Using the QML Language Server for KDE Development (update)

Planet KDE - Fri, 2024-05-10 06:30

In a previous post I talked about using the QML Language Server for KDE development. Since writing that post a few things happened, so it’s time for an update.

I mentioned that when using Kate, qmlls should work out of the box when opening a QML file. That’s mostly true, but there is one problem: depending on your distribution, the binary for qmlls has a different name. Sometimes it’s qmlls, sometimes qmlls6 or qmlls-qt6. You may need to adjust the LSP Server settings in Kate to match the name on your system.

In order for qmlls to find types that are defined in your application’s C++ code those must not only be declaratively registered, qmlls also needs to be told where to find the type information. Fortunately Qt 6.7 comes with a handy way to do that. By passing -DQT_QML_GENERATE_QMLLS_INI=ON to CMake you get an appropriate config file generated. This will be placed into the project’s source directory but is specific to your setup, so add that to your gitignore file (PS: You can set up a global gitignore file for your system, so you don’t need to add this to all your projects). Unfortunately the initial implementation produced wrong configurations for some modules, but this is fixed in Qt 6.7.2.

A problem I mentioned is that qmlls doesn’t find modules that are not installed into the same path as Qt. With Qt 6.8 there will be two new options. The -I parameter allows adding custom import paths to qmlls’ search paths. The -E parameter makes qmlls consider the value of the QML_IMPORT_PATH environment variable for its search paths.

In order for qmlls to work properly modules need to be created using the CMake API and use declarative type registration. Since writing the last post some KDE modules have been converted to those, but there’s still more to do.

Thanks to the QML team for those swift improvements!

Categories: FLOSS Project Planets

Reproducible Builds: Reproducible Builds in April 2024

Planet Debian - Fri, 2024-05-10 06:05

Welcome to the April 2024 report from the Reproducible Builds project! In our reports, we attempt to outline what we have been up to over the past month, as well as mentioning some of the important things happening more generally in software supply-chain security. As ever, if you are interested in contributing to the project, please visit our Contribute page on our website.

Table of contents:

  1. New backseat-signed tool to validate distributions’ source inputs
  2. ‘NixOS is not reproducible’
  3. Certificate vulnerabilities in F-Droid’s fdroidserver
  4. Website updates
  5. ‘Reproducible Builds and Insights from an Independent Verifier for Arch Linux’
  6. libntlm now releasing ‘minimal source-only tarballs’
  7. Distribution work
  8. Mailing list news
  9. diffoscope
  10. Upstream patches
  11. reprotest
  12. Reproducibility testing framework

New backseat-signed tool to validate distributions’ source inputs

kpcyrd announced a new tool called backseat-signed, after:

I figured out a somewhat straight-forward way to check if a given git archive output is cryptographically claimed to be the source input of a given binary package in either Arch Linux or Debian (or both).

Elaborating more in their announcement post, kpcyrd writes:

I believe this to be the “reproducible source tarball” thing some people have been asking about. As explained in the README, I believe reproducing autotools-generated tarballs isn’t worth everybody’s time and instead a distribution that claims to build from source should operate on VCS snapshots instead of tarballs with 25k lines of pre-generated shell-script.

Indeed, many distributions’ packages already build from VCS snapshots, and this trend is likely to accelerate in response to the xz incident. The announcement led to a lengthy discussion on our mailing list, as well as a shorter follow-up thread from kpcyrd about bootstrapping Autotools projects.

‘NixOS is not reproducible’

Morten Linderud posted a post on his blog this month, provocatively titled, “NixOS is not reproducible”. Although quickly admitting that his title is indeed “clickbait”, Morten goes on to clarify the precise guarantees and promises that NixOS provides its users.

Later in the post, Morten mentions that he was motivated to write the post because:

I have heavily invested my free-time on this topic since 2017, and met some of the accomplishments we have had with “Doesn’t NixOS solve this?” for just as long… and I thought it would be of peoples interest to clarify[.]

Certificate vulnerabilities in F-Droid’s fdroidserver

In early April, Fay Stegerman announced a certificate pinning bypass vulnerability and Proof of Concept (PoC) in the F-Droid fdroidserver tools for “managing builds, indexes, updates, and deployments for F-Droid repositories” to the oss-security mailing list.

We observed that embedding a v1 (JAR) signature file in an APK with minSdk >= 24 will be ignored by Android/apksigner, which only checks v2/v3 in that case. However, since fdroidserver checks v1 first, regardless of minSdk, and does not verify the signature, it will accept a “fake” certificate and see an incorrect certificate fingerprint. […] We also realised that the above mentioned discrepancy between apksigner and androguard (which fdroidserver uses to extract the v2/v3 certificates) can be abused here as well. […]

Later on in the month, Fay followed up with a second post detailing a third vulnerability and a script that could be used to scan for potentially affected .apk files and mentioned that, whilst upstream had acknowledged the vulnerability, they had not yet applied any ameliorating fixes.

Website updates

There were a number of improvements made to our website this month, including Chris Lamb updating the archive page to recommend -X and unzipping with TZ=UTC and adding Maven, Gradle, JDK and Groovy examples to the SOURCE_DATE_EPOCH page. In addition Jan Zerebecki added a new /contribute/opensuse/ page and Sertonix fixed the automatic RSS feed detection.

Reproducible Builds and Insights from an Independent Verifier for Arch Linux

Joshua Drexel, Esther Hänggi and Iyán Méndez Veiga of the School of Computer Science and Information Technology, Hochschule Luzern (HSLU) in Switzerland published a paper this month entitled Reproducible Builds and Insights from an Independent Verifier for Arch Linux. The paper establishes the context as follows:

Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges.

What is more, the paper aims to:

… contribute to the reproducible builds effort by setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot […].

A PDF of the paper is available.

libntlm now releasing ‘minimal source-only tarballs’

Simon Josefsson wrote on his blog this month that, going forward, the libntlm project will now be releasing what they call “minimal source-only tarballs”:

The XZUtils incident illustrate that tarballs with files that are not included in the git archive offer an opportunity to disguise malicious backdoors. [The] risk of hiding malware is not the only motivation to publish signed minimal source-only tarballs. With pre-generated content in tarballs, there is a risk that GNU/Linux distributions [ship] generated files coming from the tarball into the binary *.deb or *.rpm package file. Typically the person packaging the upstream project never realized that some installed artifacts was not re-built[.]

Simon’s post goes into further detail on how this was achieved, describes some potential caveats and counters some expected responses as well. A shorter version can be found in the announcement for the 1.8 release of libntlm.
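The check this concern calls for, as an added example (not code from libntlm, Simon’s post or the Reproducible Builds project): compare a release tarball against a git archive snapshot and list files that exist only in the tarball or whose content differs. Both archives are built in memory from constructed sample files and are assumed to have a single top-level directory; reporting differing content goes slightly beyond the quoted passage.

```python
import hashlib
import io
import tarfile


def make_tar(prefix, files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            info.mtime = 0  # fixed timestamp keeps the sample deterministic
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(archive_bytes):
    """Map each member path (top-level directory stripped) to a content digest."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            # Drop the leading "name-version/" component so both archives align.
            _, _, rel = member.name.partition("/")
            if not rel or member.isdir():
                continue
            if member.isfile():
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            elif member.issym() or member.islnk():
                digest = "link:" + member.linkname
            else:
                digest = "special:" + member.type.decode("ascii", "replace")
            entries[rel] = digest
    return entries


def compare_release_to_vcs(release_bytes, vcs_bytes):
    """Report where a release tarball departs from the VCS snapshot."""
    release, vcs = manifest(release_bytes), manifest(vcs_bytes)
    shared = set(release) & set(vcs)
    return {
        # Files the packager would build from but nobody reviewed in git.
        "only_in_release": sorted(set(release) - set(vcs)),
        # Usually harmless (VCS metadata), listed for completeness.
        "only_in_vcs": sorted(set(vcs) - set(release)),
        # Same path, different bytes: always worth a manual look.
        "content_differs": sorted(p for p in shared if release[p] != vcs[p]),
    }


# Constructed sample: what `git archive` would export for a small project.
VCS_FILES = {
    ".gitignore": b"*.o\n",
    "configure.ac": b"AC_INIT([demo],[1.0])\n",
    "Makefile.am": b"SUBDIRS = src\n",
    "m4/check.m4": b"# feature probe\n",
    "src/lib.c": b"int answer(void) { return 42; }\n",
}

# Constructed sample: a `make dist`-style tarball with pre-generated files
# added and one tracked file whose bytes no longer match the repository.
RELEASE_FILES = {
    "configure.ac": VCS_FILES["configure.ac"],
    "Makefile.am": VCS_FILES["Makefile.am"],
    "m4/check.m4": b"# feature probe (regenerated)\n",
    "src/lib.c": VCS_FILES["src/lib.c"],
    "configure": b"#!/bin/sh\n# pre-generated shell script\n",
    "Makefile.in": b"# pre-generated by automake\n",
}


def demo():
    """Run the comparison on the constructed sample archives."""
    release = make_tar("demo-1.0", RELEASE_FILES)
    vcs = make_tar("demo-v1.0", VCS_FILES)
    return compare_release_to_vcs(release, vcs)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}:")
        for path in paths:
            print(f"  {path}")
```

Against real inputs, pass the bytes of the published tarball and of a `git archive` export of the release tag; every path under only_in_release or content_differs is something the binary package may be built from without it ever having been in the repository.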

Distribution work

In Debian this month, Helmut Grohne filed a bug suggesting the removal of dh-buildinfo, a tool to generate and distribute .buildinfo-like files within binary packages. Note that this is distinct from the .buildinfo generation performed by dpkg-genbuildinfo. By contrast, the entirely optional dh-buildinfo generated a debian/buildinfo file that would be shipped within binary packages as /usr/share/doc/package/buildinfo_$arch.gz.

Adrian Bunk recently asked about including source hashes in Debian’s .buildinfo files, which prompted Guillem Jover to refresh some old patches to dpkg to make this possible, which revealed some quirks Vagrant Cascadian discovered when testing.

In addition, 21 reviews of Debian packages were added, 22 were updated and 16 were removed this month, adding to our knowledge about identified issues. A number of issue types have been added, such as the new random_temporary_filenames_embedded_by_mesonpy and timestamps_added_by_librime toolchain issues.

In openSUSE, it was announced that their Factory distribution enabled bit-by-bit reproducible builds for almost all parts of the package. Previously, more parts needed to be ignored when comparing package files, but now only the signature needs to be deleted.

In addition, Bernhard M. Wiedemann published theunreproduciblepackage as a proper .rpm package, which allows better testing of tools intended to debug reproducibility. Furthermore, it was announced that Bernhard’s work on a 100% reproducible openSUSE-based distribution will be funded by NLnet. He also posted another monthly report for his reproducibility work in openSUSE.

In GNU Guix, Janneke Nieuwenhuizen submitted a patch set for creating a reproducible source tarball for Guix. That is to say, ensuring that make dist is reproducible when run from Git.

Lastly, in Fedora, a new wiki page was created to propose a change to the distribution. Titled “Changes/ReproduciblePackageBuilds”, the page summarises itself as a proposal whereby “A post-build cleanup is integrated into the RPM build process so that common causes of build irreproducibility in packages are removed, making most of Fedora packages reproducible.”

Mailing list news

On our mailing list this month:

  • Continuing a thread started in March 2024 about the Arch Linux minimal container now being 100% reproducible, John Gilmore followed up with a post about the practical and philosophical distinctions of local vs. remote storage of the various artifacts needed to build packages.

  • Chris Lamb asked the list which conferences readers are attending these days: “After peak Covid and other industry-wide changes, conferences are no longer the ‘must attend’ events they previously were… especially in the area of software supply-chain security. In rough, practical terms, it seems harder to justify conference travel today than it did in mid-2019.” The thread generated a number of responses which would be of interest to anyone planning travel in Q3 and Q4 of 2024.

  • James Addison wrote to the list about a “quirk” in Git related to its core.autocrlf functionality, thus helpfully passing on a “slightly off-topic and perhaps not of direct relevance to anyone on the list today” note that might still be “the kind of issue that is useful to be aware of if-and-when puzzling over unexpected git content / checksum issues (situations that I do expect people on this list encounter from time-to-time)”.


diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues. This month, Chris Lamb made a number of changes such as uploading versions 263, 264 and 265 to Debian and made the following additional changes:

  • Don’t crash on invalid .zip files, even if we encounter their ‘badness’ halfway through the file and not at the time of their initial opening.
  • Prevent odt2txt tests from always being skipped due to an (impossibly) new version requirement.
  • Avoid parens-in-parens in test ‘skipping’ messages.
  • Ensure that tests with >=-style version constraints actually print the tool name.

In addition, Fay Stegerman fixed a crash when there are (invalid) duplicate entries in .zip files (originally reported in Debian bug #1068705). Fay also added a user-visible ‘note’ to a diff when there are duplicate entries in ZIP files. Lastly, Vagrant Cascadian added an external tool pointer for the zipdetails tool under GNU Guix and proposed updates to diffoscope in Guix as well, which were merged as [264] [265], fixed a regression in test coverage and increased verbosity of the test suite.

Upstream patches

The Reproducible Builds project detects, dissects and attempts to fix as many currently-unreproducible packages as possible. We endeavour to send all of our patches upstream where appropriate. This month, we wrote a large number of such patches, including:


reprotest

reprotest is our tool for building the same source code twice in different environments and then checking the binaries produced by each build for any differences. This month, reprotest version 0.7.27 was uploaded to Debian unstable by Vagrant Cascadian who made the following additional changes:

  • Enable specific number of CPUs using --vary=num_cpus.cpus=X.
  • Consistently use 398 days for time variation, rather than choosing randomly each time.
  • Disable builds of arch:any packages.
  • Update the description for the build_path.path option in README.rst.
  • Update escape sequences for compatibility with Python 3.12. (#1068853).
  • Remove the generic ‘upstream’ signing-key and update the packages’ signing key with the currently active team members.
  • Update the packaging Standards-Version to 4.7.0.

In addition, Holger Levsen fixed some spelling errors detected by the spellintian tool and Vagrant Cascadian updated reprotest in GNU Guix to 0.7.27.

Reproducibility testing framework

The Reproducible Builds project operates a comprehensive testing framework running primarily at tests.reproducible-builds.org in order to check packages and other artifacts for reproducibility.

In April, an enormous number of changes were made by Holger Levsen:

  • Debian-related changes:

    • Adjust for changed internal IP addresses at Codethink.
    • Automatically cleanup failed diffoscope user services if there are too many failures.
    • Configure two new nodes at infomaniak.cloud.
    • Schedule Debian experimental even less.
  • Breakage detection:

    • Exclude currently building packages from breakage detection.
    • Be more noisy if diffoscope crashes.
    • Health check: provide clickable URLs in jenkins job log for failed pkg builds due to diffoscope crashes.
    • Limit graph to about the last 100 days of breakages only.
    • Fix all found files with bad permissions.
    • Prepare dealing with diffoscope timeouts.
    • Detect more cases of failure to debootstrap base system.
    • Include timestamps of failed job runs.
  • Documentation updates:

    • Document how to access arm64 nodes at Codethink.
    • Document how to use infomaniak.cloud.
    • Drop notes about long stalled LeMaker HiKey960 boards sponsored by HPE and hosted at ETH.
    • Mention osuosl4 and osuosl5 and explain their usage.
    • Mention that some packages are built differently.
    • Improve language in a comment.
    • Add more notes how to query resource usage from infomaniak.cloud.
  • Node maintenance:

    • Add ionos4 and ionos14 to THANKS.
    • Deprecate Squid on ionos1 and ionos10.
    • Drop obsolete script to powercycle arm64 architecture nodes.
    • Update system_health_check for new proxy nodes.
  • Misc changes:

    • Make the update_jdn.sh script more robust.
    • Update my SSH public key.

In addition, Mattia Rizzolo added some new host details.

If you are interested in contributing to the Reproducible Builds project, please visit our Contribute page on our website. However, you can get in touch with us via:


Web Review, Week 2024-19

Planet KDE - Fri, 2024-05-10 05:18

Let’s go for my web review for the week 2024-19.

Heat Death of the Internet - takahē

Tags: tech, internet, web, satire, criticism

Obviously a satire, some of it feels eerily real though.


“AI now beats humans at basic tasks”: Really?

Tags: tech, ai, machine-learning, gpt, research, benchmarking, criticism

Nice article. It’s a good reminder that the benchmarks used to evaluate generative AI systems have many caveats.


Did GitHub Copilot really increase my productivity?

Tags: tech, ai, copilot, productivity

Interesting data point. This is a very specialized experience but the fact that those systems are kind of random and slow clearly plays a good part in limiting the productivity you could get from them.


AI Copilots Are Changing How Coding Is Taught - IEEE Spectrum

Tags: tech, ai, copilot, ethics, programming, teaching, learning

Well, maybe our profession will make a leap forward. If, instead of drinking the generative AI Kool-Aid, we really get a whole cohort of programmers better at critical skills (ethical issues, being skeptical of their tools, testing, software design and debugging), it’ll clearly be some progress. Let’s hope we don’t fall into the obvious pitfalls.


Machine Unlearning in 2024 - Ken Ziyu Liu - Stanford Computer Science

Tags: tech, ai, machine-learning, gpt, copyright, gdpr

Interesting questions and state of the art around model “unlearning”. This became important due to the opacity of data sets used to train some models. It’ll also be important in any case for managing models over time.


Systemd heads for a big round-number release [LWN.net]

Tags: tech, linux, systemd

Indeed the next systemd release feels feature packed. Definitely to keep an eye on.


UEFI, BIOS, and other confusing x86 PC (firmware) terms

Tags: tech, bios, uefi, hardware

Confused? Well, not surprising we mostly use those terms with very lax definitions.


It’s always TCP_NODELAY. Every damn time. - Marc’s Blog

Tags: tech, tcp, networking

Getting network protocols right is definitely difficult.


Why Full Text Search is Hard

Tags: tech, language, search

If you wonder why information retrieval from natural language texts is a tough domain, here is a short article listing the important things to keep in mind.


All error messages are necessarily bad to some degree

Tags: tech, failure, ux

Not a reason to make no effort into having as proper error messages as possible. Still there’s some truth there that trying to have a really useful error message is a fool’s errand.



Tags: tech, python, qt, spreadsheets, tools

Looks like a fun spreadsheet tool where you can use Python in any cell.


The UX of UUIDs | Unkey

Tags: tech, uuid, encodings

Interesting set of tricks around UUIDs to make them easier to manipulate.


Build your own HTMX

Tags: tech, web, frontend, htmx

Excellent exercise in understanding how HTMX works under the hood.


No, I don’t want to fill out your contact form - Adam Jones’s Blog

Tags: tech, web, email

Good exploration of the many ways contact forms fail us regularly. Also shows a few cases where you might still want to use them… in most cases you shouldn’t.


What You Need to Know about Modern CSS (Spring 2024 Edition) – Frontend Masters Boost

Tags: tech, web, frontend, css

Looks like a good reference about everything which can be done with the latest CSS evolutions.


Google Testing Blog: Test Failures Should Be Actionable

Tags: tech, tests

Good advice indeed. Having asserts using appropriate matchers can go a long way toward understanding what went wrong.


Simplicity is An Advantage but Sadly Complexity Sells Better

Tags: tech, complexity

Definitely this. We tend to like complexity too much as a profession and field. It’s also a good reminder that the complexity of the problem and the complexity of the solution shouldn’t be conflated.


Programming mantras are proverbs - lukeplant.me.uk

Tags: tech, programming, culture, craftsmanship

Interesting take about the mantras often used in our profession. They shouldn’t be treated as laws, but as proverbs carrying a piece of contextual wisdom. It’s thus unsurprising that they tend to contradict each other. This contradiction should make us pause and think.


Refactor: Inline-Adjust-Extract - XP123

Tags: tech, programming, refactoring

Since there’s a clear tendency in the developers I meet to “extract at all costs”, this is a good reminder that sometimes you need to inline the code first. This very often brings better clarity in the context of use. In turn, this leads to a better final extraction.


Bye for now!


Django Weblog: Django Developers Survey 2023 results

Planet Python - Fri, 2024-05-10 02:22

In October-November 2023, the Django Software Foundation, in partnership with PyCharm, carried out a survey to capture the preferences and contributions of Django developers worldwide. Today, we’re excited to share the results through detailed infographics highlighting how our community influences the future of web development.

View the Django Developers Survey 2023 report

Why should you check out the infographics?

  1. Discover the latest trends in Django development.
  2. Learn about the tools and technologies preferred by leading developers.
  3. Understand the challenges and opportunities within the Django ecosystem.

Visit the landing page to explore the full report and gain insights that can help shape your projects and strategies in the Django landscape.


Seth Michael Larson: Bringing supply chain security to PyCon US 2024

Planet Python - Thu, 2024-05-09 20:00

Published 2024-05-10 by Seth Larson

This critical role would not be possible without funding from the Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

Next week is PyCon US 2024, one of my favorite times of year. If you'll also be in Pittsburgh, reach out to me on Signal (sethmlarson.99) and we'll meet up sometime during the conference.

Here's where you'll find me during the week:

Secure snek 🐍🛡️
  • Talk on "State of Supply Chain Security" with Michael Winser of Alpha-Omega.
  • Open space on Vulnerability Disclosure and Management with Madison Oliver of GitHub Security.
  • Blogger for the Python Language Summit.
  • Spreading security knowledge along with Mike Fiedler, the PyPI Safety and Security Engineer.
  • Working in-person with Python core developers during sprints.

I'll also be bringing along some exclusive "secure snek" stickers, so if you see me at the conference ask about those while supplies last!

If you're interested in security, I recommend considering these other tutorials and talks:

That's all for this week! 👋 If you're interested in more you can read last week's report.


This work is licensed under CC BY-SA 4.0


KDE Ships Frameworks 6.2.0

Planet KDE - Thu, 2024-05-09 20:00

Friday, 10 May 2024

KDE today announces the release of KDE Frameworks 6.2.0.

KDE Frameworks are 72 addon libraries to Qt which provide a wide variety of commonly needed functionality in mature, peer reviewed and well tested libraries with friendly licensing terms. For an introduction see the KDE Frameworks release announcement.

This release is part of a series of planned monthly releases making improvements available to developers in a quick and predictable manner.

New in this version

Attica
  • Modernize: don't else after return. Commit.
  • Provider: document default ctor. Commit.
  • Providermanager: remove unused function with typo. Commit.
  • Postfiledata: simplify private. Commit.
  • Modernize: use unique_ptr for privates. Commit.
  • Basejob: don't leave dangly pointers. Commit.
  • Platformdependent: v3. Commit.
  • Don't kill the lock file, can lead to random corruption. Commit. Fixes bug #389848
Bluez Qt
  • Fixed min_bitpool and max_bitpool from capabilities were ignored. Commit.
  • Port QML module to declarative type registration. Commit.
Breeze Icons
  • Add support for media-playlist-no-shuffle icon name. Commit.
  • Add audio/ogg and audio/x-vorbis+ogg icons. Commit.
  • Add audio/vnd.wave MIME type. Commit.
  • Remove generic non-symbolic audio and video icons. Commit.
  • Add 16 and 22px symbolic versions of some Places icons that were missing. Commit. Fixes bug #486316
  • Add zoom-in-map and zoom-out-map icons along with -symbolic versions. Commit.
  • Longer description for the ICONS_LIBRARY option. Commit.
  • Add symbolic versions for more USB device style icons. Commit.
  • Fix some scale errors. Commit. Fixes bug #485479
  • Fixed input-combo-on.svg colour issue. Commit.
  • Add -symbolic symlinks for notification-* icons. Commit.
  • Use new dev.suyu_emu.suyu id, add symlink for old id. Commit.
  • Add accessories-screenshot-tool icon/symlink. Commit.
  • [webfont] enable ligatures. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Add input-keyboard-color 22px, 32 px. Commit.
Extra CMake Modules
  • API dox: KDEInstallDirs6: refer to qtpaths now as source of Qt paths. Commit.
  • API dox: KDEInstallDirs6: drop outdated note about being in ALPHA state. Commit.
  • Test: Increase minimum cmake version so that it works with Qt 6.7. Commit.
  • ECMQmlModule6: group qml and resource file calls. Commit.
  • Modules/ECMAddTests.cmake - handle unset or empty QT_PLUGIN_PATH. Commit.
  • Gitignore: add VS Code dir. Commit.
  • KQuickConfigModule: Don't crash on null object. Commit.
  • SimpleKCM: Remove remnants of footerParent. Commit.
  • Use ellipsis character instead of three dots. Commit.
  • GridDelegate: Port to ComponentBehavior: Bound. Commit.
  • GridDelegate: Consolidate code paths for opening a menu. Commit.
  • GridDelegate: Don't use qualified property access as appropriate. Commit.
  • GridDelegate: Use concrete type for the popup menu. Commit.
  • GridDelegate: Use somewhat more consistent ToolTip bindings, remove timeout. Commit.
  • Components: Drop QML import versions, unify import aliases. Commit.
  • Components: Guard nullable property access. Commit.
  • Components: Explicitly specify signal handler arguments. Commit.
  • KCModuleQml: Provide a fallback in case a pushed page is not one of magical KCMUtils types. Commit.
  • Add API to make header and footer paddings optional. Commit.
  • Round all the things consistently. Commit.
  • Pluginselector: cache delegates. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Avoid allocations while parsing int/float lists. Commit.
  • Adapt kdesktopfiletest to QTemporaryFile behavior change. Commit.
  • Guard header with an ifndef and include moc generates sources in the cpp file. Commit.
  • Autotests: Don't use a timeout in testLocalDeletion. Commit.
  • Adjust kconfig_compiler autotests to include a version without kcfgc. Commit.
  • Add a CMake function to add a kcfg file without kcfgc. Commit.
  • Gitignore: add VS Code dir. Commit.
  • KRecentFilesAction: Load mimeType and action lazily. Commit.
  • Remove forward declaration of KToggleAction. Commit.
  • Test that an invalid language gives the empty string. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Restore country detection tests on FreeBSD. Commit.
  • Disable FreeBSD tests that recently started to fail in the CI. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Gitignore: add VS Code dir. Commit.
  • API dox: use "MIME type" and "URL" spellings consistently. Commit.
  • API dox: add some minimal info to undocumented classes. Commit.
  • API dox: add empty line between @brief (ends by first period) and rest. Commit.
  • API dox: add some dummy info to namespaces for doxygen to cover them also. Commit.
  • API dox: escape space after e.g. to work-around doxygen sentence end magic. Commit.
  • UserMetadata: return errors when xattr ops fails. Commit.
  • Value is already default timeout value in QT6 framework. Commit.
  • [XmlExtractor] Add support for compressed SVGs. Commit.
  • [XmlExtractorTest] Move Test class declaration to source file. Commit.
  • [Office2007Extractor] Reuse DublinCoreExtractor, fix namespace handling. Commit.
  • [DublinCoreExtractor] Add CreationDate (dc::created) support. Commit.
  • [DublinCoreExtractor] Skip properties from empty elements, cleanup. Commit.
  • Move date parser helper out of ExtractorPlugin, clean it up. Commit.
  • [TaglibExtractor] Include vnd.audible.aaxc audio books in supported types. Commit.
  • [Test] Include vnd.audible.aax audio books in coverage tests. Commit.
  • [TaglibWriterTest] Move test class declaration to source file, cleanup. Commit.
  • [TaglibExtractor|Writer] Fix mimetypes. Commit.
KGlobalAccel KGuiAddons
  • Recorder/kkeysequencerecorder: conform to KKeyServer changes. Commit.
  • Gitignore: add VS Code dir. Commit.
KHolidays KI18n
  • Gitignore: add VS Code dir. Commit.
  • Allow to configure if we register our icon plugin for SVGs. Commit.
  • Port QML module to declarative type registration. Commit.
  • Fix typo in BreezeIcons::initIcons loading. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Fix build with Qt 6.7 on 32 bits. Commit.
  • [kfilefilter] Consider mime globs valid. Commit.
  • Kfileitemtest: add basic tests for dir. Commit.
  • File_unix: don't call QMimeDatabase::mimeTypeForFile for directories. Commit.
  • Widgetsaskuseractionhandler prevent crash when job had no parent widget. Commit.
  • PreviewJob: Add file extension to thumbnail temp files. Commit. Fixes bug #463989
  • KFileItem: handle the case parent url path is empty. Commit.
  • KFileItemActions: Add logic to order actions between separators. Commit. Fixes bug #466115
  • KFileItem: fix getStatusBarInfo() displaying symlink target as "http:". Commit. Fixes bug #475422
  • ScopedProcessRunner: support waitForStarted. Commit.
  • ScopedProcessRunner: fix use of undeclared identifier 'close'. Commit.
  • [ftp] Always use default timeout values. Commit.
  • [http] Set error string for ERR_DOES_NOT_EXIST. Commit.
  • Force test language to en. Commit.
  • Knewfilemenu: Add @since 6.2 to the new signals and methods. Commit.
  • Kfilefilter.h: update API docs. Commit.
  • Kencodingfiledialog dox: rewrite API dox that refer to removed functions. Commit.
  • Kfilewidget dox: replace references to setFilter() with setFilters(). Commit.
  • Fix a few warnings. Commit.
  • Add EnableRemoteFolderThumbnail option checking. Commit.
  • PreviewJob: Display preview for locally mounted remote directories. Commit.
  • Knewfilemenu: add isNewDirNameJobRunning. Commit.
  • KFilePlacesItem: Show teardown busy indicator during optical media eject. Commit.
  • KDirModelTest.testDeleteFiles: lower debug output. Commit.
  • KUrlNavigator: allow adding a badge widget after the breadcrumb. Commit.
  • Set ideal case for TwoVectors. Commit.
  • Udsentry_api_comparison_benchmark: update. Commit.
  • Kurlnavigatorbutton: prevent. Commit.
  • Add more explicit moc includes to sources for moc-covered headers. Commit.
  • Connection: don't queue tasks until OOM. Commit.
  • Http: Fix parsing DAV:getlastmodified. Commit. Fixes bug #484671
  • Kfileitem: Linux, use statx to refresh files. Commit. Fixes bug #446858
  • Fixed wrong navigation and dialog header button colors. Commit. Fixes bug #486163
  • Card: Remove the unnecessary "reality check" binding on footer, add test. Commit.
  • Card: Restrict actions type from arbitrary QObject to T.Action. Commit.
  • Card: Shuffle things around a bit to make them look nicer. Commit.
  • Remove linkActivated/linkHovered from Delegate types. Commit.
  • InlineMessage: Improve examples in documentation, clean up QML. Commit.
  • OverlayDrawer: Rework separator's code, animate transitions. Commit.
  • OverlayDrawer: Hide segmented separator when the drawer is collapsed. Commit.
  • OverlayDrawer: Rewrite visibility condition for segmented separator. Commit.
  • OverlayDrawer: Rewrite segmented separator positioning expression. Commit.
  • OverlayDrawer: Bind segmented separator's width to the real separator's width. Commit.
  • GlobalDrawer: Set spacing on the default header. Commit.
  • Fix null deref in OverlaySheet. Commit.
  • OverlaySheet: Port layout hacks to a simple Padding with its contentItem. Commit.
  • Tst_pagepool: Port testing code from verify(==) to compare. Commit.
  • Tst_pagepool: Fix test properly. Commit.
  • Revert "tst_pagepool: Fix test". Commit.
  • CardsGridView and CheckableListItem are not a thing anymore. Commit.
  • Actions.main is not a thing anymore. Commit.
  • Tst_pagepool: Fix test. Commit.
  • Revert "PageRow: Fix parent of Component-based pages". Commit.
  • PageRow: Fix parent of Component-based pages. Commit. Fixes bug #482753
  • MnemonicAttached: Fix logic when pressing Alt. Commit.
  • Dialog: Always use an overlay as visual parent. Commit.
  • Link Activation TitleSubtitle. Commit.
  • ContextualHelpButton: remove excess space from tooltip. Commit. Fixes bug #481817
  • Fix crash on teardown when QML engine is already unset. Commit.
  • ListSectionHeader: Deprecate label property. Commit.
  • PageRow: Remove superfluous trailing semicolon from a property alias. Commit.
  • PromptDialog: Create default contentItem dynamically on demand. Commit.
  • Padding: Remove old overridden contentItem from the visual hierarchy. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Add a explicit page type check in AbstractApplictionHeader. Commit.
  • Add radius unit for rounded rectangles. Commit.
  • Add dependency to QML module. Commit.
  • Port to declarative type registration. Commit.
  • Add more explicit moc includes to sources for moc-covered headers. Commit.
  • Show header warning message framelessly. Commit. Fixes bug #485464
  • DownloadItemsSheet: use alternating background colors for legibility. Commit. Fixes bug #483724
  • Document ContentWarning. Commit.
  • Page: conditionalize warning message based on riskiness. Commit.
  • Enforce passing tests on Windows. Commit.
  • Enforce passing tests on Windows. Commit.
  • Action: Make bool operator explicit. Commit.
  • Fix matchInternalFinished not being emitted in case of dbus errors. Commit.
  • Don't call update on missing marginObject. Commit.
  • Make property type fully qualified. Commit.
  • Fix caret painting for inline notes at the end of line. Commit.
  • KateCompletionWidget: Mark function static. Commit.
  • KateCompletionModel: remove useless std::as_const. Commit.
  • Run more tests offscreen. Commit.
  • Fix performance with many cursors in a large line. Commit.
  • Fix test expectations. Commit.
  • Fix crashs and OOM on load with encoding failures. Commit. Fixes bug #486195. Fixes bug #486134
  • A11y: Improve tab order for "Appeareance" -> "Borders". Commit.
  • A11y: Set "Line Height Multiplier" buddy. Commit.
  • Fix broken navigation in completion widget with multiple views. Commit.
  • Fix clicking in completion. Commit.
  • Fix textInsertedRange signal for insertText behind last line. Commit. Fixes bug #483363
  • Enforce passing tests on all platforms. Commit.
KUserFeedback KWallet
  • Fix reply type in portal implementation. Commit.
  • Kwalletportalsecrets.h: Add missing include. Commit.
  • Implement XDG Secrets Portal. Commit. Fixes bug #466197
  • Introduce KContextualHelpButton. Commit.
  • KMessageWidget: Fix handling of palette changes. Commit.
  • KMessageWidget: Make sure icon label is always vertically centered. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Port to QNativeInterface::Private::QWaylandWindow. Commit.
  • Remove an unused explicit moc include. Commit.
  • Add more explicit moc includes to sources for moc-covered headers. Commit.
  • Introduce KXcbEvent to initialize the memory of sent XCB events. Commit.
  • Add pre share hooks. Commit.
  • Enforce passing tests on Windows. Commit.
QQC2 Desktop Style
  • TreeViewDelegate: Fix non-observable modelIndex property getting stuck. Commit.
  • [CheckIndicator] Use control as AbstractButton. Commit.
  • Add missing dependency to private module. Commit.
  • Add QTBUG to comment. Commit.
  • Make SwitchIndicator more compiler-friendly. Commit.
  • ItemBranchIndicators: Fix uninitialized member variable m_selected. Commit.
  • StyleSingleton: Check whether object is qGuiApp. Commit.
  • [RadioButton] Use id instead of parent lookup. Commit.
  • [TabButton] Fix property type. Commit.
  • Apply Kirigami.Units.cornerRadius to default list item background too. Commit.
  • Gitignore: add VS Code dir. Commit.
  • Use consistent radius value from Kirigami.Units.radius. Commit.
  • Remove too aggressive assert. Commit. Fixes bug #464149
  • [StorageAccess] Fix storageAccessFromPath returning unmounted filesystems. Commit.
  • [SolidHwTest] Extend FakeHW description with encrypted volume, add tests. Commit.
  • [SolidHwTest] Test Device::storageAccessFromPath. Commit.
  • [DeviceManager] Remove exists() check from storageAccessFromPath. Commit.
  • Udisks: Return empty string for "root" clearTextPath. Commit. Fixes bug #485507
  • [SolidHwTest] Remove unnecessary slotPropertyChanged helper, fix bug. Commit.
  • [SolidHwTest] Remove setenv wrapper, unnecessary qt_windows.h include. Commit.
  • [SolidHwTest] Move test class declaration to source file. Commit.
  • Udisks2: Add support CanCheck/Check/CanRepair/Repair. Commit.
  • Add dependency to QML module. Commit.
  • Gitignore: add VS Code dir. Commit.
Syntax Highlighting
  • Support single-quoted strings in MapCSS. Commit.
  • Add Syntax Highlighting for Vue Template Files. Commit.
  • Add syntax highlighting support for CashScript. Commit.

Reproducible Builds (diffoscope): diffoscope 266 released

Planet Debian - Thu, 2024-05-09 20:00

The diffoscope maintainers are pleased to announce the release of diffoscope version 266. This version includes the following changes:

[ Chris Lamb ]
  * Use "xz --list" to supplement the output when comparing .xz archives; essential when some underlying metadata differs. (Closes: #1069329)
  * Actually append the xz --list after the container differences, as it simplifies tests and the output.
  * Add 7zip to <!nocheck> Build-Depends in debian/control.
  * Update copyright years.

[ James Addison ]
  * Maintain an in-header boolean state to determine whether to drop from-file/to-file lines. This fixes an issue where HTML differences were being inadvertently neglected. (Closes: reproducible-builds/diffoscope#372)

You can find out more by visiting the project homepage.


Vincent Sanders: Bee to the blossom, moth to the flame; Each to his passion; what's in a name?

Planet Debian - Thu, 2024-05-09 17:24

I like the sentiment of Helen Hunt Jackson in that quote and it generally applies double for computer system names. However I like to think when I named the first NetSurf VM host server phoenix fourteen years ago I captured the nature of its continuous cycle of replacement.

We have been very fortunate to receive a donated server to replace the previous every few years and the very generous folks at Collabora continue to provide hosting for it.

Recently I replaced the server for the third time. We once again were given a replacement by Huw Jones in the form of a SuperServer 6017R-TDAF system with dual Intel Xeon Ivy Bridge E5-2680v2 processors. There were even rack rails!
The project bought some NVMe drives and an adaptor cards and I attempted to arrange to swap out the server in January.
Here we come to the slight disadvantage of an informal arrangement where access to the system depends upon a busy third party. Unfortunately it took until May to arrange access (I must thank Vivek again for coming in on a Saturday to do this)
In the intervening time, once I realised access was going to become increasingly difficult, I decided to obtain as good a system as I could manage to reduce requirements for future access. 
I turned to eBay and acquired a slightly more modern SuperServer with dual Intel Xeon Haswell E5-2680v3 processors which required purchase of 64G of new memory (Haswell is a DDR4 platform). 
I had wanted to use Broadwell processors but this exceeded my budget and would only be a 10% performance uplift (The chassis, motherboard and memory cost £180 and another £50 for processors was just too much, maybe next time)
While making the decision on the processor selection I made a quick chart of previous processing capabilities (based on a passmark comparison) of phoenix servers and was startled to discover I needed a logarithmic vertical axis. Multi core performance of processors has improved at a startling rate in the last decade.
When the original replacement was donated I checked where the performance was limited and noticed it was mainly in disc access which is what prompted the upgrade to NVMe (2 gigabytes a second peak read throughput) which moved the bottleneck to the processors where, even with the upgrades, it remains.
I do not really know if there is a conclusion here beyond noting NetSurf is very fortunate as a project to have some generous benefactors both for donating hardware and hosting for which I know all the developers are grateful.
Now I just need to go and migrate a huge bunch of virtual machines and associated sysadmin to make use of these generous donations.

Kirigami Addons 1.2

Planet KDE - Thu, 2024-05-09 16:00

Kirigami Addons 1.2 is out with some accessibility fixes and one new component: FloatingToolBar.


During the accessibility sprint, there was an effort to ensure the date and time pickers were actually accessible. Aside from improving the screen reader support, this also allows writing Selenium integration tests which use these components in Itinerary. Thanks Volker, David Redundo and others for working on this!


Mathis and I worked on a new addition to Kirigami Addons, adding to the existing FloatingButton and DoubleFloatingButton components. This component is perfect for adding tools to editing and drawing areas and can contain either a simple RowLayout/ColumnLayout containing ToolButtons or a Kirigami.ActionToolBar.

    import org.kde.kirigamiaddons.components
    import org.kde.kirigami as Kirigami

    FloatingToolBar {
        contentItem: Kirigami.ActionToolBar {
            actions: [
                Kirigami.Action {
                    ...
                }
            ]
        }
    }


With the style used by FormCardDialog and MessageDialog merged in Kirigami and soon in qqc2-desktop-style too, I did some changes to the FormCardDialog and MessageDialog to use the same padding as Kirigami.Dialog.

MessageDialog now works better on mobile with the layout adapting itself to the dialog size.

messagedialog with a mobile layout

Additionally, similar to KMessageBox, MessageDialog has an optional “don’t show again” option which can be enabled by setting the dontShowAgainName property, as in the KMessageBox API.

I also prepared these two components to work as standalone windows which is likely to come with this Qt 6.8 change request.

Dialog in Qt 6.8


Jonah fixed a bug where it would be impossible to escape the settings on mobile.


I added more screenshots to the API documentation and updated the TableView example app to use a ‘frameless’ style.

Qt 6.7 support

This release also brings support for Qt 6.7 on Android as this release introduced an API and ABI change to the Android code. Thanks Joshua for tackling this issue.


Python People: Shauna Gordon-McKeon - Open Source Governance, Women's Soccer, and Django

Planet Python - Thu, 2024-05-09 10:41

This is a really fun talk with Shauna.  

We talk about:

  • Going from academia to tech
  • Django
  • Open source project governance and Governing Open (https://governingopen.com)
  • Women's Soccer (https://www.nwslsoccer.com/) and the NWSL

Shauna's technical consulting business is Galaxy Rise Consulting (http://www.galaxyriseconsulting.com/)

The Complete pytest Course

  • Level up your testing skills and save time during coding and maintenance.
  • Check out courses.pythontest.com (https://courses.pythontest.com/p/complete-pytest-course)

★ Support this podcast on Patreon ★ (https://www.patreon.com/PythonPeople)

Mike Driscoll: Episode 40 – Open Source Development with Antonio Cuni

Planet Python - Thu, 2024-05-09 10:16

In this episode, we discuss working on several different open-source Python packages. Antonio Cuni is our guest, and he chats about his work on PyScript, pdb++, pypy, HPy, and SPy.

Listen in as we chat about Python, packages, open source, and so much more!

Show Links

Here are some of the projects we talked about in the show:

  • The Invent Framework
  • PyScript
  • pdb++ – A drop-in replacement for pdb
  • pypy – The fast, compliant, alternative Python implementation
  • HPy – A better C API for Python
  • SPy – Static Python

The post Episode 40 – Open Source Development with Antonio Cuni appeared first on Mouse Vs Python.


KDE neon Rebasing on Ubuntu Noble

Planet KDE - Thu, 2024-05-09 08:04

The new Ubuntu LTS was released in April, congratulations to all involved with that. I know Scarlett worked hard to get Kubuntu back into shape so do give that a try if you want a stable Plasma 5 desktop.

In the KDE neon project we don’t like to sit still for long so we are now building all our KDE packages on Ubuntu Noble, versioned 24.04. This always takes longer than it feels like it should, mostly because it’s a moving target to keep everything compiled as more KDE software gets released, so no promises on when it’ll be ready but we’ll try to be fast because the old Ubuntu base of jammy (22.04) is showing its age with projects like Krita no longer able to compile there.

So far the main issues are all the changes needed for 64-bit time_t to fix the y2k38 problem, we know you wouldn’t want your clocks to zero out in 2038.


Thorsten Alteholz: My Debian Activities in April 2024

Planet Debian - Thu, 2024-05-09 07:44
FTP master

This month I accepted 386 and rejected 39 packages. The overall number of packages that got accepted was 386.

I also added lots of +moreinfo tags to some RM bugs. Is it that hard to check the reverse dependencies on your own?

Debian LTS

This was my hundred-eighteenth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded:

  • [DLA 3781-1] libgd2 security update for three CVEs to fix out-of-bounds reads or NULL pointer dereference
  • [DLA 3784-1] libcaca security update for two CVEs to fix heap buffer overflows
  • [DLA 3805-1] qtbase-opensource-src security update for seven CVEs to fix buffer overflows, infinite loops or application crashes due to processing of crafted input files. When trying to compile the fixed version, I got an error that there is no .compare() for QByteArray available. Yes, indeed, QByteArray::compare, which was used in a patch, was introduced only in Qt 6.0. So I had to backport that to Buster as well. It is astonishing that such a basic function was not needed before.
  • [#1070153] bookworm-pu: qtbase-opensource-src/5.15.8+dfsg-11+deb12u2 to fix two CVEs
  • [#1070154] bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1 to fix ten CVEs
  • [#1064550] uploaded libjwt
  • [#1067544] uploaded libmicrohttpd

I also continued to work on tiff and last but not least did a week of FD and attended the monthly LTS/ELTS meeting.

Debian ELTS

This month was the sixty-ninth ELTS month. During my allocated time I uploaded:

  • [ELA-1069-1] libgd2 security update for three CVEs to fix out-of-bounds reads or NULL pointer dereference in Jessie and Stretch
  • [ELA-1070-1] libcaca security update for two CVEs to fix heap buffer overflows in Jessie and Stretch
  • [ELA-1083-1] qtbase-opensource-src security update for five CVEs to fix buffer overflows, infinite loops or application crashes due to processing of crafted input files in Stretch

I also continued to work on an update for tiff in Jessie and Stretch, did a week of FD and attended the LTS/ELTS meeting.

Debian Printing

This month I uploaded new upstream or bugfix versions of:

In preparation for cups3 I introduced a new package:

This work is generously funded by Freexian!

Debian Astro

This month I uploaded a new upstream or bugfix version of:

Debian IoT

This month I uploaded new upstream or bugfix versions of:

Debian Mobcom

This month I uploaded new upstream or bugfix versions of:

I have done these uploads in preparation for my GSoC student, who will be officially announced in May.


I am sorry for people still using 32bit computers, but from my point of view these are dying architectures. So if there are any problems with builds on those architectures, I no longer try to fix them but file RM bugs. Patches are welcome, but I am no longer willing to spend any time for this.

This month I uploaded new upstream or bugfix versions of:

This month I even found some time to introduce new packages:

  • mailio a cross platform C++ library for email support
  • pkcs11-proxy a proxy for the PKCS11-library

Robin Wilson: New Projects page on my website

Planet Python - Thu, 2024-05-09 05:30

Just a quick post here to say that I’ve added a new Projects page to my freelance website. I realised I didn’t have anywhere online that I could point people to that had links to all of the ‘non-work’ (maybe that should be ‘non-paid’) projects I’ve made.

These projects include my Free GIS Data site, the British Placename Mapper, Py6S and more. I’ve also put together a separate page (linked from the projects page) with all my university theses (PhD, MSc and undergraduate) and other university work – which still get a remarkably high number of downloads.

Have a look here, or see a screenshot of the first few entries below:


Talk Python to Me: #461: Python in Neuroscience and Academic Labs

Planet Python - Thu, 2024-05-09 04:00
Do you use Python in an academic setting? Maybe you run a research lab or teach courses using Python. Maybe you're even a student using Python. Whichever it is, you'll find a ton of great advice in this episode. I talk with Keiland Cooper about how he is using Python at his neuroscience lab at the University of California, Irvine.

Episode sponsors

  • Neo4j (https://talkpython.fm/neo4j-notes)
  • Posit (https://talkpython.fm/posit)
  • Talk Python Courses (https://talkpython.fm/training)

Links from the show

  • Keiland's website: kwcooper.xyz (https://www.kwcooper.xyz)
  • Keiland on Twitter: @kw_cooper (https://twitter.com/kw_cooper)
  • Keiland on Mastodon: @kwcooper@fediscience.org (https://fediscience.org/@kwcooper)
  • Journal of Open Source Software: joss.readthedocs.io (https://joss.readthedocs.io/en/latest/)
  • Avalanche project: avalanche.continualai.org (https://avalanche.continualai.org)
  • ContinualAI: continualai.org (https://continualai.org)
  • Executable Books Project: executablebooks.org (https://executablebooks.org/en/latest/)
  • eLife Journal: elifesciences.org (https://elifesciences.org/about/)
  • Watch this episode on YouTube: youtube.com (https://www.youtube.com/watch?v=rad6Kd6J0ns)
  • Episode transcripts: talkpython.fm (https://talkpython.fm/episodes/transcript/461/python-in-neuroscience-and-academic-labs)

--- Stay in touch with us ---

  • Subscribe to us on YouTube: youtube.com (https://talkpython.fm/youtube)
  • Follow Talk Python on Mastodon: talkpython (https://fosstodon.org/web/@talkpython)
  • Follow Michael on Mastodon: mkennedy (https://fosstodon.org/web/@mkennedy)

Gunnar Wolf: Hacks, leaks, and revelations • The art of analyzing hacked and leaked data

Planet Debian - Thu, 2024-05-09 00:24
This post is a review for Computing Reviews for Constructed truths — truth and knowledge in a post-truth world, a book published in No Starch Press

Imagine you’ve come across a trove of files documenting a serious deed and you feel the need to “blow the whistle.” Or maybe you are an investigative journalist and this whistleblower trusts you and wants to give you said data. Or maybe you are a technical person, trusted by said journalist to help them do things right–not only to help them avoid being exposed while leaking the information, but also to assist them in analyzing the contents of the dataset. This book will be a great aid for all of the above tasks.

The author, Micah Lee, is both a journalist and a computer security engineer. The book is written entirely from his experience handling important datasets, and is organized in a very logical and sound way. Lee organized the 14 chapters in five parts. The first part–the most vital to transmitting the book’s message, in my opinion–begins by talking about the care that must be taken when handling a sensitive dataset: how to store it, how to communicate it to others, sometimes even what to redact (exclude) so the information retains its strength but does not endanger others (or yourself). The first two chapters introduce several tools for encrypting information and keeping communication anonymous, not getting too deep into details and keeping it aimed at a mostly nontechnical audience.

Something that really sets this book apart from others like it is that Lee’s aim is not only to tell stories about the “hacks and leaks” he has worked with, or to present the technical details on how he analyzed them, but to teach readers how to do the work. From Part 2 onward the book adopts a tutorial style, teaching the reader numerous tools for obtaining and digging information out of huge and very timely datasets. Lee guides the reader through various data breaches, all of them leaked within the last five years: BlueLeaks, Oath Keepers email dumps, Heritage Foundation, Parler, Epik, and Cadence Health. He guides us through a tutorial on using the command line (mostly targeted at Linux, but considering MacOS and Windows as well), running Docker containers, learning the basics of Python, parsing and filtering structured data, writing small web applications for getting at the right bits of data, and working with structured query language (SQL) databases.

The book does an excellent job of fulfilling its very ambitious aims, and this is even more impressive given the wide range of professional profiles it is written for; that being said, I do have a couple critiques. First, the book is ideologically loaded: the datasets all exhibit the alt-right movement that has gained strength in the last decade. Lee takes the reader through many instances of COVID deniers, rioters for Donald Trump during the January 2021 attempted coup, attacks against Black Lives Matter activists, and other extremism research; thus this book could alienate right-wing researchers, who might also be involved in handling important whistleblowing cases.

Second, given the breadth of the topic and my 30-plus years of programming experience, I was very interested in the first part of each chapter but less so in the tutorial part. I suppose a journalist reading through the same text might find the sections about the importance of data handling and source protection to be similarly introductory. This is unavoidable, of course, given the nature of this work. However, while Micah Lee is an excellent example of a journalist with the appropriate technical know-how to process the types of material he presents as examples, expecting any one person to become a professional in both fields is asking too much.

All in all, this book is excellent. The writing style is informal and easy to read, the examples are engaging, and the analysis is very good. It will certainly teach you something, no matter your background, and it might very well complement your professional skills.


Dirk Eddelbuettel: RcppArmadillo on CRAN: Upstream Bugfix

Planet Debian - Wed, 2024-05-08 21:54

Armadillo is a powerful and expressive C++ template library for linear algebra and scientific computing. It aims towards a good balance between speed and ease of use, has a syntax deliberately close to Matlab, and is useful for algorithm development directly in C++, or quick conversion of research code into production environments. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 1144 other packages on CRAN, downloaded 34.2 million times (per the partial logs from the cloud mirrors of CRAN), and the CSDA paper (preprint / vignette) by Conrad and myself has been cited 583 times according to Google Scholar.

Conrad released a new upstream bugfix yesterday (for a corner case with fftw3). We uploaded it yesterday too but it took a day for the hard-working CRAN maintainers to concur that the one (!) NOTE from reverse-dependency checking over 1100 packages was in fact a false positive. And so it appeared on CRAN (very) early this morning. We also made a change removing a long-redundant setter for C++11 mode via the plugin. No other changes were made.

The set of changes since the last CRAN release follows.

Changes in RcppArmadillo version (2024-05-07)
  • Upgraded to Armadillo release 12.8.3 (Cortisol Injector)

    • Fix issue in fft() and fft2() in multi-threaded contexts with FFTW3 enabled
  • No longer set C++11 for the Rcpp plugin as this standard has been the default by R for a very long time now.

Courtesy of my CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page.

If you like this or other open-source work I do, you can sponsor me at GitHub.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Season Of KDE 2024 Conclusion

Planet KDE - Wed, 2024-05-08 20:00

Another year, another successful Season Of KDE for 12 contributors!

This article has been co-written with the input from all contributors.

Translation Projects

KDE counts on a very active translation community and translates software into over 50 different languages. In SOK 2024, we had 2 projects that focused on translating multiple apps into Hindi. Asish Kumar and Akash Kumar joined the KDE Hindi community to translate multiple apps into Hindi. They both worked together on translating Merkuro, then Akash focused on Tellico while Asish worked on KDE Connect and Cantor.


Kdenlive brings you all you need to edit and put together your own movies. We had 2 projects for KDE's full-featured video editor:

  • Ajay Chauhan implemented multi-format rendering for Kdenlive by adding a filter to adjust the aspect ratio of video clips in the main track, allowing users to select the desired aspect ratio during export, and integrating it into the final rendering profile. Ajay also added code to apply filters to clips, calculate crop parameters, and handle video cropping to the desired ratio; and implemented the GUI component ComboBox that selects the aspect ratio and ensures that the selected ratio is passed to the RenderRequest object. Additionally, various issues were fixed during development, such as temporary file handling issue, preventing crashes, and refactoring code.

  • aisuneko icecat created a prototype keyframe curve editor GUI for Kdenlive. Based on recent progress in introducing advanced keyframe types and capabilities into the editor, the widget allows the user to intuitively view and control the current animation curve of keyframable effect parameters. As of now, the widget supports basic interactions such as dragging and double clicking, and integrates well with other existing Kdenlive components. This is still a work-in-progress feature, as more work needs to be done beyond SoK to have it further enhanced before it can be released to end users.

KDE Eco / Accessibility

There are 5 new projects that made measuring the energy consumption of software easier and more integrated in the development pipeline. This helps make KDE software more efficient and environmentally friendly, as well as more accessible at the same time:

  • Sarthak Negi focused on testing, bug-fixing and integrating measurement workflows on KEcoLab. After setting up the testing environments, Sarthak worked on creating a CI test and refactoring code for efficiency and the code has been merged in the main repository.

  • Pradyot Ranjan worked on improving and updating the setup guide for selenium, a tool to automatize testing. The result can be found on this wiki page.

  • Amartya Chakraborty added support for KdeEcoTest on the Windows platforms. To do this, Amartya replicated test-scripts for Okular test using KdeEcoTest which previously used xdotool. Now this test-script can be executed on any platform. The conditional installation of packages based on the platform using pipenv has been implemented.

  • Athul Raj Kollareth worked on bringing support for KdeEcoTest on Wayland systems. The initial work consisted of adding an abstraction layer (https://invent.kde.org/echarruau/feep-win-32-kdotool-integration/-/merge_requests/1) so that KdeEcoTest could be run on different platforms including Windows. To build support for Wayland, we had to first restrict our scope and finally decided to move with only supporting the KWin compositor as it had built in functionalities for automating window related manipulations on the GUI. To automate input devices, the Linux kernel's evdev module was used which allowed us to monitor input devices and also emulate them using uinput. With these changes integrated into KdeEcoTest, we were able to run tests on Wayland, X11 and Windows thanks to Amartya's implementation.

    KEcoTest running on Wayland

  • Aakarsh MJ worked on integrating KEcolab into Okular's pipeline. This will allow the Okular team to measure energy consumption for each release. This paves the way for the creation of a template which will be further helpful for other projects as well. A merge request is in progress to integrate it into Okular.

Cantor / LabPlot

Cantor is an application that lets you use your favorite mathematical programming language from within a friendly worksheet interface, while LabPlot is KDE's user-friendly data visualization and analysis software. Both applications are closely intertwined, and have had three projects completed during SoK:

  • Dhairya Majmudar worked on extending the embedded documentation for supported Computer Algebra Systems Project. Dhairya created the common styles for several mathematical system documents, enhancing the users' experience by allowing them to use them simultaneously, and Python scripts have been written to link the stylesheets to the HTML files. These Python scripts are further extended to convert HTML files into Qt Help files that can be uploaded to the KDE Store. The in-progress merge request can be found at: https://invent.kde.org/education/cantor/-/merge_requests/74.

  • Israel Galadima contributed to the "LabPlot: Download/Import of datasets from kaggle.com" project. Since kaggle.com seems to be the central place nowadays for finding datasets in the data science community, we wanted LabPlot's users to be able to access the datasets on kaggle.com directly from within LabPlot. Thus, Israel worked on a new dialog in LabPlot that allows users to search for and import datasets directly from kaggle.com into LabPlot spreadsheets, using the official kaggle cli tool to facilitate the communication between LabPlot and kaggle.com. Multiple merge requests have been merged, the last one is still in review.

  • Raphael Wirth introduced the support for data stored in the MCAP format to LabPlot. Throughout the project, Raphael extended the backend of LabPlot to allow the loading of JSON-encoded MCAP files into its internal data structure as well as the export back to the MCAP file format. Additionally, the user interface has been adapted to accommodate these advancements. This required the extension of the existing import dialog and the introduction of a new export dialog tailored specifically for saving MCAP files.

We would like to congratulate all participants and look forward to their future journey with KDE!


The State of KDE Apps and Plasma in Archlinux

Planet KDE - Wed, 2024-05-08 20:00

KDE has a symbiotic relationship with many linux distros, since while we develop our software we also use particular versions of linux. I personally have used archlinux as my distro of choice for many years, being the only distro that I managed to bear for more than six months (and I believe I have been using it for more than 15 years already, so that counts).

The "recipe" for packaging KDE software for arch is big, because we are big, and packaging large amounts of software is no easy feat, so Antonio Rojas and I started to update the build scripts to be less manual and less error prone. All the versions of Plasma 6 that have been packaged for arch are using these scripts in one way or another (or manually when we broke everything :)

This work is being done in a separate branch to not break the current workflow, but things are looking good and we hope to merge this in master soon, so that deploying newer versions of KDE software for arch will be a single command, meaning more time for the developers and less time creating packages.


Trey Hunner: My favorite Python 3.13 feature

Planet Python - Wed, 2024-05-08 16:30

Python 3.13 just hit feature freeze with the first beta release today.

Just before the feature freeze, a shiny new feature was added: a brand new Python REPL. ✨

This new Python REPL will likely be my favorite thing about 3.13. It’s definitely the feature I’m most looking forward to using while teaching after 3.13.0 final is released later this year.

I’d like to share what’s so great about this new REPL and what additional improvements I’m hoping we might see in future Python releases.

Little niceties

The first thing you’ll notice when you launch the new REPL is the colored prompt.

You may also notice that as you type a block of code, after the first indented line, the next line will be auto-indented! Additionally, hitting the Tab key inserts 4 spaces now, which means there’s no more need to ever hit Space Space Space Space to indent ever again.

At this point you might be thinking, “wait did I accidentally launch ptpython or some other alternate REPL?” But it gets even better!

You can “exit” now

Have you ever typed exit at the Python REPL? If so, you’ve seen a message like this:

    >>> exit
    Use exit() or Ctrl-D (i.e. EOF) to exit

That feels a bit silly, doesn’t it? Well, typing exit will exit immediately.

Typing help also enters help mode now (previously you needed to call help() as a function).

Block-level history

The feature that will make the biggest difference in my own usage of the Python REPL is block-level history.

I make typos all the time while teaching. I also often want to re-run a specific block of code with a couple small changes.

The old-style Python REPL stores history line-by-line. So editing a block of code in the old REPL required hitting the up arrow many times, hitting Enter, hitting the up arrow many more times, hitting Enter, etc. until each line in a block was chosen. At the same time you also needed to make sure to edit your changes along the way… or you’ll end up re-running the same block with the same typo as before!

The ability to edit a previously typed block of code is huge for me. For certain sections of my Python curriculum, I hop into ptpython or IPython specifically for this feature. Now I’ll be able to use the default Python REPL instead.

Pasting code just works

The next big feature for me is the ability to paste code.

Check this out:

Not impressed? Well, watch what happens when we paste that same block of code into the old Python REPL:

The old REPL treated pasted text the same as manually typed text. When two consecutive newlines were encountered in the old REPL, it would end the current block of code because it assumed the Enter key had been pressed twice.

The new REPL supports bracketed paste, which was invented in 2002 and has since been adopted by all modern terminal emulators.
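The difference between the two paste behaviours, as an added example that is not part of the original post and not CPython's REPL code: a simplified model in which a bracketed-paste-aware reader keeps everything between the terminal's `ESC[200~` and `ESC[201~` markers as one block, while a line-by-line reader ends the block at the first blank line. The function names and the sample input are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not CPython's REPL code.
PASTE_START = "\x1b[200~"  # terminal sends this before pasted text
PASTE_END = "\x1b[201~"    # terminal sends this after pasted text

# Constructed sample: a function whose body contains a blank line.
PASTED = "def greet(name):\n    print('hello')\n\n    print(name)\n"


def old_style_blocks(stream):
    """Line-by-line reader: a blank line closes the open block."""
    blocks, current = [], []
    for line in stream.split("\n"):
        if line.strip() == "":
            if current:
                blocks.append("\n".join(current))
                current = []
        elif current or line.rstrip().endswith(":"):
            current.append(line)  # inside, or opening, a compound block
        else:
            blocks.append(line)   # simple one-line statement
    if current:
        blocks.append("\n".join(current))
    return blocks


def bracketed_blocks(stream):
    """Paste-aware reader: text between the markers stays one block."""
    blocks = []
    while stream:
        start = stream.find(PASTE_START)
        if start == -1:
            blocks.extend(old_style_blocks(stream))
            break
        blocks.extend(old_style_blocks(stream[:start]))
        end = stream.find(PASTE_END, start)
        if end == -1:             # unterminated paste: take the rest
            end = len(stream)
        blocks.append(stream[start + len(PASTE_START):end].strip("\n"))
        stream = stream[end + len(PASTE_END):]
    return blocks


def compiles(block):
    """True if the block is syntactically valid on its own."""
    try:
        compile(block, "<paste>", "exec")
        return True
    except SyntaxError:
        return False
```

In the line-by-line model the second fragment is an indented statement with no enclosing block, which is why the old REPL reports an indentation error after such a paste.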

No Windows support? Curses!

Unfortunately, this new REPL doesn’t currently work on Windows. This new REPL relies on the curses and readline modules, neither of which are available on Windows. I’m hoping that this new REPL might encourage the addition of curses support on Windows (there are multiple issues discussing this).

The in-browser Python REPL on Python Morsels also won’t be able to use the new REPL because readline and curses aren’t available in the WebAssembly Python build.

Beta test Python 3.13 to try out the new REPL 💖

Huge thanks to Pablo Galindo Salgado, Łukasz Langa, and Lysandros Nikolaou for implementing this new feature! And thanks to Michael Hudson-Doyle and Armin Rigo for implementing the original version of this REPL, which was heavily borrowed from PyPy’s pyrepl project.

The new Python REPL coming in 3.13 is a major improvement over the old REPL. While the lack of Windows support is disappointing, I’m hopeful that a motivated Windows user will help add support eventually!

Want to try out this new REPL? Download and install Python 3.13.0 beta 1!

Beta testing new Python releases helps the Python core team ensure the final release of 3.13.0 is as stable and functional as possible. If you notice a bug, check the issue tracker to see if it’s been reported yet and, if not, report it!
