Feeds

Justin Mason: Links for 2017-10-10

Planet Apache - Tue, 2017-10-10 19:58
Categories: FLOSS Project Planets

Carl Chenet: The Slack Threat

Planet Debian - Tue, 2017-10-10 18:00

For a long time, electronic mail was the main communication tool for enterprises. Slack, which offers public or private group discussion channels and one-to-one instant messaging, is challenging that position, especially in the IT industry.

Not only does Slack have features known and used since IRC was launched in the late ’80s, it also offers file sending and sharing, code quoting, and it indexes everything that goes through the application for later searching. Slack is also modular, with numerous plug-ins to add new features easily.

Using the Software-as-a-Service (SaaS) model, Slack’s basic version is free and users pay for options. The Github generation now regards Slack as the new main enterprise communication tool.

As in my previous article on the Github threat, this one won’t promote Slack’s advantages, which many other articles have already covered ad nauseam, but will show the other side and warn the companies using this service about its inherent risks. So far these risks have been ignored, sometimes deliberately, in the name of the “It works™” ideology, neglecting every economic and security consideration and every threat to privacy and individual freedom. We’ll look at them below.

Github, a software forge as a SaaS, with all the advantages but also all the risks of its economic model

All your company communication since its creation

When a start-up chooses Slack, all of its internal communication is stored by Slack. The simple fact of chatting through the service means the whole conversation is archived.

One may point out that within the basic Slack offer only the last 10,000 messages can be read and searched. Bad argument: that limit applies to what you can see, not to what Slack keeps. Slack stores every message and every shared file for as long as it pleases. We’ll see below that this behaviour is of capital importance in the threat Slack poses to enterprises.

The problem is the same for every other company that chooses Slack at one point or another. If they replace their traditional communication methods with it, Slack has access to data that is capital not only in volume but also in its value to the company itself… or to anyone interested in that company’s life.

Search Your Entire Archive

One of the main arguments for using Slack is its “Search your entire archive” feature. One can search for almost anything one can think of. Why? Because everything is indexed: your team’s chat archive, the more or less confidential documents exchanged with the accounting department; everything goes in so as to provide the most effective search tool.

The search bar, well known to Slack users

We can’t deny it’s a very attractive feature for everyone inside the company. But it is just as attractive to anyone outside the company who wants to know more about its internal life, even more so if they are looking for a specific subject.

If Slack is your company’s main communication tool, and if, as I’ve experienced in my professional life, some teams prefer using it to walking to the office next door, or even bug you to put the information on the dedicated channel, one can easily deduce that nothing in this type of company escapes Slack. Automatic indexing and an efficient search feature are excellent tools for getting all the information needed, in quantity and in quality.

As such, it’s a great social engineering tool for anyone who gains access to it, with a history as old as the company’s use of Slack.

Across borders… And Beyond!

Slack is a web service that runs mainly on Amazon Web Services, in particular CloudFront, according to the available information on Slack’s infrastructure.

Even without a complete study of that infrastructure, it’s easy to see that the data of many innovative companies around the world (for some of them, all their internal communication since their creation) is located in the United States, or at least in the hands of a US company that must follow US law. The US has a well-known history of large-scale industrial espionage, as the whistleblower Edward Snowden demonstrated in 2013, and access to company data there is unrestricted under the Patriot Act, as in the Microsoft case (2014), where a US court ordered the Redmond software vendor to hand over data stored in Ireland to US authorities.

Edward Snowden, an individual—and corporate—freedom fighter

As such, Slack’s automatic indexing and search tool are a boon for anyone, spy agency or hacker, who gains access to it.

Trusting a third party with all, or at least most, of your internal corporate communication is a real risk for your company if that third party doesn’t follow the same regulations as you do, or has different interests, whether in terms of data security or more broadly of competitiveness. A badly timed data leak can be catastrophic.

What’s the point of secretly preparing a new product launch or an aggressive takeover if all your recent Slack conversations have leaked, including your secret plans?

What if… Slack is hacked?

First, let’s remember that even if a cyber attack may seem a rare or hypothetical scenario to a badly informed and hurried manager, it is far from as rare as he or she believes (or wants to believe).

Infrastructure compromises are quite common, as regular visits to Hacker News will show. And Slack itself has already been hacked.

February 2015: Slack was the victim of a four-day intrusion, which the company made public in March. Officially, the unauthorized access was limited to information in users’ profiles. It is impossible to measure exactly what and who was affected by this attack, and breach tallies tend to grow with time: in a recent announcement, Yahoo admitted that 3 billion accounts (you read that right: 3 billion) had been compromised… back in 2013!

Yahoo, the company that suffered the largest recorded breach by number of compromised accounts

Officially, Slack stated that “No financial or payment information was accessed or compromised in this attack.” Which is by far the least interesting of all the data stored in Slack! With companies’ internal communication indexed, sometimes from their very beginning, and searchable, Slack is a tempting target for criminals who are not after its users’ payment details but after their internal data, already in a usable format. One would expect Slack to have to disclose a massive data leak, which could not be ignored. But what would happen if a single Slack customer were the victim of such a leak?

The Free Alternative Solutions

As shown above, companies need an alternative to Slack, one they can host themselves to reduce their exposure to data leaks and industrial espionage, and their dependency on an Internet connection. Luckily, Slack’s success has spawned copycats, some of which are free software.

Rocket.Chat is one of them. It offers chat rooms, direct messages and file sharing, but also video conferencing, screen sharing and many more features; check their dedicated page, or try the online demo. Rocket.Chat also has a very simple extension system and an API.

Mattermost is another, with the advantage of being close to, and compatible with, Slack. It offers the main features expected of this type of software, along with numerous apps and plug-ins to interact with online services, software forges and continuous integration tools.

It works

In the introduction we mentioned the “It works™” effect, usually invoked to dismiss the arguments about data protection and confidentiality of exchanges discussed in this article. True, an individual developer may ask: why worry about it? All I want is to chat with my colleagues and send files!

Because subscribing to Slack puts the company continuously at risk in the long term. Maybe it’s not the employees’ place to worry about it; they just have to do their job as efficiently as possible. On the other hand, company management, usually non-technical, may not be aware of the risks this technical choice brings to their company. Technical management may pretend to be omniscient, but nobody is fooled.

Either someone from management asks the right question (where is our data and who can access it?) or someone on the technical side officially alerts them to these problems. This technical audience, even if not always heard by their management, is the target of this article. May they find in it the right arguments to be convincing.

We hope the points developed in this article will help you make the right choice.

About Me

Carl Chenet, Free Software Indie Hacker, founder of the French-speaking Hacker News-like Journal du hacker.

Follow me on social networks

Translated from French by Stéphanie Chaptal. Original article written in October 2016.


Categories: FLOSS Project Planets

Yves-Alexis Perez: OpenPGP smartcard transition (part 1)

Planet Debian - Tue, 2017-10-10 16:44

A long time ago, I switched my GnuPG setup to a smartcard based one. I kept using the same master key, but:

  • copied the rsa4096 master key to a “master” smartcard, for when I need to sign (certify) other keys;
  • created rsa2048 subkeys (for signature, encryption and authentication) and moved them to an OpenPGP smartcard for daily usage.

I've been working with that setup for a few years now and it is working perfectly fine. The signature counter on the OpenPGP basic card is a bit north of 5000, which is large but not that huge, all things considered (and not counting authentication and decryption key usage).

One very nice feature of using a smartcard is that my laptop (or other machines I work on) never manipulates the private key directly but only sends requests to the card, which is a really huge improvement, in my opinion. But it's also not the perfect solution for me: the OpenPGP card uses a proprietary platform from ZeitControl, named BasicCard. We have very little information on the smartcard, besides the fact that Werner Koch trusts ZeitControl not to mess up. One caveat for me is that the card does not use a certified secure microcontroller like you would find in the smartcard chips used in debit cards or electronic IDs. That means it hasn't really been audited by a competent hardware lab, and thus can't be considered secure against physical attacks. The card OS software and the application implementing the OpenPGP specification are not public either and have not been audited either, to the best of my knowledge.
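One way to confirm the property described in this paragraph, that the private keys live only on the card, is to read gpg's machine-readable listing: in `gpg -K --with-colons`, field 15 of each `sec` or `ssb` record holds the token serial number when the private part is on a smartcard, a `#` when only a stub without a card is present, and is empty when the private key is stored on disk. The shell function below is an added example, not code from the post; it audits that output and fails if any private key is on disk. The colon records it runs on are constructed for the demonstration (key IDs and the serial number are made up), not taken from a real keyring.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Audit where each private (sub)key lives, from gpg's colon-format output:
#   gpg -K --with-colons | audit_secret_keys
# In "sec"/"ssb" records, field 15 is the serial number of the token holding
# the key, "#" for a stub with no card, or empty when the private key is on
# disk. Prints one line per key and returns 1 if any private key is on disk.
audit_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#")       where = "stub (no card)"
            else if ($15 != "")   where = "card " $15
            else                { where = "ON DISK"; ondisk++ }
            printf "%s %s caps=%s %s\n", $1, $5, $12, where
        }
        END { if (ondisk) exit 1; exit 0 }
    '
}

# Constructed sample listings (made-up key IDs and serial number), shaped like
# the setup in the post: certify-only master present as a stub, three rsa2048
# subkeys (sign, encrypt, authenticate) on one OpenPGP card.
sample_card_only() {
    printf '%s\n' \
      'sec:u:4096:1:0123456789ABCDEF:1400000000:::u:::cESCA:::#::' \
      'fpr:::::::::0000000000000000000000000123456789ABCDEF:' \
      'uid:u::::1400000000::0000000000000000000000000000000000000000::Example Person <ex@example.org>::::::::::0:' \
      'ssb:u:2048:1:FEDCBA9876543210:1400000100::::::s:::D2760001240102010006012345670000::' \
      'ssb:u:2048:1:0F0E0D0C0B0A0908:1400000100::::::e:::D2760001240102010006012345670000::' \
      'ssb:u:2048:1:1122334455667788:1400000100::::::a:::D2760001240102010006012345670000::'
}

# Same, but the authentication subkey was generated on the laptop and never
# moved to the card: field 15 is empty, which the audit must flag.
sample_with_disk_key() {
    sample_card_only | grep -v '^ssb:.*:a:::'
    printf '%s\n' 'ssb:u:2048:1:1122334455667788:1400000100::::::a::::::'
}
```

Run it against the real keyring with `gpg -K --with-colons | audit_secret_keys`; a non-zero exit means at least one private key is still on disk and should be moved with `keytocard` or deleted after being backed up offline.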

At one point I was interested in the Yubikey Neo, especially since the architecture Yubico used was common: a (supposedly) certified platform (secure microcontroller, card OS) and a GlobalPlatform / JavaCard virtual machine. The applet used in the Yubikey Neo is open-source, too, so you could take a look at it and identify any issue.

Unfortunately, Yubico transitioned to a less common and more proprietary infrastructure for the Yubikey 4: it's no longer JavaCard based, and they don't provide the applet source anymore. This was not really seen as a good move by a lot of people, including Konstantin Ryabitsev (kernel.org administrator). Also, it wasn't possible even for the Yubikey Neo to actually build the applet yourself and inject it on the card: when the Yubikey leaves the facility, the applet is already installed and the smartcard is locked (for obvious security reasons). I've tried asking about getting naked/empty Yubikeys with developer keys to load the applet myself, but it was apparently not possible or would have required signing an NDA with NXP (the chip maker), which is not really possible as an individual (not that I really want to anyway).

In the meantime, a coworker actually wrote an OpenPGP JavaCard applet, with the intention to support the latest version of the OpenPGP specification, and especially elliptic curve cryptography. The applet is called SmartPGP and has been released on ANSSI's GitHub repository. I investigated a bit, and found a smartcard with the right specifications: certified (in France or Germany), and supporting JavaCard 3.0.4 (required for ECC). The card can do RSA2048 (unfortunately not RSA4096) and EC with NIST (secp256r1, secp384r1, secp521r1) and Brainpool (P256, P384, P512) curves.

I've ordered some cards, and when they arrived, started playing. I've built the SmartPGP applet and pushed it to a smartcard, then generated some keys and tried with GnuPG. I'm right now in the process of migrating to a new smartcard based on that setup, which seems to work just fine after a few days.

Part two of this series will describe how to build the applet and inject it in the smartcard. The process is already documented here and there, but there are a few things not to forget, like how to lock the card after provisioning, so I guess having the complete process somewhere might be useful in case some people want to reproduce it.

Categories: FLOSS Project Planets

Colorfield: The Hitchhiker's Guide to the Planet Drupal

Planet Drupal - Tue, 2017-10-10 16:24
christophe, Tue, 10/10/2017 - 22:24

In this newcomer guide, you will find:
  • How to accelerate the onboarding process and how to get a fresh Drupal 8 install, for testing.
  • The documentation reduced to the essential for the following topics: tools, projects, Drupal concepts and drupalisms, main events, contribution and service providers.
  • A brief comparison of other solutions, and when to use Drupal.

There are at least 42 reasons to onboard drupalship.org!

Categories: FLOSS Project Planets

Acro Media: Video: Integrating Payment Gateways in Drupal Commerce 2.x is a Snap!

Planet Drupal - Tue, 2017-10-10 16:00


To say that payment gateways are much improved in Commerce 2.x is a bit of an understatement. The process of implementing a payment gateway has been cut down to about a third of the time, with more functionality rather than less.

Categories: FLOSS Project Planets

Michal Čihař: Better access control in Weblate

Planet Debian - Tue, 2017-10-10 14:45

Upcoming Weblate 2.17 will bring improved access control settings. Previously this could be controlled only by server admins, but now the project visibility and access presets can be configured.

This allows you to tweak access control better to your needs. There is also the additional choice of making a project public but restricting translations, which several projects have requested.

You can see the possible choices on the UI screenshot:

On Hosted Weblate this feature is currently available only to commercial hosting customers. Projects hosted for free are limited to public visibility only.

Filed under: Debian English SUSE Weblate

Categories: FLOSS Project Planets

Iain R. Learmonth: Automatic Updates

Planet Debian - Tue, 2017-10-10 14:00

The @TorAtlas web application will now also prompt operators to update their relays if they are outdated. pic.twitter.com/HMixwqbBKM

— Tor Atlas (@TorAtlas) October 9, 2017

We have instructions for setting up new Tor relays on Debian. The only time the word “upgrade” is mentioned here is:

Be sure to set your ContactInfo line so we can contact you if you need to upgrade or something goes wrong.

This isn’t great. We should have some decent instructions for keeping your relay up to date too. I’ve been compiling a set of documentation for enabling automatic updates on various Linux distributions; here’s a taste of what I have so far:

Debian

Make sure that unattended-upgrades is installed and then enable the installation of updates (as root):

apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

Fedora 22 or later

Beginning with Fedora 22, you can enable automatic updates via:

dnf install dnf-automatic

In /etc/dnf/automatic.conf set:

apply_updates = yes

Now enable and start automatic updates via:

systemctl enable dnf-automatic.timer
systemctl start dnf-automatic.timer

(Thanks to Enrico Zini I know all about these timer units in systemd now.)

RHEL or CentOS

For CentOS, RHEL, and older versions of Fedora, the yum-cron package is the preferred approach:

yum install yum-cron

In /etc/yum/yum-cron.conf set:

apply_updates = yes

Enable and start automatic updates via:

systemctl enable yum-cron.service
systemctl start yum-cron.service

I’d like to collect together instructions also for other distributions (and *BSD and Mac OS). Atlas knows which platform a relay is running on, so there could be a link in the future to some platform specific instructions on how to keep your relay up to date.
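A check to go with the three procedures above, added here as an example and not part of the original post: it parses the files those commands write (/etc/apt/apt.conf.d/20auto-upgrades on Debian; the [commands] section of /etc/dnf/automatic.conf or /etc/yum/yum-cron.conf on Fedora, RHEL and CentOS) and reports whether the host will actually apply updates rather than only download them, which is the failure mode when apply_updates is left at its shipped default of no. The sample configuration files are constructed for the demonstration. One caveat for relay operators: unattended-upgrades only installs packages from the origins listed in Unattended-Upgrade::Origins-Pattern (the Debian security archive by default), so a tor package installed from a third-party repository is not covered unless that repository's origin is added to the list in /etc/apt/apt.conf.d/50unattended-upgrades.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a host will
# actually apply updates unattended, by reading the files the procedures
# above write. Each check returns 0 (enabled) or 1 (not enabled).

# Debian: "dpkg-reconfigure -plow unattended-upgrades" writes
# /etc/apt/apt.conf.d/20auto-upgrades; both periodic switches must be "1".
apt_auto_upgrades_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]+\"1\"[[:space:]]*;" "$conf" || return 1
    done
}

# Fedora / RHEL / CentOS: apply_updates must be yes in the [commands] section
# of automatic.conf or yum-cron.conf. Commented-out lines ("# apply_updates =
# yes") and the shipped default "apply_updates = no" count as disabled, the
# key under any other section is ignored, and the last assignment wins.
ini_apply_updates_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "commands" && /^[[:space:]]*apply_updates[[:space:]]*=/ {
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            val = tolower(val)
        }
        END { if (val == "yes" || val == "true" || val == "1") exit 0; exit 1 }
    ' "$conf"
}

# Run on a real machine: report every mechanism present on this host.
# A correct config file is useless if nothing runs it, so the timer/service
# state is reported as well.
report_host() {
    f=/etc/apt/apt.conf.d/20auto-upgrades
    [ -f "$f" ] && { apt_auto_upgrades_enabled "$f" && echo "apt: unattended upgrades enabled" || echo "apt: NOT enabled ($f)"; }
    for f in /etc/dnf/automatic.conf /etc/yum/yum-cron.conf; do
        [ -f "$f" ] || continue
        ini_apply_updates_enabled "$f" && echo "$f: apply_updates = yes" || echo "$f: updates are NOT applied"
    done
    for unit in dnf-automatic.timer yum-cron.service; do
        systemctl is-enabled "$unit" >/dev/null 2>&1 && echo "$unit: enabled"
    done
}

# Constructed sample files (not copied from any host) to exercise the checks.
write_samples() {
    d="$1"
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$d/apt-good"
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$d/apt-download-only"
    printf '[commands]\n# apply_updates = yes\napply_updates = no\n[emitters]\nemit_via = stdio\n' > "$d/dnf-default"
    printf '[commands]\napply_updates = no\napply_updates = yes\n' > "$d/dnf-fixed"
    printf '[emitters]\napply_updates = yes\n' > "$d/dnf-wrong-section"
}

if [ "${1:-}" = "--report" ]; then report_host; fi
```

Run with `--report` on the relay itself; the apt-download-only and dnf-default samples are the two states that look configured at a glance but never install anything.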

Categories: FLOSS Project Planets

Elevated Third: 5 Ways Web Development Project Management Will Make Your Project More Successful

Planet Drupal - Tue, 2017-10-10 12:45
5 Ways Web Development Project Management Will Make Your Project More Successful 5 Ways Web Development Project Management Will Make Your Project More Successful Lily Berman Tue, 10/10/2017 - 10:45

As account managers at Elevated Third, we manage many projects across our accounts. Web development project management is intangible though not unimportant. We do not create wireframes or write code, so our direct impact on the Drupal websites Elevated Third produces may be less clear to our clients.

During the sales process, some clients see their communication budget as an unnecessary expense. Similar to limiting overhead spending when choosing recipients for charitable organizations, limiting the communication budget means more time goes to execution, right?

Maybe not. In the same way that a successful benefit event can dramatically increase the funds available for a nonprofit’s mission, strong account management directly contributes to our clients achieving their business goals across projects.

So, how does an account manager foster a successful Drupal project at Elevated Third?

  1) Account managers are the single consistent knowledge holder throughout the life of a project

Our team’s level of involvement will vary throughout a project. While UX has a large impact in the beginning, developers complete the majority of the tasks at the end. The account manager is the only member of the team who is in every meeting from kickoff to launch. It can be frustrating (and often expensive) for clients when the team veers from their vision. As a consistent project knowledge holder, an account manager can guide the team to ensure that they are considering the big picture, even when the client is not in the room.

For Instance: A designer knows he needs to create visual design for the project. He reviews what he believes is the necessary documentation, but did not see the client’s email update describing her new brand direction. He spends hours designing with the original brand guidelines in mind, then presents it to the client. The client is then frustrated that her feedback was not implemented and additional hours will be needed to modify the design. As our contracts are time and materials, every additional hour spent on a project has a corresponding cost to our clients.

When an account manager is involved in a project, she is part of every conversation and reviews every client email. This means no feedback will get lost in translation and costly adjustments will be avoided. Account managers are not responsible for creating any element of the website, so we can focus on ensuring that our clients and end users are kept in mind in every meeting and throughout the whole project.

  2) Account managers keep budget and timeline top of mind

A core part of the account manager’s role is managing the client’s budget and timeline. No other member of the team has that responsibility. We balance designers and developers who, if given a chance, would often prefer to build the most beautiful, perfect user-friendly functionality. Their desire to build the best thing ever is valuable, but it has to be balanced with the client’s budget and timeline needs. The account manager sets deadlines and monitors burndown throughout the project. From early discussions of which features will be prioritized to consistent check-ins and tweaks throughout execution, account managers ensure that the project aligns with the established constraints.

For instance: A UX strategist, excited about how valuable the tool we are building will be for its users, starts planning her user testing. She creates a first round of prototypes and tests with five users. Their feedback is so beneficial, she creates another iteration of prototypes to test with another five users, and then tests a third. Although she has gained valuable insight, she has now used half of the project hours that were allocated for visual design, as the budget did not accommodate extensive user testing. When an account manager takes on the role of web development project management, she knows the scope and the hours that are allocated for each task. She completes a variety of checks and balances to ensure the execution aligns with the project constraints.

  3) Account managers communicate with clients and with the team

Custom web development can often be a mysterious and complex process. Luckily, an account manager has learned to translate jargon for our clients. As a result of working in this industry, we understand the terminology used along with the impact of the choices we are asking our clients to make. Not only do we coordinate meetings and send status updates to keep clients in the loop, but we are also uniquely equipped to ensure they understand the process. This means that our team can stay focused on their tasks and more efficiently complete work with minimal interruptions.

For Instance: A developer has spent an hour working on a very complex task. Knowing that he needs to maximize concentration and minimize interruptions, he silences all of his notifications. This practice, called going “heads down,” is common when tackling problem-solving tasks. During this time, a client reaches out with an extremely urgent issue. Since he is the only person available to answer her request, it lingers for hours before she receives a response. For some development-related issues, especially on a live site, this delay can dramatically impact the client’s bottom line. When an account manager is involved in the project, she can immediately alert the developer of the request and let the client know her concern is being addressed right away.

  4) Account managers are organization wizards

For all projects, but especially for complex projects, there can be a lot of documentation. Luckily, account managers choose this field because we love organizing chaos. This skill helps our team work faster throughout the course of a project. Although a client rarely sees our organization and management of tasks and documentation, they will see the benefits of more accurate work and increased efficiency across teams.

For Instance: A developer knows that she needs to reference a particular piece of documentation for the element of the site she is building today, but she can’t find it. She spends 15 minutes digging through folders to find what she needs, which seems to happen every time she completes a task. When an account manager is involved in a project, she knows what documentation the developer will need, so she has already attached it to the current task, saving the developer time.


5) Account managers are flexible and adapt their skills to maximize their value

Every other role on a project is clear. A UX strategist helps to define which features will best achieve the business goals and how to maximize a user’s experience of interacting with them. A designer crafts how they will appear. A developer builds them. An account manager’s role in web development project management is less clear. When people ask me what I do on a typical day, my answer often comes after a long pause, and it’s rarely the same. Many others in my field find it difficult to describe their role succinctly, as our work can vary dramatically from day to day and from project to project.

For instance: Some days, my role is quite technical, and I am preparing or reviewing project documentation or checking the quality of completed development tasks. Other days, my role is more interpersonal, and I am supporting my team in delivering their best work or in back-to-back meetings with my clients. With each project comes a new business to learn, often along with new technologies and additional nuance to my role. To be successful, I am always switching between the various priorities outlined here, along with many more.


At Elevated Third, we value our clients’ investment in our work and are always evolving to maximize the value of that investment. We build communication time into our projects because we know how invaluable strong account managers are to ensuring our Drupal websites generate the outcomes our clients value most.

Categories: FLOSS Project Planets

Qt2 ported for modern systems with cmake

Planet KDE - Tue, 2017-10-10 12:27

So, to continue my archaeology process of reviving old software, I’m again preparing my next step, reviving KDE 2, in the indirectly baptized KDE restoration project.

Unlike KDE 1 last year, KDE 2 is a completely different beast and will take me some time to make ready.

The very base foundation, though, is Qt2, and this time I decided to give Qt better treatment to ease my further work. I based my work on the clang compiler.

The result is far from perfect; I decided to publish at the very first stage of usability, and some strategies for the port are not here yet, but it is perfectly usable: all examples compile and run.

Qt Designer has some funny bugs though, and I decided not to investigate them yet. The newly ported PNG code is not 100% reliable (the pure PNG documentation is horrible).

So, the F.A.Q. for the curious

  • Why ????
    • Because I was motivated and I really believe we need to restore our memory, code-wise.
  • Don’t you have better things to do?
    • Yes, so what?
  • Can I compile it on Windows?
    • Well, yes, but not yet. I focused only on *nix platforms for now, mostly Linux.
  • Can I use it with Wayland?
    • Nope, and I have doubts about the future.
  • Can I compile applications with Qt2?
    • Yes, perfectly plausible.
  • Do you accept patches?
    • It depends. If it is to fix or improve the build system or to fix a bug in the code, yes. Otherwise I want to keep the code as close to the original as possible. Remember, the intention is archaeological. And I will be happy if anyone tackles the crazy Designer (or the themes example) before me.
  • Are you joking with us?

The mandatory screenshot !!

Categories: FLOSS Project Planets

Jamie McClelland: Docker in Debian

Planet Debian - Tue, 2017-10-10 12:07

It's not easy getting Docker to work in Debian.

It's not in stable at all:

0 jamie@turkey:~$ rmadison docker.io
docker.io | 1.6.2~dfsg1-1~bpo8+1 | jessie-backports | source, amd64, armel, armhf, i386
docker.io | 1.11.2~ds1-5 | unstable | source, arm64
docker.io | 1.11.2~ds1-5 | unstable-debug | source
docker.io | 1.11.2~ds1-6 | unstable | source, armel, armhf, i386, ppc64el
docker.io | 1.11.2~ds1-6 | unstable-debug | source
docker.io | 1.13.1~ds1-2 | unstable | source, amd64
docker.io | 1.13.1~ds1-2 | unstable-debug | source
0 jamie@turkey:~$

And a problem with runc makes it really hard to get it working on Debian unstable.

These are the steps I took to get it running today (2017-10-10).

Remove runc (allow it to remove containerd and docker.io):

sudo apt-get remove runc

Install docker-runc (now in testing)

sudo apt-get install docker-runc

Fix containerd package to depend on docker-runc instead of runc:

mkdir containerd
cd containerd
apt-get download containerd
ar x containerd_0.2.3+git20170126.85.aa8187d~ds1-2_amd64.deb
tar -xzf control.tar.gz
sed -i s/runc/docker-runc/g control
tar -c md5sums control | gzip -c > control.tar.gz
ar rcs new-containerd.deb debian-binary control.tar.gz data.tar.xz
sudo dpkg -i new-containerd.deb

Fix docker.io package to depend on docker-runc instead of runc.

mkdir docker
cd docker
apt-get download docker.io
ar x docker.io_1.13.1~ds1-2_amd64.deb
tar -xzf control.tar.gz
sed -i s/runc/docker-runc/g control
tar -c {post,pre}{inst,rm} md5sums control | gzip -c > control.tar.gz
ar rcs new-docker.io.deb debian-binary control.tar.gz data.tar.xz
sudo dpkg -i new-docker.io.deb

Symlink docker-runc => runc

sudo ln -s /usr/sbin/docker-runc /usr/sbin/runc

Keep apt-get from upgrading until this bug is fixed:

printf "# Remove when docker.io and containerd depend on docker-runc
# instead of normal runc
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877329
Package: runc
Pin: release *
Pin-Priority: -1

Package: containerd
Pin: release *
Pin-Priority: -1

Package: docker.io
Pin: release *
Pin-Priority: -1
" | sudo tee /etc/apt/preferences.d/docker.pref
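The `sed -i s/runc/docker-runc/g control` step above rewrites every occurrence of the string in the control file, so it also hits a Description that mentions runc, any Provides or Replaces entry, a name that merely contains runc, and a package already named docker-runc (turning it into docker-docker-runc). The shell function below is an added example rather than code from the original post: it changes only whole package names inside the Depends, Pre-Depends and Recommends fields, including folded continuation lines, and leaves everything else alone. The control file it is exercised on is constructed for the demonstration, not copied from the real containerd package.

```shell
#!/bin/sh
# Added example, not part of the original post.
# rewrite_depends FILE OLD NEW
#   Replace package name OLD with NEW inside the Depends, Pre-Depends and
#   Recommends fields of a binary-package control file, in place. Only whole
#   names are touched (so "runc" never matches "docker-runc" or "runc-extra"),
#   folded continuation lines (starting with whitespace) are handled, and
#   every other field, including Description and Provides, is left alone.
rewrite_depends() {
    file="$1" old="$2" new="$3"
    tmp="$file.tmp.$$"
    awk -v old="$old" -v new="$new" '
        BEGIN {
            # Names may contain "+" and "."; escape them for the dynamic regex.
            gsub(/[.+]/, "\\\\&", old)
            # A package name is delimited by anything outside its alphabet.
            bound = "[^[:alnum:]+.-]"
        }
        # A line starting in column 1 begins a new field; continuation lines
        # start with whitespace and keep the current field.
        /^[^[:space:]]/ {
            fld = $0; sub(/:.*/, "", fld)
            active = (fld == "Depends" || fld == "Pre-Depends" || fld == "Recommends")
        }
        active {
            line = " " $0 " "      # sentinels so names at either end have a boundary
            out = ""
            while (match(line, bound old bound)) {
                out = out substr(line, 1, RSTART) new
                line = substr(line, RSTART + RLENGTH - 1)   # keep trailing boundary
            }
            $0 = substr(out line, 2)
            sub(/ $/, "")
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed control file (not the real containerd package) with the traps
# the plain sed falls into: a name that merely contains "runc", a Provides
# entry, a folded Depends field and prose mentioning runc.
write_sample_control() {
    cat > "$1" <<'EOF'
Package: containerd
Version: 0.2.3-2
Architecture: amd64
Depends: runc (>= 0.1.1), libc6 (>= 2.4),
 libseccomp2 (>= 2.1.0), runc-extra | runc
Recommends: runc
Provides: runc-compat
Description: daemon to control runC
 This package uses runc to run containers.
EOF
}
```

Used in the procedure above it replaces the sed line: `rewrite_depends control runc docker-runc` after extracting control.tar.gz, then repack as before. Re-running the same repacked package through the function is harmless, since docker-runc no longer matches the whole-name pattern for runc.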

Thanks to coderwall for tips on manipulating deb files.

Categories: FLOSS Project Planets

KDE neon 5.11 is Out

Planet KDE - Tue, 2017-10-10 11:54

Plasma 5.11 was out this morning with many bugfixes, Plasma Vaults to keep your private files secure, System Settings redesign, a new wallpaper of course and many other nice features.

The KDE neon scalable cloud devops build farm has been working hard to compile it and the packages were available for KDE neon User Edition users to upgrade a few hours ago.

The installable ISO images are built but it takes a few hours for them to get mirrored around the world. Please don’t download from the KDE server directly, it kills the server’s limited bandwidth. Instead browse the mirror list and grab from a mirror near you.

Updated Docker images are also building away.


Categories: FLOSS Project Planets

Lars Wirzenius: Debian and the GDPR

Planet Debian - Tue, 2017-10-10 11:11

GDPR is a new EU regulation for privacy. The name is short for "General Data Protection Regulation" and it covers all organisations that handle personal data of EU citizens and EU residents. It will become enforceable May 25, 2018 (Towel Day). This will affect Debian. I think it's time for Debian to start working on compliance, mainly because the GDPR requires sensible things.

I'm not an expert on GDPR legislation, but here's my understanding of what we in Debian should do:

  • do a privacy impact assessment, to review and document what data we have, and collect, and what risks that has for the people whose personal data it is if the data leaks

  • only collect personal information for specific purposes, and only use the data for those purposes

  • get explicit consent from each person for all collection and use of their personal information; archive this consent (e.g., list subscription confirmations)

  • allow each person to get a copy of all the personal information we have about them, in a portable manner, and let them correct it if it's wrong

  • allow people to have their personal information erased

  • maybe appoint one or more data protection officers (not sure this is required for Debian)

There's more, but let's start with those.

I think Debian has at least the following systems that will need to be reviewed with regards to the GDPR:

  • db.debian.org - Debian project members, "Debian developers"
  • nm.debian.org
  • contributors.debian.org
  • lists.debian.org - at least membership lists, maybe archives
  • possibly irc servers and log files
  • mail server log files
  • web server log files
  • version control services and repositories

There may be more; these are just off the top of my head.

I expect that mostly Debian will be OK, but we can't just assume that.

Categories: FLOSS Project Planets

Zivtech: Drupal is Not Just for Your Marketing Site

Planet Drupal - Tue, 2017-10-10 10:51

As a Drupal expert, many of the projects I’ve done over the years have been marketing websites. Drupal is widely understood as a content management system that’s used to power sites like ours, but this is actually only the tip of the iceberg of what Drupal can do for an organization. Our team has used Drupal to build a variety of complex custom web applications that help companies work more efficiently.

Do you need an intranet?

We’ve used Drupal to build intranets that securely keep internal content and documents for staff eyes only. Drupal has an abundance of community features that make it easy to have wikis, commenting, user profiles, and messaging. Many organizations we’ve worked with integrate their intranet with their LDAP or other Single Sign On system. 

Radial's intranet allows team members to quickly locate information about co-workers

We’ve also used Drupal for our own intranet for the past eight years. Our intranet helps keep our internal knowledge base easy to access and organizes information like our servers, sites, clients, and projects.

Categories: FLOSS Project Planets

4 reasons why the librem 5 got funded

Planet KDE - Tue, 2017-10-10 10:21

Librem 5 Plasma Mobile

In the past days, the campaign to crowd-fund a privacy-focused smartphone built on top of Free software and in collaboration with its community reached its funding goal of 1.5 million US dollars. While many people doubted that the crowdfunding campaign would succeed, it is actually hardly surprising if we look at what the librem 5 promises to bring to the table.

1. Unique Privacy Features: Kill-switches and auditable code

Neither Apple nor Android have convincing stories when it comes to privacy. Ultimately, they’re both under the thumbs of a restrictive government, which, to put it mildly, doesn’t give a shit about privacy and has created the most intrusive global spying system in the history of mankind. Thanks to the U.S., we now live in the dystopian future of Orwell’s 1984. It’s time to put an end to this with hardware kill switches that cut off power to the radio, microphone and camera, so phones can’t be hacked into anymore to listen in on your conversations, take photos you never knew were taken, and send them to people you definitely would never voluntarily share them with. All that comes with auditable code, which is something that we as citizens should demand from our government. With a product on the market supplying these features, it becomes very hard for your government to argue that they really need their staff to use iPhones or Android devices. We can and we should demand this level of privacy from those who govern us and handle our data. It’s a matter of trust.
Companies will find this out first, since they’re driven by the same challenges but are usually much quicker to adopt technology.

2. Hackable software means choice

The librem 5 will run a mostly standard Debian system with a kernel that you can actually upgrade. The system will be fully hackable, so it will be easy for others to create modified phone systems based on the librem. This is so far unparalleled and brings the freedom the Free software world has long waited for, it will enable friendly competition and collaboration. All this leads to choice for the users.

3. Support promise

Can a small company such as Purism actually guarantee support for a whole mobile software stack for years into the future? Perhaps. The point is, even in case they fail (and I don’t see why they would!), the device isn’t unsupported. With the librem, you’re not locked into a single vendor’s ecosystem, but you buy into the support from the whole Free software community. This means that there is a very credible support story, as support doesn’t have to come from a single vendor, and the workload is relatively limited in the first place. Debian (which is the base for PureOS) will be maintained anyway, and so will Plasma, as tens of millions of users already rely on it. The relatively small part of the code that is unique to Plasma Mobile (and thus isn’t used on the desktop) is not that hard to maintain, so support is manageable, even for a small team of developers. (And if you’re not happy with it, and think it can be done better, you can even take part.)

4. It builds and enables a new ecosystem

The Free software community has long waited for this hackable device. Many developers just love to see a platform they can build software for that follows their goals, that allows development with a proven stack. Moreover, convergence allows users to blur the lines between their devices, and advancing that goal hasn’t been on the agenda with the current duopoly.
The librem 5 will put Matrix on the map as a serious contender for communication. Matrix has rallied quite a bit of momentum to bring more modern mobile-friendly communication, chat and voice to the Free software eco-system.
Overall, I expect the librem 5 to make Free software (not just open-source-licensed, but openly developed Free software) a serious player also on mobile devices. The Free software world needs such a device, and now is the time to create it. With this huge success comes the next big challenge, actually creating the device and software.

The unique selling points of the librem 5 definitely strike a chord with a number of target groups. If you’re doubtful that its first version can fully replace your current smart phone, that may be justified, but don’t forget that there’s a large number of people and organisations that can live with a more limited feature set just fine, given the huge advantages that private communication and knowing-what’s-going-on in your device brings with it.
The librem 5 really brings something very compelling to the table and those are the reasons why it got funded. It is going to be a viable alternative to Android and iOS devices that allows users to enjoy their digital life privately. To switch off tracking, and to sleep comfortably.
Are you convinced this is a good idea? Don’t hesitate to support the campaign and help us reach its stretch goals!

Categories: FLOSS Project Planets

Drupal Modules: The One Percent: Drupal Modules: The One Percent —Content connected (video tutorial)

Planet Drupal - Tue, 2017-10-10 08:32
Episode 39, by NonProfit (Tue, 10/10/2017 - 07:32)

Here is where we seek to bring awareness to Drupal modules running on less than 1% of reporting sites. Today let's consider Content connected, a module which displays where content has been referenced.

Categories: FLOSS Project Planets

ADCI Solutions: Web Designers methods and tools for enhancing a workflow

Planet Drupal - Tue, 2017-10-10 07:28

Designers do love order, so don’t believe in stereotypes. Our Drupal team’s designer created her own approach to organizing working files. It helps her communicate efficiently with the rest of the team - developers and managers.


Try out our approach and improve the workflow

Categories: FLOSS Project Planets

KDAB, MyScript and Qt Company to create new, non-distractive input method for the Automotive Industry

Planet KDE - Tue, 2017-10-10 07:13

https://youtu.be/Su2Xxx_fEmo?rel=0&showinfo=0

KDAB will be partnering with MyScript and The Qt Company to incorporate MyScript’s handwriting input technology into the Qt Automotive Suite. This integration will enable multimodal input capabilities using either the existing Qt Virtual Keyboard or a new handwriting input panel powered by MyScript technology.

KDAB's Jan Arne Petersen will demonstrate some of the potential of this integration in his "Using Virtual Keyboards on Qt Embedded Devices" presentation at Qt World Summit 2017.

Volker Krause, Director Automotive at KDAB, said, “MyScript technology offers a highly intuitive user interface and is a great complement to the Qt Automotive framework. We are very excited to partner with MyScript and bring the advantages of multimodal functionality to the automotive cockpit. We look forward to a successful business relationship for the benefit of our mutual partners and customers.”

Read the recent press release...

also on Myscript's website...


Categories: FLOSS Project Planets

Reproducible builds folks: Reproducible Builds: Weekly report #128

Planet Debian - Tue, 2017-10-10 04:08

Here's what happened in the Reproducible Builds effort between Sunday October 1 and Saturday October 7 2017:

Media coverage

Documentation updates

Packages reviewed and fixed, and bugs filed

Reviews of unreproducible packages

32 package reviews have been added, 46 have been updated and 62 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (27)

diffoscope development

strip-nondeterminism development

Rob Browning noticed that strip-nondeterminism was causing serious performance regressions in the Clojure programming language within Debian. After some discussion, Chris Lamb also posted a query to debian-devel in case there were any other programming languages that might be suffering from the same problem.

reprotest development

Versions 0.7.1 and 0.7.2 were uploaded to unstable by Ximin Luo:

  • New features:
    • Add a --auto-build option to try to determine which specific variations cause unreproducibility.
    • Add a --source-pattern option to restrict copying of source_root, and set this automatically in our presets.
  • Usability improvements:
    • Improve error messages in some common scenarios.
      • Giving a source_root or build_command that doesn't exist
      • Using reprotest with default settings after not installing Recommends
    • Output hashes after a successful --auto-build.
    • Print a warning message if we reproduced successfully but didn't vary everything.
  • Fix varying both umask and user_group at the same time.
  • Have dpkg-source extract to different build dir if varying the build-path.
  • Pass --exclude-directory-metadata to diffoscope(1) by default as this is the majority use-case.
  • Various bug fixes to get the basic dsc+schroot example working.

It included contributions already covered by posts of the previous weeks, as well as new ones from:

tests.reproducible-builds.org

Misc.

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Categories: FLOSS Project Planets

Aten Design Group: Form and View Modes vs. Field Access in Drupal 8

Planet Drupal - Tue, 2017-10-10 03:13

Drupal 8 advertised many new, promising features after its release. One of the exciting new changes was the addition of form modes. Form modes promised to let you manage the content entry side of your site just as you often managed content display with view modes. This change seemed like it would eliminate the need for much of the custom and repetitive code I often needed to write inside a hook_form_alter.

Over time, I've realized that form modes aren't everything I had hoped they would be. While it's easy to create new form modes, it's literally impossible to use them without custom code or contributed modules. Drupal simply doesn't have a way to know when to use one form mode over another. Should it be based on role? Permissions? A field on the node? Content moderation state? There are contributed modules for most if not all of these, but nothing out-of-the-box.

This forced me to think about why I needed a form mode in the first place. Almost always, the answer was to disable or hide a field from a user because that user shouldn't be allowed to change that field. The same was also often true of my view modes (only to a lesser extent). I realized that this particular problem is not one of user experience, but of access control.

Drupal 8 has hook_entity_field_access(). This hook is called for every field of the specified entity type when the entity is viewed or when its form is shown. When you deny access to a field, either for viewing or editing, that field will not be shown to the user, in any scenario. This should be your preferred method for hiding fields that certain users should not be able to access.

Using field access over form and view modes to hide fields when a user should not be allowed to see or edit a field is the secure and "Drupal way" to do things. This prevents mistakes in configuration, which might accidentally leak field information via teasers, searches, and Views. It also future proofs your site. If you ever turn on REST or JSON API or add a new form or view mode down the line, you can never accidentally expose a field that needs to be kept private.

Best of all, using the field access hook is much easier to implement than all the hoops you'll have to jump through to get the right form modes displayed at the right times.

How to use hook_entity_field_access()

First, make a custom module in the standard way. Create a .module file and create the following function:

<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Field\FieldItemListInterface;

/**
 * Implements hook_entity_field_access().
 */
function yourmodule_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
}
?>

From this hook, you should always return an AccessResult. By default, you should simply return a neutral access result. That is, your hook is not concerned with actually allowing or preventing access yet. Add the following to your function.

<?php

/**
 * Implements hook_entity_field_access().
 */
function yourmodule_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Neutral means "this hook has no opinion"; other modules may still decide.
  $result = AccessResult::neutral();
  if ($field_definition->getName() == 'field_we_care_about') {
    // FALSE is a placeholder so the function parses; the real condition is
    // written in the next step.
    if (FALSE /* a condition we'll write later... */) {
      $result = AccessResult::forbidden();
    }
  }
  return $result;
}
?>

The above code will deny access when our still unwritten condition is true, in every other case, we're just saying "we don't care".

There's an infinite number of scenarios in which you might want to deny access, but let's say that we want to make a field only editable by an administrator. We would add the following:

<?php

/**
 * Implements hook_entity_field_access().
 *
 * The hook must be named after "entity_field_access" (there is no
 * hook_ENTITY_TYPE_field_access variant), the operation parameter is
 * $operation, and field access operations are 'view' and 'edit'.
 */
function yourmodule_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  $result = AccessResult::neutral();
  if ($field_definition->getName() == 'field_we_care_about') {
    // Deny editing to anyone without the 'administrator' role.
    if ($operation == 'edit' && !in_array('administrator', $account->getRoles())) {
      $result = AccessResult::forbidden();
    }
  }
  // The role-based cache context is 'user.roles' with the role id as parameter;
  // it is attached on both the forbidden and the neutral path.
  return $result->addCacheContexts(['user.roles:administrator']);
}
?>

Now, for every user without the administrator role that attempts to update field_we_care_about, the field will not be accessible. This works for more than just forms. For example, if we had the REST module installed, this would block the user from updating the field in that way as well.

The last part to note is that we added a cache context to our AccessResult. This ensures that our access decision is only reused for users who match on whether they have the 'administrator' role. It's important to understand that we added the cache context both when we did and when we did not deny access. If we had only added the context when we denied access, and a user with the 'administrator' role happened to be the first person to access the field, that neutral result would be cached and served to all users no matter what.
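As an added example (not the article's own code, nor Drupal core's), here is a fuller hook_entity_field_access() implementation for a hypothetical module named "fieldguard". It goes beyond the article's single case: it checks the target entity type as well as the field name, handles both field access operations ('view' and 'edit'), decides on permissions rather than on a hard-coded role name, and attaches the cache context on every return path. "field_internal_notes" and the "access internal notes" permission are assumptions; "administer nodes" is a permission that the node module really defines.

```php
<?php

/**
 * @file
 * Added example: a hook_entity_field_access() implementation for a
 * hypothetical "fieldguard" module. Not the article's or Drupal's own code.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Implements hook_entity_field_access().
 *
 * Policy for the assumed node field "field_internal_notes":
 *  - 'edit' requires the node module's "administer nodes" permission;
 *  - 'view' requires "access internal notes", a permission this module
 *    would declare in its own fieldguard.permissions.yml (assumed).
 * Every other field, and the same field name on other entity types,
 * gets a neutral result so other modules' decisions are unaffected.
 */
function fieldguard_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Match on entity type as well as field name: a field named
  // field_internal_notes could also exist on media or taxonomy terms,
  // and a name-only check would silently lock those down too.
  if ($field_definition->getTargetEntityTypeId() !== 'node'
      || $field_definition->getName() !== 'field_internal_notes') {
    return AccessResult::neutral();
  }

  switch ($operation) {
    case 'edit':
      // forbiddenIf() yields forbidden when the condition holds, otherwise
      // neutral; we never return allowed() so that other modules may still
      // forbid. A forbidden result from any module wins.
      $result = AccessResult::forbiddenIf(!$account->hasPermission('administer nodes'));
      break;

    case 'view':
      $result = AccessResult::forbiddenIf(!$account->hasPermission('access internal notes'));
      break;

    default:
      // Unknown operation: take no position.
      $result = AccessResult::neutral();
  }

  // Both decisions depend on the user's permissions, so vary the cached
  // result by 'user.permissions' on every path, forbidden or neutral.
  // Attaching it only on the forbidden path would let the first privileged
  // user's neutral result be cached and served to everyone.
  return $result->addCacheContexts(['user.permissions']);
}
```

Because the hook is consulted by the entity form, by view builders and by the REST and JSON API serializers alike, the same decision covers every output path, which is the property the article argues for over form and view modes.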

Categories: FLOSS Project Planets

Appnovation Technologies: Appnovator Spotlight: Janice Cheer

Planet Drupal - Tue, 2017-10-10 03:00
Appnovator Spotlight: Janice Cheer Meet Janice Cheer, Sales Enablement from Vancouver, BC. 1. Who are you? What's your story? I’m a Chinese-Canadian who grew up in a small town called Squamish. After finishing high school, I moved out to Vancouver for school and obtained my Bachelor’s Degree in Business Administration with a minor in Marketing. Sin...
Categories: FLOSS Project Planets