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version!

Upgrading the system

It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed:

pacman -Syu

Regarding sshd authentication bypass/code execution

From the upstream report [1]:

> openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.

Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:

ldd "$(command -v sshd)"

However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.

URL: https://archlinux.org/news/the-xz-package-has-been-backdoored/
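
The two checks the advisory describes (installed package version, and whether sshd links liblzma) can be combined into one triage step. This is an added example, not part of the Arch announcement; the function names and the SAMPLE_* ldd outputs are constructed, and the affected versions are the two the advisory lists.

```shell
#!/bin/sh
# Added example (not from the Arch advisory): triage a host against it.
# Affected package versions 5.6.0-1 and 5.6.1-1 are the ones the advisory names.
# Function names and the SAMPLE_* inputs are constructed for illustration.

# xz_pkg_status LINE: LINE is one line of `pacman -Q xz` output ("xz 5.6.1-1").
# Prints affected, not-affected, or unknown (input not understood).
xz_pkg_status() {
    case "$1" in
        "xz "*) ver=${1#xz } ;;
        *) echo unknown; return 0 ;;
    esac
    case "$ver" in
        5.6.0-1|5.6.1-1) echo affected ;;
        ""|*[!0-9A-Za-z.:+_-]*) echo unknown ;;   # empty or not a version string
        *) echo not-affected ;;
    esac
}

# links_liblzma LDD_OUTPUT: succeeds if the ldd output lists liblzma.
links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# triage PACMAN_LINE LDD_OUTPUT: prints one machine-readable verdict line.
triage() {
    pkg=$(xz_pkg_status "$1")
    if links_liblzma "$2"; then lzma=yes; else lzma=no; fi
    case "$pkg" in
        affected)     action=upgrade ;;      # advised whether or not sshd links liblzma
        not-affected) action=none ;;
        *)            action=investigate ;;  # never report "fine" on unparsed input
    esac
    echo "xz=$pkg sshd_liblzma=$lzma action=$action"
}

# Constructed ldd output for an sshd that does not pull in liblzma.
SAMPLE_LDD_PLAIN='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f0000200000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f0000100000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000000000)'

# Constructed ldd output for an sshd patched for systemd notification.
SAMPLE_LDD_SYSTEMD='    libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x00007f0000300000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f0000200000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000000000)'

# Demo over the constructed inputs.
triage 'xz 5.6.1-1' "$SAMPLE_LDD_PLAIN"
triage 'xz 5.6.1-2' "$SAMPLE_LDD_PLAIN"
triage 'xz 5.6.0-1' "$SAMPLE_LDD_SYSTEMD"

# On a real Arch host:
#   triage "$(pacman -Q xz)" "$(ldd "$(command -v sshd)")"
```

The package version is checked rather than `xz --version` because the fixed package 5.6.1-2 keeps the upstream version number 5.6.1.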
