FLOSS Project Planets

Again this year, Arm offered to host us for a mini-debconf in Cambridge. Roughly 60 people turned up on 10-13 October to the Arm campus, where they made us really welcome. They even had some Debian-themed treats made to spoil us!

Hacking together

For the first two days, we had a "mini-debcamp" with disparate group of people working on all sorts of things: Arm support, live images, browser stuff, package uploads, etc. And (as is traditional) lots of people doing last-minute work to prepare slides for their talks.

Sessions and talks

Saturday and Sunday were two days devoted to more traditional conference sessions. Our talks covered a typical range of Debian subjects: a DPL "Bits" talk, an update from the Release Team, live images. We also had some wider topics: handling your own data, what to look for in the upcoming Post-Quantum Crypto world, and even me talking about the ups and downs of Secure Boot. Plus a random set of lightning talks too! :-)

Video team awesomeness

Lots of volunteers from the DebConf video team were on hand too (both on-site and remotely!), so our talks were both streamed live and recorded for posterity - see the links from the individual talk pages in the wiki, or http://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Cambridge/ for the full set if you'd like to see more.

A great time for all

Again, the mini-conf went well and feedback from attendees was very positive. Thanks to all our helpers, and of course to our sponsor: Arm for providing the venue and infrastructure for the event, and all the food and drink too!

Photo credits: Andy Simpkins, Mark Brown, Jonathan Wiltshire. Thanks!

Read more

At Drupalcamp Spain I had this moment of inspiration where I saw a further comparison between Drupal and the USS Enterprise from Star Trek.

Enjoy this creative exercise :)

 

Drupal and the USS enterprisedrupalSaturday, October 26, 2024 - 20:42

In one way or another, I have developed, configured, and worked with Drupal for over 15 years. On almost every website I’ve had the privilege of working on, there have been various forms of forms—comment fields, contact forms, membership requests, and so on. And something that’s always been present is spam.

Regardless of the size of the site, bots eventually find the forms. I’ve moved from module to module trying to prevent forms from being overtaken by bots and their often offensive content, which 99.9% of the time includes a link to some obscure website, often on the darker parts of the web. But where there are spam bots, there are also services and modules to stop them. Over the years, I’ve moved from module to module as bots have become smarter and some modules have become outdated technologically.

About six months ago, I revamped my own site, AdamEvertsson.se, and just recently realized that I’d forgotten to add a spam prevention module. How did I notice? I happened to see that I had over 3,500 comments spread across a very small number of posts—all 100% spam.

I quickly activated one of the classic modules I’ve used, but the spam posts continued to pour in by the dozens every day. Even though I have some go-to modules, I thought it might be interesting to see what’s new among spam prevention modules since it had been a while since I updated myself on the state of Drupal spam-blocking modules.

I quickly found the Antibot module, a new discovery for me, and within just a couple of days of testing, it proved to be 100% effective against spam. Since it worked so incredibly well, I stopped searching. I haven’t received a single spam post since activating it earlier this week, and I now have a new favorite to add to my collection of modules when building Drupal sites.

Here are the modules I currently consider relevant for blocking spam posts:

Antibot

As mentioned, this is now my go-to for spam-fighting and will be my standard module for spam management for a good while—until it loses effectiveness and another module steps up.

Visit the module’s project page on drupal.org.

Honeypot

A classic module that monitors how quickly a form is filled in, with some other functions as well. It’s been a favorite for many years and keeps pace with Drupal’s development. I highly recommend it and still use it on my sites that run on Drupal 7, for instance.

Visit the module’s project page on drupal.org.

Google reCAPTCHA

The classic box with prompts like "select all boxes with a moped" or "choose the images showing a bridge" is something we’ve all seen. It’s one of the internet’s most effective and widely used systems for ensuring “I am not a robot.” In Drupal alone, there are over 168,000 registered sites using this module and the reCAPTCHA system.

Visit the module’s project page on drupal.org.

Anti-Spam by CleanTalk

This is a new module I came across during my search but didn’t get around to testing since I found Antibot, which worked well. It has a bit more modest stats in terms of usage, with just over 3,000 sites using it, but it’s maintained and appears reliable.

Visit the module’s project page on drupal.org.

SpamSpan

While it doesn’t block spam directly, it prevents email addresses displayed on the site from being picked up by bots. It can and should be combined with one of the modules above.

Visit the module’s project page on drupal.org

Last weekend I attended the bi-annual OSM Hack Weekend in Karlsruhe again, organized by Geofabrik and this time hosted at a nearby university building due to the large number of participants.

Transitous

My main focus has been getting the public transport client library used by KDE Itinerary ready for MOTIS v2, as Transitous, our community-run public transport routing service, will switch to that in the not too distant future.

One big new feature in MOTIS v2 is support for GTFS shapes. That is, getting detailed paths for public transport sections, beyond just positions of intermediate stops, which allows for a much more useful map display for example.

Even more importantly, MOTIS now also provides detailed multi-floor paths for transfers or other parts of a trip where you have to move yourself (walking, biking, etc). This is all based on OSM data and thus matches perfectly to the map data, but since practically no other backend provides this level of detail it also required a few changes in our data model and API.

Besides the new MOTIS API being much more intuitive than the previous one having had Felix from the MOTIS team around (even if just online) who instantly implemented all suggested improvements in the server made this super productive.

If your region isn’t covered by Transitous yet, check out the contributor documentation on how to change that.

Itinerary

For debugging parsing of paths provided by MOTIS I added a map view to the KPublicTransport demo app. That ended up getting close to what we’d need for a map view of an entire trip in Itinerary, so we also have that now. It’s not where I’d like it yet e.g. regarding interactivity and the look of bi-directional paths it’s a good start.

Trip map view prototype in Itinerary.

A full trip map view was also one of the feature requests I got from other participants. Another suggestions that came up and that meanwhile has been implemented is pre-filling the stop location history with all locations involved in the current trip, which is quite helpful during trip planning.

Indoor Routing

Following a discussion on detailed mapping of hedges in outdoor mazes I learned there’s an OSM wiki page on that subject, which also lists a bunch of examples.

While I don’t really have any particular interest in outdoor mazes and/or fancy hedge art, these things just ask for being used as a test case for our indoor router.

Indoor router finding a way through a maze made out of hedges. You can help!

Hack weekends how this is called in the OSM community or sprints as this is known in the KDE community are immensely valuable and productive. There’s a great deal of knowledge transfer happening, and they are a big motivational boost.

However, physical meetings incur costs, and that’s where your donations help! KDE e.V. and local OSM chapters like the FOSSGIS e.V. support these activities.

The Announcement

Late last month there was an announcement of a “severity 9.9 vulnerability” allowing remote code execution that affects “all GNU/Linux systems (plus others)” [1]. For something to affect all Linux systems that would have to be either a kernel issue or a sshd issue. The announcement included complaints about the lack of response of vendors and “And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix”.

He seems to have a different experience to me of reporting bugs, I have had plenty of success getting bugs fixed without hyping them. I just report the bug, wait a while, and it gets fixed. I have reported potential security bugs without even bothering to try and prove that they were exploitable (any situation where you can make a program crash is potentially exploitable), I just report it and it gets fixed. I was very dubious about his ability to determine how serious a bug is and to accurately report it so this wasn’t a situation where I was waiting for it to be disclosed to discover if it affected me. I was quite confident that my systems wouldn’t be at any risk.

Analysis Not All Linux Systems Run CUPS

When it was published my opinion was proven to be correct, it turned out to be a series of CUPS bugs [2]. To describe that as “all GNU/Linux systems (plus others)” seems like a vast overstatement, maybe a good thing to say if you want to be a TikTok influencer but not if you want to be known for computer security work.

For the Debian distribution the cups-browsed package (which seems to be the main exploitable one) is recommended by cups-daemon, as I have my Debian systems configured to not install recommended packages by default that means that it wasn’t installed on any of my systems. Also the vast majority of my systems don’t do printing and therefore don’t have any part of CUPS installed.

CUPS vs NAT

The next issue is that in Australia most home ISPs don’t have IPv6 enabled and CUPS doesn’t do the things needed to allow receiving connections from the outside world via NAT with IPv4. If inbound port 631 is blocked on both TCP and USP as is the default on Australian home Internet or if there is a correctly configured firewall in place then the network is safe from attack. There is a feature called uPnP port forwarding [3] to allow server programs to ask a router to send inbound connections to them, this is apparently usually turned off by default in router configuration. If it is enabled then there are Debian packages of software to manage this, the miniupnpc package has the client (which can request NAT changes on the router) [4]. That package is not installed on any of my systems and for my home network I don’t use a router that runs uPnP.

The only program I knowingly run that uses uPnP is Warzone2100 and as I don’t play network games that doesn’t happen. Also as an aside in version 4.4.2-1 of warzone2100 in Debian and Ubuntu I made it use Bubblewrap to run the game in a container. So a Remote Code Execution bug in Warzone 2100 won’t be an immediate win for an attacker (exploits via X11 or Wayland are another issue).

MAC Systems

Debian has had AppArmor enabled by default since Buster was released in 2019 [5]. There are claims that AppArmor will stop this exploit from doing anything bad.

To check SE Linux access I first use the “semanage fcontext” command to check the context of the binary, cupsd_exec_t means that the daemon runs as cupsd_t. Then I checked what file access is granted with the sesearch program, mostly just access to temporary files, cupsd config files, the faillog, the Kerberos cache files (not used on the Kerberos client systems I run), Samba run files (might be a possibility of exploiting something there), and the security_t used for interfacing with kernel security infrastructure. I then checked the access to the security class and found that it is permitted to check contexts and access-vectors – not access that can be harmful.

The next test was to use sesearch to discover what capabilities are granted, which unfortunately includes the sys_admin capability, that is a capability that allows many sysadmin tasks that could be harmful (I just checked the Fedora source and Fedora 42 has the same access). Whether the sys_admin capability can be used to do bad things with the limited access cupsd_t has to device nodes etc is not clear. But this access is undesirable.

So the SE Linux policy in Debian and Fedora will stop cupsd_t from writing SETUID programs that can be used by random users for root access and stop it from writing to /etc/shadow etc. But the sys_admin capability might allow it to do hostile things and I have already uploaded a changed policy to Debian/Unstable to remove that. The sys_rawio capability also looked concerning but it’s apparently needed to probe for USB printers and as the domain has no access to block devices it is otherwise harmless. Below are the commands I used to discover what the policy allows and the output from them.

# semanage fcontext -l|grep bin/cups-browsed /usr/bin/cups-browsed regular file system_u:object_r:cupsd_exec_t:s0 # sesearch -A -s cupsd_t -c file -p write allow cupsd_t cupsd_interface_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write }; allow cupsd_t cupsd_lock_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_log_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_runtime_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_rw_etc_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t faillog_t:file { append getattr ioctl lock open read write }; allow cupsd_t init_tmpfs_t:file { append getattr ioctl lock read write }; allow cupsd_t krb5_host_rcache_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ allow_kerberos ]:True allow cupsd_t print_spool_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write }; allow cupsd_t samba_var_t:file { append getattr ioctl lock open read write }; allow cupsd_t security_t:file { append getattr ioctl lock open read write }; allow cupsd_t security_t:file { append getattr ioctl lock open read write }; [ allow_kerberos ]:True allow cupsd_t usbfs_t:file { append getattr ioctl lock open read write }; # sesearch -A -s cupsd_t -c security allow cupsd_t security_t:security check_context; [ allow_kerberos ]:True allow cupsd_t security_t:security { check_context compute_av }; # sesearch -A -s cupsd_t -c capability allow cupsd_t cupsd_t:capability net_bind_service; [ allow_ypbind ]:True allow cupsd_t cupsd_t:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill net_bind_service setgid setuid sys_admin sys_rawio sys_resource sys_tty_config }; # sesearch -A -s cupsd_t -c capability2 allow cupsd_t cupsd_t:capability2 { block_suspend wake_alarm }; # sesearch -A -s cupsd_t -c blk_file Conclusion

This is an example of how not to handle security issues. Some degree of promotion is acceptable but this is very excessive and will result in people not taking security announcements seriously in future. I wonder if this is even a good career move by the researcher in question, will enough people believe that they actually did something good in this that it outweighs the number of people who think it’s misleading at best?

• [1] https://threadreaderapp.com/thread/1838169889330135132.html
• [2] https://tinyurl.com/26rjd5ex
• [3] https://tinyurl.com/2ckyvpyq
• [4] https://packages.debian.org/sid/miniupnpc
• [5] https://wiki.debian.org/AppArmor/HowToUse

Related posts:

1. SE Linux audit2allow -R and Milter policy Since the earliest days there has been a command named...
2. SE Linux File Context Precedence In my previous post I expressed a desire to use...
3. SE Linux Things To Do At the end of my talk on Monday about the...

We continued fixing bugs and making UI improvements this week. You’ll notice a good many of them are about screens somehow! Ah, screens, the magical windows to our computers. They are amazing… and they suck. So many graphics driver bugs and hardware quirks to work around, so many edge cases to handle… and so that was a large part of what we spent doing for you, dear reader! Because getting all this screen stuff right has a massive impact on quality.

And of course there was a lot of other work too!

Notable UI Improvements

There’s a new behavior when dragging things out of a window that’s not the top one in the stacking order: the window with the dragged content remains where it is during the drag, instead of immediately jumping to the front (Xaver Hugl, Plasma 6.3.0. Link)

Kickoff, Kicker, and other launcher menus now have a “Help” category, and the Help Center app appears there instead of among other top-level categories (me: Nate Graham, Plasma 6.3 and KHelpCenter 24.12. Link 1, link 2, and link 3):

Added a touch-friendly UI for the clipboard widget that appears only when in touch mode (Fushan Wen, Plasma 6.3.0. Link)

Fixed a case where some system components’ default shortcuts all wanted to use Meta+0 and interfered with one another. Now they all use different shortcuts:

• “Zoom to Actual Size” remains Meta+0
• “Manually Invoke Action on Current Clipboard” and “Activate Task Manager Entry 10” no longer have a default shortcut set

(Zhangzhi Hu, Plasma 6.3.0. Link)

WireGuard VPNs are now considered VPNs by the Networks widget, and labeled and grouped accordingly (Ivan Tkachenko, Plasma 6.3.0. Link)

Multi-instance or multi-process Flatpak apps are now grouped together and shown as only one app on System Monitor’s Applications page (Arjen Hiemstra, Plasma 6.3.0. Link):

SDDM themes that are actually just symlinks to other themes are now filtered out of the relevant page in System Settings (Bruno Ivan, Plasma 6.3.0. Link)

Capped the maximum width of the Bluetooth file transfer error dialog so it can’t be ridiculously wide (Zhangzhi Hu, Plasma 6.3.0. Link)

Added Breeze icons for Typst files (MV Puccino, Frameworks 6.8. Link)

A bunch of symbolic Breeze icons that were inappropriately symbolic-but-colorful are now monochrome to better match all the other monochrome symbolic icons (me: Nate Graham, Frameworks 6.8. Link)

Notable Bug Fixes

Fixed a bug that could cause KWin to freeze when plugging in a Valve Index VR headset when there are no other screens enabled (Xaver Hugl, Plasma 6.2.2. Link)

Fixed a case where Plasma could crash when interacting with connected storage devices in certain ways (Fushan Wen, Plasma 6.2.2. Link)

Fixed a bug that would cause the positions of recently-renamed desktop files to not be saved to the config file correctly (Akseli Lahtinen, Plasma 6.2.2. Link). And on this subject, we’re currently deep into the process of fixing a related bug that causes icons to get scrambled when some (but not all) screens are turned off. Not for this week, but maybe next week!

Fixed a set of regressions that caused System Settings’ main window to not remember its size correctly (Akseli Lahtinen, Plasma 6.2.2 with Frameworks 6.8. Link)

Fixed a recent regression that made certain styles of user avatar image not get applied properly on System Settings’ Users page (Harald Sitter, Plasma 6.2.3. Link)

Spectacle no longer fails to save MP4-formatted screen recordings some of the time (Arjen Hiemstra, Plasma 6.2.3. Link)

You can now do a rectangular region screencast on any screen in a multi-screen setup, not just the left-most one (David Redondo, Plasma 6.2.3. Link)

The “Maximum time before updates” setting for grid-style System Monitor widgets now works (Arjen Hiemstra, Plasma 6.2.3. Link)

Worked around a quirk of certain HDR-capable screens screens that caused them to leave HDR move whenever any other display settings were changes (Xaver Hugl, Plasma 6.2.3. Link)

The “Forget all” menu item of Task Manager Task context menus now succeeds at forgetting abstract resources like URLs (Jin Liu, Plasma 6.2.3. Link)

Made it more reliable to save custom names given to audio devices (Harald Sitter, Plasma 6.2.3. Link)

Fixed a case where the ksystemstats background service that provides information to System Monitor and its widgets’ could crash due to a recent change in Qt (Arjen Hiemstra, Plasma 6.3.0. Link)

Fixed a case where Plasma and other KDE apps could crash when ejecting a CD (Nicolas Fella, Frameworks 6.8. Link)

When your user account is slightly misconfigured and does not define a templates directory, the “Create New” menu does no longer weirdly populates itself with the entire contents of your home folder (Benjamin Gonzalez, Frameworks 6.8. Link)

Fixed an issue that could cause the setting to govern notification sound level to not appear as expected (Harald Sitter, Pulseaudio-Qt 1.6.1. Link)

Fixed a bug that could cause the pointer’s target to get sort of stuck after dragging things until after the first click following the completion of the drag. This was commonly seen when re-arranging Task Manager entries: if you failed to click once after dragging an app, the next drag would target the preciously-dragged app instead of the one you wanted (David Edmundson, Qt 6.8.1. Link)

Other bug information of note:

• 5 Very high priority Plasma bug (up from 4 last week). Current list of bugs
• 35 15-minute Plasma bugs (up from 33 last week). Current list of bugs
• 129 KDE bugs of all kinds fixed over the last week. Full list of bugs

Performance & Technical

Improved the reliability of the “remember for next time” feature in the screen recording source chooser window (David Redondo, Plasma 6.3. Link)

Reduces a source of slowness in the Task Manager widget when faced with windows that have hundreds or thousands of characters in their titles (Jin Liu, Plasma 6.2.3. Link)

The Night Light feature now tints the screen in a colorimetrically correct way when not using ICC profiles (Xaver Hugl, Plasma 6.3.0. Link)

It’s now possible to use Plasma scripting to change panels’ opacity levels or what screen they appear on (Heitor Augusto Lopes Nunes and Devin Lin, Plasma 6.3.0. Link 1 and link 2)

How You Can Help

If you’re a developer, keep on working to fix Plasma 6.2 regressions! We’ve got ’em on the run, and this is our chance to finish them off!

Otherwise, visit https://community.kde.org/Get_Involved to discover additional ways to be part of a project that really matters. Each contributor makes a huge difference in KDE; you are not a number or a cog in a machine! You don’t have to already be a programmer, either. I wasn’t when I got started. Try it, you’ll like it! We don’t bite! Or consider donating instead! That helps too.

Let’s go for my web review for the week 2024-43. It’s published later than usual since I’m attending the Ubuntu Summit 2024 and had to travel because of it.

Microsoft maintains its own Windows debloat scripts on GitHub

Tags: tech, microsoft, criticism, funny

This is indeed telling unfortunately. It’s kind of ironic that they felt the need of having their own debloat scripts.

https://www.osnews.com/story/140955/microsoft-maintains-its-own-windows-debloat-scripts-on-github/

This Is Exactly How an Elon Musk-Funded PAC Is Microtargeting Muslims and Jews With Opposing Messages

Tags: tech, democracy, politics

This is just insane, claiming two opposite things to different demographic groups for political gains. And if you try to stop this kind of manipulative stunts they’d probably cry wolf about free speech…

https://www.404media.co/this-is-exactly-how-an-elon-musk-funded-pac-is-microtargeting-muslims-and-jews-with-opposing-messages/

Big Tech has given itself an AI deadline

Tags: tech, ai, machine-learning, gpt, economics, energy, criticism

More signs of the current bubble being about to burst?

https://www.theatlantic.com/newsletters/archive/2024/10/big-tech-has-given-itself-an-ai-deadline/680301/

Google, Microsoft, and Perplexity promote scientific racism in AI search results

Tags: tech, ai, machine-learning, gpt, criticism

This is what you get by making bots spewing text based on statistics without a proper knowledge base behind it.

https://arstechnica.com/ai/2024/10/google-microsoft-and-perplexity-promote-scientific-racism-in-ai-search-results/

The 3 AI Use Cases: Gods, Interns, and Cogs

Tags: tech, ai, gpt, copilot, language

Using the right metaphors will definitely help with the conversation in our industry around AI. This proposal is an interesting one.

https://www.dbreunig.com/2024/10/18/the-3-ai-use-cases-gods-interns-and-cogs.html

You Don’t Need Words to Think

Tags: cognition, neuroscience, language, logic, knowledge, research

Very interesting research. Looks like we’re slowly moving away from the “language and thinking are intertwined” hypothesis. This is probably the last straw for Chomsky’s theory of language. It served us well but neuroscience points that it’s time to leave it behind.

https://www.scientificamerican.com/article/you-dont-need-words-to-think/

Reliable Reasoning Beyond Natural Language

Tags: tech, ai, machine-learning, gpt, logic, research

Now this is an interesting paper. Neurosymbolic approaches are starting to go somewhere now. This is definitely helped by the NLP abilities of LLMs (which should be used only for that). The natural language to Prolog idea makes sense, now it needs to be more reliable. I’d be curious to know how many times the multiple-try path is exercised (the paper doesn’t quite focus on that). More research is required obviously.

https://arxiv.org/abs/2407.11373

Introducing quantized Llama models with increased speed and a reduced memory footprint

Tags: tech, ai, machine-learning, gpt, optimization

More marketing announcement than real research paper. Still it’s nice to see smaller models being optimized to run on mobile devices. This will get interesting when it’s all local first and coupled to symbolic approaches.

https://ai.meta.com/blog/meta-llama-quantized-lightweight-models/

You Should Probably Pay Attention to Tokenizers

Tags: tech, statistics, ai, machine-learning, gpt, language

This is still an important step with LLM. It’s not because the models are huge that tokenizers disappeared or that you don’t need to clean up your data.

https://cybernetist.com/2024/10/21/you-should-probably-pay-attention-to-tokenizers/

Developing a Beautiful and Performant Block Editor in Qt C++ and QML

Tags: tech, markdown, qt, note-taking, tools

Ah! I wish MarkNotes or KleverNotes would work like this. I wish we’d have a reusable component in KDE Frameworks too. This is quite some work of course, too bad this isn’t FOSS.

https://rubymamistvalove.com/block-editor

Bookmark Keywords

Tags: tech, browser, firefox, bookmarks

A very useful but indeed little known feature of Firefox bookmarks.

https://paper.wf/binarycat/bookmark-keywords

The IPv6 Transition

Tags: tech, internet, protocols, ip

Looks like we’re stuck in the middle of the bridge. Also looks like the motivation to finish the transition isn’t high.

https://www.potaroo.net/ispcol/2024-10/ipv6-transition.html

against /tmp

Tags: tech, programming, unix, security

Good reminder that /tmp has many security flaws built in.

https://dotat.at/@/2024-10-22-tmp.html

The Part of PostgreSQL We Hate the Most

Tags: tech, databases, postgresql, design

Since everything has design choices which imply trade offs. Here is the main issue with PostgreSQL right now. Hopefully it’ll get modernized at some point.

https://www.cs.cmu.edu/~pavlo/blog/2023/04/the-part-of-postgresql-we-hate-the-most.html

Sensible SQLite defaults

Tags: tech, backend, databases, sqlite

Another nice list of defaults for SQLite. Some of them I didn’t have on my radar.

https://briandouglas.ie/sqlite-defaults/

Using uv to develop Python command-line applications

Tags: tech, python, developer-experience

uv keeps showing promise to make development easier. It makes everything very much self contained.

https://til.simonwillison.net/python/uv-cli-apps

Use data that looks like data

Tags: tech, programming, debugging

Definitely a sound advice. You don’t want to be confused when debugging something because it looks too much like a variable or a property name.

https://registerspill.thorstenball.com/p/use-data-that-looks-like-data

pytest selection arguments for failing tests

Tags: tech, tests, python

Another example of why pytest is really a nice test runner. I really miss it on projects which don’t have it.

https://mathspp.com/blog/til/pytest-selection-arguments-for-failing-tests

SMURF: Beyond the Test Pyramid

Tags: tech, tests

Indeed a good way to reason about tests and the value they bring.

https://testing.googleblog.com/2024/10/smurf-beyond-test-pyramid.html?m=1

I’ve been writing software for the last 25 years. Here some things I learned so far

Tags: tech, career, engineering, craftsmanship, complexity

Another good set of advices. They’re not all technical which is to be expected.

https://blog.rpanachi.com/after-25-years-writing-software-here-some-things-learned-so-far

Framework overload: when convenience dulls innovation in software development

Tags: tech, framework, complexity, knowledge, learning, debugging, craftsmanship

I very much agree with this. The relationship between developers and their frameworks is rarely healthy. I think the author misses an important advice though: read the code of your frameworks. When stuck invest sometime stepping into the frameworks with the debugger. Developers too often treat those as a black box.

https://prahladyeri.github.io/blog/2024/10/framework-overload.html

Learning to learn

Tags: tech, learning, career

Definitely the most important skill to develop. Especially in our profession.

https://kevin.the.li/posts/learning-to-learn/

How do we evaluate people for their technical leadership?

Tags: tech, management, career, hr

Lots of open questions which are left unanswered. That said it shows how difficult it is to evaluate knowledge workers in general and that we’re often grasping to the wrong metrics.

https://chelseatroy.com/2024/03/29/how-do-we-evaluate-people-for-their-technical-leadership/

Ground Rules of Fairness at Work

Tags: management, transparency, fair

Transparency and fairness are definitely important to keep people motivated across an organization. That doesn’t make it easy to deal with of course, but that’s where managers should focus.

https://read.perspectiveship.com/p/fairness-at-work

Bye for now!

Check out the important work our volunteers accomplished at today's Free Software Directory (FSD) IRC meeting.

Check out the important work our volunteers accomplished at today's Free Software Directory (FSD) IRC meeting.

This week, we realized that there are a few things we need to do to button-down our use of colors in a way that makes sense, not just for designers but also for developers.

As we find inspiration on what others are doing, we will make a couple of changes in the design system when it comes to colors.

1. Select UI colors using HCT color methodology.
2. Adopt a similar variable/token naming strategy as Material Design

HCT (hue, chroma, tone) Method

As suggested by team members, the HCT color selection methodology has a few advantages:

1. Accessibility
   • Standard calculation method for color selection rather than by doing manual contrast calculations. This allows for all selected colors to be separated and distinct-enough from each other that users can see color differences in their applications.
2. Perceptual accuracy
   • HCT allows for seeing colors more accurately at a perceptual level.
3. Consistent lightness and colorfulness
   • Consistent lightness and colorfulness across hues. 
4. Precise color and tonal accuracy
   • More precise color and tonal accuracy, especially in dark shadows and richly-saturated colors. 
5. Higher dynamic range and wider color gamut
   • Provides a wider color gamut and higher dynamic range than typical camera targets.

In our team, we have 3 people currently working on this. Not only are we selecting colors, but also creating a color-use system that all users can understand.

Building logic use into the colors allows for less dependence on people but something we can document and anyone looking at it would be able to understand regardless of their specialty.

Tokens

A few of the questions we had as a team while producing the design system were, how can we make it so that developers and designers understand all the pieces used in the design system, but at a development level?

One of the things that applications such as Figma and PenPot allow is for designers to define the names of each of the elements used in a design. We create variables names for stuff like fonts and colors. However, while that’s helpful, we also have to have logic behind the naming so that our developer friends are not confused by the use of variable names in the design system.

For this purpose, design system creators often use a token system that ensures naming between the design system and development is consistent, predictable, and useful.

Material design has a robust naming idea around tokens. It works a little like this:

The types of tokens are:

1. Reference tokens
   All available tokens with associated values
   
2. System tokens
   Decisions and roles that give the design system its character, from color and typography, to elevation and shape
   
3. Component tokens
   The design attributes assigned to elements in a component, such as the color of a button icon

https://m3.material.io/foundations/design-tokens/how-to-read-tokens: Design System – Colors, Variables and Tokens!

We consulted with the team members and it seems like a good strategy. Right now, we don’t have any of the reference or system tokens but we use component tokens in some capacities. The idea is to create and organize the naming conventions around the token ideas from Material. We may still decide to change some of the naming conventions but keep the general idea.

Note that we don’t have the intention of replacing current tokens. The process would be to add new ones that developers would begin using over time while keeping the ones we already have.

What this means for us in the design system, is that we will change our design variables to reflect this organization and when communicating the changes to the dev team, we will provide tables showing all the variables/tokens used. It will also contain which elements of the design system are included in a reference, system, or component token.

If you would like to participate of this effort, you’re welcome to join us here:

https://matrix.to/#/#plasma-next:kde.org

Our channel is dedicated to working on the design system. For general Visual Design questions, you can access our team here:
https://matrix.to/#/#visualdesigngroup:kde.org

Keeping up with Drupal’s Evolving Plugin API: Updating Tutorials for PHP Attributes

At Drupalize.Me, one of our goals is to provide learners with up-to-date resources that align with the latest best practices. To that end, I recently worked to update our tutorials to reflect the transition from PHP annotations to PHP attributes for plugin discovery. I blogged previously about why this transition is happening.

As Drupalize.Me’s tutorial library continues to grow, these kinds of changes touch ever larger numbers of existing tutorials. Plugins is an interesting one because we have tutorials that teach the inner workings of the Plugin API. And, we have tutorials about things like blocks, field types, and views plugins, that while not specifically about the Plugin API, make use of it. This ended up being one the most significant updates we’ve made since the release of Drupal 8.

In short, the updates are necessary because Drupal is transitioning from annotations to native PHP attributes. And while annotations will continue to work for the foreseeable future, we wanted to make sure that the code examples, and recommendations, you find on our site are aligned with that code you’ll see in the latest versions of Drupal core.

joe Fri, 10/25/2024 - 11:00

Whilst researching what synth to buy, I learned of the Behringer1 Model-D2: a 2018 clone of the 1970 Moog Minimoog, in a desktop form factor.

Behringer Model-D

In common with the original Minimoog, it's a monophonic analogue synth, featuring three audible oscillators3 , Moog's famous 12-ladder filter and a basic envelope generator. The model-d has lost the keyboard from the original and added some patch points for the different stages, enabling some slight re-routing of the audio components.

1970 Moog Minimoog

Since I was focussing on more fundamental, back-to-basics instruments, this was very appealing to me. I'm very curious to find out what's so compelling about the famous Moog sound. The relative lack of features feels like an advantage: less to master. The additional patch points makes it a little more flexible and offer a potential gateway into the world of modular synthesis. The Model-D is also very affordable: about £ 200 GBP. I'll never own a real Moog.

For this to work, I would need to supplement it with some other equipment. I'd need a keyboard (or press the Micron into service as a controller); I would want some way of recording and overdubbing (same as with any synth). There are no post-mix effects on the Model-D, such as delay, reverb or chorus, so I may also want something to add those.

What stopped me was partly the realisation that there was little chance that a perennial beginner, such as I, could eek anything novel out of a synthesiser design that's 54 years old. Perhaps that shouldn't matter, but it gave me pause. Whilst the Model-D has patch points, I don't have anything to connect to them, and I'm firmly wanting to avoid the Modular Synthesis money pit. The lack of effects, and polyphony could make it hard to live-sculpt a tone.

I started characterizing the Model-D as the "heart" choice, but it seemed wise to instead go for a "head" choice.

Maybe another day!

1. There's a whole other blog post of material I could write about Behringer and their clones of classic synths, some long out of production, and others, not so much. But, I decided to skip on that for now.↩
2. taken from the fact that the Minimoog was a productised version of Moog's fourth internal prototype, the model D.↩
3. 2 oscillators is more common in modern synths↩

Package Manager API module was just added as an alpha experimental module to Drupal 11's development code. It will be in a release when it reaches beta. Package Manager provides APIs on top of Composer and is used by Project Browser and Automatic Updates. https://www.drupal.org/project/drupal/issues/3346707

In this quiz, you’ll test your understanding of how to reset a pandas DataFrame index.

By working through the questions, you’ll review your knowledge of indexing and also expand on what you learned in the tutorial.

You’ll need to do some research outside of the tutorial to answer all the questions. Embrace this challenge and let it take you on a learning journey.

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

What changes are happening under the hood in the latest versions of Python? How are these updates laying the groundwork for a faster Python in the coming years? Christopher Trudeau is back on the show this week, bringing another batch of PyCoder's Weekly articles and projects.

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

Learn how to turn Drupal into a scalable publishing platform that developers, marketers & editors love while meeting your regulatory & compliance requirements.

The diffoscope maintainers are pleased to announce the release of diffoscope version 282. This version includes the following changes:

[ Chris Lamb ] * Ignore errors when listing .ar archives. (Closes: #1085257) * Update copyright years.

You find out more by visiting the project homepage.

After reading about Jonathan McDowell feed reader install and the back to blogging initiative, I decided to install a feed reader to follow all those nice blog posts. With a feed reader you can compose your own feed of news based on blog posts, websites, mastodon toots. And then you are independant from ad oriented ranking algorithms of social networks.

Since Jonathan used FreshRSS as a feed reader, I started with the same software. On a quick glance on its github page, it sounded like a good project:

• active contributions
• different channels for stable and latest version of the software
• container images pointing to the stable release
• support multiple databases for storage, including PostgreSQL
• correct documentation mentioning security caveats

I prefer to do the container image installation using podman since:

• upgrades from FreshRSS are easy to do and can be done separately from operating system upgrades
• I do not mess my based operating system with php (subjective) and in case of a compromized freshrss, the freshrss/apache install would be still restrained to its own Linux namespaces, separated from the rest of the system.

Podman is image compatible with Docker as they both implement the OCI runtime specification, and have a nearly identical command line interface. This installation will be done on a Debian server, but should work too on any Linux distribution.

Initial setup

• start a container image based on the start command provided by the FreshRSS project. The podman command line is nearly identical to the docker command line, excepts that podman expects the fully qualified domain name associated with the container image, and I chose to run the freshrss container on the localhost interface only. I also use a defined version tag, because using the latest tag makes it complicated to track which exact ersion I have installed.

# podman pull docker.io/freshrss/freshrss:1.20.1 # podman run --detach --restart unless-stopped --log-opt max-size=10m \ --publish 127.0.0.1:8081:80 \ --env TZ=Europe/Paris \ --env 'CRON_MIN=1,31' \ --volume freshrss_data:/var/www/FreshRSS/data \ --volume freshrss_extensions:/var/www/FreshRSS/extensions \ --name freshrss \ docker.io/freshrss/freshrss:1.20.1

• verify where the podman volumes have been created. This is where the user data of freshrss will be stored.

# podman volume ls # podman volume inspect freshrss_data

• now that freshrss is installed, you can start its configuration wizard at localhost:8081. You should keep the default sqlite choice
• finally after running the wizard, you can login again and add some feeds
• verify that your config has been stored outside the container, and inside the volume (so that it will not be erased in case of upgrages)

# ls -l /var/lib/containers/storage/volumes/freshrss_data/_data/users/

• verify the state of sqlite database

echo '.tables'| sqlite3 /var/lib/containers/storage/volumes/freshrss_data/_data/users/<your freshrss user>/db.sqlite category entry entrytag entrytmp feed tag Going with FreshRSS in Production

Podman has this very nice feature that it can generate a systemd unit from a running container, and use systemd to start a container on boot. This is in contrary to docker where the docker daemon does the stop/start of containers on boot. I prefer the systemd approach as it treats containers the same way as other system services.

Once the freshrss container is running we can generate a systemd unit of it with:

# podman generate systemd --new --name freshrss | tee /etc/systemd/system/container-freshrss.service

Let’s stop the container we started previously, and use systemd to manage it:

# podman stop freshrss # systemctl enable --now container-freshrss.service

We can verify that we have a listening socket on the localhost interface, on the source port 8081

# systemctl status container-freshrss.service ... # ss --listening --numeric --process '( sport = 8081 )' Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process tcp LISTEN 0 4096 127.0.0.1:8081 0.0.0.0:* users:(("conmon",pid=4464,fd=5))

Nota Bene: conmon (8) is the process managing the network namespace in which fresh-rss is running, hence it is displayed as the process owning the listening socket

Exposing FreshRSS to the external world

We have now a running service, but we need to make it reachable from the internet. The simplest, classical way, is to create a subdomain and a VirtualHost configured as a reverse proxy to access the service at 127.0.0.1:8081. Fortunately the FreshRSS authors have documented this setup in https://github.com/FreshRSS/FreshRSS/tree/edge/Docker#alternative-reverse-proxy-using-apache and those steps are no different from a standard application behind a web reverse proxy.

Upgrading freshrss container to a newer version

A documentation showing how to install a piece of software is nothing when it does not show how to upgrade that said software. Installing is easy, upgrading is where the challenge is. Fortunately to the good stateless design of freshrss (everything is in the sqlite database, which is backed by a non-epheremal volume in our setup), switchting versions is a peace of cake.

# podman pull docker.io/freshrss/freshrss:1.20.2 # systemctl stop container-freshrss.service # sed -i 's,docker.io/freshrss/freshrss:1.20.1,docker.io/freshrss/freshrss:1.20.2,' /etc/systemd/system/container-freshrss.service # systemctl daemon-reload # systemctl start container-freshrss.service

If you need to rollback, you just need to revert version numbers in the instruction above.

Enjoy your own reader feed !

I will add the following feeds of blogs I like, let us see if I follow them better with a feed reader !

An effective Request for Proposals (RFP) or Call for Proposals (CFP) not only outlines the goals and expectations of your project but also defines the framework within which potential vendors must operate. It goes beyond simply finding the right vendor to build your website or deliver a content management system (CMS) tailored to your needs—it's an opportunity to establish a partnership, support open source software, and contribute to a vibrant community ecosystem.

For many organizations, choosing open source software isn’t just a preference—it’s a strategic imperative. The advantages of free and open source software (FOSS) include cost savings, solutions tailored precisely to your organization’s needs, and robust security, strengthened by a vigilant community.

In this blog post, we’ll guide you through crafting an RFP that prioritizes open source solutions while tapping into the expertise of Drupal Certified Partners. We also offer a free, downloadable RFP template to help streamline the process, ensuring your project specifications attract top-tier vendors dedicated to innovation and contributing to the Drupal community.

The advantages of open source software

• Cost savings: Open source eliminates hefty licensing fees, allowing organizations to allocate resources more efficiently. While there may be costs associated with customization and maintenance, the overall financial burden is often significantly lower.
• Flexibility and extensibility: Open source platforms can be tailored to meet specific organizational needs. With access to the source code, developers can modify and extend functionalities without waiting for vendor updates or feature requests.
• Enhanced security: Open source communities actively monitor and address security vulnerabilities. The collaborative nature ensures that security patches and updates are promptly developed and deployed. 
• Alignment with organizational values: Open source promotes transparency, collaboration, and community-driven development. Organizations that prioritize these values find open source solutions to be a natural fit.
• Case study: Swiss Government's open source mandate

A notable example of strategic open source adoption is the Swiss government's recent decision to prioritize open source solutions in public sector projects. This mandate not only underscores the benefits of open source but also sets a precedent for other governmental bodies. By embracing open source, the Swiss government aims to enhance transparency, reduce costs, and foster innovation within its digital infrastructure.

Finding the ideal service provider

Finding the right service provider that aligns with your vision is crucial to the success of your project. The right partner not only brings the necessary technical expertise but also understands your long-term goals, ensures smooth collaboration, and shares your commitment to quality and innovation. A well-aligned service provider becomes a trusted partner, invested in both your immediate needs and your future growth.

Here's why partnering with Drupal Certified Partners makes a significant difference:

• Rigorous certification process: The Drupal Association evaluates potential partners based on their contributions to Drupal core, contributed modules, and themes. This ensures that only the most dedicated and skilled agencies receive certification.
• Proven track record: Certified Partners have a history of successful Drupal implementations, showcasing their ability to handle complex projects with efficiency and expertise.
• Commitment to the community: These partners actively contribute to the Drupal project through code contributions, module development, and participation and sponsorship in Drupal events and initiatives.
• Verifiable capabilities: The Drupal Association provides verified letters of recommendation for Certified Partners to include in RFP responses, giving procurement teams trusted verification of their skills and commitment to the Drupal ecosystem.

Certified partners are contributing experts

When drafting your Request for Proposals (RFP) or tender, specifying a preference for officially certified implementation partners — such as Drupal Certified Partners — can dramatically elevate the quality of vendor responses. Drupal Certified Partners are distinguished not only by their expertise in deploying Drupal solutions but also by their active contributions to the Drupal project itself. This dual commitment ensures that these partners are intimately familiar with the latest developments in Drupal, enabling them to deliver solutions that are both innovative and sustainable. Moreover, by requiring a Drupal Certified Partner, organizations directly support vendor involvement with the open source community, fostering a collaborative ecosystem that drives continuous improvement and long-term success.

The flywheel effect: How partner contributions benefit everyone

Choosing a Drupal Certified Partner also supports the broader Drupal project by empowering top contributors to maintain and enhance the platform that underpins your organization's digital presence. These partners often invest more resources into contributing to Drupal core, contributed modules, and themes than they do into traditional marketing efforts. This investment creates a "flywheel" effect: as partners develop new features or improvements to meet your specific needs, these enhancements are reintegrated into the Drupal community, benefiting all users and ensuring the platform remains cutting-edge and secure. You benefit as well, though, as the community jumps on board to test, extend, maintain, and update the code that you (through your partner) contributed. This makes your code better in the long run at no additional cost to you.

About the Drupal Certified Partner program

The Drupal Association, a nonprofit organization dedicated to promoting and sustaining the Drupal project, plays a crucial role in identifying and certifying these top-tier partners. Through evaluation of their contributions to Drupal core, contributed modules, and themes, the Drupal Association designates certain agencies as Drupal Certified Partners. This certification not only recognizes their technical prowess and commitment to the Drupal ecosystem but also provides procurers with verified attestations of their capabilities, simplifying the vendor selection process.

Testimonials and success stories

Organizations that have partnered with Drupal Certified Partners consistently report higher satisfaction levels, smoother project executions, and more robust and scalable solutions. These partners bring not only technical expertise but also a collaborative spirit that aligns with the open source philosophy, ensuring that projects are both innovative and sustainable.

Crafting your RFP for success

An effective RFP not only clearly defines your requirements and expectations, it also sets the boundaries within which potential vendors must operate. For example, specifying the need for mobile-responsive design ensures all proposals meet modern accessibility standards, while outlining strict data security requirements guarantees vendors prioritize protecting sensitive information. Additionally, specifying a preference for open source software like Drupal can impact your project's flexibility, cost, and alignment with organizational values.

Here's how to structure your RFP to prioritize open source solutions and Drupal Certified Partners:

1. Define project goals and objectives

   • Clearly outline what you aim to achieve with your website redesign or CMS selection.

   • Include specific functionalities, design preferences, and performance metrics.

2. Specify open source requirements

   • Highlight the importance of using open source software.

   • Explain how open source aligns with your organization’s values and strategy.

3. Mandate Drupal Certified Partner certification

   • State that only proposals from Drupal Certified Partners will be considered.

   • Provide information about the certification and its significance.

4. Outline evaluation criteria

   • Detail how proposals will be assessed, focusing on contributions to Drupal.

   • Include criteria such as technical expertise, project management skills, and community involvement.

5. Provide a clear timeline and budget

   • Offer realistic deadlines and budget ranges.

   • Allow flexibility for high-quality vendors to propose innovative solutions.

6. Include legal and compliance requirements

   • Address legal considerations such as data protection and accessibility standards.

7. Offer resources and support

   • Provide access to your organization’s content, branding guidelines, and technical documentation.

   • Encourage collaboration and ongoing communication.

Jumpstart your RFP with a ready-made template

The Drupal Association is proud to offer a downloadable RFP template tailored for open source website design and CMS selection projects. This template includes all the essential sections outlined above, along with customizable fields to suit your organization's unique needs. The template is also applicable to Request for Quotation (RFQ), Invitation to Bid (ITB), Request for Information (RFI), and Request for Tender (RFT) procurement processes. 

Download the open source RFP template

Many thanks to Vardot, a Drupal Certified Partner, for providing the inspiration for this post and the initial version of the template!

Strategies for evaluating vendor proposals

Evaluating vendor proposals can be daunting, especially when faced with lengthy submissions or a high volume of responses. A common approach is to use a weighted scoring system to compare proposals based on key criteria while ensuring your priorities and values are accounted for. Keep in mind that the best fit may not meet every criterion perfectly, but a vendor who aligns with your organization’s values and fully understands your vision can offer the greatest long-term success. 

Use these strategies to ensure a thorough assessment:

• Alignment with goals: Make sure the proposal clearly aligns with your project’s goals and objectives.
• Technical expertise: Assess the vendor's technical capabilities and experience with Drupal. Have they successfully delivered projects for clients similar to yours in size and industry? Looks for published case studies to verify their claims.
• Community contributions: Check the vendor's contributions to the Drupal project. Their involvement can demonstrate both commitment and expertise. From the vendor's page on Drupal.org, you can see if they have contributed to or maintained modules that may be essential to your project.
• References and case studies: Review client testimonials and case studies to gauge the vendor's reliability and quality of work. Drupal.org publishes case studies for Drupal Certified Partners to showcase their success stories.
• Long-term support: elect vendors who offer ongoing support and maintenance to keep your website secure, up-to-date, and adaptable to future needs.

Get the results you want with a targeted RFP

A well-crafted RFP is the foundation of a successful website redesign or CMS selection project. By prioritizing open source solutions and requiring Drupal Certified Partner certification, you ensure that your project is handled by capable vendors committed to both your success and the open source community. This approach not only enhances the quality and sustainability of your project but also supports the broader Drupal community, fostering an environment of continuous improvement and innovation.

Ready to create an effective RFP that attracts top-tier Drupal Certified Partners? Download our comprehensive RFP template today and take the first step towards a successful, sustainable, and community-driven project.

Start your project with confidence with this RFP Template!

As I said on linked in, this week my brain was fried and also buzzing while working on getting a beta release of the LocalGov Live Preview module.