Feeds
Glyph Lefkowitz: DBXS 0.1.0
Yesterday I published a new release of DBXS for you all. It’s still ZeroVer, but it has graduated from double-ZeroVer as this is the first nonzero minor version.
More to the point, though, the meaning of that version increment is that this version introduces some critical features that I think most people would need in order to give it a spin on a hobby project.
What’s New
- It has support for MySQL and PostgreSQL using native asyncio drivers, which means you don’t need to take a Twisted dependency in production.
- While Twisted is still used for some of the testing internals, Deferred is no longer exposed anywhere in the public API, either; your tests can happily pretend that they’re doing asyncio, as long as they can run against SQLite.
- There is a new repository convenience function that automatically wires together multiple accessors and transaction discipline. Have a look at the docstring for a sense of how to use it.
- Several papercuts, like confusing error messages when messing up query result handling, and lack of proper handling of default arguments in access protocols, are now addressed.
If you’ve been looking for an open source project to try your hand at contributing to, DBXS might be a great opportunity, for a few reasons:
- The team is quite small (just me, right now!), so it’s easy to get involved.
- It’s quite generally useful, so there’s a potential for an audience, but right now it doesn’t really have any production users; there’s still time to change things without a lot of ceremony.
- Unlike many other small starter projects, it’s got a test suite with 100% coverage, so you can contribute with confidence that you’re not breaking anything.
- There’s not that much code (a bit over 2 thousand SLOC), so it’s not hard to get your head around.
- There are a few obvious next steps for improvement, which I’ve filed as issues if you want to pick one up.
Share and enjoy, and please let me know if you do something fun with it.
Acknowledgments
Thank you to my patrons who are supporting my writing on this blog. If you like what you’ve read here and you’d like to read more of it, or you’d like to support my various open-source endeavors, you can support my work as a sponsor! I am also available for consulting work if you think your organization could benefit from expertise on topics such as “How do I shot SQL?”.
Parabola GNU/Linux-libre: [arch-announce] The xz package has been backdoored
From: "Arch Linux: Recent news updates: David Runge" arch-announce@lists.archlinux.org
TL;DR: Upgrade your systems and container images now!
As many of you may have already read [1], the upstream release tarballs for xz in version 5.6.0 and 5.6.1 contain malicious code which adds a backdoor.
This vulnerability is tracked in the Arch Linux security tracker [2].
The xz packages prior to version 5.6.1-2 (specifically 5.6.0-1 and 5.6.1-1) contain this backdoor.
We strongly advise against using affected release artifacts and instead downloading what is currently available as latest version!
Upgrading the system
It is strongly advised to do a full system upgrade right away if your system currently has xz version 5.6.0-1 or 5.6.1-1 installed:
pacman -Syu
Regarding sshd authentication bypass/code execution
From the upstream report [1]:
> openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:
ldd "$(command -v sshd)"
However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
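The two checks described above, written as shell functions (an added example, not part of the Arch announcement): one compares the installed package version against the affected versions the advisory names, the other inspects ldd output for liblzma. The sample ldd listings are constructed.

```shell
#!/bin/sh
# Added example, not part of the Arch announcement: the two checks the advisory
# describes, written as functions so they can be run on a host or against
# captured output.

# Package versions the advisory names as carrying the backdoor (pkgver-pkgrel).
AFFECTED_XZ_VERSIONS="5.6.0-1 5.6.1-1"

# xz_version_affected VERSION
# True (exit 0) when VERSION is one of the backdoored Arch package versions.
xz_version_affected() {
    for bad in $AFFECTED_XZ_VERSIONS; do
        if [ "$1" = "$bad" ]; then
            return 0
        fi
    done
    return 1
}

# installed_xz_version
# Prints the installed package version, e.g. "5.6.1-2", from 'pacman -Q xz'.
installed_xz_version() {
    pacman -Q xz 2>/dev/null | awk '{ print $2 }'
}

# ldd_output_links_liblzma LDD_OUTPUT
# True when the ldd listing contains liblzma, i.e. sshd would load the
# backdoored library at start-up. Arch's sshd is expected to show no such line.
ldd_output_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# check_host
# Runs both checks on the current machine and prints a verdict.
# Exit 0 = nothing to do, 1 = upgrade required.
check_host() {
    ver=$(installed_xz_version)
    status=0
    if xz_version_affected "$ver"; then
        echo "xz $ver is an affected package version: run 'pacman -Syu' now"
        status=1
    else
        echo "xz ${ver:-(not installed)} is not one of the affected versions"
    fi
    if ldd_output_links_liblzma "$(ldd "$(command -v sshd)" 2>/dev/null)"; then
        echo "sshd links liblzma: the sshd attack vector applies on this host"
        status=1
    else
        echo "sshd does not link liblzma"
    fi
    return $status
}

# Constructed sample ldd output (paths and addresses are made up) for an
# sshd built without liblzma, as the advisory describes for Arch.
SAMPLE_LDD_NO_LZMA='linux-vdso.so.1 (0x00007ffc4a1e0000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1b2c400000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f1b2c200000)'

# Same listing, but with a libsystemd-style dependency chain pulling in liblzma.
SAMPLE_LDD_WITH_LZMA="$SAMPLE_LDD_NO_LZMA
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x00007f1b2c100000)"
```

On an Arch machine, source the file and call check_host; the exit status is non-zero whenever either check fires.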
URL: https://archlinux.org/news/the-xz-package-has-been-backdoored/
Chapter Three: Tackling Complicated Drupal 7 Migrations
Lullabot: Lullabot Podcast: Just Say Drupal‽
Drupal's identity is very nuanced, from its rich history to its future potential. We discuss why at least one member of the community says just saying "Drupal" is important when discussing current versions of Drupal and the community that drives it.
Is specifically calling out "Drupal 10.2" or "Drupal 11" useful, or just confusing to outsiders?
Raphaël Hertzog: Freexian is looking to expand its team with more Debian contributors
It’s been a while since I posted anything on my blog; the truth is that Freexian has been doing very well in the last few years and I have a hard time finding time to write articles or even to contribute to my usual Debian projects… the exception being debusine, since that’s part of the Freexian work (have a look at our most recent announcement!).
That being said, given Freexian’s growth, and in the hope of reducing my workload, we are looking to extend our team with Debian members of more varied backgrounds and skills, so they can help us in areas like sales, marketing and project management. Have a look at our announcement on debian-jobs@lists.debian.org.
As a mission-oriented company, we are looking to work with people already involved in Debian (or people who were waiting for the right opportunity to get involved). All our collaborators can spend 20% of their paid work time on the Debian projects they care about.
Web Review, Week 2024-13
Let’s go for my web review for the week 2024-13.
Google Ordered To Identify Who Watched Certain YouTube Videos
Tags: tech, google, law, surveillance
This is a worrying trend we see in law enforcement pretty much everywhere. It’s a bit too convenient to make such requests even though it is unconstitutional.
Tags: tech, redis, foss, licensing, community
Indeed, time to leave Redis behind in favor of Redict. It’s not like one can expect new things to come out of such a project.
https://andrewkelley.me/post/redis-renamed-to-redict.html
Tags: tech, streaming, movie, copyright, economics
Interesting, with the price hikes and bundles to come, we might indeed see a resurgence in physical media. It will stay niche for sure, but looks like demand is about to grow.
https://www.audioholics.com/news/a-return-to-blu-ray-as-streaming-value-evaporates
Tags: tech, ai, gpt, creativity, quality
Interesting study on the impact generative AI can have on people’s performance in business settings. There are a few nuggets in there. In particular, for anything related to problem solving, people do worse with generative AI tools than without, and even worse when they’ve been trained (probably due to overconfidence). Where it seems to help is creativity-related tasks… at the individual level; at the collective level creativity decreases due to homogenization. Definitely things to keep in mind.
Tags: tech, ai, gpt, criticism, communication, copyright, law
Very interesting piece. The chances that it is another bubble are high. It’s currently surviving on a lot of wishful thinking and hypotheticals. This really feels like borrowed time… I wonder what useful things will remain once it all collapses. Coding assistants are very likely to survive. Clearly there could be interesting uses in a more sober approach.
https://www.wheresyoured.at/peakai/
Tags: tech, ai, machine-learning, statistics, bias
Wondering where some of the biases of AI models generating images come from? This is an excellent deep dive into one of the most successful data sets used to train said models. And they’ve been curated by… statistical models, not humans. This unsurprisingly amplifies biases all the way to the final models.
This is an excellent piece, I highly recommend reading it.
https://knowingmachines.org/models-all-the-way#section5
Tags: tech, mozilla, browser, security
Those were nasty, good they’ve been patched already.
Tags: tech, web, automation, wifi
Some captive portals are indeed stupid. Why not automate going through them?
https://peateasea.de/hotel-hotspot-hijinks/
Tags: tech, cpu, hardware
Good exploration of the CPU architectures we have nowadays, and why the RISC vs CISC debate doesn’t make sense anymore.
https://chipsandcheese.com/2024/03/27/why-x86-doesnt-need-to-die/
Tags: tech, memory
Making your own allocator? This is definitely something to consider and measure.
https://coredumped.dev/2024/03/25/bump-allocation-up-or-down/
Tags: tech, rust, multithreading, coroutine
In which cases do you want one or the other? This is illustrated in the Rust case, which has its own struggles, but the question applies more broadly in my opinion.
https://notgull.net/why-not-threads/
Tags: tech, production, linux, tools
Good reminder that you want the diagnosis tools in place and working before you get an actual problem in production.
https://www.brendangregg.com/blog/2024-03-24/linux-crisis-tools.html
Tags: tech, python, processes, filesystem
Interesting API for running subprocesses and interacting with files.
https://shelmet.readthedocs.io/en/latest/
Tags: tech, data, json
Might be a good alternative to JSON in some cases.
Tags: tech, web, browser, debugging, frontend
Interesting debug tool for web frontend code. It’d be nice as a browser extension.
https://gist.github.com/OrionReed/4c3778ebc2b5026d2354359ca49077ca
Tags: tech, tdd, craftsmanship
All good points. Can we improve? Sure. Does it mean we do it badly? No. Just do it more when it makes sense.
https://blog.thecodewhisperer.com/permalink/tdd-youre-probably-doing-it-just-fine
Tags: tech, supply-chain, maintenance, complexity
This is about a Rust library but applies equally to any ecosystem that makes it easy to pull in a dependency. As soon as you pull them in, you need to monitor their health for the sake of your own project.
https://lucumr.pocoo.org/2024/3/26/rust-cdo/
Tags: tech, documentation, architecture
Of course documentation, especially documentation presenting the architecture, shouldn’t be neglected. It takes time and skills, of course.
https://johnjago.com/great-docs/
Bye for now!
Real Python: The Real Python Podcast – Episode #198: Build a Video Game With Python Turtle & Visualize Data in Seaborn
Can you build a Space Invaders clone using Python's built-in turtle module? What advantages does the Seaborn data visualization library provide compared to Matplotlib? Christopher Trudeau is back on the show this week, along with special guest Real Python core team member Bartosz Zaczyński. We're sharing another batch of PyCoder's Weekly articles and projects.
wget @ Savannah: GNU Wget 1.24.5 Released
Noteworthy changes in release 1.24.5 (2024-03-10) [stable]
- Fix how subdomain matches are checked for HSTS. Fixes a minor issue where cookies may be leaked to the wrong domain
- Wget will now also parse the srcset attribute in <source> HTML tags
- Support reading fetchmail style "user" and "passwd" fields from netrc
- In some cases, prevent the confusing "Cannot write to... (success)" error messages
- Support extremely fast download speeds (TB/s). Previously this would cause Wget to crash when printing the speed
- Improve portability on OpenBSD to run the test suite
- Ensure that CSS URLs are correctly quoted (Bug: 64082)
Ravi Dwivedi: A visit to the Taj Mahal
Note: The currency used in this post is Indian Rupees, which was around 83 INR for 1 US Dollar at that time.
My friend Badri and I visited the Taj Mahal this month. Taj Mahal is one of the main tourist destinations in India and does not need an introduction, I guess. It is in Agra, in the state of Uttar Pradesh, 188 km from Delhi by train. So, I am writing a post documenting useful information for people who are planning to visit Taj Mahal. Feel free to ask me questions about visiting the Taj Mahal.
Photo: Our retiring room at the Old Delhi Railway Station.
We had booked a train from Delhi to Agra. The name of the train was Taj Express, and its scheduled departure time from Hazrat Nizamuddin station in Delhi is 07:08 hours in the morning, and its arrival time at Agra Cantt station is 09:45. So, we booked a retiring room at the Old Delhi railway station for the previous night. This retiring room was hard to find. We woke up at 05:00 in the morning and took the metro to Hazrat Nizamuddin station. We barely reached the station in time, but anyway, the train was not yet at the station; it was late.
We reached Agra at 10:30 and checked into our retiring room, took rest and went out for Taj Mahal at 13:00 in the afternoon. Taj Mahal’s outer gate is 5 km away from the Agra Cantt station. As we were going out of the railway station, we were chased by an autorickshaw driver who offered to go to Taj Mahal for 150 INR for both of us. I asked him to bring it down to 60 INR, and after some back and forth, he agreed to drop us off at Taj Mahal for 80 INR. But I said we won’t pay anything above 60 INR. He agreed with that amount but said that he would need to fill up with more passengers. When we saw that he wasn’t making any effort to bring more passengers, we walked away.
As soon as we got out of the railway station complex, an autorickshaw driver came to us and offered to drop us off at Taj Mahal for 20 INR if we shared with other passengers and 100 INR if we reserved the auto for ourselves. We agreed to go with 20 INR per person, but he started the autorickshaw as soon as we hopped in. I thought that the third person in the auto was another passenger sharing a ride with us, but later we got to know he was with the driver. Upon reaching the outer gate of Taj Mahal, I gave him 40 INR (for both of us), and he asked us to instead give 100 INR as he said we had reserved the auto, even though I clearly stated before taking the auto that we wanted to share the auto, not reserve it. I think this was a scam. We walked away, and he didn’t insist further.
Taj Mahal’s entrance was about 500 m from the outer gate. We went there and bought offline tickets just outside the West gate. For Indians, the ticket for going inside the Taj Mahal complex is 50 INR, and a visit to the mausoleum costs 200 INR extra.
Photos: Security outside the Taj Mahal complex. This red-coloured building is the entrance to where you can see the Taj Mahal. Taj Mahal. Shoe covers for going inside the mausoleum. Taj Mahal from a side angle.
We came out of the Taj Mahal complex at 18:00 and stopped for some tea and snacks. I also bought a fridge magnet for 30 INR. Then we walked back towards Agra Cantt station, as we had a train for Jaipur at midnight. We were hoping to find a restaurant along the way, but we didn’t find any that we found interesting, so we just ate at the railway station. During the return trip, we noticed there was a bus stand near the station, which we didn’t know about. It turns out you can catch a bus to Taj Mahal from there. You can click here to check out the location of that bus stand on OpenStreetMap.
Expenses
These were our expenses per person:
- Retiring room at Delhi Railway Station for 12 hours: ₹131
- Train ticket from Delhi to Agra (Taj Express): ₹110
- Retiring room at Agra Cantt station for 12 hours: ₹450
- Auto-rickshaw to Taj Mahal: ₹20
- Taj Mahal ticket (including going inside the mausoleum): ₹250
- Food: ₹350
Important information for visitors
- Taj Mahal is closed on Friday.
- There are plenty of free-of-cost drinking water taps inside the Taj Mahal complex.
- Ticket price for Indians is ₹50, for foreigners and NRIs it is ₹1100, and for people from SAARC/BIMSTEC countries it is ₹540. ₹200 extra for the mausoleum for everyone.
- A visit inside the mausoleum requires covering your shoes or removing them. Shoe covers cost ₹10 per person inside the complex, but are probably included free of charge with foreigner tickets. We could not find a place to keep our shoes, but some people managed to enter barefoot, indicating there must be some place to keep your shoes.
- Mobile phones and cameras are allowed inside the Taj Mahal, but not eatables.
- We went there on March 10th, and the weather was pleasant. So, we recommend going around that time.
- Regarding the timings, I found this written near the ticket counter: “Taj Mahal opens 30 minutes before sunrise and closes 30 minutes before sunset during normal operating days,” so the timings are vague. But we came out of the complex at 18:00 hours. I would interpret that to mean the Taj Mahal is open from 07:00 to 18:00, and the ticket counter closes at around 17:00. During the winter, the timings might differ.
- The cheapest way to reach Taj Mahal is by bus, and the bus stop is here
Bye for now. See you in the next post :)
Python Software Foundation: DjangoCon Africa Grant Process Retrospective
The PSF received an open letter asking us, amongst other things, to look into some of our recent grant decisions and make recommendations to the PSF Board for improving the Grants Program. We contracted Carol Willing, of Willing Consulting, to do this work in the form of a retrospective. Carol’s scope included reading through mailing lists, examining Board and Grants Working group norms, creating a comprehensive timeline, conducting interviews, documenting findings, and offering recommendations for the future.
In the retrospective Willing contextualizes the PSF Grants Program as part of the work of a non-profit with a charitable mission, incorporating research on best practices and effective governance. The full text of the DjangoCon Africa Grant Process Retrospective is now available. We are eager to explore the suggestions made in the retrospective and respond to community feedback.
This retrospective is just one step in our process to ensure the PSF Grants Program is responsive, transparent, and more approachable. We also recently started hosting PSF Grants Program Office Hours. The office hours are a text-only chat-based session hosted on the Python Software Foundation Discord at 1-2PM UTC (9AM Eastern) on the third Tuesday of the month. (Check what time that is for you.) We look forward to sharing more of our progress as we continue to enhance and improve the PSF Grants Program.
FOSSGIS Conference 2024
Last week I attended this year’s FOSSGIS Konferenz in Hamburg, Germany, focusing especially on topics around indoor navigation and public transport.
Photo by FOSSGIS e.V., CC-BY-SA
Indoor Navigation
Tobias Knerr and I hosted an Indoor OSM user meeting which was mainly intended for connecting people working on various aspects of that subject. We ended up overrunning our timeslot by 40 minutes until we were kicked out of the room, I count that as a success.
For continuing this, there’s the quarterly OSM indoor online meetup on June 5th at 18:00 CEST.
Particularly interesting topics for me:
- The multi-floor route visualization and routing profile configuration approaches from the OPENER next team. Their focus is also train stations, so there is a lot of inspiration for KDE Itinerary there.
- Getting the latest update from indoor localization research. Besides Wi-Fi, Bluetooth, UWP, Lidar and IMU-based approaches there’s now also a project using optical SLAM (which is interesting as it doesn’t need special hardware), but much of this isn’t available as FOSS (yet) unfortunately.
- Seeing the progress on the BIM to OSM conversion work and subsequent discussions with train station operators on what it would take to provide/publish (partial) BIM data.
And just because this is called “indoor” data doesn’t mean there is no field work involved. Hamburg is by no means as flat as one might think, and both the venue itself and the nearby city provided some nice examples of vertical structures that are tricky to model and visualize, which helps a lot with the otherwise often very abstract discussions on how to best represent this in OSM.
- The TUHH campus is built into a hillside, with ground-level entrance on one side being several floors below those on the other side, which makes visualizing the surroundings tricky.
- Hamburg Harburg station is seamlessly connected to a two-story outside pedestrian area, which challenges the current definition of OSM’s level tag.
- The southern concourse of Hamburg central station is a slightly inclined area starting on the ground floor on the eastern side but connecting to an underground area on the western side. Both our visualization and our router get utterly confused by this at the moment; having seen this myself in person I now at least understand why.
- And if that wouldn’t be enough already, the Landungsbrücken subway/rapid transit station basically combines all of the above.
The other set of topics I was especially interested in was anything regarding public transport and routing, as that could be relevant for Transitous.
- Contact with the openrouteservice team, as we are still missing an OSM router for Transitous to enable full intermodal routing in MOTIS.
- Multiple talks and sessions about improving bike routing, covering OSM-based cycleway quality data analysis and ways on how such data could be used in routing. While we don’t have any (bike) routing in Transitous at all yet, this shows what future expectations for this might look like.
- Research on public transport connectivity, needing higher quality GTFS data as well.
There were also a few opportunities to promote the Open Transport Meetup, to connect more people working in that area as well.
Public administration and Open Data
There is increasing regulation requiring public administration to publish data unless there’s a valid reason against that. That’s great of course, but it’s not enough. Data needs to be available in standardized formats and automatically discoverable as well.
A city publishing the location of their street lamps as a spreadsheet is just the first step. It’s of little help as such if for example your usecase is taking lighting into account when doing nighttime pedestrian routing. City- or region-specific apps are not the solution for this, that doesn’t scale and isn’t sustainable.
Instead such information would ideally be jointly maintained in globally unified database, such as OSM or Wikidata. That would also help with the data quality issues often found in official datasets, as lacking a way to upstream fixes also limits their value.
Public administration and Free Software
One of the ideas behind eco-certifying KDE software was that eco-certification is already an established procurement criterion in the public sector for many other products. Therefore I was happy to see KDE’s Okular mentioned in a panel discussion on public procurement as the first Blue Angel certified application (without anyone from KDE being on that panel).
Another noteworthy aspect for me here was, for the first time, seeing someone from the public administration questioning the GitHub monopoly and the risks involved with that. For organisations like KDE and GNOME that run their own infrastructure for exactly that reason this isn’t news, but outside of that bubble this is rarely something people are even aware of.
Conference
And of course I can’t attend a conference without looking for ideas to “steal” for KDE’s Akademy:
- As part of signing up for the event attendees got two 20% discount vouchers for Deutsche Bahn for travel to/from the event (and unlike similar offers at other events those actually applied on top of all other discounts). I still have to figure out how to obtain that as an event organizer; with Akademy in Germany this year that is of course particularly interesting.
- Lanyards and name badge holders were collected at the end for reuse at the next event.
- Talks were streamed and chat input was considered during the Q&A part as it’s common at many events by now. For BoFs/meetings there was new equipment though which seemed to fare much better in the typical university seminar rooms, “Meeting Owl”. Those seem significantly more expensive than the Jabra conference microphones we used previously though.
In a session about marketing/promotion of OSM Maik said something along the lines of “we are seen every day in Germany’s prime time news broadcast, yet hardly anyone knows who we are”, which is not much different from the situation for KDE. Our code is in the majority of web browsers, yet hardly anyone using those knows about us. Similarly, the discussion about sustainable funding and moving towards hiring people seemed very familiar.
And there’s likely even more subjects that affect OSM, KDE and any other FOSS/Open Data organisation of that scale, where all of us might benefit from more knowledge exchange and collaboration. Probably also something to discuss after congratulating our friends at GNOME for their new release at next week’s release event in Berlin :)
Patryk Cisek: Sanoid on TrueNAS
Marknote finally released!
Seth Michael Larson: Security Developer-in-Residence Weekly Report #32
Published 2024-03-29 by Seth Larson
Returned from my vacation this week and have gotten things back in order heading into April. This report covers what's happened since the first week of March.
CISA Open Source Summit
I attended the Open Source Security summit hosted by CISA in early March. The event was attended by many other open source ecosystems. The summit focused on strengthening the security of open source infrastructure like package repositories.
The Principles for Package Repository Security document was a top point of discussion. This document provides a roadmap for other package repositories to prioritize security work into discrete projects and all examples have prior art that can be learned from other package repositories (such as Trusted Publishers for PyPI).
The summit also discussed the available resources and challenges between the public sector and open source software and a tabletop exercise between package repositories, the public sector, and open source maintainers and users.
Google Summer of Code 2024
Google Summer of Code is open now and there are many available ideas for Python including one that I submitted with Dustin Ingram on adopting the OpenSSF Hardened Compiler Options for C/C++ for CPython. The task description is:
- There's already a list of compiler option candidates to adopt, use that as the initial list.
- Do some performance evaluation for how each compiler option affects performance (using CPython's existing performance suite). Report back on the performance impact of enabling each option.
- Implement a small custom tool (proposed in the existing issue) that allows ignoring existing violations of compiler options while preventing future violations.
- At this point we've achieved a lot of value, all future CPython contributions will have these compiler options applied.
- After the tooling is integrated, fill the rest of the project time by remediating known issues.
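As an added example (not CPython's code and not anything from the GSoC project), here is a hypothetical warning-baseline checker that implements the idea in the third step: it accepts the violations an existing build already produces while failing on new ones. It assumes GCC/Clang-style diagnostic lines and uses constructed sample build logs.

```python
"""Added example, not CPython's tooling: a hypothetical warning-baseline checker
implementing the 'accept existing violations, reject new ones' idea from the
task list. It parses GCC/Clang-style diagnostics ('file:line:col: warning: msg
[-Wflag]') and compares a fresh build log against a recorded baseline."""
import re
from collections import Counter

# Matches one diagnostic line; the trailing [-Wflag] is optional so that
# warnings printed without a flag name still parse.
WARNING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+):(?P<col>\d+): warning: "
    r"(?P<msg>.*?)(?: \[(?P<flag>-W[^\]]+)\])?$"
)


def parse_warnings(build_log):
    """Count warnings keyed by (file, flag, message).

    Line and column are deliberately dropped from the key: an unrelated edit
    that shifts code by a few lines must not make an old warning look new.
    """
    counts = Counter()
    for raw in build_log.splitlines():
        m = WARNING_RE.match(raw.strip())
        if m:
            counts[(m["file"], m["flag"] or "", m["msg"])] += 1
    return counts


def new_violations(baseline_log, current_log):
    """Return {key: extra_count} for warnings absent from, or more frequent
    than in, the baseline. An empty dict means the build may proceed."""
    baseline = parse_warnings(baseline_log)
    current = parse_warnings(current_log)
    return {
        key: count - baseline.get(key, 0)
        for key, count in current.items()
        if count > baseline.get(key, 0)
    }


def fixed_violations(baseline_log, current_log):
    """Warnings present in the baseline that no longer occur: candidates for
    tightening the baseline so the ratchet only ever moves towards zero."""
    baseline = parse_warnings(baseline_log)
    current = parse_warnings(current_log)
    return {key: n for key, n in baseline.items() if key not in current}


def check(baseline_log, current_log):
    """Return (ok, report_lines) in the shape a CI step would print."""
    new = new_violations(baseline_log, current_log)
    lines = [
        f"NEW: {f}: {msg} [{flag}] (+{n})"
        for (f, flag, msg), n in sorted(new.items())
    ]
    return (not new), lines


# Constructed sample logs (file names and line numbers are made up).
BASELINE_LOG = """\
Modules/example.c:10:5: warning: comparison of integers of different signs [-Wsign-compare]
Objects/sample.c:42:9: warning: this statement may fall through [-Wimplicit-fallthrough]
"""

# The sign-compare warning merely moved two lines; one fallthrough and one
# format-security warning are genuinely new.
CURRENT_LOG = """\
Modules/example.c:12:5: warning: comparison of integers of different signs [-Wsign-compare]
Objects/sample.c:42:9: warning: this statement may fall through [-Wimplicit-fallthrough]
Objects/sample.c:80:1: warning: this statement may fall through [-Wimplicit-fallthrough]
Modules/newmod.c:7:3: warning: format not a string literal [-Wformat-security]
"""

if __name__ == "__main__":
    ok, report = check(BASELINE_LOG, CURRENT_LOG)
    print("\n".join(report) or "no new compiler warnings")
    raise SystemExit(0 if ok else 1)
```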
Applications are due by April 2nd, 2024 so if you're interested in working on this idea act quickly to prepare your application. I've already received some interest and have been providing some guidance to potential applicants.
Speaking and Tabletop Exercise participant at SOSS Community Day NA
I'm speaking at the OpenSSF SOSS Community Day in Seattle on April 15th. I'm also a participant in the Tabletop Exercise that caps off SOSS Community Day.
Other items
- CPython source and documentation builds moved to GitHub Actions; thanks to Developer-in-Residence Łukasz Langa for reviewing and dry-running the GitHub Action during the most recent CPython release.
- Security advisories for CVE-2023-6597 and CVE-2024-0450 were published while I was away by Ee Durbin.
- CPython 3.13.0a5 is released containing some changes to default certificate verification behavior. Please test the latest CPython alpha releases for 3.13!
- Reviewed Brett Cannon's lock file pre-PEP to ensure package URLs and SBOMs can be constructed reliably and for future changes to checksum algorithms.
- I'll be blogging for the Python Language Summit at PyCon US 2024.
That's all for this week! 👋 If you're interested in more you can read last week's report.
This work is licensed under CC BY-SA 4.0
Reproducible Builds (diffoscope): diffoscope 262 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 262. This version includes the following changes:
[ Chris Lamb ]
* Factor out Python version checking in test_zip.py. (Re: #362)
* Also skip some zip tests under 3.10.14 as well; a potential regression may have been backported to the 3.10.x series. The underlying cause is still to be investigated. (Re: #362)
You can find out more by visiting the project homepage.
Joey Hess: the vulture in the coal mine
Turns out that VPS provider Vultr's terms of service were quietly changed some time ago to give them a "perpetual, irrevocable" license to use content hosted there in any way, including modifying it and commercializing it "for purposes of providing the Services to you."
This is very similar to changes that Github made to their TOS in 2017. Since then, Github has been rebranded as "The world’s leading AI-powered developer platform". The language in their TOS now clearly lets them use content stored in Github for training AI. (Probably this is their second line of defense if the current attempt to legitimise copyright laundering via generative AI fails.)
Vultr is currently in damage control mode, accusing their concerned customers of spreading "conspiracy theories" (-- founder David Aninowsky) and updating the TOS to remove some of the problem language. Although it still allows them to "make derivative works", so could still allow their AI division to scrape VPS images for training data.
Vultr claims this was the legalese version of technical debt, that it only ever applied to posts in a forum (not supported by the actual TOS language) and basically that they and their lawyers are incompetent but not malicious.
Maybe they are indeed incompetent. But even if I give them the benefit of the doubt, I expect that many other VPS providers, especially ones targeting non-corporate customers, are watching this closely. If Vultr is not significantly harmed by customers jumping ship, if the latest TOS change is accepted as good enough, then other VPS providers will know that they can try this TOS trick too. If Vultr's AI division does well, others will wonder to what extent it is due to having all this juicy training data.
For small self-hosters, this seems like a good time to make sure you're using a VPS provider you can actually trust to not be eyeing your disk image and salivating at the thought of stripmining it for decades of emails. Probably also worth thinking about moving to bare metal hardware, perhaps hosted at home.
I wonder if this will finally make it worthwhile to mess around with VPS TPMs?
Scarlett Gately Moore: Kubuntu, KDE Report. In Loving Memory of my Son.
Personal:
As many of you know, I lost my beloved son March 9th. This has hit me really hard, but I am staying strong and holding on to all the wonderful memories I have. He grew up to be an amazing man, devoted Christian and wonderful father. He was loved by everyone who knew him and will be truly missed by us all. I have had folks ask me how they can help. He left behind his 7 year old son Mason. Mason was Billy’s world and I would like to make sure Mason is taken care of. I have set up a gofundme for Mason and all proceeds will go to the future care of him.
Work report
Kubuntu:
Bug bashing! I am triaging all the bugs for Plasma, which can be seen here:
https://bugs.launchpad.net/plasma-5.27/+bug/2053125
I am happy to report many of the remaining bugs have been fixed in the latest bug fix release 5.27.11.
I prepared https://kde.org/announcements/plasma/5/5.27.11/ and Rik uploaded it to the archive, thank you. Unfortunately, this and several other key fixes are stuck in transition due to the time_t64 transition, which you can read about here: https://wiki.debian.org/ReleaseGoals/64bit-time . It is the biggest transition in Debian/Ubuntu history and it couldn’t have come at a worse time. We are aware our ISO installer is currently broken; calamares is one of those things stuck in this transition. There is a workaround in the comments of the bug report: https://bugs.launchpad.net/ubuntu/+source/calamares/+bug/2054795
Fixed an issue with plasma-welcome.
Found the fix for emojis and Aaron has kindly moved this forward with the fontconfig maintainer. Thanks!
I have received a https://kfocus.org/spec/spec-ir14.html laptop and it is truly a great machine and is now my daily driver. A big thank you to the Kfocus team! I can’t wait to show it off at https://linuxfestnorthwest.org/.
KDE Snaps:
You will see the activity in this ramp back up as the KDEneon Core project is finally a go! I will participate in the project with part-time status and get everyone in the Enokia team up to speed with my snap knowledge, help prepare the qt6/kf6 transition, package plasma, and most importantly I will focus on documentation for future contributors.
I have created the (now split) qt6 with KDE patchset support and KDE frameworks 6 SDK and runtime snaps. I have made the kde-neon-6 extension and the PR is in: https://github.com/canonical/snapcraft/pull/4698 . Future work on the extension will include multiple version track support and core24 support.
I have successfully created our first qt6/kf6 snap, ark. They will be showing up in the store once all the required bits have been merged and published.
Thank you for stopping by.
~Scarlett
coreutils @ Savannah: coreutils-9.5 released [stable]
This is to announce coreutils-9.5, a stable release.
See the NEWS below for a summary of changes.
There have been 187 commits by 18 people in the 30 weeks since 9.4.
Thanks to everyone who has contributed!
The following people contributed changes to this release:
Aearil (1)
Bruno Haible (3)
Christian Göttsche (1)
Collin Funk (4)
Daan De Meyer (1)
Greg Wooledge (1)
Grisha Levit (2)
Michel Lind (1)
Paul Eggert (89)
Petr Malat (1)
Pádraig Brady (75)
Samuel Tardieu (1)
Stephane Chazelas (1)
Stephen Kitt (1)
Sylvestre Ledru (3)
Ville Skyttä (1)
dann frazier (1)
lvgenggeng (1)
Pádraig [on behalf of the coreutils maintainers]
==================================================================
Here is the GNU coreutils home page:
https://gnu.org/s/coreutils/
For a summary of changes and contributors, see:
https://git.sv.gnu.org/gitweb/?p=coreutils.git;a=shortlog;h=v9.5
or run this command from a git-cloned coreutils directory:
git shortlog v9.4..v9.5
Here are the compressed sources:
https://ftp.gnu.org/gnu/coreutils/coreutils-9.5.tar.gz (15MB)
https://ftp.gnu.org/gnu/coreutils/coreutils-9.5.tar.xz (5.8MB)
Here are the GPG detached signatures:
https://ftp.gnu.org/gnu/coreutils/coreutils-9.5.tar.gz.sig
https://ftp.gnu.org/gnu/coreutils/coreutils-9.5.tar.xz.sig
Use a mirror for higher download bandwidth:
https://www.gnu.org/order/ftp.html
Here are the SHA1 and SHA256 checksums:
3285114d93b39e5e4643b0846f570203a5e4c97b coreutils-9.5.tar.gz
dnrmoilQ7ELzul98Heed0ngA7o6bhkLaXe21l0oXQeU= coreutils-9.5.tar.gz
867fed7ce2ee15c5150a355a5f3a3b50578cf78d coreutils-9.5.tar.xz
zTKO3qyS9qZl3p8yPJO3Eq8YWLwuDYjz9xAEaUcKG4o= coreutils-9.5.tar.xz
Verify the base64 SHA256 checksum with cksum -a sha256 --check
from coreutils-9.2 or OpenBSD's cksum since 2007.
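As an added example (not part of the coreutils announcement), the following Python script does what `cksum -a sha256 --check` does for the base64 SHA256 lines above, and also handles the hex SHA1 lines, for systems whose coreutils predates 9.2. The sample file and its digests are constructed inline, and the function names are my own.

```python
"""Verify a release tarball against the checksum lines in a GNU announcement.

Added example for this page, not coreutils code.  The announcement prints
SHA1 as hex and SHA256 as base64 (the form `cksum -a sha256 --check`
consumes).  This script handles both, using only the standard library, for
systems whose coreutils predates 9.2.  Function names are my own."""

import base64
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a downloaded tarball; NOT the real coreutils-9.5
# archive.  Its expected digests are computed from it in demo() below.
SAMPLE_CONTENT = b"not a real tarball\n"


def parse_checksum_line(line):
    """Classify one 'CHECKSUM FILENAME' line.

    Returns (algo, expected, filename).  A 40-char hex string is SHA1;
    a 44-char base64 string ending in '=' is SHA256 (32 bytes -> 44 chars)."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"malformed checksum line: {line!r}")
    value, name = parts
    if len(value) == 40 and all(c in "0123456789abcdef" for c in value.lower()):
        return "sha1", value.lower(), name
    if len(value) == 44 and value.endswith("="):
        return "sha256", value, name
    raise ValueError(f"unrecognised checksum format: {value!r}")


def file_digest(path, algo):
    """Stream the file through hashlib; tarballs are tens of MB, so chunk."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.digest()


def hex_to_base64(hex_digest):
    """Turn a sha256sum-style hex digest into the base64 form the
    announcement prints, so the two can be compared directly."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def verify_checksum_line(line, directory):
    """True if the file named in `line` (found under `directory`) matches."""
    algo, expected, name = parse_checksum_line(line)
    actual = file_digest(os.path.join(directory, name), algo)
    if algo == "sha1":
        actual_str = actual.hex()
    else:
        actual_str = base64.b64encode(actual).decode("ascii")
    # Constant-time compare is habit; the digests are public here anyway.
    return hmac.compare_digest(actual_str, expected)


def demo():
    """Write the constructed sample, then verify a good SHA1 line, a good
    base64 SHA256 line, and a tampered SHA256 line.  Returns the 3 results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.tar.xz")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        sha1_line = hashlib.sha1(SAMPLE_CONTENT).hexdigest() + " sample.tar.xz"
        b64 = hex_to_base64(hashlib.sha256(SAMPLE_CONTENT).hexdigest())
        sha256_line = b64 + " sample.tar.xz"
        tampered_line = "A" * 43 + "= sample.tar.xz"
        return (verify_checksum_line(sha1_line, d),
                verify_checksum_line(sha256_line, d),
                verify_checksum_line(tampered_line, d))


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```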
Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:
gpg --verify coreutils-9.5.tar.gz.sig
The signature should match the fingerprint of the following key:
pub rsa4096/0xDF6FD971306037D9 2011-09-23 [SC]
Key fingerprint = 6C37 DC12 121A 5006 BC1D B804 DF6F D971 3060 37D9
uid [ultimate] Pádraig Brady <P@draigBrady.com>
uid [ultimate] Pádraig Brady <pixelbeat@gnu.org>
If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.
gpg --locate-external-key P@draigBrady.com
gpg --recv-keys DF6FD971306037D9
wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=coreutils&download=1' | gpg --import -
As a last resort to find the key, you can try the official GNU
keyring:
wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
gpg --keyring gnu-keyring.gpg --verify coreutils-9.5.tar.gz.sig
This release was bootstrapped with the following tools:
Autoconf 2.72c.32-cb6fb
Automake 1.16.5
Gnulib v0.1-7293-g259829e78b
Bison 3.8.2
NEWS
* Noteworthy changes in release 9.5 (2024-03-28) [stable]
** Bug fixes
chmod -R now avoids a race where an attacker may replace a traversed file
with a symlink, causing chmod to operate on an unintended file.
[This bug was present in "the beginning".]
cp, mv, and install no longer issue spurious diagnostics like "failed
to preserve ownership" when copying to GNU/Linux CIFS file systems.
They do this by working around some Linux CIFS bugs.
cp --no-preserve=mode will correctly maintain set-group-ID bits
for created directories. Previously on systems that didn't support ACLs,
cp would have reset the set-group-ID bit on created directories.
[bug introduced in coreutils-8.20]
join and uniq now support multi-byte characters better.
For example, 'join -tX' now works even if X is a multi-byte character,
and both programs now treat multi-byte characters like U+3000
IDEOGRAPHIC SPACE as blanks if the current locale treats them so.
numfmt options like --suffix no longer have an arbitrary 127-byte limit.
[bug introduced with numfmt in coreutils-8.21]
mktemp with --suffix now better diagnoses templates with too few X's.
Previously it conflated the insignificant --suffix in the error.
[bug introduced in coreutils-8.1]
sort again handles thousands grouping characters in single-byte locales
where the grouping character is greater than CHAR_MAX. For example, on signed
character platforms with a 0xA0 (aka non-breaking space) grouping character.
[bug introduced in coreutils-9.1]
split --line-bytes with a mixture of very long and short lines
no longer overwrites the heap (CVE-2024-0684).
[bug introduced in coreutils-9.2]
tail no longer mishandles input from files in /proc and /sys file systems,
on systems with a page size larger than the stdio BUFSIZ.
[This bug was present in "the beginning".]
timeout avoids a narrow race condition, where it might kill arbitrary
processes after a failed process fork.
[bug introduced with timeout in coreutils-7.0]
timeout avoids a narrow race condition, where it might fail to
kill monitored processes immediately after forking them.
[bug introduced with timeout in coreutils-7.0]
wc no longer fails to count unprintable characters as parts of words.
[bug introduced in textutils-2.1]
** Changes in behavior
base32 and base64 no longer require padding when decoding.
Previously an error was given for non padded encoded data.
base32 and base64 have improved detection of corrupted encodings.
Previously encodings with non zero padding bits were accepted.
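To make concrete what "non zero padding bits" means, here is an added Python decoder (my own, for illustration; not the coreutils implementation) that applies the two rules described above: padding is optional, and a final group whose unused low bits are not zero is rejected as corrupt.

```python
"""Base64 decoding with the acceptance rules coreutils 9.5 describes:
padding is optional, but a final group whose unused low bits are not zero
is rejected as a corrupted encoding.  Added example for this page, written
for illustration; it is not the coreutils implementation."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
VALUE = {c: i for i, c in enumerate(ALPHABET)}


def decode_strict(text):
    """Return the decoded bytes, or raise ValueError.

    Rules:
      * whitespace (e.g. line wraps from `base64 -w`) is ignored
      * trailing '=' padding may be present or absent
      * a lone trailing sextet (6 bits, no whole byte) is an error
      * in a 2- or 3-sextet tail, the 4 or 2 bits beyond the whole bytes
        carry no data and must be zero; anything else is corruption"""
    s = "".join(text.split()).rstrip("=")
    try:
        sextets = [VALUE[c] for c in s]
    except KeyError as e:
        raise ValueError(f"invalid base64 character {e.args[0]!r}") from None

    rem = len(sextets) % 4
    if rem == 1:
        raise ValueError("truncated input: a lone 6-bit group")

    out = bytearray()
    for i in range(0, len(sextets) - rem, 4):       # full groups -> 3 bytes
        a, b, c, d = sextets[i:i + 4]
        n = (a << 18) | (b << 12) | (c << 6) | d
        out += bytes([n >> 16, (n >> 8) & 0xFF, n & 0xFF])

    if rem:                                          # partial tail group
        n = 0
        for v in sextets[-rem:]:
            n = (n << 6) | v
        nbytes = rem - 1                             # 2 sextets->1 byte, 3->2
        spare = rem * 6 - nbytes * 8                 # 4 or 2 unused bits
        if n & ((1 << spare) - 1):
            raise ValueError("non-zero padding bits: corrupted encoding")
        out += (n >> spare).to_bytes(nbytes, "big")
    return bytes(out)


def rejects(text):
    """True if decode_strict refuses `text`."""
    try:
        decode_strict(text)
    except ValueError:
        return True
    return False
```

"QQ==" and "QQ" both decode to the byte 'A', but "QR==" is refused: the 'R' sextet sets a bit that no output byte can hold.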
basenc --base16 -d now supports lower case hexadecimal characters.
Previously an error was given for lower case hex digits.
cp --no-clobber, and mv -n no longer exit with failure status if
existing files are encountered in the destination. Instead they revert
to the behavior from before v9.2, silently skipping existing files.
ls --dired now implies long format output without hyperlinks enabled,
and will take precedence over previously specified formats or hyperlink mode.
numfmt will accept lowercase 'k' to indicate Kilo or Kibi units on input,
and uses lowercase 'k' when outputting such units in '--to=si' mode.
pinky no longer tries to canonicalize the user's login location by default,
rather requiring the new --lookup option to enable this often slow feature.
wc no longer ignores encoding errors when counting words.
Instead, it treats them as non white space.
** New features
chgrp now accepts the --from=OWNER:GROUP option to restrict changes to files
with matching current OWNER and/or GROUP, as already supported by chown(1).
chmod adds support for -h, -H, -L, -P, and --dereference options, providing
more control over symlink handling. This supports more secure handling of
CLI arguments, and is more consistent with chown, and chmod on other systems.
cp now accepts the --keep-directory-symlink option (like tar), to preserve
and follow existing symlinks to directories in the destination.
cp and mv now accept the --update=none-fail option, which is similar
to the --no-clobber option, except that existing files are diagnosed,
and the command exits with failure status if existing files are encountered.
The -n,--no-clobber option is best avoided due to platform differences.
env now accepts the -a,--argv0 option to override the zeroth argument
of the command being executed.
mv now accepts an --exchange option, which causes the source and
destination to be exchanged. It should be combined with
--no-target-directory (-T) if the destination is a directory.
The exchange is atomic if source and destination are on a single
file system that supports atomic exchange; --exchange is not yet
supported in other situations.
od now supports printing IEEE half precision floating point with -t fH,
or brain 16 bit floating point with -t fB, where supported by the compiler.
tail now supports following multiple processes, with repeated --pid options.
** Improvements
cp, mv, install, cat, split now read and write a minimum of 256KiB at a time.
This was previously 128KiB and increasing to 256KiB was seen to increase
throughput by 10-20% when reading cached files on modern systems.
env, kill, timeout now support unnamed signals. kill(1) for example now
supports sending such signals, and env(1) will list them appropriately.
SELinux operations in file copy operations are now more efficient,
avoiding unneeded MCS/MLS label translation.
sort no longer dynamically links to libcrypto unless -R is used.
This decreases startup overhead in the typical case.
wc is now much faster in single-byte locales and somewhat faster in
multi-byte locales.
Evolving Web: Building Websites that Win Over Prospective Students
Universities and colleges are faced with unique goals, challenges, and opportunities around digital transformation. We often hear from folks who want to reorient their higher education websites around attracting and nurturing potential new students. I recently shared insights on how to accomplish this at the 2023 HighEdWeb Conference in Buffalo, New York, where I co-presented with Winna Tse and Vibeke Silverthorne from OCAD University.
We showcased our collaboration on OCAD U’s Admissions sites—two visually bold, accessible, interactive microsites that we designed to captivate a creative audience and streamline the application process. OCAD U saw a 21% increase in website visits and a 15% increase in applicants within a few weeks of the launch.
In this article, I’ve shared some of our best lessons and findings from the project. Read on to explore six proven ways to reach, engage, and win over prospective students.
1. Consider Building a Separate Microsite
According to usability research, students often select a program first before they choose which school to attend. That means it’s really important to show prospective students what programs are available and make program pages easily accessible. Many websites successfully use a program finder on their main website to funnel prospective students to their program of choice.
But because OCAD U had information architecture issues on its main site, we recommended replacing the old admissions section with two stand-alone microsites targeted at prospective students (one for graduates, one for undergraduates). This solution brought several advantages for OCAD U’s admissions team and the wider university, which we’ll explore below.
Targeted user experience
By capturing prospective undergraduates on a self-contained microsite, OCAD U can deliver a highly tailored digital experience. Everything from the menu navigation to the visuals is geared towards users who are considering studying at the university. OCAD U was so happy with this approach that they commissioned a second microsite aimed at prospective postgraduates.
Streamlined updates process
Originally, the admissions team had to ask the marketing team to make content changes. Every department did this, meaning it could take 2-3 weeks for requests to reach the top of the queue. This wasn’t practical for the fast-paced nature of admissions and recruitment.
A stand-alone microsite gives the admissions team greater ownership over their content. They can make changes in a single day, enabling them to publish time-sensitive content such as deadlines reminders.
Because the microsites are built using Drupal, the admissions team has access to a powerful user roles feature for managing editing permissions. This is one of many reasons to use Drupal for higher education websites.
Possibilities for experimentation
OCAD U’s admissions website created an opportunity to experiment with the visual brand and user experience. It offers more freedom and breathing room than the main website, given the main site’s size and age. What’s more, the university can learn from the admissions website and apply lessons from its successes to the main website.
Alternative: Program Finder
A separate microsite was the right choice for OCAD U, but another strategy is using a program finder on both the main and recruitment site to funnel users towards detailed program pages. This approach is particularly effective for institutions with multiple campus websites, as it offers a versatile starting point for program exploration. For OCAD U, the decision to go with a microsite stemmed from a lack of flexibility with the information architecture on their main site, making a microsite the obvious choice. For other institutions, the program finder funnel solution might make more sense.
2. Create Straightforward User Journeys
Because you’re competing for the time and attention of prospective students, it’s all the more important that your website serves up the information they’re looking for quickly and effortlessly. The best way to achieve this is by mapping user journeys and working out how to streamline your site architecture, search experience, and calls to action.
User Journey Mapping
We ran a user journey mapping exercise with OCAD U where we developed user personas and explored the types of interactions they had with the university. This included everything from Googling the institution, to attending an open day, to completing an application form. The process helped us uncover new opportunities to improve their journey, and allowed us to start developing wireframes and mockups.
User Mindsets
Using a less traditional approach, we also explored user mindsets. Our team identified three mindsets that any prospective student might have—whether they’re a high schooler, undergraduate, mature student, or coming from abroad:
- “I don’t know what I want to study.”
- “I want to study art and design, but I don’t know where yet.”
- “I already know that I want to attend OCAD University.”
Looking into these mindsets with OCAD U helped us shape their site navigation and provide relevant, consistent CTAs. Their Discover section is aimed at the first mindset, the Afford and Visit sections at the second mindset, and the Apply section at the third mindset.
We helped OCAD U refine its program selectors and calls to action for a simpler user experience.
Want to learn more about the discovery and UX design in higher education projects? Read about our collaboration with York University’s School of the Arts, Media, Performance and Design in 5 Surprising Findings That’ll Change How You See Discovery.
3. Integrate Storytelling Throughout Your Content
Storytelling creates an emotional connection between users and your brand. The most powerful stories are authentic and value-based, showing target audiences that you care about what they care about. Storytelling isn’t just for your homepage either. Program pages are a common entry point for prospective students, so they need to promote your brand as well as the course details.
As an art, design, and media institution, OCAD U has incredible opportunities to use visual storytelling. We infused a range of student-created art throughout the university’s website. Not only does this elevate the design, it also showcases talent that reflects OCAD U’s reputation, and invites prospective students to imagine their own creative possibilities.
“We felt that [Evolving Web’s] aesthetic was very strong, that they could really adapt to our brand. Also, most importantly, was their thoughtful approach to storytelling.”
- Winna Tse, Communications & Projects Specialist, OCAD University
Having worked with dozens of higher education institutions, our team has interviewed many prospective students about what matters to them. We’ve heard repeatedly about the importance of connecting with current students and alumni. Prospective students value hearing about real-life experiences at your university—in fact, it’s often a tipping point in their decision making process. So, don’t isolate student stories and testimonials in a corner of your website. Integrate them on every page to ensure exposure to your most persuasive content.
We reimagined the application of OCAD U’s visual brand to create a striking website design.
4. Fine-Tune Your Visual Brand
An eye-catching, memorable visual identity sets your university apart from competitors. Above all, it needs to resonate with your target audience. Building a new website is often a good opportunity to refresh your brand—but it’s possible to refine what you already have in a way that targets prospective students.
Identify where your brand allows for flexibility, and experiment with different flavours of existing design elements. OCAD U wanted a bolder look and feel that reflects their reputation and meets the expectations of discerning young creatives. So we applied their visual identity in new ways, bringing out more daring and fun aspects of the brand.
Our design team developed ‘Windows into OCAD U’, a concept that invites students to explore creative possibilities, escape the boring, and reimagine a more fantastical reality. We also used the distinctive architecture of OCAD U’s buildings as inspiration for textures and shapes, including tiled patterns, concentric squares, and boldly coloured buttons.
We communicated our vision to the client using stylescapes, a valuable tool for enhancing collaboration on art direction.
Stylescapes helped us communicate design ideas and get early alignment on the visual direction of the project.
5. Help Prospective Students Apply with Confidence
If you want to increase applications from prospective students, it’s essential to make the admissions process as straightforward and welcoming as possible. A useful exercise is to identify major touchpoints in the user’s journey and find ways to provide better support and value around them.
For OCAD U, this touchpoint was when prospective students prepared and submitted their portfolio. For other universities, it might be something like attending an open day or having an interview with faculty.
We helped OCAD U develop a dedicated page for portfolio preparation. It offers step-by-step guidance, information about requirements, creative prompts and tips, answers to common questions, and access to portfolio clinics. By providing these valuable resources, OCAD U saw an increase not only in the number of applications but also in their quality.
Portfolio submission is a unique aspect of OCAD U’s admissions process that required special attention.
6. Prioritize Accessibility and Inclusion
Prospective students come from a wide range of cultures and backgrounds, and include people with disabilities and support needs. Higher education institutions need to prioritize accessibility and inclusion when building a website, ensuring that everyone has equal access to content and feels welcomed and represented.
Everything our team builds complies with WCAG 2.0 AA and relevant federal, provincial, state, or local requirements. But we encourage and guide clients to go beyond these standards with a human-centric, personalized approach to web accessibility. This can empower your organization to reach even more people and offer ever-better experiences.
It’s also important to reflect your institution’s diversity in your site’s content strategy. Select website imagery that represents people of various cultures, races, ethnicities, religions, and so on, reflecting the diversity you would find on campus. Diversity can also mean highlighting different paths to success, such as showcasing a mature student who went to OCAD to start a second career. Prioritize plain language to help non-native speakers and users with cognitive disabilities find the right information. Consider whether you need a multilingual website to cater to audiences such as international students.
Finally, explore ways to support prospective students from historically underserved communities. As a North American university, OCAD U has a dedicated section for indigenous applicants that provides tailored information about relevant resources, contacts, programs, scholarships and bursaries.
Meet Evolving Web, Your Digital Agency Partner
Evolving Web works with higher education organizations across North America—including Princeton University, McGill University, Georgia Tech, the University of Washington, OCAD University, Queen’s University, York University, and the University of California Berkeley.
Our experience has allowed us to develop best practices and tried-and-tested solutions that help us deliver exceptional value to our higher education clients. We create dynamic, user-centric websites to help you connect with target audiences and cultivate valuable relationships. Our team prioritizes your digital independence, giving you the tools you need to grow and evolve your digital presence.
Learn about our work with higher education clients and see what we can do for you.