Feeds

Chat Changes, Editor Enhancements and Audio Advancements

Welcome to a new issue of "This Week in KDE Apps"! Every week we cover as much as possible of what's happening in the world of KDE apps.

This week's changes and improvements cover a wide range of applications, from audio apps (including the classic Amarok, which is making a comeback) to Kate getting improvements to its integrated Git features.

In between, you have everything from new functionalities for note-taking utilities and media players, to upgrades in financial software and mobile apps.

Let's dig in!

Amarok A powerful music player that lets you rediscover your music

Tuomas Nurmi worked on making the codebase Qt6-compatible. (Tuomas Nurmi, Link)

Ark Archiving Tool

Jin Liu disabled the "Compress to tar.gz/zip" service menu items in read-only directories. (Jin Liu, 24.12.0. Link)

Dolphin Manage your files

You can now sort your videos by duration. (Somsubhra Bairi, 24.12.0. Link)

Eren Karakas added more standard actions (Sort By, View Mode, Cut and Copy) to the context menu in the trash view. (Eren Karakas, 24.12.0. Link)

Elisa Play music and listen to online radio stations

Elisa now supports loading lyrics from .lrc files sitting alongside the song files. (Gary Wang, 24.12.0. Link)

Manuel Roth fixed the bug in which the metadata for webradio http streams was not getting displayed. (Manuel Roth, 24.12.0. Link)

Haruna Media player

You now have the option to open videos in full screen mode. (Rikesh Patel, Link)

KDE Itinerary Digital travel assistant

Volker Krause was at the OSM Hack Weekend last week and worked on the support of MOTIS v2 API support in the public transport client library used by KDE Itinerary. He also added a map view of an entire trip to Itinerary and the KPublicTransport demo application.

Read more on his blog!

Kate Advanced Text Editor

In large repos, a git status update can be slow. The least we can do for the user is show that something is happening. Hence, now, if the git status is being refreshed you will see the refresh button become unclickable and start spinning. (Waqar Ahmed, 24.12.0. Link)

In the project tree view, files will now show their status in git. The status is shown minimally, i.e. via a small circle displayed in front of the file name. If the file has been modified, the circle is red; if the file is staged, it's green. (Waqar Ahmed, 24.12.0. Link)

We simplified the git panel by hiding the project combobox. The git panel will now show the status of the currently opened project. (Waqar Ahmed, 24.12.0. Link)

We fixed the SQL plugin's SQL export being randomly ordered. (Waqar Ahmed, 24.08.3. Link)

Clock Keep time and set alarms

KClock's timer now shows the remaining time instead of the elapsed time. (Zhangzhi Hu, 24.12.0. Link)

KMix Sound Mixer

We fixed the Audio Setup button, which didn't open the System Settings Audio page correctly. (Sergio Basto, 24.12.0. Link)

KMyMoney Personal finance manager based on double-entry bookkeeping

It's once again possible to download stock quotes from yahoo.com after they changed their output format. (Ralf Habacker, Link)

Reports can now be exported as PDF and XML. (Ralf Habacker, KMyMoney 5.2.0. Link 1, link 2)

Photos Image Gallery

We improved the design of the properties panel. (Carl Schwan, 24.12.0. Link)

Kleopatra Certificate manager and cryptography app

The name of the "KWatchGnuPG" utility provided by Kleopatra has been updated to "GnuPG Log Viewer" (Carl Schwan, 24.12.0. Link) and we gave it a new logo.

KleverNotes Take and manage your notes

KleverNotes' painting mode has been completely rewritten. It is now possible to add circles, rectangles, labels, and to choose the stroke size. The UI also uses a new floating toolbar. (Louis Schul, 1.2.0. Link)

We improved the animation when switching pages. (Luis Schul, 1.2.0. Link)

The note preview in the appearance settings was simplified to only show the important parts. (Luis Schul, 1.2.0. Link)

KMail A feature-rich email application

Fix a crash in the Exchange Web Services (EWS) backend. (Louis Moureaux, 24.08.3. Link)

KRDC Connect with RDP or VNC to another computer

We fixed sharing folders. (Fabio Bas, 24.08.3. Link)

Merkuro Calendar Manage your tasks and events with speed and ease

Claudio Cambra fixed adding and creating sub-todos (Claudio Cambra, 24.08.3. Link and Link)) and a bug that made clicking on the month view unreliable. (Claudio Cambra, 24.08.3, Link).

We also added back the maps showing the location of individual events. This was disabled during the Qt6 migration and never enabled back afterwards. (Claudio Cambra, 24.08.3, Link)

NeoChat Chat on Matrix

Support for libQuotient 0.9 has been backported to NeoChat 24.08. This brings, among other things, cross-signing support and support for the Matrix 1.12 API, including most importantly content repo functionality switching to authenticated media. (James Graham, 24.08.0, Link)

Okular View and annotate documents

Albert Astals fixed switching between pages in the single-page mode when using a mouse with a "high resolution" scroll wheel. (Albert Astals Cid, 24.12.0. Link)

You can now use any image type as a signature background. (Sune Vuorela, 24.12.0. Link)

We removed the last CHM support mention in Okular and on the website. CHM support was dropped when transitioning to the Qt6 version. (Albert Astals Cid, 24.12.0. Link 1, link 2)

Zanshin To Do Management Application

Fixed an issue where projects would be displayed twice when toggling on and off their data source. (David Faure, 24.08.3. Link)

And all this too...

Justin Zobel fixed various appstream files to use the new way of declaring the developer's name. (Justin Zobel, KRuler, Gwenview, KEuroCalc, ...)

We ported various projects to use declarative QML declaration for better maintainance and performance (Carl Schwan, Koko, Francis, Kalk).

... And Everything Else

This blog only covers the tip of the iceberg! If you’re hungry for more, check out Nate's blog about Plasma and be sure not to miss his This Week in Plasma series, where every Saturday he covers all the work being put into KDE's Plasma desktop environment.

For a complete overview of what's going on, visit KDE's Planet, where you can find all KDE news unfiltered directly from our contributors.

Get Involved

The KDE organization has become important in the world, and your time and contributions have helped us get there. As we grow, we're going to need your support for KDE to become sustainable.

You can help KDE by becoming an active community member and getting involved. Each contributor makes a huge difference in KDE — you are not a number or a cog in a machine! You don’t have to be a programmer either. There are many things you can do: you can help hunt and confirm bugs, even maybe solve them; contribute designs for wallpapers, web pages, icons and app interfaces; translate messages and menu items into your own language; promote KDE in your local community; and a ton more things.

You can also help us by donating. Any monetary contribution, however small, will help us cover operational costs, salaries, travel expenses for contributors and in general just keep KDE bringing Free Software to the world.

To get your application mentioned here, please ping us in invent or in Matrix.

Are you near London and want to learn about automated testing in Drupal?

I'll be presenting a session and Q&A on automated testing and test-driven development in Drupal.

This is one of my favourite topics to present and teach, so I'm looking forward to this event.

If you want to attend, RSVP on the meetup event page.

If you can't, check out my free Drupal testing email course or book a 1-on-1 consulting call and I'll get you started.

Drupal 11.1.0 and 10.4.0 release dates

Drupal core typically has a minor release window the second week of December. This is to provide enough time after PHP and Symfony's release dates for core compatibility to be updated, but still far enough before the major end-of-year holidays to avoid interfering with vacations and travel.

This year, DrupalCon Singapore is scheduled for the same week as the minor release. Normally, we would avoid having a minor release the same week as a DrupalCon, but in this case we are unable to move the release date. We will aim to release 11.1.0 and 10.4.0 later in the week to avoid having the release during the actual days of the conference. The release window is now December 12-13 UTC.

Drupal 11.0 and 10.3 will continue to have security coverage until June 2025. So, it is safe for site owners to wait until January 2025 or later, if necessary, to update their sites.

Drupal 11.1 alpha phase begins October 28

In preparation for the minor release, Drupal 11.1.x will enter the alpha phase the week of October 28, 2024. Core developers should plan to complete changes that are only allowed in minor releases prior to the alpha release. The 11.1.0-alpha1 deadline for most core patches is October 28, 2024.

The 10.5.x release branch of core will be created for the next maintenance minor release.

• Developers and site owners can begin testing the alpha after its release.

• The 11.1.x release branch of core will be created before the alpha is tagged. Future feature and API additions will continue to be targeted against 11.x.

• After 11.1.x is branched but before 11.1.0-alpha1 is tagged, alpha experimental modules will be removed from the 11.1.x codebase. Their development will continue in 11.x only.

• Following the release of Drupal 11.1 and 10.4, only security issues will be fixed in Drupal 11.0 and 10.3. Additionally, Drupal 10.2 will become end-of-life (EOL).

• During the alpha phase, core issues will be committed according to the following policy:

  1. Most issues that are allowed for patch releases will be committed to 11.1.x and 10.4.x. Such issues may also be committed to 11.0.x and 10.3.x until the final normal bugfix releases of 11.0 and 10.3 on December 4, 2024.
  2. Most issues that are only allowed in minor releases will be committed to 11.x only. (Such issues may be released in 11.2 or another future minor.). A few strategic issues may be backported to 11.1.x, but only at committer discretion after the issue is fixed in 11.x (so leave them set to 11.x unless you are a committer), and only up until the beta deadline.
  3. Most issues that are allowed in maintenance minor releases will be committed to 11.x and 10.5.x only. A few strategic issues may be backported to 11.1.x and 10.4.x, but only at committer discretion after the issue is fixed in 11.x (so leave them set to 11.x unless you are a committer), and only up until the beta deadline.

Roughly two weeks after the alpha release, the first beta release will be created. All the restrictions of the alpha release apply to beta releases as well. The release of the first beta is a firm deadline for all feature and API additions. Even if an issue is pending in the Reviewed & Tested by the Community (RTBC) queue when the commit freeze for the beta begins, it will be committed to the next minor release only.

The release candidate phase will begin the week of November 25.

Security support of Drupal 10 and 11 Drupal 10.2.x Security releases will be provided until December 12, 2024. Drupal 10.3.x and 11.0.x Security releases will be provided until June 18, 2025.

See the Drupal core release process overview, the Drupal core release schedule, allowed changes during the Drupal 10 and 11 release cycles, and Drupal 10 and 11 backwards compatibility and internal API policy for more information.

Again this year, Arm offered to host us for a mini-debconf in Cambridge. Roughly 60 people turned up on 10-13 October to the Arm campus, where they made us really welcome. They even had some Debian-themed treats made to spoil us!

Hacking together

For the first two days, we had a "mini-debcamp" with disparate group of people working on all sorts of things: Arm support, live images, browser stuff, package uploads, etc. And (as is traditional) lots of people doing last-minute work to prepare slides for their talks.

Sessions and talks

Saturday and Sunday were two days devoted to more traditional conference sessions. Our talks covered a typical range of Debian subjects: a DPL "Bits" talk, an update from the Release Team, live images. We also had some wider topics: handling your own data, what to look for in the upcoming Post-Quantum Crypto world, and even me talking about the ups and downs of Secure Boot. Plus a random set of lightning talks too! :-)

Video team awesomeness

Lots of volunteers from the DebConf video team were on hand too (both on-site and remotely!), so our talks were both streamed live and recorded for posterity - see the links from the individual talk pages in the wiki, or http://meetings-archive.debian.net/pub/debian-meetings/2024/MiniDebConf-Cambridge/ for the full set if you'd like to see more.

A great time for all

Again, the mini-conf went well and feedback from attendees was very positive. Thanks to all our helpers, and of course to our sponsor: Arm for providing the venue and infrastructure for the event, and all the food and drink too!

Photo credits: Andy Simpkins, Mark Brown, Jonathan Wiltshire. Thanks!

Read more

At Drupalcamp Spain I had this moment of inspiration where I saw a further comparison between Drupal and the USS Enterprise from Star Trek.

Enjoy this creative exercise :)

 

Drupal and the USS enterprisedrupalSaturday, October 26, 2024 - 20:42

In one way or another, I have developed, configured, and worked with Drupal for over 15 years. On almost every website I’ve had the privilege of working on, there have been various forms of forms—comment fields, contact forms, membership requests, and so on. And something that’s always been present is spam.

Regardless of the size of the site, bots eventually find the forms. I’ve moved from module to module trying to prevent forms from being overtaken by bots and their often offensive content, which 99.9% of the time includes a link to some obscure website, often on the darker parts of the web. But where there are spam bots, there are also services and modules to stop them. Over the years, I’ve moved from module to module as bots have become smarter and some modules have become outdated technologically.

About six months ago, I revamped my own site, AdamEvertsson.se, and just recently realized that I’d forgotten to add a spam prevention module. How did I notice? I happened to see that I had over 3,500 comments spread across a very small number of posts—all 100% spam.

I quickly activated one of the classic modules I’ve used, but the spam posts continued to pour in by the dozens every day. Even though I have some go-to modules, I thought it might be interesting to see what’s new among spam prevention modules since it had been a while since I updated myself on the state of Drupal spam-blocking modules.

I quickly found the Antibot module, a new discovery for me, and within just a couple of days of testing, it proved to be 100% effective against spam. Since it worked so incredibly well, I stopped searching. I haven’t received a single spam post since activating it earlier this week, and I now have a new favorite to add to my collection of modules when building Drupal sites.

Here are the modules I currently consider relevant for blocking spam posts:

Antibot

As mentioned, this is now my go-to for spam-fighting and will be my standard module for spam management for a good while—until it loses effectiveness and another module steps up.

Visit the module’s project page on drupal.org.

Honeypot

A classic module that monitors how quickly a form is filled in, with some other functions as well. It’s been a favorite for many years and keeps pace with Drupal’s development. I highly recommend it and still use it on my sites that run on Drupal 7, for instance.

Visit the module’s project page on drupal.org.

Google reCAPTCHA

The classic box with prompts like "select all boxes with a moped" or "choose the images showing a bridge" is something we’ve all seen. It’s one of the internet’s most effective and widely used systems for ensuring “I am not a robot.” In Drupal alone, there are over 168,000 registered sites using this module and the reCAPTCHA system.

Visit the module’s project page on drupal.org.

Anti-Spam by CleanTalk

This is a new module I came across during my search but didn’t get around to testing since I found Antibot, which worked well. It has a bit more modest stats in terms of usage, with just over 3,000 sites using it, but it’s maintained and appears reliable.

Visit the module’s project page on drupal.org.

SpamSpan

While it doesn’t block spam directly, it prevents email addresses displayed on the site from being picked up by bots. It can and should be combined with one of the modules above.

Visit the module’s project page on drupal.org

Last weekend I attended the bi-annual OSM Hack Weekend in Karlsruhe again, organized by Geofabrik and this time hosted at a nearby university building due to the large number of participants.

Transitous

My main focus has been getting the public transport client library used by KDE Itinerary ready for MOTIS v2, as Transitous, our community-run public transport routing service, will switch to that in the not too distant future.

One big new feature in MOTIS v2 is support for GTFS shapes. That is, getting detailed paths for public transport sections, beyond just positions of intermediate stops, which allows for a much more useful map display for example.

Even more importantly, MOTIS now also provides detailed multi-floor paths for transfers or other parts of a trip where you have to move yourself (walking, biking, etc). This is all based on OSM data and thus matches perfectly to the map data, but since practically no other backend provides this level of detail it also required a few changes in our data model and API.

Besides the new MOTIS API being much more intuitive than the previous one having had Felix from the MOTIS team around (even if just online) who instantly implemented all suggested improvements in the server made this super productive.

If your region isn’t covered by Transitous yet, check out the contributor documentation on how to change that.

Itinerary

For debugging parsing of paths provided by MOTIS I added a map view to the KPublicTransport demo app. That ended up getting close to what we’d need for a map view of an entire trip in Itinerary, so we also have that now. It’s not where I’d like it yet e.g. regarding interactivity and the look of bi-directional paths it’s a good start.

Trip map view prototype in Itinerary.

A full trip map view was also one of the feature requests I got from other participants. Another suggestions that came up and that meanwhile has been implemented is pre-filling the stop location history with all locations involved in the current trip, which is quite helpful during trip planning.

Indoor Routing

Following a discussion on detailed mapping of hedges in outdoor mazes I learned there’s an OSM wiki page on that subject, which also lists a bunch of examples.

While I don’t really have any particular interest in outdoor mazes and/or fancy hedge art, these things just ask for being used as a test case for our indoor router.

Indoor router finding a way through a maze made out of hedges. You can help!

Hack weekends how this is called in the OSM community or sprints as this is known in the KDE community are immensely valuable and productive. There’s a great deal of knowledge transfer happening, and they are a big motivational boost.

However, physical meetings incur costs, and that’s where your donations help! KDE e.V. and local OSM chapters like the FOSSGIS e.V. support these activities.

The Announcement

Late last month there was an announcement of a “severity 9.9 vulnerability” allowing remote code execution that affects “all GNU/Linux systems (plus others)” [1]. For something to affect all Linux systems that would have to be either a kernel issue or a sshd issue. The announcement included complaints about the lack of response of vendors and “And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix”.

He seems to have a different experience to me of reporting bugs, I have had plenty of success getting bugs fixed without hyping them. I just report the bug, wait a while, and it gets fixed. I have reported potential security bugs without even bothering to try and prove that they were exploitable (any situation where you can make a program crash is potentially exploitable), I just report it and it gets fixed. I was very dubious about his ability to determine how serious a bug is and to accurately report it so this wasn’t a situation where I was waiting for it to be disclosed to discover if it affected me. I was quite confident that my systems wouldn’t be at any risk.

Analysis Not All Linux Systems Run CUPS

When it was published my opinion was proven to be correct, it turned out to be a series of CUPS bugs [2]. To describe that as “all GNU/Linux systems (plus others)” seems like a vast overstatement, maybe a good thing to say if you want to be a TikTok influencer but not if you want to be known for computer security work.

For the Debian distribution the cups-browsed package (which seems to be the main exploitable one) is recommended by cups-daemon, as I have my Debian systems configured to not install recommended packages by default that means that it wasn’t installed on any of my systems. Also the vast majority of my systems don’t do printing and therefore don’t have any part of CUPS installed.

CUPS vs NAT

The next issue is that in Australia most home ISPs don’t have IPv6 enabled and CUPS doesn’t do the things needed to allow receiving connections from the outside world via NAT with IPv4. If inbound port 631 is blocked on both TCP and USP as is the default on Australian home Internet or if there is a correctly configured firewall in place then the network is safe from attack. There is a feature called uPnP port forwarding [3] to allow server programs to ask a router to send inbound connections to them, this is apparently usually turned off by default in router configuration. If it is enabled then there are Debian packages of software to manage this, the miniupnpc package has the client (which can request NAT changes on the router) [4]. That package is not installed on any of my systems and for my home network I don’t use a router that runs uPnP.

The only program I knowingly run that uses uPnP is Warzone2100 and as I don’t play network games that doesn’t happen. Also as an aside in version 4.4.2-1 of warzone2100 in Debian and Ubuntu I made it use Bubblewrap to run the game in a container. So a Remote Code Execution bug in Warzone 2100 won’t be an immediate win for an attacker (exploits via X11 or Wayland are another issue).

MAC Systems

Debian has had AppArmor enabled by default since Buster was released in 2019 [5]. There are claims that AppArmor will stop this exploit from doing anything bad.

To check SE Linux access I first use the “semanage fcontext” command to check the context of the binary, cupsd_exec_t means that the daemon runs as cupsd_t. Then I checked what file access is granted with the sesearch program, mostly just access to temporary files, cupsd config files, the faillog, the Kerberos cache files (not used on the Kerberos client systems I run), Samba run files (might be a possibility of exploiting something there), and the security_t used for interfacing with kernel security infrastructure. I then checked the access to the security class and found that it is permitted to check contexts and access-vectors – not access that can be harmful.

The next test was to use sesearch to discover what capabilities are granted, which unfortunately includes the sys_admin capability, that is a capability that allows many sysadmin tasks that could be harmful (I just checked the Fedora source and Fedora 42 has the same access). Whether the sys_admin capability can be used to do bad things with the limited access cupsd_t has to device nodes etc is not clear. But this access is undesirable.

So the SE Linux policy in Debian and Fedora will stop cupsd_t from writing SETUID programs that can be used by random users for root access and stop it from writing to /etc/shadow etc. But the sys_admin capability might allow it to do hostile things and I have already uploaded a changed policy to Debian/Unstable to remove that. The sys_rawio capability also looked concerning but it’s apparently needed to probe for USB printers and as the domain has no access to block devices it is otherwise harmless. Below are the commands I used to discover what the policy allows and the output from them.

# semanage fcontext -l|grep bin/cups-browsed /usr/bin/cups-browsed regular file system_u:object_r:cupsd_exec_t:s0 # sesearch -A -s cupsd_t -c file -p write allow cupsd_t cupsd_interface_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write }; allow cupsd_t cupsd_lock_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_log_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_runtime_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_rw_etc_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t cupsd_tmp_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; allow cupsd_t faillog_t:file { append getattr ioctl lock open read write }; allow cupsd_t init_tmpfs_t:file { append getattr ioctl lock read write }; allow cupsd_t krb5_host_rcache_t:file { append create getattr ioctl link lock open read rename setattr unlink write }; [ allow_kerberos ]:True allow cupsd_t print_spool_t:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write }; allow cupsd_t samba_var_t:file { append getattr ioctl lock open read write }; allow cupsd_t security_t:file { append getattr ioctl lock open read write }; allow cupsd_t security_t:file { append getattr ioctl lock open read write }; [ allow_kerberos ]:True allow cupsd_t usbfs_t:file { append getattr ioctl lock open read write }; # sesearch -A -s cupsd_t -c security allow cupsd_t security_t:security check_context; [ allow_kerberos ]:True allow cupsd_t security_t:security { check_context compute_av }; # sesearch -A -s cupsd_t -c capability allow cupsd_t cupsd_t:capability net_bind_service; [ allow_ypbind ]:True allow cupsd_t cupsd_t:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill net_bind_service setgid setuid sys_admin sys_rawio sys_resource sys_tty_config }; # sesearch -A -s cupsd_t -c capability2 allow cupsd_t cupsd_t:capability2 { block_suspend wake_alarm }; # sesearch -A -s cupsd_t -c blk_file Conclusion

This is an example of how not to handle security issues. Some degree of promotion is acceptable but this is very excessive and will result in people not taking security announcements seriously in future. I wonder if this is even a good career move by the researcher in question, will enough people believe that they actually did something good in this that it outweighs the number of people who think it’s misleading at best?

• [1] https://threadreaderapp.com/thread/1838169889330135132.html
• [2] https://tinyurl.com/26rjd5ex
• [3] https://tinyurl.com/2ckyvpyq
• [4] https://packages.debian.org/sid/miniupnpc
• [5] https://wiki.debian.org/AppArmor/HowToUse

Related posts:

1. SE Linux audit2allow -R and Milter policy Since the earliest days there has been a command named...
2. SE Linux File Context Precedence In my previous post I expressed a desire to use...
3. SE Linux Things To Do At the end of my talk on Monday about the...

We continued fixing bugs and making UI improvements this week. You’ll notice a good many of them are about screens somehow! Ah, screens, the magical windows to our computers. They are amazing… and they suck. So many graphics driver bugs and hardware quirks to work around, so many edge cases to handle… and so that was a large part of what we spent doing for you, dear reader! Because getting all this screen stuff right has a massive impact on quality.

And of course there was a lot of other work too!

Notable UI Improvements

There’s a new behavior when dragging things out of a window that’s not the top one in the stacking order: the window with the dragged content remains where it is during the drag, instead of immediately jumping to the front (Xaver Hugl, Plasma 6.3.0. Link)

Kickoff, Kicker, and other launcher menus now have a “Help” category, and the Help Center app appears there instead of among other top-level categories (me: Nate Graham, Plasma 6.3 and KHelpCenter 24.12. Link 1, link 2, and link 3):

Added a touch-friendly UI for the clipboard widget that appears only when in touch mode (Fushan Wen, Plasma 6.3.0. Link)

Fixed a case where some system components’ default shortcuts all wanted to use Meta+0 and interfered with one another. Now they all use different shortcuts:

• “Zoom to Actual Size” remains Meta+0
• “Manually Invoke Action on Current Clipboard” and “Activate Task Manager Entry 10” no longer have a default shortcut set

(Zhangzhi Hu, Plasma 6.3.0. Link)

WireGuard VPNs are now considered VPNs by the Networks widget, and labeled and grouped accordingly (Ivan Tkachenko, Plasma 6.3.0. Link)

Multi-instance or multi-process Flatpak apps are now grouped together and shown as only one app on System Monitor’s Applications page (Arjen Hiemstra, Plasma 6.3.0. Link):

SDDM themes that are actually just symlinks to other themes are now filtered out of the relevant page in System Settings (Bruno Ivan, Plasma 6.3.0. Link)

Capped the maximum width of the Bluetooth file transfer error dialog so it can’t be ridiculously wide (Zhangzhi Hu, Plasma 6.3.0. Link)

Added Breeze icons for Typst files (MV Puccino, Frameworks 6.8. Link)

A bunch of symbolic Breeze icons that were inappropriately symbolic-but-colorful are now monochrome to better match all the other monochrome symbolic icons (me: Nate Graham, Frameworks 6.8. Link)

Notable Bug Fixes

Fixed a bug that could cause KWin to freeze when plugging in a Valve Index VR headset when there are no other screens enabled (Xaver Hugl, Plasma 6.2.2. Link)

Fixed a case where Plasma could crash when interacting with connected storage devices in certain ways (Fushan Wen, Plasma 6.2.2. Link)

Fixed a bug that would cause the positions of recently-renamed desktop files to not be saved to the config file correctly (Akseli Lahtinen, Plasma 6.2.2. Link). And on this subject, we’re currently deep into the process of fixing a related bug that causes icons to get scrambled when some (but not all) screens are turned off. Not for this week, but maybe next week!

Fixed a set of regressions that caused System Settings’ main window to not remember its size correctly (Akseli Lahtinen, Plasma 6.2.2 with Frameworks 6.8. Link)

Fixed a recent regression that made certain styles of user avatar image not get applied properly on System Settings’ Users page (Harald Sitter, Plasma 6.2.3. Link)

Spectacle no longer fails to save MP4-formatted screen recordings some of the time (Arjen Hiemstra, Plasma 6.2.3. Link)

You can now do a rectangular region screencast on any screen in a multi-screen setup, not just the left-most one (David Redondo, Plasma 6.2.3. Link)

The “Maximum time before updates” setting for grid-style System Monitor widgets now works (Arjen Hiemstra, Plasma 6.2.3. Link)

Worked around a quirk of certain HDR-capable screens screens that caused them to leave HDR move whenever any other display settings were changes (Xaver Hugl, Plasma 6.2.3. Link)

The “Forget all” menu item of Task Manager Task context menus now succeeds at forgetting abstract resources like URLs (Jin Liu, Plasma 6.2.3. Link)

Made it more reliable to save custom names given to audio devices (Harald Sitter, Plasma 6.2.3. Link)

Fixed a case where the ksystemstats background service that provides information to System Monitor and its widgets’ could crash due to a recent change in Qt (Arjen Hiemstra, Plasma 6.3.0. Link)

Fixed a case where Plasma and other KDE apps could crash when ejecting a CD (Nicolas Fella, Frameworks 6.8. Link)

When your user account is slightly misconfigured and does not define a templates directory, the “Create New” menu does no longer weirdly populates itself with the entire contents of your home folder (Benjamin Gonzalez, Frameworks 6.8. Link)

Fixed an issue that could cause the setting to govern notification sound level to not appear as expected (Harald Sitter, Pulseaudio-Qt 1.6.1. Link)

Fixed a bug that could cause the pointer’s target to get sort of stuck after dragging things until after the first click following the completion of the drag. This was commonly seen when re-arranging Task Manager entries: if you failed to click once after dragging an app, the next drag would target the preciously-dragged app instead of the one you wanted (David Edmundson, Qt 6.8.1. Link)

Other bug information of note:

• 5 Very high priority Plasma bug (up from 4 last week). Current list of bugs
• 35 15-minute Plasma bugs (up from 33 last week). Current list of bugs
• 129 KDE bugs of all kinds fixed over the last week. Full list of bugs

Performance & Technical

Improved the reliability of the “remember for next time” feature in the screen recording source chooser window (David Redondo, Plasma 6.3. Link)

Reduces a source of slowness in the Task Manager widget when faced with windows that have hundreds or thousands of characters in their titles (Jin Liu, Plasma 6.2.3. Link)

The Night Light feature now tints the screen in a colorimetrically correct way when not using ICC profiles (Xaver Hugl, Plasma 6.3.0. Link)

It’s now possible to use Plasma scripting to change panels’ opacity levels or what screen they appear on (Heitor Augusto Lopes Nunes and Devin Lin, Plasma 6.3.0. Link 1 and link 2)

How You Can Help

If you’re a developer, keep on working to fix Plasma 6.2 regressions! We’ve got ’em on the run, and this is our chance to finish them off!

Otherwise, visit https://community.kde.org/Get_Involved to discover additional ways to be part of a project that really matters. Each contributor makes a huge difference in KDE; you are not a number or a cog in a machine! You don’t have to already be a programmer, either. I wasn’t when I got started. Try it, you’ll like it! We don’t bite! Or consider donating instead! That helps too.

Let’s go for my web review for the week 2024-43. It’s published later than usual since I’m attending the Ubuntu Summit 2024 and had to travel because of it.

Microsoft maintains its own Windows debloat scripts on GitHub

Tags: tech, microsoft, criticism, funny

This is indeed telling unfortunately. It’s kind of ironic that they felt the need of having their own debloat scripts.

https://www.osnews.com/story/140955/microsoft-maintains-its-own-windows-debloat-scripts-on-github/

This Is Exactly How an Elon Musk-Funded PAC Is Microtargeting Muslims and Jews With Opposing Messages

Tags: tech, democracy, politics

This is just insane, claiming two opposite things to different demographic groups for political gains. And if you try to stop this kind of manipulative stunts they’d probably cry wolf about free speech…

https://www.404media.co/this-is-exactly-how-an-elon-musk-funded-pac-is-microtargeting-muslims-and-jews-with-opposing-messages/

Big Tech has given itself an AI deadline

Tags: tech, ai, machine-learning, gpt, economics, energy, criticism

More signs of the current bubble being about to burst?

https://www.theatlantic.com/newsletters/archive/2024/10/big-tech-has-given-itself-an-ai-deadline/680301/

Google, Microsoft, and Perplexity promote scientific racism in AI search results

Tags: tech, ai, machine-learning, gpt, criticism

This is what you get by making bots spewing text based on statistics without a proper knowledge base behind it.

https://arstechnica.com/ai/2024/10/google-microsoft-and-perplexity-promote-scientific-racism-in-ai-search-results/

The 3 AI Use Cases: Gods, Interns, and Cogs

Tags: tech, ai, gpt, copilot, language

Using the right metaphors will definitely help with the conversation in our industry around AI. This proposal is an interesting one.

https://www.dbreunig.com/2024/10/18/the-3-ai-use-cases-gods-interns-and-cogs.html

You Don’t Need Words to Think

Tags: cognition, neuroscience, language, logic, knowledge, research

Very interesting research. Looks like we’re slowly moving away from the “language and thinking are intertwined” hypothesis. This is probably the last straw for Chomsky’s theory of language. It served us well but neuroscience points that it’s time to leave it behind.

https://www.scientificamerican.com/article/you-dont-need-words-to-think/

Reliable Reasoning Beyond Natural Language

Tags: tech, ai, machine-learning, gpt, logic, research

Now this is an interesting paper. Neurosymbolic approaches are starting to go somewhere now. This is definitely helped by the NLP abilities of LLMs (which should be used only for that). The natural language to Prolog idea makes sense, now it needs to be more reliable. I’d be curious to know how many times the multiple-try path is exercised (the paper doesn’t quite focus on that). More research is required obviously.

https://arxiv.org/abs/2407.11373

Introducing quantized Llama models with increased speed and a reduced memory footprint

Tags: tech, ai, machine-learning, gpt, optimization

More marketing announcement than real research paper. Still it’s nice to see smaller models being optimized to run on mobile devices. This will get interesting when it’s all local first and coupled to symbolic approaches.

https://ai.meta.com/blog/meta-llama-quantized-lightweight-models/

You Should Probably Pay Attention to Tokenizers

Tags: tech, statistics, ai, machine-learning, gpt, language

This is still an important step with LLM. It’s not because the models are huge that tokenizers disappeared or that you don’t need to clean up your data.

https://cybernetist.com/2024/10/21/you-should-probably-pay-attention-to-tokenizers/

Developing a Beautiful and Performant Block Editor in Qt C++ and QML

Tags: tech, markdown, qt, note-taking, tools

Ah! I wish MarkNotes or KleverNotes would work like this. I wish we’d have a reusable component in KDE Frameworks too. This is quite some work of course, too bad this isn’t FOSS.

https://rubymamistvalove.com/block-editor

Bookmark Keywords

Tags: tech, browser, firefox, bookmarks

A very useful but indeed little known feature of Firefox bookmarks.

https://paper.wf/binarycat/bookmark-keywords

The IPv6 Transition

Tags: tech, internet, protocols, ip

Looks like we’re stuck in the middle of the bridge. Also looks like the motivation to finish the transition isn’t high.

https://www.potaroo.net/ispcol/2024-10/ipv6-transition.html

against /tmp

Tags: tech, programming, unix, security

Good reminder that /tmp has many security flaws built in.

https://dotat.at/@/2024-10-22-tmp.html

The Part of PostgreSQL We Hate the Most

Tags: tech, databases, postgresql, design

Since everything has design choices which imply trade offs. Here is the main issue with PostgreSQL right now. Hopefully it’ll get modernized at some point.

https://www.cs.cmu.edu/~pavlo/blog/2023/04/the-part-of-postgresql-we-hate-the-most.html

Sensible SQLite defaults

Tags: tech, backend, databases, sqlite

Another nice list of defaults for SQLite. Some of them I didn’t have on my radar.

https://briandouglas.ie/sqlite-defaults/

Using uv to develop Python command-line applications

Tags: tech, python, developer-experience

uv keeps showing promise to make development easier. It makes everything very much self contained.

https://til.simonwillison.net/python/uv-cli-apps

Use data that looks like data

Tags: tech, programming, debugging

Definitely a sound advice. You don’t want to be confused when debugging something because it looks too much like a variable or a property name.

https://registerspill.thorstenball.com/p/use-data-that-looks-like-data

pytest selection arguments for failing tests

Tags: tech, tests, python

Another example of why pytest is really a nice test runner. I really miss it on projects which don’t have it.

https://mathspp.com/blog/til/pytest-selection-arguments-for-failing-tests

SMURF: Beyond the Test Pyramid

Tags: tech, tests

Indeed a good way to reason about tests and the value they bring.

https://testing.googleblog.com/2024/10/smurf-beyond-test-pyramid.html?m=1

I’ve been writing software for the last 25 years. Here some things I learned so far

Tags: tech, career, engineering, craftsmanship, complexity

Another good set of advices. They’re not all technical which is to be expected.

https://blog.rpanachi.com/after-25-years-writing-software-here-some-things-learned-so-far

Framework overload: when convenience dulls innovation in software development

Tags: tech, framework, complexity, knowledge, learning, debugging, craftsmanship

I very much agree with this. The relationship between developers and their frameworks is rarely healthy. I think the author misses an important advice though: read the code of your frameworks. When stuck invest sometime stepping into the frameworks with the debugger. Developers too often treat those as a black box.

https://prahladyeri.github.io/blog/2024/10/framework-overload.html

Learning to learn

Tags: tech, learning, career

Definitely the most important skill to develop. Especially in our profession.

https://kevin.the.li/posts/learning-to-learn/

How do we evaluate people for their technical leadership?

Tags: tech, management, career, hr

Lots of open questions which are left unanswered. That said it shows how difficult it is to evaluate knowledge workers in general and that we’re often grasping to the wrong metrics.

https://chelseatroy.com/2024/03/29/how-do-we-evaluate-people-for-their-technical-leadership/

Ground Rules of Fairness at Work

Tags: management, transparency, fair

Transparency and fairness are definitely important to keep people motivated across an organization. That doesn’t make it easy to deal with of course, but that’s where managers should focus.

https://read.perspectiveship.com/p/fairness-at-work

Bye for now!

Check out the important work our volunteers accomplished at today's Free Software Directory (FSD) IRC meeting.

Check out the important work our volunteers accomplished at today's Free Software Directory (FSD) IRC meeting.

This week, we realized that there are a few things we need to do to button-down our use of colors in a way that makes sense, not just for designers but also for developers.

As we find inspiration on what others are doing, we will make a couple of changes in the design system when it comes to colors.

1. Select UI colors using HCT color methodology.
2. Adopt a similar variable/token naming strategy as Material Design

HCT (hue, chroma, tone) Method

As suggested by team members, the HCT color selection methodology has a few advantages:

1. Accessibility
   • Standard calculation method for color selection rather than by doing manual contrast calculations. This allows for all selected colors to be separated and distinct-enough from each other that users can see color differences in their applications.
2. Perceptual accuracy
   • HCT allows for seeing colors more accurately at a perceptual level.
3. Consistent lightness and colorfulness
   • Consistent lightness and colorfulness across hues. 
4. Precise color and tonal accuracy
   • More precise color and tonal accuracy, especially in dark shadows and richly-saturated colors. 
5. Higher dynamic range and wider color gamut
   • Provides a wider color gamut and higher dynamic range than typical camera targets.

In our team, we have 3 people currently working on this. Not only are we selecting colors, but also creating a color-use system that all users can understand.

Building logic use into the colors allows for less dependence on people but something we can document and anyone looking at it would be able to understand regardless of their specialty.

Tokens

A few of the questions we had as a team while producing the design system were, how can we make it so that developers and designers understand all the pieces used in the design system, but at a development level?

One of the things that applications such as Figma and PenPot allow is for designers to define the names of each of the elements used in a design. We create variables names for stuff like fonts and colors. However, while that’s helpful, we also have to have logic behind the naming so that our developer friends are not confused by the use of variable names in the design system.

For this purpose, design system creators often use a token system that ensures naming between the design system and development is consistent, predictable, and useful.

Material design has a robust naming idea around tokens. It works a little like this:

The types of tokens are:

1. Reference tokens
   All available tokens with associated values
   
2. System tokens
   Decisions and roles that give the design system its character, from color and typography, to elevation and shape
   
3. Component tokens
   The design attributes assigned to elements in a component, such as the color of a button icon

https://m3.material.io/foundations/design-tokens/how-to-read-tokens: Design System – Colors, Variables and Tokens!

We consulted with the team members and it seems like a good strategy. Right now, we don’t have any of the reference or system tokens but we use component tokens in some capacities. The idea is to create and organize the naming conventions around the token ideas from Material. We may still decide to change some of the naming conventions but keep the general idea.

Note that we don’t have the intention of replacing current tokens. The process would be to add new ones that developers would begin using over time while keeping the ones we already have.

What this means for us in the design system, is that we will change our design variables to reflect this organization and when communicating the changes to the dev team, we will provide tables showing all the variables/tokens used. It will also contain which elements of the design system are included in a reference, system, or component token.

If you would like to participate of this effort, you’re welcome to join us here:

https://matrix.to/#/#plasma-next:kde.org

Our channel is dedicated to working on the design system. For general Visual Design questions, you can access our team here:
https://matrix.to/#/#visualdesigngroup:kde.org

Keeping up with Drupal’s Evolving Plugin API: Updating Tutorials for PHP Attributes

At Drupalize.Me, one of our goals is to provide learners with up-to-date resources that align with the latest best practices. To that end, I recently worked to update our tutorials to reflect the transition from PHP annotations to PHP attributes for plugin discovery. I blogged previously about why this transition is happening.

As Drupalize.Me’s tutorial library continues to grow, these kinds of changes touch ever larger numbers of existing tutorials. Plugins is an interesting one because we have tutorials that teach the inner workings of the Plugin API. And, we have tutorials about things like blocks, field types, and views plugins, that while not specifically about the Plugin API, make use of it. This ended up being one the most significant updates we’ve made since the release of Drupal 8.

In short, the updates are necessary because Drupal is transitioning from annotations to native PHP attributes. And while annotations will continue to work for the foreseeable future, we wanted to make sure that the code examples, and recommendations, you find on our site are aligned with that code you’ll see in the latest versions of Drupal core.

joe Fri, 10/25/2024 - 11:00

Whilst researching what synth to buy, I learned of the Behringer1 Model-D2: a 2018 clone of the 1970 Moog Minimoog, in a desktop form factor.

Behringer Model-D

In common with the original Minimoog, it's a monophonic analogue synth, featuring three audible oscillators3 , Moog's famous 12-ladder filter and a basic envelope generator. The model-d has lost the keyboard from the original and added some patch points for the different stages, enabling some slight re-routing of the audio components.

1970 Moog Minimoog

Since I was focussing on more fundamental, back-to-basics instruments, this was very appealing to me. I'm very curious to find out what's so compelling about the famous Moog sound. The relative lack of features feels like an advantage: less to master. The additional patch points makes it a little more flexible and offer a potential gateway into the world of modular synthesis. The Model-D is also very affordable: about £ 200 GBP. I'll never own a real Moog.

For this to work, I would need to supplement it with some other equipment. I'd need a keyboard (or press the Micron into service as a controller); I would want some way of recording and overdubbing (same as with any synth). There are no post-mix effects on the Model-D, such as delay, reverb or chorus, so I may also want something to add those.

What stopped me was partly the realisation that there was little chance that a perennial beginner, such as I, could eek anything novel out of a synthesiser design that's 54 years old. Perhaps that shouldn't matter, but it gave me pause. Whilst the Model-D has patch points, I don't have anything to connect to them, and I'm firmly wanting to avoid the Modular Synthesis money pit. The lack of effects, and polyphony could make it hard to live-sculpt a tone.

I started characterizing the Model-D as the "heart" choice, but it seemed wise to instead go for a "head" choice.

Maybe another day!

1. There's a whole other blog post of material I could write about Behringer and their clones of classic synths, some long out of production, and others, not so much. But, I decided to skip on that for now.↩
2. taken from the fact that the Minimoog was a productised version of Moog's fourth internal prototype, the model D.↩
3. 2 oscillators is more common in modern synths↩

Package Manager API module was just added as an alpha experimental module to Drupal 11's development code. It will be in a release when it reaches beta. Package Manager provides APIs on top of Composer and is used by Project Browser and Automatic Updates. https://www.drupal.org/project/drupal/issues/3346707

In this quiz, you’ll test your understanding of how to reset a pandas DataFrame index.

By working through the questions, you’ll review your knowledge of indexing and also expand on what you learned in the tutorial.

You’ll need to do some research outside of the tutorial to answer all the questions. Embrace this challenge and let it take you on a learning journey.

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

What changes are happening under the hood in the latest versions of Python? How are these updates laying the groundwork for a faster Python in the coming years? Christopher Trudeau is back on the show this week, bringing another batch of PyCoder's Weekly articles and projects.

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

Learn how to turn Drupal into a scalable publishing platform that developers, marketers & editors love while meeting your regulatory & compliance requirements.

The diffoscope maintainers are pleased to announce the release of diffoscope version 282. This version includes the following changes:

[ Chris Lamb ] * Ignore errors when listing .ar archives. (Closes: #1085257) * Update copyright years.

You find out more by visiting the project homepage.