Feeds

It can be incredibly easy for a frontend developer to accidentally write a client-side cross-site-scripting (DOM-XSS) security issue, and yet these are hard for security teams to detect. Vulnerability scanners are slow, and suffer from false positives. Can smarter collaboration between development, operations and security teams provide a way to eliminate these problems altogether?

Google claims that Trusted Types has all but eliminated DOM-XSS exploits on those of their sites which have implemented it. Let’s find out how this can work!

DOM-XSS vulnerabilities are easy to write, but hard for security teams to catch

It is very easy to accidentally introduce a client-side XSS problem. As an example of what not to do, suppose you are setting an element’s text to the current URL, on the client side:

// Don't do this para.innerHTML = location.href;

Unfortunately, an attacker can now manipulate the URL (and e.g. send this link in a phishing email), and any HTML tags they add will be interpreted by the user’s browser. This could potentially be used by the attacker to send private data to a different server.

Detecting DOM-XSS using vulnerability scanning tools is challenging - typically this requires crawling each page of the website and attempting to detect problems such as the one above, but there is a significant risk of false positives, especially as the complexity of the logic increases.

There are already ways to avoid these exploits — developers should validate untrusted input before making use of it. There are libraries such as DOMPurify which can help with sanitization.1

However, if you are part of a security team with responsibility for preventing these issues, it can be complex to understand whether you are at risk. Different developer teams may be using different techniques and tools. It may be impossible for you to work closely with every developer — so how can you know that the frontend team have used these libraries correctly?

Trusted Types closes the DevSecOps feedback loop for DOM-XSS, by allowing Ops and Security to verify good Developer practices

Trusted Types enforces sanitization in the browser2, by requiring the web developer to assign a particular kind of JavaScript object rather than a native string to .innerHTML and other dangerous properties. Provided these special types are created in an appropriate way, then they can be trusted not to expose XSS problems.

This approach will work with whichever tools the frontend developers have chosen to use, and detection of issues can be rolled out by infrastructure engineers without requiring frontend code changes.

Content Security Policy allows enforcement of security policies in the browser itself

Because enforcing this safer approach in the browser for all websites would break backwards-compatibility, each website must opt-in through Content Security Policy headers.

Content Security Policy (CSP) is a mechanism that allows web pages to restrict what actions a browser should execute on their page, and a way for the site to receive reports if the policy is violated.

Figure 1: Content-Security-Policy browser communication

This is revolutionary, because it allows servers to receive feedback in real time on errors that may be appearing in the browser’s console.

Trusted Types can be rolled out incrementally, with continuous feedback

Web.dev’s article on Trusted Types explains how to safely roll out the feature using the features of CSP itself:

• Deploy a CSP collector if you haven’t already
• Switch on CSP reports without enforcement (via Content-Security-Policy-Report-Only headers)
• Iteratively review and fix the violations
• Switch to enforcing mode when there are a low enough rate of reports

Static analysis in a continuous integration pipeline is also sensible — you want to prevent regressions shipping in new releases before they trigger a flood of CSP reports. This will also give you a chance of finding any low-traffic vulnerable pages.

Smart security teams will use techniques like Trusted Types to eliminate entire classes of bugs at a time

Rather than playing whack-a-mole with unreliable vulnerability scanning or bug bounties, techniques such as Trusted Types are truly in the spirit of ‘Secure by Design’ — build high quality in from the start of the engineering process, and do this in a way which closes the DevSecOps feedback loop between your Developer, Operations and Security teams.

1. Sanitization libraries are especially needed when the examples become more complex, e.g. if the application must manipulate the input. DOMPurify version 1.0.9 also added Trusted Types support, so can still be used to help developers adopt this feature. ↩︎

2. Trusted Types has existed in Chrome and Edge since 2020, and should soon be coming to Firefox as well. However, it’s not necessary to wait for Firefox or Safari to add support, because the large market share of Chrome and Edge will let you identify and fix your site’s DOM-XSS issues, even if you do not set enforcing mode, and users of all browsers will benefit. Even so, it is great that Mozilla is now on board. ↩︎

Happy new year. 2023 saw my first foreign travels since COVID lockdown happened, and that was fun. I felt I had more than enough travel for me. Work life was challenging due to the lay offs and economic environment we are operating in, needs a different mode of operation. Family life is facing a different phase as kids grow, the eldest is approaching the teens.

During the last month we mainly focused on fixing bugs, adjusting how things work, improving performance and adding new features.

Changes for the User Sales, Purchases and Projects

Related shipments and moves are now reset and cancelled when a purchase request is cancelled.

When creating a sale from an opportunity the sale now has default addresses and payment terms, if they are not defined on the opportunity.

The blanket agreement record names now contain the reference and will fallback to the id if there isn’t a number or a reference available, like we do for sales and purchases.

We added some UTM parameters to emails sent by the marketing modules. The following parameters were added:

• utm_campaign
• utm_medium
• utm_source

The create purchase wizard on purchase requests now opens the newly created purchases.

Since Tryton defaults to the most used currency for new purchases, we’ve now updated it to also do the same for purchase requests.

Accounting, Invoicing and Payments

When using sale advance payments Tryton no longer sets the invoice date if the advance payment condition has no invoice delay. If you’d like the invoice date to default to today’s date, set a delay of 0.

Stock, Production and Shipments

On an unaltered system modification of product locations is now restricted to the Stock Administrator access group.

The progress of a move is now rounded to four digits.

Tryton now only checks if a lot is required when a move is going to the done state.

The stock location code is now included in the record name of a location.

We added a confirmation dialogue to the cancel- buttons on shipments.

When moving consumable products the default to-location is now preset with the default product location.

User Interface

The URL button is now hidden, when a URL field is empty, as disabling it did not prevent the user from clicking on it.

Each button in a list-view is now rendered read-only when the appropriate record is also read-only.

We improved the behaviour of button clicks. Now clicking rapidly on a button only launches the action once. This same behaviour has also been implemented for widget buttons.

Now labels are aligned to the start of the line on extra small screens.

On small screens we now hide the search widget on list views. A toolbar button shows the search widget on demand.

The workflow graphs for models no longer overlap and incorrectly share states.

More (click for more details) Documentation

We reworked parts of the Tryton documentation.

In validation error messages the record name is now prefixed with the word “record” in order to make the message clearer.

New Releases

We released bug fixes for the currently maintained long term support series
7.0 and 6.0, and for the penultimate series 6.8.

Changes for the System Administrator

For the Tryton desktop client we now support the arm64 darwin architecture allowing it to be built on Apple Silicon.

Changes for Implementers and Developers

The order of keys is now retained when changing a fields.Dictionary through an on_change method.

For selection and multiselection fields we now use the string version of the value in error messages.

Authors: @dave @pokoli @udono

1 post - 1 participant

Read full topic

Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

• swh-web: direct replies better, strip whitespace
• Debian screenshots:
  • deleted freecell-solver-bin (not a graphical program)
• Debian BTS usertags: fix ports/archive usertags
• Debian wiki pages: DebianAlternatives, LoongArch, Mobian/Devices, Software that can't be packaged, Statistics, Teams/Cinnamon
• FOSSjobs wiki pages: Resources

Issues

• Feature in UDD
• Conffile removal needed in neomutt
• dpkg vendor config needed in Armbian
• New SWH listers needed for depp & depp (different projects)

Review

• Debian packages: sponsored harmony
• Debian wiki: RecentChanges for the month
• Debian BTS usertags: changes for the month
• Debian screenshots:
  • approved fonts-arphic-bkai00mp fonts-dejavu fonts-freefont-ttf fonts-liberation-sans-narrow fonts-mathjax fonts-noto-cjk fonts-noto-mono fonts-quicksand fonts-urw-base35 freecol lincity-ng qnetload
  • rejected librte-bbdev0.200 (library with no UI), freecell-solver-bin (not a graphical program)

Administration

• Debian wiki: approve accounts

Communication

• Respond to queries from Debian users and contributors on the mailing lists and IRC

Sponsors

The SWH work was sponsored. All other work was done on a volunteer basis.

Dear CTT translators:

Thank you very much for your contribution in the past year.
We have done a good job as always.

1. keep on localizing www.gnu.org to Simplified Chinese
2. help review the new translation of GNU licence: GFDL
3. welcomed several new members, including Jing
4. welcomed several contributors: Ventus Uta, Peaksol, and Chen Jingge

The following is the summary from GNU. Please take you time to read.

Dear GNU translators!

2023 was a very quiet year; the total number of new translations
was four times as low as in 2022, and in terms of size the amount
was twice as low.  Most translations were made in the "Simplified"
Chinese and in the Turkish team.  A few unmaintained translations
were decommissioned this year, so the total number of translations
didn't grow, for the first time since the start of CVS logs in 2001.

      General Statistics

In most working teams, the amount of outdated translations was
unprecedently close to zero.  We could only wish more teams were
active; as a result, the average percentage of outdated translations
remained as high as in 2022, and grew slowly.

The table below shows the number and size of newly translated
articles in important directories and typical number of outdated
GNUNified translations throughout the year.

+--team--+------new-----+--outdated---+
|  es    |  0 (  0.0Ki) | 0.4 ( 0.2%) |
+--------+--------------+-------------+
|  fa    |  2 ( 29.1Ki) |  25 (  81%) |
+--------+--------------+-------------+
|  fr    |  2 ( 46.8Ki) | 0.1 (0.04%) |
+--------+--------------+-------------+
|  ja    |  0 (  0.0Ki) |  35 (  25%) |
+--------+--------------+-------------+
|  pl    |  0 (  0.0Ki) |  67 (  45%) |
+--------+--------------+-------------+
|  ru    |  4 ( 68.6Ki) | 0.3 ( 0.1%) |
+--------+--------------+-------------+
|  sq    |  0 (  0.0Ki) | 1.5 (   2%) |
+--------+--------------+-------------+
|  tr    |  5 (195.1Ki) | 0.3 ( 0.2%) |
+--------+--------------+-------------+
|  zh-cn | 12 (214.7Ki) | 0.8 ( 0.3%) |
+--------+--------------+-------------+
+--------+--------------+
| total  | 25 (554.3Ki) |
+--------+--------------+

For the reference: 2 new articles were added, amounting to 47Ki
(which is considerably less than in 2022); the number of commits
(about 400 changes in approximately 100 English files) was just
a little lower than in 2022.

      Orphaned Teams, New and Reformed Teams

No teams were orphaned, and no new teams were established.

Volunteers requested taking over the teams for Esperanto, Punjabi,
Marathi, Indonesian, Brazilian Portuguese, Arabic---in all cases
with little further outcome.

      Changes in the Page Regeneration System

GNUN 1.4 was released this year, fixing a few minor bugs, updating
the HTML validation script for new xmllint, supporting localized
URLs in templates, and a configure option to reduce the number
of generated locales used for the sorting feature.

Happy GNU year, and thank you for your contributions!

Happy Hacking
wxie

Drupal Advent Calendar 2023 Retrospective and Thank Yous james Mon, 01/01/2024 - 00:00 Image Body

This December was the second incarnation of the Drupal Advent Calendar project.

This started on a whim in 2022, and while fun, I knew I didn’t want to write it all myself the second year.

So at DrupalCon Lille, I started asking people to get involved in this year’s calendar, initially focusing on people I know. The response was generally positive, with most people eager to take part.

My aim was to have a different person talk about an aspect of Drupal behind each door, and that was more or less how it worked out.

When I thought of asking people to take part, my aim was to cover 24 topics without…

I'm very pleased to announce the release of a new version of GNU PSPP.  PSPP is a program for statistical analysis of sampled data.  It is a free replacement for the proprietary program SPSS.

Changes from 1.6.2-pre2 to 2.0.0:

• The CTABLES command is now implemented.
• FREQUENCIES now honors the LAYERED setting on SPLIT FILE.
• AGGREGATE:
  • New aggregation functions CGT, CLT, CIN, and COUT.
  • Break variables are now optional.
• ADD FILES, MATCH FILES, and UPDATE now allow string variables with the same name to have different widths.
• CROSSTABS now calculates significance of Pearson and Spearman correlations in symmetric measures.
• DISPLAY MACROS is now implemented.
• SET SUMMARY is now implemented.
• SHOW ENVIRONMENT is now implemented.
• Removed the MODIFY VARS command, which is not in SPSS.
• Building from a Git repository, which previously required GIMP, now requires rsvg-convert from librsvg2 instead.
• The pspp-dump-sav program is no longer installed by default.
• Improved the search options in the syntax editor.
• Localisations for the ar (Arabic) and ta (Tamil) locales have been added.  Other translations have been updated.
• Journaling is now enabled by default when PSPP or PSPPIRE is started interactively.  In PSPPIRE, use Edit|Options to override the default.

Please send PSPP bug reports to bug-gnu-pspp@gnu.org.

Allowing your content creators to embed images in text fields is a big risk if you don't have the right measures in place to get properly rendered images without jeopardizing your site's performance. We faced this issue first-hand with embedded images due to not using the right configuration and this lead to extremely large images being rendered. In this post I'll go over the techniques I took for addressing those issues and set up a system for image embeds that is solid and performant.

I started by writing a seven-part guide on how to setup responsive images. In this post I'll focus on image embeds. If you followed or read the responsive images guide, you should be able to take advantage of some of the work we did there in this post. The guidelines covered here include:

• Defining requirements
• Image styles
• Media view modes
• Text format configuration

Defining requirements

Before you write the first line of code or set the first drupal configuration for this issue, you need to have a clear understanding of your requirements. Here is a summary of my requirements:

• Only certain user roles can embed images

  This means we need to figure out if the text formats used in our site will allow us to set the restrictions we need. Otherwise we may need to create or edit a text format for our target user roles.

• Users need to be able to choose the image size and aspect ratio when embedding images

  We defined the image sizes and aspect ratios and assigned names that were user-friendly for non-technical users. We came up with name options we think our users will find easy to work with such as:

  • Small square, Small portrait, Small rectangular
  • Medium square, Medium portrait, Medium rectangular, Medium rectangular wide
  • Large square, Large rectangular, Large rectangular wide
  • Extra large square, Extra large rectangular, Extra large rectangular wide

• If no option is selected by users, set a default image size

  For the default option when no selection is made by the user, we decided to use the Medium rectangular option. This has an aspect ratio of 3:2 and it measures about 720x480.

• Existing Media items need to be available for embedding

  This was a tricky one because my original inclination was to create a new Media type so we can isolate all configuration for its view modes and not overpopulate our default Media type. However, this ended up not working for us because when you limit your image embeds to only use a new Media type, you don't get access to any of the media items (images), that have already been uploaded to the Media library using other media types. Ultimately we ended up using Drupal core's Media type, Image, and our dev team had to compromise on having a very busy list of view modes for this media type.

• Images need the ability to be cropped wihin the Media page

  Since most of our images already provide the ability to be cropped at different aspect ratios, using the core Media type in the previous bullet point made this an easy solution.

Image styles

It all starts with image styles. I'm not going to go over how to create image styles, you can read my post Image styles in Drupal. The one thing I am going to repeat however is the importance of creating reusable image styles. Reusable image styles can help you reduce the number of image styles you create while providing the flexibility you need with each use case.

Image styles are key as each of the size options we defined above translate into image styles. So Small square for example, is an image style that is defined as 1:1 (250px). Medium rectangular would be something like 3:2 (720x480), etc. You may be wondering, how do you plan on using fiendly names for your content editors when your image styles names are not very friendly? Great question. Since we are using Drupal's Media, content editors do not interact directly with image styles, they do with Media view modes and this is where we will use more friendly names.

Media view modes

View modes are one of Drupal's powerful features. Being able to display content is different ways with little effort can turn a simple website into a dynamic content hub. The example I always give when someone asks me what view modes are or how do they work is the Amazon website. When you are viewing a product in amazon.com, or most retail websites for that matter, you will notice that the same product or similar ones appear all over the page but in slightly different ways, with different fields or styles. See the page below for an example.

The image above shows many ways in which a product can be displayed. I've numbered each display.

In Drupal, every entity such as content types, media types, blocks, etc., offer the ability to create view modes. For the purpose of image embeds, we will create a Media type view mode for each image style we plan on using. The view modes is what content editors will interact with when choosing an image size or aspect ratio during the image embed process. This is where we will use the user-friendly names we defined earlier. Let's go over how this relationship between view modes and image styles works for image embeds.

Configure view modes for the Image media type

1. In your Drupal site, create an image style for each image size option you wish to provide to users when embedding images.

2. Next, create a Media view mode for each image style (/admin/structure/display-modes/view). Very iimportant: Remember the view mode's label (name) is where we are going to use the friendly name (i.e. Medium rectangular (720x480)). I like to keep the machine name similar to the label so it's easier to debug or identify in code (i.e. medium_rectangular_720x480).

3. Now, let's tie 1 & 2 together:

   • Go to the media type you plan on using for media embeds (/admin/structure/media/manage/image/display). I am using Drupal core's Image media type.
   • Scroll down and expand the Custom display settings fieldset.
   • Check each of the view modes you created in step 2 and click Save.

4. Now click each of the view modes and update the image field to use the respective/matching image style.

Configure the text format

View modes and image styles are all configured. Now let's configure the Text format that authorized users will use to embed images.

1. Go to the Text formats and editors page (/admin/config/content/formats)
2. Click Configure next to the text format you plan on using (i.e. Full HTML)
3. Ensure the right user roles are selected
4. Within the Toolbar configuration section, drag the Drupal media button from the Available buttons options to the Active toolbar section. You could probably remove the original insert image button since you won't be using it.
5. Scroll to the Enabled filters section and check the Embed media checkbox
6. Scroll to the Filter settings section and set the following:

   • Default view mode: This is the default display that will be used if content editors don't pick an option when embedding images. Select any of the view modes that represents the image size you want to use as default.

   • Media types selectable in the Media Library: Select the Media type you plan on using. In my case is Image.

   • View modes selectable in the 'Edit media' dialog: Finally, select each of the view modes you created in the previous section. FYI: View modes will be sorted in alpha order by their machine name. In my case I had to prefix some of the machine names with either "a" or "b" so the list of options for the users to choose from would be nicely organized by their label name. See screnshot below.

   • Click Save configuration

Testing your configuration

Now that we've completed all the configuration we should be able to take it for test drive.

• Go to any page where there is a text field with a WYSIWYG editor
• Make sure you are using the right text format by selecting it at the bottom of the text field where you want to embed an image
• Click the Insert media button from the editor's toolbar
• Select or upload the image you'd like to embed
• When the image has been inserted, click on it and you should see several options of actions you can do with the image. Things like align the image, add a caption, link it, and you should also see a selection box listing all the view modes you created.
• After making your selection you should immediately see the image size/aspect ratio change to the one you selected. When you are happy with your selection, click the Save button to save your page.

Important: Depending on your site's configuration, the options for changing your image size may look different than mine. In my case, I am only using Drupal's core modules and this is how the options look for me:

In closing

Putting a system like this for your image embeds will give you the piece of mind that content editors have options to choose how big or small they would like images to be displayed, and from a performance point of view, if your image styles are done properly, you can rest assurred that bloated images will never be rendered because you have put the guard rails in place to avoid this from happening.

I hope you found this article useful and can put these techniques to use in your own Drupal project. Happy New Year! 🎉 🎊 🎆 👋

This post should have marked the beginning of my yearly roundups of the favourite books and movies I read and watched in 2023.

However, due to coming down with a nasty bout of flu recently and other sundry commitments, I wasn't able to undertake writing the necessary four or five blog posts… In lieu of this, however, I will simply present my (unordered and unadorned) highlights for now. Do get in touch if this (or any of my previous posts) have spurred you into picking something up yourself…

§

Books Peter Watts: Blindsight (2006) Reymer Banham: Los Angeles: The Architecture of Four Ecologies (2006) Joanne McNeil: Lurking: How a Person Became a User (2020) J. L. Carr: A Month in the Country (1980) Hilary Mantel: A Memoir of My Former Self: A Life in Writing (2023) Adam Higginbotham: Midnight in Chernobyl (2019) Tony Judt: Postwar: A History of Europe Since 1945 (2005) Tony Judt: Reappraisals: Reflections on the Forgotten Twentieth Century (2008) Peter Apps: Show Me the Bodies: How We Let Grenfell Happen (2021) Joan Didion: Slouching Towards Bethlehem (1968)Erik Larson: The Devil in the White City (2003)

§

Films Recent releases

• The Blue Caftan (Maryam Touzani, 2022)
• The Eight Mountains (Felix van Groeningen & Charlotte Vandermeersch, 2022)
• Evil Does Not Exist (Ryusuke Hamaguchi, 2023)
• Killers of the Flower Moon (Martin Scorcese, 2023)
• Monster (Hirokazu Kore-eda, 2023)
• Passages (Ira Sachs, 2023)
• Poor Things (Yorgos Lanthimos, 2023)
• The Tuba Thieves (Alison O’Daniel, 2023)
• Theater Camp (Molly Gordon and Nick Lieberman, 2023)
• TÁR (Todd Field, 2022)

Unenjoyable experiences included Alejandro Gómez Monteverde's Sound of Freedom (2023), Alex Garland's Men (2022) and Steven Spielberg's The Fabelmans (2022).

Older releases

(Films released before 2022, and not including rewatches from previous years.)

• Brief Encounter (David Lean, 1945)
• Clouds of Sils Maria (Olivier Assayas, 2014)
• Daisy Miller (Peter Bogdanovich, 1974)
• First Reformed (Paul Schrader, 2017)
• Forbidden Games (René Clément, 1952)
• La Noire de... (Ousmane Sembène, 1966)
• The Queen of Spades (Thorold Dickinson, 1949)
• The River (Jean Renoir, 1951)
• Topsy-Turvy (Mike Leigh, 1999)
• Le Trou (Jacques Becker, 1960)

Distinctly unenjoyable watches included Ocean's Eleven (1960), El Topo (1970), Léolo (1992), Hotel Mumbai (2018), Bulworth (1998) and and The Big Red One (1980).

What’s new in 1.14.0? add python 3.12 to test matrix add sort-by-year action

Happy New Year everyone!

Goodbye 2023: you were a… difficult year. Along multiple axes. Learned new things, learned not pleasant things, and mostly failed at becoming better.

Hello 2024: I’m hoping I can do better in the coming year. We’ll see. My goal list is quite long, and ambitious. But all plans meet reality at one point, so who knows where 2024 will end.

In any case - wishing all good people health, wisdom, and a good year.

The other day I uploaded a new version of the VLC bittorrent plugin to Debian, version 2.14-4, to fix a few packaging issues. This plugin extend VLC allowing it to stream videos directly from a bittorrent source using both torrent files and magnet links, as easy as using a HTTP or local file source. I believe such protocol support is a vital feature in VLC, allowing efficient streaming from sources such at the 11 million movies in the Internet Archive. Bittorrent is one of the most efficient content distribution protocols on the Internet, without centralised control, and should be used more.

The new version is now both in Debian Unstable and Testing, as well as Ubuntu. While looking after the package, I decided to ask the VLC upstream community if there was any hope to get Bittorrent support into the official VLC program, and was very happy to learn that someone is already working on it. I hope we can see some fruits of that labour next year, but do not hold my breath. In the mean time we can use the plugin, which is already installed by 0.23 percent of the Debian population according to popularity-contest. It could use a new upstream release, and I hope the upstream developer soon find time to polish it even more.

It is worth noting that the plugin store the downloaded files in ~/Downloads/vlc-bittorrent/, which can quickly fill up the user home directory during use. Users of the plugin should keep an eye with disk usage when streaming a bittorrent source.

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

GNU Boot December 2023 News

Announcements:

The last project announcement was made in the gnuboot mailing
list[1][2] at a time where we didn't have a website or an announce
mailing list yet.

So this announce and the next ones will be published in multiple
places:

- On the gnuboot[3] and gnuboot-announce[4] mailing lists

- On the GNU Boot website[5].

GNU Boot 0.1 RC3:

We just released GNU Boot 0.1 RC3. We also need help from testers for
this release, especially because few intrusive changes were made.

We also release GNU Boot 0.1 RC2 just before but some bugs that don't
affect the installable images were introduced in the last minute fixes
so we ended up making an RC3 as well (some tests were broken and some
website pages also needed fixes).

Nonfree software found in the source release of GNU Boot 0.1 RC1.

In the GNU Boot source release (gnuboot-0.1-rc1_src.tar.xz) we found
the 3 files (F12MicrocodePatch03000002.c, F12MicrocodePatch0300000e.c,
F12MicrocodePatch03000027.c) that contain microcode in binary form,
without corresponding source code. GNU Boot 0.1 RC1 corresponding
source code tarball was remade without these files (and renamed). The
images for the Asus KCMA-D8, KFSN4-DRE and KGPE-D16 were also removed
as they may contain the nonfree code as well. The rest of the files
are unaffected.

Website:

Since the last announce a lot of work was done on the code to deploy
the website to make to make it easy for contributors and maintainers
to do changes to the website and review them.

The website has also been published. Not everything is ready in
it, but it contains enough to understand how to contribute to GNU Boot.

The pages that are not ready yet were also published with a special
banner to indicate that.

Since we now have a website, contribution instructions[6], and even a
list of areas where we are looking for contributions[6], we can now
accept patches.

The website is also now integrated in the GNU Boot source code and we
have special code to make it easy to test it locally (and deploy it
semi-automatically). So it should make contributions easier.

Testing:

We would also like to thank all the people who tested GNU Boot 0.1 RC1
since the last announce, especially since this can be a lot of
work, especially because there are many computers to test.

The following computers were tested with GNU Boot 0.1 RC1 and they all
boot fine:

• Lenovo Thinkpad R400, T400, T500, T60, W500, X60, X60T, X200, X301
• Asus: KGPE-D16
• Apple: MacBook 2.1

Since some popular computers were tested[7], we are now also looking
for testers and contributions on the installation instructions. Even
if GNU Boot 0.1 RC3 has already been published, it's probably easier
to do the tests with GNU Boot 0.1 RC1 and a computer that was already
tested (unless the computer is an Asus KCMA-D8, see above for more
details) as there is no changes that could affect the installation
instructions between 0.1 RC1 and 0.1 RC3.

The following computers / mainboards weren't tested yet with the 0.1
RC1 yet so we also need testers for them (ideally on the 0.1 RC3):

• Chromebook: C201
• Intel: D410PT, D510MO, D945GCLF2D
• Gigabyte: D945GCLF, GA-G41M-ES2L
• Asus: KCMA-D8, KFSN4-DRE
• Apple: MacBook 1.1, iMac 5,2
• Lenovo Thinkpads: R500, T400s, X60s, X200s, X200T, X60T.

And as stated above we also need to re-test with the RC3 the computers
that were already tested with the RC1 to make sure that we didn't
break anything.

GNU Boot running nonfree software:

GNU Boot is still in its early stages and many of the directions the
project can take are still being evaluated.

So it's a good time to warn people that in some cases GNU Boot does
run nonfree software on computers other than laptops, and that it
may change in the future (we have to decide how to deal with this
problem).

The issue is that ATI and Nvidia external GPUs do contain nonfree
software. That nonfree software is stored on the card in a memory chip.

At least in some configurations[8], if such GPU is present, GNU Boot
downloads and executes that software. Then later on in the boot,
Linux-libre also downloads and execute another nonfree software from
that same GPU.

If we decide to block that (it's relatively easy to do that in GNU
Boot) then users won't be able to use such GPU anymore. If we don't
block it, many users will not know about this freedom issue and will
think that they only run free software while nonfree software is
being executed behind their back.

This is also why the FSF RYF (Respect Your freedom) certification[9] is
important: it takes care of details like that and these GPUs or systems
with such GPUs are not certified by it.

Work in progress and future directions:

Work also started to improve the build system to make it easier to
understand and contribute. We also started adding tests along the way.

Though we still use old versions of Coreboot especially for the Asus
KCMA-D8, KFSN4-DRE and KGPE D16. Compiling GNU Boot images for these
computers requires specific distributions like PureOS 10 (byzantium)
or Trisquel 10 (nabia).

We plan to try to change that after the GNU Boot 0.1 release.

To do it we plan to update the versions of the software we build (like
Coreboot, GRUB, etc) but also to progressively switch to Guix to build
more and more parts of the images.

So far we managed to use Guix to building a GRUB payload (part of
that work was already upstreamed in Guix) and to build a custom Flashrom
that can be used to do installation on the I945 Thinkpads (X60, T60,
etc) but more work is needed (code cleanup, documentation, making it
easy to use for contributors) before we can integrate that code.

Integrating it now instead of waiting for the release would increase
the risk of introducing new bugs and inconsistencies (for instance in
the documentation), and reduce the amount of help we can get, and
since it is a big task there is also the risk of never finishing
it[10]. So we chose to do that step by step without breaking the
documentation or current usage of GNU Boot.

As for the website we are currently using Untitled, a static website
generator that use files in markdown with a custom header format.

We plan to migrate at least part of the website to Texinfo to generate a
proper manual with it and we already have code to convert from the
special markdown used to Texinfo, but the conversion sometimes needs
some manual intervention.

We're also not ready yet to do that conversion as keeping the markdown
a bit longer might make it easier for contributors to help us fix the
website.

We also evaluated Haunt, a static website generator that supports
markdown and Texinfo and that is also used by Guix for their website.

We managed to validate that we could easily write code to make it use
the custom markdown used by untitled. However we didn't invest time in
trying to make it generate a website (by default it generate blog
posts), so if some people already know haunt well or want to learn it
and are interested in helping it could be very useful. For that the
best would be to contact us on the gnuboot mailing list.

This is also important because according to its author, Untitled has
some design issues (and it is written in shell scripts) and so it will
most likely be rewritten from scratch in another programming language
by its author at some point.

In the meantime we sent patches upstream to fix some of the issues we
had with it and the patches were accepted.

Toward the 0.1 release:

What is missing before we release GNU Boot 0.1 is basically more
testing and help on the website, especially the installation
instructions.

References:

 [1]"Testers needed for GNU Boot 0.1 RC1".

 [2]https://lists.gnu.org/archive/html/gnuboot/2023-09/msg00000.html

 [3]https://lists.gnu.org/mailman/listinfo/gnuboot

 [4]https://lists.gnu.org/mailman/listinfo/gnuboot-announce

 [5]https://gnu.org/software/gnuboot/web/news/gnuboot-december-2023.html

 [6]https://www.gnu.org/software/gnuboot/web/git.html

 [7]https://savannah.gnu.org/bugs/?64754

 [8]We know for sure that when SeaBIOS is used, it will download and
    execute nonfree software from GPU cards that are added to the
    computer. But we're not sure what happens if SeaBIOS is not
    used. An easy way to find out is if the GPU works under GNU/Linux
    and that the display is initialized, then at least some nonfree
    bytecode has been downloaded and executed by the operating system.

 [9]https://ryf.fsf.org/

[10]See "General tips on maintaining GNU software" in
    https://www.gnu.org/software/maintainer-tips for more details
    about common issues when maintaining a new project.

2023 year in review About • Blog • Newsletter • Links 2023 year in review

Published 2023-12-31 by Seth Larson
Reading time: minutes

2023 was a great year! So much happened, but a few things in particular stood out to be when putting together this post.

I got married to my wife, Trina after 9 years of being together. We met in college and fell in love with each others' passion for adventure, food, and life. Our ceremonies included both of our cultures and we had family and friends from all over the globe together to celebrate with us.

"Vu Quy" or "tea ceremony" with family. Photo credit: Summer Street Photography

We were married near where we first met on the University of Minnesota east bank campus and the Mississippi river. The photo below is my favorite of the whole day:

Stone Arch Bridge with the Minneapolis downtown in the background. Photo credit: Summer Street Photography

I traveled to many new places this year and got to see friends everywhere I went. This was my first year traveling to New York, Florida, Texas, Rhode Island, and northern Nevada. Places I'm looking forward to exploring in 2024 include Japan, Seattle, and Pittsburgh (see you at PyCon US!)

Elastic had its first Engineering All Hands in-person since COVID to start off 2023 where I got to meet my long-time friend and colleague Quentin Pradet. Quentin and I have been working on open source together for over 5 years and this was our first opportunity to meet in person.

Quentin and I together at Elastic EAH 2023

After 3 great years at Elastic I was hired by the Python Software Foundation to be the Security Developer-in-Residence. I still have days when I think I'm dreaming, I'm so grateful I have the opportunity to work full-time serving a community I love.

Banner included in OpenSSF's announcement of my hiring.

This blog saw a huge burst of activity thanks to my new position where I publish weekly reports on what I've been working on. There were 34 new publications to the blog in 2023 (up from 12 in 2022), of those 24 were related to the Security Developer-in-Residence role.

The top posts by readership for this year were:

• Python 3.12.0 from a supply-chain perspective
• Quirks of Python package versioning (PEP 440)
• Visualizing the CPython release process
• Patching the libwebp vulnerability across the Python ecosystem
• Python Security Response Team handling of CVE-2023-40217

If I had to pick a favorite post outside of this list it would be “For You” is not for me discussing my current outlook on internet consumption. Look forward to more posts on the blog, hopefully continuing the trend that I'm on of shorter but more frequent publications.

Outside of software I plan to spend more time playing games (beat Pikmin 4 and Super Mario RPG is in-progress) and learning some hardware-hacking for retro gaming like Gameboy and GameCube modding.

Hope you all had a lovely 2023, looking forward to what we can do in 2024! 🥳

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.

This work is licensed under CC BY-SA 4.0

As in 2022 I took another look back at what changed in Phosh in 2023 and instead of just updating my notes why not share it here. In short: While collecting these bits I became really impressed about the progress we made 🚀: Some numbers Link to heading We were discussing at this years Phosh Community Get Together at Froscon if we should lengthen the Phosh release cycle a bit but we kept the one release per month schedule to get improvements out to users quickly.

The review of my 2023, trying to remember all the things done in this year, in which more than anyone I met many fantastic people and visited new countries.

A few weeks ago, right before the holidays, some chatter in the VDG channel happened where the desire to change our icons to a 24x24px size came up.

Most modern interfaces use this icon size as a base. Plasma has been encouraged many times to adopt this size. However, manpower is always something not readily available.

The conversation picked my interest. In the past, I have worked making icons using Inkscape. At the time, the interface didn’t have all the shortcut helpers that it does today. Also, with the advent of UI-specific graphical applications like Figma and Penpot, I figured it might be much easier to edit icons today than in the past. I am talking many years, FYI.

With this in mind, I downloaded a copy of the most current Breeze icon collection, accessed the 22px folder for actions and begun editing.

At first sight, most might think this is just a matter of mass-resizing from 22 to 24 and merge. However, the reality is much different. These icons feature mostly 1px lines. They also contain pixel fractions that lead to misalignment and blurriness. Since we don’t have the actual graphical original files, as they have been flattened in export, the shapes are only workable through editing nodes, which is a pain!

Another issue is that our Breeze icons contain a css sheet that correlates colors to colors in Plasma. This allows for easy color transformations on the system without much hassle. However, graphical applications like Figma and Penpot remove the css.

For this reason @manuelijin created a nice plugin for Figma called Icon Jetpack. This plugin will allow designers to export the updated icons with all the necessary pieces for production.

In the public Figma file, I created the colors needed for action icons and they are now embedded into the exported file.

Another criticism of our current icons we would like to address is how thin they feel in high-DPI screens. To address this, we have been making our lines 2px (for the most part) where it makes sense.

Given this is an update, and who knows how long it will take for another time when an update is done, I also feel it’s necessary to update many of the shapes we have. We are using rounding for making shapes a little more approachable. Some icons have been transformed inspired by the original files. For other files, I usually check on other icon providers to see how different or similar we are to most icons today. That way, if there is a need for more editing, we can land on something recognizable.

The editing process that seems the fastest involves recreating the shapes, using an icon grid, aligning to the grid as much as possible, reusing icons for consistency. This should help future designers consult the Figma file and edit en-masse.

For now, we are in the middle of editing icons. My intention is that we do a first pass and seek feedback. Do another refinement pass and then see how the community reacts to the edits. Hopefully the work is useful and can be merged eventually.

We have a total of 1206 icons. So far, we have edited 262.

Here is a before/after:

There are some more edits at the bottom of the file that I didn’t include.

Hope you like.

I also made a couple of videos to show the process and see if any other designers would like to contribute some time to update the icons.

Discover the Debian Project's evolution and aspirations through an insightful interview with the Debian Project Lead, Jonathan Carter. Learn about the Debian ecosystem's path, objectives, problems, and future ambitions, shining light on Debian's transforming landscape, attracting contributors, DPL's role complexities, Debian's progress, and the project's guiding values. Jonathan's experiences unveil the dynamic world of Debian, shaping the future of this influential open-source project.

49th issue of Andrei Neagoie's must-read monthly Python Newsletter: Python Errors, Tools in Python Land, Architecting Monorepos, and much more. Read the full newsletter to get up-to-date with everything you need to know from last month.

Looking at the options for blocking ads, people usually first look at browser extensions. Google's plan is to disable adblock extensions in 2024. The alternative is usually an app (on phones) or a "VPN" that does filtering for you. All these methods are quite heavyweight, and require installing software on your phone or PC. What is less known, is that you can you DNS-over-TLS or DNS-over-HTTPS for ad blocking. What is DNS-over-TLS and DNS-over-HTTPS Since Android 9, Google has provided a setting calledPrivate DNS. Traditional DNS is unencrypted UDP so anyone can monitor your requests and/or return false records. With private DNS, DNS-over-TLS or DNS-over-HTTPS is used to guarantee the DNS request is sent to the server you configured. Which Google hopes is of course Google's own public servers. If you do so, your ISP and hotspot providers no longer can monitor, monetize and enshittify your DNS requests - only Google can do so. Subverting private DNS for ad blocking This is where AdGuard DNS comes useful. By setting the AdGuard DNS server as your "private DNS" server following the instructions,you can start blocking right away. Note, on PC you can also configure the Adguard DNS server on the Browser settings (Firefox -> Enable secure DNS and Chrome -> Use Secure DNS) instead of configuring a system-wide DNS server. Blocking via DNS, of course, limits effectiveness to ads distributed from 3rd party servers. Other uses for AdGuard DNS If you register for Adguard DNS, you get your "own", customizable DNS server address to point to. You can, for example, create your own /etc/hosts style records that are now available to all you devices you have connected to the Adguard DNS server - whether your a are home or not. Of course, you choose to use the personal DNS server, your DNS query privacy is in the hands of AdGuard. Going further What else is ruining the web than Ads? Well commercial social media. An article ("Ei näin! – Algoritmiähky") from the latest Finnish Magazine SKROLLI (mainos: jos luet suomeksi, Tilaa skrolli!) hit a chord for me. The algorithms of social media sites are designed not to serve you, but to addict you. For example, If you stop to watch a hateful meme image, the algorithm will record "The user spent time watching this, show more of the same!". It doesn't help block or mute - yeah that spefic hate engager will be blocked, but all the dozens similar hate pages will still be shown to you. Worse, the social media sites are being overrun by AI-generated crap. Unfortunately the addictive nature of the algorithms works. You reload in vain, hoping this time the algorithmic god will show something your friends share. How do you cure addiction? By blocking yourself out:

Epilogue I didn't block myself out of Fediverse - yet. It's not engineered to be addictive, which is also probably why it isn't as popular as the commercial alternatives...