Friday, 24 May

15:00

That magical super material Apple hopes will hit backspace on its keyboard woes? Nylon [The Register]

iFixit tears down new Macbook Pro with butterfly keyboard latest fixes

The magic new material embedded in Apple’s very latest Macbook Pro keyboards, to prevent them from malfunctioning, is nylon, iFixit, the popular DIY repair shop, revealed on Friday.…

14:41

An Algorithm May Decide Who Gets Suicide Prevention [Slashdot]

An algorithm, it seems, could determine, in some cases, who gets shown lifesaving information, and who doesn't. From a report: The researchers behind the New Media & Society paper set out to understand this odd quirk of Google's algorithm, and to find out why the company seemed to be serving some markets better than others. They developed a list of 28 keywords and phrases related to suicide, Sebastian Scherr at the University of Leuven says, and worked with nine researchers from different countries who accurately translated those terms into their own languages. For 21 days, they conducted millions of automated searches for these phrases, and kept track of whether hotline information showed up or not. They thought these results might simply, logically, show up in countries with higher suicide rates, but the opposite was true. Users in South Korea, which has one of the world's highest suicide rates, were only served the advice box about 20% of the time. They tested different browser histories (some completely clean, some full of suicide-related topics), with computers old and new, and tested searches in 11 different countries. It didn't seem to matter: the advice box was simply much more likely to be shown to people using Google in the English language, particularly in English-speaking countries (though not in Canada, which Scherr speculates was probably down to geographical rollout). "If you're in an English-speaking country, you have over a 90% chance of seeing these results -- but Google operates differently depending on which language you use," he said. Scherr speculates that using keywords may simply have been the easiest way to implement the project, but adds that it wouldn't take much to offer it more effectively in other countries, too. A Google spokesperson, who asked not to be quoted directly, said that the company is refining these algorithms. 
The advice boxes require the cooperation of local organizations which may not always be available, they said, but that relevant resources will still show up in regular search results. Google said the service does not have comprehensive global coverage, and while it is actively working on new languages and locations, rolling that out takes time.

Read more of this story at Slashdot.

14:01

Microsoft's Game Streaming Service Project xCloud Technically Supports 3,500 Games [Slashdot]

Microsoft today shared more details about its Project xCloud game streaming service, revealing that developers won't have to make any modifications to their games for their titles to be supported by xCloud. From a report: That means that technically, Project xCloud supports the over 3,500 games that are playable on the Xbox One, even including the Backward Compatibility list. That means that Xbox and Xbox 360 games will work as well. Moreover, Microsoft said that there are over 1,900 games in development for the Xbox One, so that brings the total to well over 5,000 games. And when a game is updated on the Xbox Store, it's automatically updated for xCloud. Of course, the key words to pay attention to in the blog post are "technical capability." Just because a game is technically able to stream doesn't mean that it will. Presumably, this will be left up to the developer.


13:37

Activist shareholders to target Zuck with giant angry emoji inflatable at Facebook AGM [The Register]

Eight total resolutions seek to make antisocial network more accountable (the US tech giant opposes them all)

Facebook stock-owning activists are planning to deliver an eight-foot angry-looking emoji to CEO Mark Zuckerberg at the company's annual general meeting next week to highlight widespread frustration with the US web goliath.…

13:25

'Sonic the Hedgehog' Movie is Getting Delayed To Redesign the Title Character [Slashdot]

Director Jeff Fowler has announced that Paramount had delayed the release of 'Sonic the Hedgehog' by three months, to allow the visual effects team some more time to work on the central character's redesign. A report adds: To say that reaction to the first 'Sonic the Hedgehog' trailer was mixed would be overly diplomatic. But at least fans were able to look beyond the thin premise and bizarre Jim Carrey turn for long enough to focus on what was really important: the weird-ass Sonic design.


12:53

DXC: We axed 10k staff, shut nine data centres, closed 4.6m sq ft of office space... and sales tumbled, funnily enough [The Register]

On the plus side it did hire 2,000 cheap staff in fiscal 2019

Beleaguered outsourcing badass DXC Technology has just reported another uneventful year in which $1bn in revenues evaporated, and it saved $500m in overheads, in part, by chopping 10,000 employees.…

12:41

Uber and Lyft's Rise Tanked Wheelchair Access To Taxis [Slashdot]

A new San Francisco city report details the devastating drop in on-demand rides for the disability community after the rise of Uber and Lyft. From a report: The financial blow to the taxi industry, the report alleges, was also a blow to the availability of on-demand trips for anyone who uses a wheelchair. The report also points a way forward for the multi-billion dollar ride-hail industry to roll out wheelchair accessible vehicles and inclusive transportation for people with disabilities more broadly. It's a bit of an uncharacteristic kumbaya moment between old-school taxicab regulators and the tech transportation darlings, but one San Francisco Municipal Transportation Agency Director of Taxi and Accessible Services Kate Toran said is necessary to provide people with disabilities the service they need. "We take a positive view because we're trying to increase service on the street," Toran told the San Francisco Examiner. "Really, the end goal is to make sure the rider gets the service, that's what we stay focused on." The report also comes on the heels of recent workshops to implement Senate Bill 1376, authored by State Senator Jerry Hill (D-San Mateo), which implemented a 5-cent per-ride surcharge on ride-hails to set up a fund so Uber and Lyft could finally provide wheelchair accessible vehicles. The bill set up a process for the California Public Utilities Commission, to establish rules requiring ride-hails to provide rides to all Californians regardless of disabilities.


12:11

That's just Huawei it goes, shrugs founder as analysts forecast sales slump for embattled biz [The Register]

Don't worry, they have Plan Bs and spare tyres apparently

Analysts are predicting a big slump in sales for Huawei thanks to the US Department of Commerce and the ongoing trade wars.…

12:01

NASA Executive Quits Weeks After Appointment To Lead 2024 Moon Landing Plan [Slashdot]

A top NASA executive hired in April to guide strategy for returning astronauts to the moon by 2024 has resigned, the space agency said on Thursday, the culmination of internal strife and dwindling congressional support for the lunar initiative. From a report: Mark Sirangelo, named six weeks ago as special assistant to NASA Administrator Jim Bridenstine, left the agency as NASA abandoned a reorganization plan due to a chilly reception on Capitol Hill, Bridenstine said in a statement. His departure came after lawmakers rejected NASA's proposal to create a separate directorate within the space agency to oversee future lunar missions and ultimately develop human exploration of Mars. [...] Last week, the Trump administration asked Congress to increase NASA's spending next year by $1.6 billion as a "down payment" on the accelerated goal of landing Americans back on the moon by 2024, more than half a century after the end of the U.S. Apollo lunar program.


11:45

AMD Staging Another Fix To Try Correcting Some Raven Ridge Systems On Linux [Phoronix]

AMD Raven Ridge APUs have been out for more than one year now and at least under Linux can still be quite problematic depending upon the particular motherboard BIOS and other factors. Fortunately, while Raven 2 and Picasso APU support is appearing to be in better shape, the AMD open-source developers haven't forgot about these problematic Raven 1 systems...

11:20

Delivery App Orders Restaurants To Cook Almost Whatever You Want [Slashdot]

Russia's largest tech company is launching a delivery service that allows a customer to tell a restaurant what to cook, whether it's on the menu or not. From a report: Yandex NV will prepare meal kits with ingredients based on a customer's requested dish and send it to a nearby restaurant for cooking. Once the food is ready, Yandex couriers will handle delivery. Yandex has been rapidly expanding its delivery services. In 2017 it merged with Uber Technologies' Russian ride-hailing and food-ordering businesses. The new offering, which it calls a "cloud restaurant" service, mashes together Yandex.Eats, which delivers cooked food from restaurants, and Yandex.Chef, which already supplies meal kits for home cooking. For now, customers won't be able to create completely bespoke delicacies, but Yandex has created a list of hundreds of the most popular dishes among users of its food businesses, which will be priced typically for no more than 250 rubles ($3.86) per dish. The service will be initially available in Moscow and St. Petersburg.


10:40

Mobile Chrome, Safari and Firefox Failed To Show Phishing Warnings For More Than a Year [Slashdot]

An anonymous reader writes: For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week. "We identified a gaping hole in the protection of top mobile web browsers," the research team said. "Shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection." The issue only impacted mobile browsers that used the Google Safe Browsing link blacklisting technology. The research team -- consisting of academics from Arizona State University and PayPal staff -- notified Google of the problem, and the issue was fixed in late 2018. "Following our disclosure, we learned that the inconsistency in mobile GSB blacklisting was due to the transition to a new mobile API designed to optimize data usage, which ultimately did not function as intended," researchers said.


10:01

A Group of Independent Linux App Developers Has Asked Wider GNOME Community To 'Stop Theming' Its Apps [Slashdot]

The letter is addressed to the maintainers of Linux distributions who elect to ship custom GTK and icons themes by default in lieu of upstream defaults. From a report: By publicizing the issues they feel stem from the practice of "theming" it's hoped that distros and developers might work together to create a "healthier GNOME third party app ecosystem." So what's the actual rub here? It often feels like the ability to control how our desktop looks and works is part of some unwritten Linux constitution, one we're all secret adherents to. But theming on the GNOME platform isn't all it seems. It's not without complications or compromises. As superficial as these changes might seem, usability is actually more than skin deep. Now, elephant in the room time: many leading Linux distros use custom GTK themes and icon sets as a way create a brand identity for themselves; an experience that feels uniquely their own. This includes Ubuntu (with Ambiance and Yaru), Linux Mint (with Mint-X), Pop OS (with Pop GTK) and Manjaro.


10:00

HP's delayed Reverb: Jesus-headset dribbles out of the echo chamber and into the channel [The Register]

There were manufacturing problems! Oh, no there weren't! Oh, yes there were!

The great flagship hope of Windows Mixed Reality, the HP Reverb, has finally stumbled its way out the UK gate a month behind schedule.…

09:55

GNOME's Mutter Makes Another Step Towards X11-Less, Starting XWayland On-Demand [Phoronix]

GNOME 3.34 feature development continues at full-speed with a lot of interesting activity this cycle particularly on the Mutter front. On top of the performance/lag/stuttering improvements, today Mutter saw the merging of the "X11 excision" preparation patches...

09:20

Anti-Loot Box Bill Could Radically Change How Video Games Are Sold [Slashdot]

Democratic and Republican senators can hardly agree on what to order for lunch, but as of Thursday they seem to agree that the video game industry requires additional government oversight. From a report: Proposed legislation could ban loot boxes and other kinds of microtransactions, and its co-sponsors include members from both major parties. The devil is in the details, of course, and the bill itself could have far reaching implications for the game industry. The full text of the proposed bill is available online. Its intention is to "regulate certain pay-to-win microtransactions and sales of loot boxes." In order to do so, it first has to define what those things are. The bill says, "an add-on transaction to a interactive digital entertainment product that [...] eases a user's progression through content otherwise available within the game without the purchase of such transaction; assists a user in accomplishing an achievement within the game that can otherwise be accomplished without the purchase of such transaction; assists a user in receiving an award associated with the game that is otherwise available in association with the game without the purchase of such transaction; or permits a user to continue to access content of the game that had previously been accessible to the user but has been made inaccessible after the expiration of a timer or a number of gameplay attempts; or with respect to an interactive digital entertainment product that, from the perspective of a reasonable user of the product, is a game featuring competition with other users, provides a user with a competitive advantage with respect to the game's competitive aspects over users who do not make such a transaction." The only exclusions listed in the bill are additional difficulty modes, cosmetic items, and downloadable expansions. So, if a company wanted to charge for a new game plus mode, they could do that. 
Also, the sale of skins in Fortnite and new content expansions for The Elder Scrolls Online would be perfectly acceptable. But, these guidelines as written leave a lot open to interpretation. Would it call into question selling experience point boosters in games like Anthem, Destiny 2, and World of Tanks? What about the practice of selling access to characters in Mortal Kombat 11 and Apex Legends, and even new Champions in League of Legends? Do we get to the point where, somewhere in the future, senators are arguing whether or not a particular weapon or perk is overpowered and should not be for sale?


09:17

Rough quarter? Just blame falling sales on China and US trade tensions – right, HPE? [The Register]

Customers delay purchases amid uncertainty, claims CEO

HPE has blamed "trade tensions" between the US and China on customers delaying purchases amid the uncertainty as the company reported yet another quarter of declining sales.…

09:00

What do our IT pro readers make of virtualization in 2019? Here are the poll results, plus our insight and tips [The Register]

Download 'The Economics of Application Platforms' for free today

Sponsored  If you dig back through El Reg's archives to 2007 and 2008, you'll find a lot of coverage of how x86 virtualisation was changing the world. The name of the game was server consolidation, and IT teams were waking up to both the cost-saving benefits and the prospect of eliminating a lot of server admin drudgery.…

08:56

Vulkan 1.1.109 Released With Two New Intel Extensions [Phoronix]

Vulkan 1.1.109 was released today as the latest update to this graphics/compute specification ahead of the US holiday weekend...

08:41

World's First AI-Generated Whiskey Coming Later This Year [Slashdot]

Microsoft, best known for developing Windows, has a thirst for something new: whiskey. The tech giant is co-developing the world's first computer-generated blend using artificial intelligence. From a report: For centuries whiskey has been cultivated by craftsmen drawing on knowledge and experience passed through generations. Single-malts have long been considered superior to blends, which are made by combining a number of single malts. One of the world's most expensive single-malts, a Macallan 1946, sold at an auction for a $460,000, while a Chivas Regal Royal Salute blend, which was created in 2002 to celebrate the golden jubilee of Britain's Queen Elizabeth, has sold for $10,000 a bottle. But now Microsoft has teamed up with Swedish distillery Mackmyra and Finnish consultancy Fourkind to use what's being dubbed as the world's first "bionic blender" to create the perfect tipple. Machine learning analyzes existing recipes, sales data and customer preferences to generate a dataset of more than 70 million recipes that a robot predicts will be popular. While Microsoft's leap from software to spirits might raise eyebrows in the Highlands of Scotland, the American software giant says its digital distiller will not replace the expertise and knowledge of human experts.


08:10

Uber JUMPs at chance to dump load of electric bikes across Islington [The Register]

Trial starts in London borough with £25 fine for crap parking

From today folk in Islington, London, can hire an electric bike off Uber rather than a cab.…

08:01

Theresa May, Undone by Brexit, To Resign as UK Prime Minister [Slashdot]

Prime Minister Theresa May of Britain surrendered to mounting pressure from her lawmakers on Friday and said she would step aside as leader, after almost three years of trying and failing to lead Britain out of the European Union. From a report: Mrs. May said she would stand aside as leader of the Conservative Party on June 7, but remain as prime minister until a successor was chosen. Though she still has a little more time in Downing Street, the announcement puts an end to one of the most turbulent -- and at times shambolic -- premierships in recent British history. Her departure is likely to set off a vicious contest to succeed her within the governing Conservative Party. In truth, Mrs. May's rivals have been jockeying for position for months as her authority ebbed and lawmakers, and ultimately cabinet ministers, mutinied. Speaking outside 10 Downing Street, Mrs. May acknowledged that she had been unable to persuade lawmakers to support her plan to pull Britain out of the European Union, despite her best efforts. "I believe I was right to persevere, even when the odds against success seemed high," she said. "But it is now clear to me that it is in the best interests of the country for a new prime minister to lead that effort." Her failure to reach a deal, she said, would remain a matter of "deep regret." Voice cracking, she noted at the end that she was "the second female prime minister, but certainly not the last."


07:30

Murdoch-backed adtech startup Unlockd ditches Google lawsuit: That'll be £200k, ta very much [The Register]

Could have been a million times (or pounds) worse

A Murdoch-backed adtech startup that sued Google for anticompetitive behaviour has abandoned its lawsuit – and been landed with a £200,000 legal bill for its troubles.…

07:00

Intel SVP Gregory Bryant Opens Up On Project Athena Laptop Initiative [Slashdot]

MojoKid shares a report from HotHardware: Earlier this year, Intel revealed its Project Athena initiative and earlier this month gave us a broad overview on what to expect with future computing designs. Like Centrino (which brought laptops into the Wi-Fi age) and Ultrabooks (which touted the idea of thin and light premium laptops), Project Athena encompasses a collection of technologies and design goals that Intel hopes OEMs will employ when developing new products. At its heart, Intel is looking to help foster the introduction of premium laptops that adhere to specific key tenets, in an effort to enhance the PC user experience. "One of the things we've learned over the years is that a great PC experience means different things to different people, from gamers to content creators to office workers," said Gregory Bryant, Intel SVP and GM of Intel's Client Computing Group. "This is where you see us focusing. We want to give our partners everything they need to create incredible and differentiated PCs, purpose-built to what real people want." Powering these systems will be Intel's new 10nm Sunny Cove processor platform. Additional details regarding the use of 5G and harnessing AI to optimize software on the fly for common use cases were also disclosed. Intel noted the first round of Project Athena devices will launch in the latter half of 2019 and we should expect to see production ramp in 2020.


06:56

Benchmarking AMD FX vs. Intel Sandy/Ivy Bridge CPUs Following Spectre, Meltdown, L1TF, Zombieload [Phoronix]

Now with MDS / Zombieload being public and seeing an 8~10% performance hit in the affected workloads as a result of the new mitigations to these Microarchitectural Data Sampling vulnerabilities, what's the overall performance look like now if going back to the days of AMD FX Vishera and Intel Sandybridge/Ivybridge processors? If Spectre, Meltdown, L1TF/Foreshadow, and now Zombieload had come to light years ago would it have shaken that pivotal point in the industry? Here are benchmarks looking at the performance today with and without the mitigations to the known CPU vulnerabilities to date.

06:45

Coverage concerns dog UK Emergency Services Network as boss admits scheme too ambitious [The Register]

Civil servants hauled before spending watchdog again

The UK Home Office has had to once again explain the ongoing Emergency Services Network farrago as part of an inquiry by the Public Accounts Committee (PAC).…

06:11

Headsup for those managing Windows 10 boxen: Microsoft has tweaked patching rules [The Register]

One category to rule them all? Er, maybe not...

Administrators dealing with the rollout of Microsoft's latest and greatest Windows 10 were warned last night that some tinkering of their finely tuned setups would be required.…

05:44

Saturday Morning Breakfast Cereal - Automation [Saturday Morning Breakfast Cereal]




Hovertext:
There will be no softcover edition because it will only be touched by robot hands which are too powerful for flimsy cardstock covers.


Today's News:

Have I mentioned that my new book on immigration comes in an elegant hardcover edition?

05:09

Arm SVE2 Support Aligning For GCC 10, LLVM Clang 9.0 [Phoronix]

Given the significant performance benefits to Arm's Scalable Vector Extension 2 (SVE2), they are working on ensuring the open-source Linux compiler toolchains support these new CPU instructions ahead of SoCs shipping that support this big addition...

04:50

Ofcom to Openreach: Thou shalt prise open thy network for firms targeting biz customers [The Register]

Comms regulator demands BT sub lets more fibre cable layers access its poles and ducts

Updated  Ofcom has ordered BT's Openreach to open its telegraph poles and underground ducts to more companies wishing to lay their own fibre networks aimed at business customers.…

04:16

Gee, SEC, how did that get out?! 'Leaked' Tesla email claims big boost in Model 3 production [The Register]

Small comfort to Oracle's Larry Ellison, who's $420m *weyyy* poorer after ill-timed punt

A "leaked" email from Tesla boss Elon Musk to all employees claims the company is now making 900 Model 3 vehicles a day – a whisker (well, 11 per cent) away from its 1,000-a-day target.…

03:46

HP: Based on our Intel, don't hold your breath waiting for Chipzilla's CPU shortage to end [The Register]

PC maker's chief bean counter warns Wall Street moneymen of 'constraints' until at least calendar Q3

Intel was wrong, it seems. HP Inc, the world's second-largest PC maker, has forecast that Chipzilla's CPU shortages won't be over anytime soon – not until at least the third quarter.…

03:15

Let's make laptops from radium. How's that for planned obsolescence? [The Register]

Come on, guys, get a half-life

Something for the Weekend, Sir?  Its international reputation trashed by Brexit shenanigans, the UK government has been desperately trying to distract its citizens with a promise to extend the ban on single-use plastic products. It all began with disposable carrier bags. But now they're clutching at straws.…

03:00

A Rocket Built By Students Reached Space For the First Time [Slashdot]

In the early morning of April 21, 10 students from the University of Southern California's Rocket Propulsion Lab successfully launched a rocket above the Karman Line, the imaginary boundary that separates earth's atmosphere and space. As Wired reports, this is the first time a collegiate rocket has made it to space. The team may have successfully accomplished this feat last September with their Traveler III rocket, but the team "failed to activate the avionics payload, so none of its flight data got recorded." From the report: Like the Civilian Space Exploration Team, the USC lab focused on solid fuel rockets, which require far less complicated -- and dangerous -- motors than the liquid fuel rockets launched by SpaceX or Blue Origin. Some of the rockets being developed by the leaders of the collegiate space race have two stages, but the USC team opted for a single-stage rocket. If you're trying to get to orbit, which requires reaching speeds of more than 17,000 mph, a two-stage rocket is a must, so as to jettison the dead weight of empty propellant tanks. But for lower altitudes and speeds, a single-stage rocket can do the trick. In 2013, the USC rocket team attempted its first space shot with the Traveler I, which exploded just seconds after launch. A similar fate befell Traveler II, which was launched the following year. Clearly, it was time to make some changes. Following the failure of the first two Traveler rockets, the USC team began to develop the Fathom rocket and Graveler motor as testbeds for flight systems that would be used on subsequent space shots. The Fathom rocket was effectively a scaled-down version of the Traveler rocket that allowed the USC team to build multiple rockets in quick succession to see how the subsystems worked together. After extensive ground tests, the team's Fathom II rocket set a record when it reached an altitude of 144,000 feet in 2017. Other collegiate rocket teams had reached only about 100,000 feet. 
The time seemed ripe to attempt another spaceshot.


02:40

Want to train a dragon? You'll need 500 million files, 730TB of data, 54,000 CPU cores... [The Register]

DreamWorks picks Gremlin to weave digital marvels

DataStax Accelerate  Family favourite DreamWorks Animation has built a cloud platform powered by microservices that uses a graph database and Gremlin query language to guide the production of its films.…

02:10

Microsoft? Oh it's just another partnership, insists GitHub CEO [The Register]

We're a strong, independent company

"GitHub has to be both independent and neutral," CEO Nat Friedman said at the company's Satellite event in Berlin – despite its acquisition by Microsoft in October 2018.…

01:31

Gain clear visibility into your network with app intelligence from Gigamon: We chat to the biz about its tech [The Register]

A new way to ease your path to a digital transformation

Sponsored webcast  As applications grow increasingly numerous and complex, it becomes ever harder for organisations to maintain service delivery and ensure good security.…

01:30

Packit – auto-package your projects into Fedora [Fedora Magazine]


What is packit

Packit (https://packit.dev/) is a CLI tool that helps you auto-package your upstream projects into the Fedora operating system. But what does it really mean?

As a developer, you might want to add or update your package in Fedora. If you’ve done it in the past, you know it’s no easy task. If you haven’t, let me reiterate: it’s no easy task.

And this is exactly where packit can help: with just one configuration file in your upstream repository, packit will automatically package your software into Fedora and update it when you update your source code upstream.

Furthermore, packit can synchronize downstream changes to a SPEC file back into the upstream repository. This could be useful if the SPEC file of your package is changed in Fedora repositories and you would like to synchronize it into your upstream project.

Packit also provides a way to build an SRPM package based on an upstream repository checkout, which can be used for building RPM packages in COPR.

Last but not least, packit provides a status command. This command provides information about the upstream and downstream repositories, such as pull requests, releases and more.

Packit also provides two more commands: build and create-update.

The command packit build performs a production build of your project in the Fedora build system, Koji. You can select the Fedora version you want to build against using the option --dist-git-branch. The command packit create-update creates a Bodhi update for the specific branch using the option --dist-git-branch.

Installation

You can install packit on Fedora using dnf:

sudo dnf install -y packit

Configuration

For the demonstration, I have selected the upstream repository of colin (https://github.com/user-cont/colin). Colin is a tool to check generic rules and best practices for containers, dockerfiles, and container images.

First of all, clone the colin git repository:

$ git clone https://github.com/user-cont/colin.git
$ cd colin

Packit expects to run in the root of your git repository.

Packit (https://github.com/packit-service/packit/) needs information about your project, which has to be stored in the upstream repository in the .packit.yaml file (https://github.com/packit-service/packit/blob/master/docs/configuration.md#projects-configuration-file).

See colin’s packit configuration file:

$ cat .packit.yaml
specfile_path: colin.spec
synced_files:
  - .packit.yaml
  - colin.spec
upstream_project_name: colin
downstream_package_name: colin

What do the values mean?

  • specfile_path – a relative path to a spec file within the upstream repository (mandatory)
  • synced_files – a list of relative paths to files in the upstream repo which are meant to be copied to dist-git during an update
  • upstream_project_name – name of the upstream repository (e.g. in PyPI); this is used in %prep section
  • downstream_package_name – name of the package in Fedora (mandatory)

For more information see the packit configuration documentation (https://github.com/packit-service/packit/blob/master/docs/configuration.md)

What can packit do?

A prerequisite for using packit is that you are in the working directory of a git checkout of your upstream project.

Before running any packit command, you need to set up several credentials. They are mandatory for filing a PR into the upstream or downstream repositories and for access to the Fedora dist-git repositories.

Export a GitHub token taken from https://github.com/settings/tokens:

$ export GITHUB_TOKEN=<YOUR_TOKEN>

Obtain the Kerberos ticket needed for the Fedora Account System (FAS):

$ kinit <yourname>@FEDORAPROJECT.ORG

Export your Pagure API keys taken from https://src.fedoraproject.org/settings#nav-api-tab:

$ export PAGURE_USER_TOKEN=<PAGURE_USER_TOKEN>

Packit also needs a fork token to create a pull request. The token is taken from https://src.fedoraproject.org/fork/YOU/rpms/PACKAGE/settings#apikeys-tab

Do it by running:

$ export PAGURE_FORK_TOKEN=<PAGURE_FORK_TOKEN>

Or store these tokens in the ~/.config/packit.yaml file:

$ cat ~/.config/packit.yaml

github_token: <GITHUB_TOKEN>
pagure_user_token: <PAGURE_USER_TOKEN>
pagure_fork_token: <PAGURE_FORK_TOKEN>
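A pre-flight check for the credentials listed above, as an added example that is not part of packit: it reports tokens that are missing or still hold a `<...>` placeholder, flags a token file that other local users can read, and checks for a Kerberos ticket with `klist -s`. It tests presence only; which source packit prefers when a token is set in both places is not stated here.

```python
import os
import shutil
import stat
import subprocess

# Environment variable -> key in ~/.config/packit.yaml, as named in the text.
TOKENS = {
    "GITHUB_TOKEN": "github_token",
    "PAGURE_USER_TOKEN": "pagure_user_token",
    "PAGURE_FORK_TOKEN": "pagure_fork_token",
}
DEFAULT_CONFIG = os.path.expanduser("~/.config/packit.yaml")


def read_tokens(path):
    """Return the 'key: value' pairs of the user config, or {} if it is absent."""
    tokens = {}
    try:
        with open(path, encoding="utf-8") as handle:
            for line in handle:
                key, sep, value = line.partition(":")
                if sep and value.strip():
                    tokens[key.strip()] = value.strip()
    except FileNotFoundError:
        pass
    return tokens


def has_kerberos_ticket():
    """True/False from 'klist -s' (silent, exit status only); None without klist."""
    if shutil.which("klist") is None:
        return None
    return subprocess.run(["klist", "-s"], check=False).returncode == 0


def preflight(environ=None, config_path=DEFAULT_CONFIG, check_kerberos=True):
    """Return a list of findings; an empty list means packit has what it needs."""
    environ = os.environ if environ is None else environ
    stored = read_tokens(config_path)
    findings = []
    for env_name, key in TOKENS.items():
        value = environ.get(env_name) or stored.get(key)
        if not value:
            findings.append(
                f"{env_name}: not exported and no {key} in {config_path}")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{env_name}: still holds the placeholder {value}")
    # A file that stores tokens should be readable by its owner only.
    if any(key in stored for key in TOKENS.values()):
        mode = stat.S_IMODE(os.stat(config_path).st_mode)
        if mode & 0o077:
            findings.append(
                f"{config_path}: mode {mode:03o} exposes the tokens to other "
                "users; run chmod 600")
    if check_kerberos and has_kerberos_ticket() is False:
        findings.append(
            "Kerberos: no valid ticket; run kinit <yourname>@FEDORAPROJECT.ORG")
    return findings


if __name__ == "__main__":
    problems = preflight()
    for problem in problems:
        print("FAIL", problem)
    raise SystemExit(1 if problems else 0)
```

Tokens exported on the command line also land in shell history, so the owner-only config file is usually the safer of the two options.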

Propose a new upstream release in Fedora

The command for this first use case is called propose-update (https://github.com/jpopelka/packit/blob/master/docs/propose_update.md). The command creates a new pull request in the Fedora dist-git repository using a selected or the latest upstream release.

$ packit propose-update

INFO: Running 'anitya' versioneer
Version in upstream registries is '0.3.1'.
Version in spec file is '0.3.0'.
WARNING  Version in spec file is outdated
Picking version of the latest release from the upstream registry.
Checking out upstream version 0.3.1
Using 'master' dist-git branch
Copying /home/vagrant/colin/colin.spec to /tmp/tmptfwr123c/colin.spec.
Archive colin-0.3.0.tar.gz found in lookaside cache (skipping upload).
INFO: Downloading file from URL https://files.pythonhosted.org/packages/source/c/colin/colin-0.3.0.tar.gz
100%[=============================>]     3.18M  eta 00:00:00
Downloaded archive: '/tmp/tmptfwr123c/colin-0.3.0.tar.gz'
About to upload to lookaside cache
won't be doing kinit, no credentials provided
PR created: https://src.fedoraproject.org/rpms/colin/pull-request/14

Once the command finishes, you can see a PR in the Fedora Pagure instance which is based on the latest upstream release. Once you review it, it can be merged.

Sync downstream changes back to the upstream repository

Another use case is to sync downstream changes into the upstream project repository.

The command for this purpose is called sync-from-downstream (https://github.com/jpopelka/packit/blob/master/docs/sync-from-downstream.md). The files synced into the upstream repository are those listed in the .packit.yaml configuration file under the synced_files value.

$ packit sync-from-downstream

upstream active branch master
using "master" dist-git branch
Copying /tmp/tmplvxqtvbb/colin.spec to /home/vagrant/colin/colin.spec.
Creating remote fork-ssh with URL git@github.com:phracek/colin.git.
Pushing to remote fork-ssh using branch master-downstream-sync.
PR created: https://github.com/user-cont/colin/pull/229

As soon as packit finishes, you can see the latest changes taken from the Fedora dist-git repository in the upstream repository. This can be useful, e.g. when Release Engineering performs mass-rebuilds and they update your SPEC file in the Fedora dist-git repository.

Get the status of your upstream project

If you are a developer, you may want to get all the information about the latest releases, tags, pull requests, etc. from the upstream and the downstream repository. Packit provides the status command for this purpose.

$ packit status
Downstream PRs:
  ID  Title                             URL
----  --------------------------------  ---------------------------------------------------------
  14  Update to upstream release 0.3.1  https://src.fedoraproject.org//rpms/colin/pull-request/14
  12  Upstream pr: 226                  https://src.fedoraproject.org//rpms/colin/pull-request/12
  11  Upstream pr: 226                  https://src.fedoraproject.org//rpms/colin/pull-request/11
   8  Upstream pr: 226                  https://src.fedoraproject.org//rpms/colin/pull-request/8

Dist-git versions:
f27: 0.2.0
f28: 0.2.0
f29: 0.2.0
f30: 0.2.0
master: 0.2.0

GitHub upstream releases:
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0

Latest builds:
f27: colin-0.2.0-1.fc27
f28: colin-0.3.1-1.fc28
f29: colin-0.3.1-1.fc29
f30: colin-0.3.1-2.fc30

Latest bodhi updates:
Update                Karma  status
------------------  ------- --------
colin-0.3.1-1.fc29        1  stable
colin-0.3.1-1.fc28        1  stable
colin-0.3.0-2.fc28        0  obsolete

Create an SRPM

The last packit use case is to generate an SRPM package based on a git checkout of your upstream project. The packit command for SRPM generation is srpm.

$ packit srpm
Version in spec file is '0.3.1.37.g00bb80e'.
SRPM: /home/phracek/work/colin/colin-0.3.1.37.g00bb80e-1.fc29.src.rpm

Packit as a service

In the summer, the people behind packit would like to introduce packit as a service (https://github.com/packit-service/packit-service). In this case, the packit GitHub application will be installed into the upstream repository and packit will perform all the actions automatically, based on the events it receives from GitHub or fedmsg.

01:26

XWayland Receive An EGL-Based GLX Provider, Helping Various Games On Linux [Phoronix]

A notable improvement was merged into the "xserver" Git tree for the eventual X.Org Server 1.21 release that will improve the support for various Linux games relying on XWayland for running under a Wayland compositor...

01:10

Never let something so flimsy as a locked door to the computer room stand in the way of an auditor on the warpath [The Register]

Employees kicking down the doors? Happens all the time, guv

On Call  It's Friday! And Friday means beer, bacon and basking in the glow of another's misfortune thanks to The Register's regular On Call column.…

Thursday, 23 May

23:18

GNU Binutils Begins Landing eBPF Support [Phoronix]

The GNU Binutils is finally getting wired up around the Extended BPF (eBPF) as the modern, in-kernel virtual machine that stretches the Berkeley Packet Filter beyond the networking subsystem...

23:08

SpaceX Launches 60 Starlink Satellites On Thrice-Flown Rocket, Sticks Landing [Slashdot]

SpaceX's fifth Falcon 9 rocket of the year successfully launched from Cape Canaveral this evening, sending 60 internet-beaming satellites into space. Space.com reports: Following the successful launch, the rocket's first stage gently touched down on a floating platform at sea, marking the company's 40th booster recovery. It was the third flight for this particular booster, marking just the second time SpaceX has flown a Falcon 9 first stage more than twice. The third time was a charm for SpaceX as the Falcon 9 lifted off at 10:30 p.m. EDT (0230 GMT on May 24) from Space Launch Complex 40 at Florida's Cape Canaveral Air Force Station here, following several delays: first a 24-hour delay due to high upper-level winds on May 15, and then a weeklong delay so SpaceX could give the onboard satellites a software upgrade. Tucked inside the rocket's nose cone were 60 satellites -- the first batch of SpaceX's Starlink megaconstellation, which the company hopes will help provide affordable internet coverage to the world. Each of the Starlink satellites weighs 500 lbs. (227 kg). The 60-spacecraft haul is the heaviest payload that a Falcon 9 has yet hoisted to orbit, SpaceX representatives have said. The aerospace company plans to launch nearly 12,000 of these satellites in total, "which will park themselves in low-Earth orbit and beam internet coverage to the world below," the report says. "There will be two Starlink flocks: one constellation of 4,409 satellites and a second constellation of 7,518 satellites, according to an agreement with the FCC." The one caveat is that the FCC approvals require SpaceX to launch half of the planned satellites within the next six years.

Read more of this story at Slashdot.

22:12

OpenGL 4.6 / SPIR-V Support Might Be Inching Closer For Mesa Drivers [Phoronix]

We're quickly approaching the two year anniversary of the OpenGL 4.6 release and it's looking like the Intel/RadeonSI drivers might be inching towards the finish line for that latest major revision of the graphics API...

21:30

Synthesizer Pioneer Bob Moog Gets His Own 'Moogseum' [Slashdot]

harrymcc writes: In the 1960s, Bob Moog helped invent electronic music as we know it by popularizing the synthesizer. He died in 2005, but Moog synthesizers are still widely used by top musical acts. And now his life, work, and legacy are the subject of a new museum in Asheville, NC, his hometown. Over at Fast Company, Sean Captain took a look at the museum, Moog's accomplishments, and the history of music produced with his instruments -- from the classical blockbuster "Switched-On Bach" onwards.

20:10

GitHub Launches Sponsors, Lets You Pay Your Favorite Open-Source Contributors [Slashdot]

GitHub today launched Sponsors, a new tool that lets you give financial support to open-source developers through recurring monthly payments. Developers will be able to opt into having a "Sponsor me" button on their GitHub repositories and open-source projects will also be able to highlight their funding models, no matter whether that's individual contributions to developers or using Patreon, Tidelift, Ko-fi or Open Collective. TechCrunch reports: The mission here, GitHub says, is to "expand the opportunities to participate in and build on open source." That's likely to be a bit controversial among some open-source developers who don't want financial interests to influence what people will work on. And there may be some truth to that as this may drive open-source developers to focus on projects that are more likely to attract financial contributions over more esoteric projects that are interesting and challenging but aren't likely to find financial backers on GitHub. The program is only open to open-source developers. During the first year of a developer's participation, GitHub (and by extension, its corporate overlords at Microsoft) will also match up to $5,000 in contributions. For the next 12 months, GitHub won't charge any payment processing fees either (though it will do so after this time is over). GitHub tells me that developers will be able to set up multiple sponsorship tiers with benefits that can be set by the developer, too. In many ways, then, this isn't all that different from sponsoring a Twitch streamer, for example, with monthly payments and special benefits depending on how much you pay.

19:30

Third time's a charm? SpaceX hopes to launch 60 Starlink broadband sats into orbit tonight [The Register]

At 13,620 kilograms, it's the heaviest payload yet for the Elon Musk-run biz

Updated  SpaceX’s Falcon 9 rocket could be lobbing 60 Starlink satellites, the company's heaviest payload yet, this Thursday evening.…

19:30

Senate Passes Bill Cracking Down On Robocalls [Slashdot]

The Senate on Thursday passed a bill that aims to crack down on unwanted robocalls. "The legislation would impose stiffer fines of as much as $10,000 per call on robocallers who knowingly flout the rules on calls and would increase the statute of limitations to three years, up from one year," reports CNN. "It also instructs the Federal Communications Commission to develop further regulations that could shield consumers from unwanted calls." From the report: The legislation would accelerate the rollout of so-called "call authentication" technologies the industry is currently developing, which could cut down on the number of calls coming from unverified numbers. Proponents say the new industry standards -- known as SHAKEN/STIR -- could increase phone users' confidence in their caller ID. The protocols are designed to authenticate callers who are using their rightful phone numbers and to eliminate calls from spammers who are using phone numbers they don't rightfully own. The legislation passed the Senate 97-1, with Republican Sen. Rand Paul of Kentucky casting the lone dissenting vote. The legislation must still pass the House and be signed by President Donald Trump. Senate Minority Leader Chuck Schumer urged House lawmakers to vote on the bill immediately. The legislation's passage follows a move by the FCC last week to clarify that phone companies may legally block unwanted robocalls and can even apply the technologies to their customers' accounts by default. But lawmakers want the FCC to do more.

19:29

Valve's Proton Pulls In Latest DXVK, Steam Networking Updates, Controller Layout Fixes [Phoronix]

The Valve developers maintaining their Proton fork of Wine for use by Steam Play have outed a new update, version 4.2-5...

18:50

Deepfakes Can Now Be Made From a Single Photo [Slashdot]

Samsung has developed a new artificial intelligence system for creating deepfakes -- fabricated clips that make people appear to do or say things they never did -- that only needs as little as one photo. CNET reports: The technology, of course, can be used for fun, like bringing a classic portrait to life. The Mona Lisa, whose enigmatic smile is animated in three different videos to demonstrate the new technology, exists solely as a single still image. A Samsung artificial intelligence lab in Russia developed the technology, which was detailed in a paper earlier this week. Here's the downside: These kinds of techniques and their rapid development also create risks of misinformation, election tampering and fraud, according to Hany Farid, a Dartmouth researcher who specializes in media forensics to root out deepfakes. The system starts with a lengthy "meta-learning stage" in which it watches lots of videos to learn how human faces move. It then applies what it's learned to a single still or a small handful of pics to produce a reasonably realistic video clip. Unlike a true deepfake video, the results from a single or small number of images fudge when reproducing fine details. For example, a fake of Marilyn Monroe in the Samsung lab's demo video missed the icon's famous mole, according to Siwei Lyu, a computer science professor at the University at Albany in New York who specializes in media forensics and machine learning. It also means the synthesized videos tend to retain some semblance of whoever played the role of the digital puppet. That's why each of the moving Mona Lisa faces looks like a slightly different person. [...] The glitches in the fake videos made with Samsung's new approach may be clear and obvious. But they'll be cold comfort to anybody who ends up in a deepfake generated from that one smiling photo posted to Facebook.

18:10

5G Could Mean Less Time To Flee a Deadly Hurricane, Heads of NASA and NOAA Warn [Slashdot]

An anonymous reader quotes a report from The Verge: As reported by The Washington Post and CNET, the heads of NASA and the National Oceanic and Atmospheric Administration (NOAA) warn [5G wireless networks] could set back the world's weather forecasting abilities by 40 years -- reducing our ability to predict the path of deadly hurricanes and the amount of time available to evacuate. It's because one of the key wireless frequencies earmarked for speedy 5G millimeter wave networks -- the 24 GHz band -- happens to be very close to the frequencies used by microwave satellites to observe water vapor and detect those changes in the weather. They have the potential to interfere. And according to NASA and NOAA testimony, they could interfere to the point that it delays preparation for extreme weather events. Last week, acting NOAA head Dr. Neil Jacobs told the House Subcommittee on the Environment that based on the current 5G rollout plan, our satellites would lose approximately 77 percent of the data they're currently collecting, reducing our forecast ability by as much as 30 percent. "If you looked back in time to see when our forecast skill was 30 percent less than today, it's somewhere around 1980. This would result in the reduction of hurricane track forecast lead time by roughly 2 to 3 days," he said. If we hadn't had that data, Jacobs added, we wouldn't have been able to predict that the deadly Hurricane Sandy would hit. A European study showed that with 77 percent less data, the model would have predicted the storm staying out at sea instead of making landfall. Jacobs said later that we currently have no other technologies to passively observe water vapor and make these more accurate predictions. On April 19th, NASA administrator Jim Bridenstine made similar comments to the House Science Committee. "That part of the electromagnetic spectrum is necessary to make predictions as to where a hurricane is going to make landfall," he told the committee. 
"If you can't make that prediction accurately, then you end up not evacuating the right people and/or you evacuate people that don't need to evacuate, which is a problem."

18:09

Clear Linux Discovers Another AVX2/AVX512 Fix/Optimization To Yield Better Performance [Phoronix]

For those running a system with AVX-512 support, Clear Linux builds as of this week should be yielding even better performance on top of their existing AVX2 and AVX-512 optimizations...

17:45

Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online [The Register]

Perceptics confirms intrusion and theft, stays quiet on details

Exclusive  The maker of vehicle license plate readers used extensively by the US government and cities to identify and track citizens and immigrants has been hacked. Its internal files were pilfered, and are presently being offered for free on the dark web to download.…

17:30

Panasonic 'Suspends Transactions' With Huawei After US Ban [Slashdot]

Japan's Panasonic has said it is scrutinizing whether any of its products break U.S. restrictions on trading with Huawei. "Panasonic announced in [an] internal notification that it should suspend transactions with Huawei and its 68 affiliates that were banned by the U.S. government," the company said in a statement provided to the BBC. From the report: Panasonic caused confusion earlier by appearing to announce that it had suspended business with Huawei. But it later said that business operations that were not in breach of U.S. regulations would continue to trade normally with Huawei. "Panasonic will continue to strictly abide by the laws and regulations of the countries and regions in which we conduct business," it said.

17:07

AI can now animate the Mona Lisa's face or any other portrait you give it. We're not sure we're happy with this reality [The Register]

Warning: It's creepy AF – and your pic is next

Video  AI code can breathe life into portrait paintings, photos of dead celebrities, and your Facebook selfies, transforming single still images into moving and talking heads.…

16:50

Elon Musk's Boring Company Wins Contract To Build Las Vegas Tunnel [Slashdot]

Elon Musk's Boring Company now has a paying customer. "Late Wednesday, the board of directors of the Las Vegas Conventions and Visitors Authority voted to grant a $48,675,000 contract to the Boring Company to build a 0.83-mile, three-station version of the company's Loop mass-transit system inside of Vegas' sprawling, revamped convention center, which is currently under construction," reports Wired. From the report: As previously outlined by BoCo, the Loop system is made up of 8- to 16-passenger battery-powered autonomous electric vehicles, built to shoot people from station to station at speeds of up to 150 mph. This Las Vegas system is slated to transport at least 4,400 passengers per hour between the center's new exhibit and south halls, about a 20-minute walk by foot. The Boring Company has also pledged to build an escalator or elevator system for each of the three stations, pedestrian entrances and exits, tunnel lighting, power and video surveillance systems, a control room, and cell phone, Wi-Fi, intercom, and ventilation systems. The convention center hopes to time the opening of the Loop with the 2021 Consumer Electronics Show. Las Vegas Mayor Carolyn Goodman was the only board member to vote against granting the Boring Company its bid. During the bidding process, Goodman had asked fellow board members to consider a more expensive proposal from another company, Doppelmayr. "Doppelmayr has been in existence for 125 years," Goodman wrote in a letter, according to the Las Vegas Sun. "They already have projects here that are operating successfully. The Boring Co. is 3 years old and has yet to deliver a final package on anything." Goodman's office did not immediately respond to a request for comment.

16:18

Facebook removes about as many fake accounts as it has actual monthly users (yes, billions) in effort to clean up online [The Register]

Social ad biz details effort to cleanse community

Analysis  Just as the US Environmental Protection Agency allows up to 9 mg of rodent waste per kilogram of wheat and 0.15 μg/m3 of lead in the air over three months, Facebook expects toxic content will always be a part of its service.…

16:10

Comcast Does So Much Lobbying That It Says Disclosing It All Is Too Hard [Slashdot]

An anonymous reader quotes a report from Ars Technica: Comcast may be harming its reputation by failing to reveal all of its lobbying activities, including its involvement in trade associations and lobbying at the state level, a group of shareholders says in a proposal that asks for more lobbying disclosures. Comcast's disclosures for its lobbying of state governments "are often cursory or non-existent," and Comcast's failure to disclose its involvement in trade associations means that "investors have neither an accurate picture of the company's total lobbying expenditures nor an understanding of its priorities, interests, or potential risks from memberships," the proposal said. "Comcast's lack of transparency around its lobbying poses risks to its already troubled reputation, which is concerning in a highly regulated industry, especially given the rise of public Internet alternatives." The proposal is on the ballot for Comcast's June 5 annual shareholder meeting and was filed by Friends Fiduciary, which "invest[s] based on Quaker values" and says it "actively screen[s] companies for social responsibility." Friends Fiduciary and other investors who joined the proposal collectively hold "over 1 million shares of Comcast stock," they said. The shareholder resolution would be non-binding even if it passed. It asks for an annual report disclosing, among other things, "Payments by Comcast used for (a) direct or indirect lobbying or (b) grassroots lobbying communications" and information on "Comcast's membership in and payments to any tax-exempt organization that writes and endorses model legislation." Comcast's board unanimously recommended that shareholders vote against the Friends Fiduciary resolution, saying that Comcast "already disclose[s] most of our government lobbying interactions" as required by law. 
"[O]ur Board believes that the requirements in this proposal are burdensome and an unproductive use of our resources and are not in the best interests of our shareholders," Comcast said in a rebuttal included in its proxy statement.

16:00

Rust 1.35 Released With Support For Empty Debug Macro, ~4x Faster ASCII Case Conversions [Phoronix]

Version 1.35 of the Rust programming language implementation was released today with a variety of different usability and convenience improvements...

15:51

WikiLeaks boss Assange acted as a foreign spy, Uncle Sam exclaims in fresh rap sheet [The Register]

Prosecutors try to paint a line between journos and internet dump lord in case with significant free speech implications

Julian Assange has been formally accused by the US government of breaking the Espionage Act, expanding the legal case against him and raising significant free speech issues.…

15:41

GNOME 3.34's Mutter Gets Important Fix To Avoid Stuttering / Frame Skips [Phoronix]

In addition to GNOME's Mutter compositor / window manager seeing an important fix recently lowering the output lag under X11 so it matches GNOME's Wayland performance, another important Mutter fix also landed...

15:30

Facebook Removed 2.2 Billion Fake Accounts This Year [Slashdot]

Facebook released its community standards enforcement report Thursday morning, offering a much more in-depth look at the inner workings of the company than previously seen. From a report: One of the most surprising insights came from Facebook's removal of fake accounts. The company said it removed 2.2 billion accounts in the first quarter of 2019. That's a jump of nearly double compared to the fourth quarter of 2018 when 1.2 billion accounts were removed. That number seems astronomical, especially when considering that Facebook says it has 2.38 billion monthly active users overall. The reason that the social network can boast nearly as many removals as it has active users is that it typically finds and removes bogus accounts within minutes of them signing up. As a result, Facebook estimates that only 5% of its monthly active users are fake.

14:50

Mark Zuckerberg Dismisses Calls To Break Up Facebook [Slashdot]

Facebook CEO Mark Zuckerberg on Thursday rebuffed calls for the company to be broken up over competition concerns, disputing claims the firm has grown too dominant. From a report: During a call with reporters, Zuckerberg was pressed to address recent calls from Democratic officials and one Facebook co-founder for federal regulators to force the company to spin off WhatsApp and Instagram, previously acquired in two blockbuster deals. "I think it kind of almost goes without saying that we exist in a very competitive and dynamic environment where new services are constantly coming up," Zuckerberg said. He later disputed arguments that the company has grown too dominant as an advertising player as "a little stretched," noting the company controls just around a fifth of the global digital ad market. "I don't really think that the remedy of breaking up the company is going to address those," he said. "I actually think it's going to make it a lot harder." Further reading: Facebook's Sheryl Sandberg: Chinese Tech Companies Are Also Powerful, and Will Not Be Broken Up.

14:44

Why telcos 'handed over' people's GPS coords to a bounty hunter: He just had to ask nicely [The Register]

Privacy slip allegations dog US cellular network giants... while FCC twiddles its thumbs

A bounty hunter was able to get the live location of a number of different individuals from American cellphone networks through a single phone call, it is claimed.…

14:19

Julian Assange Charged in 18-Count Indictment For WikiLeaks Disclosures [Slashdot]

Julian Assange was charged Thursday in an 18-count superseding indictment for his role in orchestrating the 2010 WikiLeaks disclosures, described by the U.S. government as "one of the largest compromises of classified information in the history of the United States." From a report: According to the Justice Department, the new charges from a federal grand jury in the Eastern District of Virginia allege that "Assange's actions risked serious harm to United States national security to the benefit of our adversaries." According to the DOJ announcement, Assange faces a maximum penalty of 10 years in prison on each charge with the exception of one charge related to conspiracy to commit computer intrusion. Assange was previously indicted in April on a single-count conspiracy to commit computer intrusion charge for his role in Chelsea Manning's disclosure of classified materials made public by WikiLeaks in 2010, which the government has called "one of the largest compromises of classified information in the history of the United States."

14:04

Ubuntu 19.10 To Bundle NVIDIA's Proprietary Driver Packages As Part Of Its ISO [Phoronix]

For Ubuntu 19.10 the developers are adding the NVIDIA driver packages onto the ISO. The NVIDIA binary drivers won't be activated by default, but will be present on the install media to make it easier to enable post-install...

13:53

Snapchat Employees Abused Data Access To Spy on Users [Slashdot]

Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard reported on Thursday. From the report: Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story). [...] Although Snap has introduced strict access controls to user data and takes abuse and user privacy very seriously according to several sources, the news highlights something that many users may forget: behind the products we use every day there are people with access to highly sensitive customer data, who need it to perform essential work on the service. But, without proper protections in place, those same people may abuse it to spy on users' private information or profiles.

13:30

Many Google Duplex Calls Are From Real People Instead of AI [Slashdot]

Google's Duplex reservations might be more widely available, but that doesn't mean the AI is ready to handle every call. From a report: The company has confirmed to the New York Times that about 25 percent of the Assistant-based calls start with a human in a call center, while 15 percent require human intervention. In the newspaper's tests, the ratio was higher -- real people completed three out of four of their successful bookings. There are multiple reasons for relying on the human touch. In one case, Duplex didn't appear to pick up the cues that reservations were available. It may also need training on more real-world calls before it can handle every situation. More importantly, the company argued that it was taking a cautious approach. It wants to treat businesses with respect, and that means gradually transitioning to the AI as it becomes better-suited to dealing with staff.

13:13

ZFS On Linux 0.8 Released With Native Encryption, TRIM, Device Removal [Phoronix]

The feature-packed and long-desired ZFS On Linux 0.8 release has finally taken place! ZoL 0.8 is out there!..

12:50

Redditor Allowed To Stay Anonymous, Court Rules [Slashdot]

Online free speech has been given a victory, with a federal court ruling that a Redditor can remain anonymous in a copyright lawsuit. From a report: This means anyone from around the globe who posts on Reddit can still rely on First Amendment protections for anonymous free speech, because Reddit is a US platform with a US audience. The Electronic Frontier Foundation fought on behalf of Reddit commenter Darkspilver, a Jehovah's Witness who posted public and internal documents from The Watch Tower Bible and Tract Society online. Watch Tower subpoenaed Reddit to provide identity information on Darkspilver for the court case, but the EFF filed a motion to quash this, citing "deep concerns that disclosure of their identity would cause them to be disfellowshipped by their community." In February 2019, Darkspilver posted an advertisement by the Jehovah's Witness organization that asks for donations, as well as a chart showing what personal data the organization keeps. Watch Tower said both of these were copyrighted items. The Redditor argued it was fair use, because he posted the ad for commentary and criticism purposes.

12:13

Antergos Linux Has Been Discontinued [Slashdot]

Suren Enfiajyan writes: An Arch Linux based distribution, Antergos, has been discontinued. The project's primary goal was to make Arch Linux available to a wider audience of users by providing a streamlined, user friendly experience including a safe place for users to communicate, learn, and help one another. There have been 931,439 unique downloads of Antergos Linux since 2014. The primary reason for ending support for it was that the developers no longer have enough free time to properly maintain the distribution. They came to this decision because they believe that continuing to neglect the project would be a huge disservice to the community. Taking this action now, while the project's code still works, provides an opportunity for interested developers to take what they find useful and start their own projects. For existing Antergos users: there is no need to worry about installed systems as they will continue to receive updates directly from Arch. Soon, an update will be released that will remove the Antergos repos from system along with any Antergos-specific packages that no longer serve a purpose due to the project ending. Once that is completed, any packages installed from the Antergos repo that are in the AUR will begin to receive updates from there. The Antergos Forum and Wiki will continue to be available until such time it becomes clear that users have moved on to other projects.

11:38

Wikipedia To Fight Turkey Ban in European Human Rights Court [Slashdot]

Wikimedia, the foundation that runs Wikipedia, said Thursday it had filed a lawsuit with the European Court of Human Rights to lift Turkey's two-year block on the online encyclopedia. From a report: Wikipedia said the ban violates fundamental freedoms, including the right to freedom of expression, which is guaranteed under the European Convention. The application, which was announced today during a press call, comes after Wikipedia's "continued and exhaustive" attempts to overturn the ban in Turkish courts failed to bear fruit. "Wikipedia is a global resource that everyone can be actively part of shaping," said Katherine Maher, Wikimedia executive director. "It is through this collective process of writing and rewriting and debate that Wikipedia becomes more useful, more comprehensive, and more representative. It is also through this process that we, a global society, establish a more comprehensive consensus on how we see the world." Turkey rolled out a blanket ban on Wikipedia citing national security concerns, in a move that has been widely condemned as a crackdown on free speech.

11:07

ZombieLoad Mitigation Costs For Intel Haswell Xeon, Plus Overall Mitigation Impact [Phoronix]

With tests over the past week following the disclosure of the Microarchitectural Data Sampling (MDS) vulnerabilities, also known as "Zombieload", we've looked at the MDS mitigation costs (and now the overall Spectre/Meltdown/L1TF/MDS impact) for desktop CPUs, servers, and some laptop hardware. I've also begun doing some tests on older hardware, as some Phoronix readers are curious how aging Intel Haswell CPUs are affected...

10:50

Rotten Tomatoes Tackles Review Bombing By Requiring Users To Verify Ticket Purchase Before Rating a Film [Slashdot]

More changes are coming to review site Rotten Tomatoes. As of Thursday, the audience score for new movies added to the site will default to show ratings from fans confirmed to have purchased tickets to those films. From a report: "The goal is to strengthen consumer confidence around that audience score," said Greg Ferris, vice president of product for Rotten Tomatoes' parent company, Fandango. Here's how it'll work: Any site user will still be able to write a review of a film. But now users can opt to have their rating and review marked as "verified." That means they bought their film ticket on Fandango, the movie-ticketing site that owns Rotten Tomatoes. Later this year, AMC Theatres and Regal and Cinemark ticketing sites will also be participating. So if you buy your ticket for Aladdin at the box office, for example, sorry, but you can't get verified for that review. (At least for now: Dana Benson, Fandango vice president for communications, says that the site is "exploring options" for ways to verify box office purchases.) Reviews associated with a ticket purchase will be marked with a "verified" icon. By default, the verified reviews will be used to make up the audience score shown on Rotten Tomatoes. To see the total audience score, including reviews by those who didn't purchase through Fandango or didn't opt in to the verification, users can select the "all audience" tab. "Every rating counts, but the score that we're putting out there is verified," Ferris said. The Rotten Tomatoes site will automatically verify that a ticket was purchased and that the time for that movie showing has already passed. For now, only one verified review will be allowed per transaction, no matter how many tickets were purchased.

10:10

Walmart Debuts Three Sub-$100 Tablets With Google Services [Slashdot]

Walmart is rolling out three Android-powered tablets this week, all priced under $100. From a report: The devices, under Walmart's Onn store brand, include an 8-inch version for $64, a 10.1-inch model for $79 and one at the same larger size with a detachable keyboard for $99, the retailer said in an email Monday. All have Google's Android operating system, 16 gigabytes of storage and promise 5.5 hours of use before a charge is needed. The new gadgets are part of Walmart's broader push to revitalize its electronics section and, if successful, could provide a jolt to the sluggish tablet market, which declined in 2018, according to data tracker Strategy Analytics.

10:01

IBM Begins Plumbing "Future" Processor Into GCC Compiler - POWER10? [Phoronix]

IBM engineers have landed initial support for "-mcpu=future" into the GCC compiler... As they say in the commit message, "a future architecture level, as yet unnamed."..

09:43

British Army cyber 'n' psyops unit 77 Brigade can't even brainwash civvies into helping it meet recruitment targets [The Register]

Part-timers needed

The British Army's psyops unit 77 Brigade is still falling short of recruiting targets, despite cyber skills being bigged up repeatedly by the military and government.…

09:30

Amazon Preparing a Wearable That 'Reads Human Emotions', Says Report [Slashdot]

Amazon is said to be working on a wrist-worn, voice-activated device that's supposed to be able to read human emotions. This would be a rather novel health gadget, of the sort we're more used to seeing in tenuous crowdfunding campaigns instead of from one of the world's biggest tech companies. From a report: Bloomberg has spoken to a source and reviewed internal Amazon documents, which reportedly show the Alexa voice software team and Amazon's Lab126 hardware division are collaborating on the wearable in development. The device, working in sync with a smartphone app, is said to have microphones that can "discern the wearer's emotional state from the sound of his or her voice." In a mildly dystopian twist, Bloomberg adds that "eventually the technology could be able to advise the wearer how to interact more effectively with others."

09:20

Firefox 68 Performance Is Looking Good With WebRender On Linux [Phoronix]

With Firefox 67 having been released this week, Firefox 68 is in beta and its performance in our tests thus far on Ubuntu Linux is looking really good. In particular, enabling the WebRender option that remains off by default on Linux brings some nice performance gains.

08:50

Senators Propose Bill Requiring Warrants To Search Devices at the Border [Slashdot]

An anonymous reader shares a report: If you're taking a trip in to or out of the US, border agents currently have free rein to search through your digital devices. Unlike police, agents don't need a warrant to look through your phones, laptops and other electronics. Two US senators are hoping to change that with a bipartisan bill. Sen. Ron Wyden, a Democrat from Oregon, and Sen. Rand Paul, a Republican from Kentucky, on Wednesday introduced the Protecting Data at the Border Act, which would require agents to obtain a warrant before they can search Americans' devices at the border. The number of electronic searches at the border has spiked in the last four years. In 2018, the Department of Homeland Security conducted more than 33,000 searches on devices, compared with 4,764 searches in 2015. Customs and Border Protection declined to comment. "The border is quickly becoming a rights-free zone for Americans who travel. The government shouldn't be able to review your whole digital life simply because you went on vacation, or had to travel for work," Wyden said in a statement.

08:35

GParted 1.0 Release Approaching For Linux Partition Editor - Live 1.0 Beta Released [Phoronix]

The GParted graphical partition editor for Linux systems has been around for 14 years and finally it's looking like the version 1.0 release is on the horizon...

08:29

Weak AF array sales at NetApp leave analysts feeling cold [The Register]

Looking for flash, private cloud and public cloud data services to bump up revenues

NetApp reported quarterly revenues that were weaker than expected last night – reduced by feeble sales across flash arrays, OEM and EMEA.…

08:11

Veteran Software Developer Panic Unveils Playdate Handheld Game Player [Slashdot]

Veteran software developer firm Panic, which has made its name through high-end Mac software as well as titles such as Firewatch, is expanding its work in games and moving in a very unexpected direction. This week, Panic unveiled Playdate, a tiny, yellow Game Boy-like device with a black-and-white screen, a few chunky buttons, and... a hand crank for controlling quirky games. From a report: Playdate is adorable and exciting and fun and technically impressive. They're making their own hardware (in conjunction with Swedish device makers Teenage Engineering). They wrote their own OS (there's no Linux). It has a high resolution 400 x 240 black and white display with no backlighting. It has a crank. It's going to cost only $149 -- $149! -- and that includes a "season" of 12 games from an amazing roster of beloved video game creators, delivered every Monday for 12 weeks. The idea of a new upstart, a company the size of Panic -- with only software experience at that -- jumping into the hardware game with a brand new platform harkens back to the '80s and '90s. But even back then, a company like, say, General Magic or Palm, was VC-backed and aspired to be a titan. To be the next Atari or Commodore or Apple. In today's world all the new computing devices and platforms come from huge companies. Apple of course. All the well-known Android handset makers building off an OS provided by Google. Sony. Nintendo. Panic is almost cheating in a way because they're tiny. The Playdate platform isn't competing with the state of the art. It's not a retro platform, per se, but while it has an obviously nostalgic charm it is competing only on its own terms. Its only goal is to be fun. And aspects of Playdate are utterly modern: Wi-Fi, Bluetooth, apps and software updates delivered over-the-air. 
They're taking advantage of an aspect of today's world that is brand new -- the Asian supply chain, the cheapness of Asian manufacturing, the cheapness of CPU and GPU cycles that allows things like Raspberry Pi to cost just $35.

08:07

Saturday Morning Breakfast Cereal - Wolves [Saturday Morning Breakfast Cereal]



Hovertext:
A patreon subscriber referred to this as 'Revenge Selection' and I'm embarrassed I didn't come up with it first, dammit.


07:28

AMD GCN GPU Target Continuing To Improve For The GCC 10 Compiler [Phoronix]

With the recent release of the GCC 9 stable compiler there is the initial "AMD GCN" GPU target/back-end merged. However, for this GNU Compiler Collection release the AMD GCN target isn't all that useful but continued work on it gives us hope of seeing it in good shape for next year's GCC 10 release...

07:12

PostgreSQL 12 Beta Released With Performance Improvements [Phoronix]

Out today is the first beta of the upcoming PostgreSQL 12.0 database server...

07:03

While big orange spectre haunts certain Chinese firms, fiscal '19 treated Lenovo rather well [The Register]

Pre-tax profits up 459% but 'geopolitical uncertainties' aren't lost on PC maker

Despite growing political tensions engulfing some Chinese tech firms, Lenovo managed to get back in the black after peddling higher-spec PCs and cutting losses in its data centre and smartphone lines. But the tech giant has warned that things might just be set to change.…

06:09

We'll hack back at Russians, declare UK ministers in cyber-Blitz blitz [The Register]

NATO's getting in on the action too

British ministers are stepping up their rhetoric on cyber warfare, with £22m to be splurged on embiggening an "offensive hacking" unit as Foreign Secretary Jeremy Hunt vowed to retaliate against Russian cyber-attacks.…

06:09

Wine & Mingw-w64 Might Tighten Up Their Relationship - Possible "WineSDK" [Phoronix]

Developers between the Wine and Mingw-w64 projects are discussing the potential for further embracing their relationship given the overlap in trajectory and both benefiting from close collaboration. This extended relationship could also involve Mingw-w64 potentially adopting Wine's branding...

05:49

Huawei Linux Laptop Driver Improvements On The Way [Phoronix]

While Microsoft is severing its relationship with Huawei, those with Huawei laptops may find a better experience on Linux...

05:06

Total War: Three Kingdoms Sees Same-Day Linux Release [Phoronix]

Feral Interactive has managed to deliver a same-day release of their Linux and macOS ports to coincide with today's Windows release of Total War: Three Kingdoms...

05:04

GitLab looks for users to CI to eye: Come join us on the happy path [The Register]

Source code, pipelines and boiling frogs

Interview  While many cloudy companies aim for four nines of uptime, it was four ones for GitLab today as the source shack celebrated the release of version 11.11 with a chat with The Register.…

04:05

Phisher folk reel in Computacenter security vetting mailbox packed with sensitive staff data [The Register]

Haul included employee passports, driving licences, bank statements and more

The third-party mailbox used by Computacenter employees and contractors to deposit data for security clearance applications has been hacked and used in phishing scams.…

03:15

Programmers' Question Time: Tiptoe through the tuples [The Register]

Addressing the pro-horticulture/anti-nerdiculture bias

Stob  When the BBC announced a rejig at Radio 4's Gardeners' Question Time, Stob hoped for a much more radical change of format than a mere replacement head composter.

02:56

GitHub slurps open-source bug zapping automator Dependabot, chucks cash at devs [The Register]

Matched funds for open source developers, plus new features for enterprise accounts

GitHub has acquired Dependabot, a tool that helps developers avoid introducing security issues via bugs in open-source libraries.…

02:06

Minecraft's my Nirvana. I found it hard, it's hard to find. Oh well, whatever... Never Mined [The Register]

What on Earth are you playing at, Microsoft?

Column  The future often arrives looking like an expensive toy. From the first microcomputer to the latest self-piloting drone, these "toys" hide a larger truth: they're the canvas upon which our imagination plays, as we dream up braver, bolder visions. We think physically, with our bodies, and our toys help us get our hands around what we think.…

00:55

DataStax has stars in its eyes over Constellation, its latest tweak on Apache Cassandra [The Register]

It’s not just a hosted version of the database, says the CEO

Datastax Accelerate  DataStax, the business built around the Apache Cassandra open source database, is creating a new system-as-a-cloud service using the platform.…

00:09

NASA boffins may just carve your name on a chip and send it to Mars if you ask nicely [The Register]

You probably won't ever get to go to space – but your name can

NASA is giving you the chance to send your name off into space.…

Wednesday, 22 May

23:18

Serverless Computing London: Agenda on its way, blind birds heading off [The Register]

When the agenda goes up, the tickets do too...

Event  Whether your serverless ambitions are AWS Lambda, Azure Functions, or Google Cloud focused, you should really join us at Serverless Computing London in November.…

23:00

Tim Peake's Soyuz lands in London after jaunt around the UK [The Register]

No word if a trip through Manchester was scarier than atmospheric reentry

Having spent the last 20 months being lugged around the UK, the Soyuz capsule used to ferry British Astronaut Tim Peake safely back to Earth is returning to London's Science Museum.…

19:52

No Huawei out: Prez Trump's game of chicken with China has serious consequences [The Register]

No cybersecurity rules means networks are destined to be balkanized

Analysis  Chinese telecom giant Huawei – the most prominent target of the Trump administration's decision to declare a national emergency to protect American IT infrastructure by banning technology provided by foreign adversaries – on Monday received a reprieve that allows it to do business with US suppliers.…

17:50

We listened to more than 3 hours of US Congress testimony on facial recognition so you didn't have to go through it [The Register]

Long story short: Models are ineffective, racist, dumb...

Analysis  AI experts, lawyers, and law enforcement urged US Congress to regulate the use of facial recognition technology during a hearing held by the House Committee on Oversight and Reform on Wednesday.…

17:28

OpenSUSE Adds Option To Installer For Toggling Performance-Hitting CPU Mitigations [Phoronix]

With the newly released openSUSE Leap 15.1 they have added an option to their installer for toggling the CPU mitigations around Spectre / Meltdown / Foreshadow / Zombieload to make it very convenient should you choose to retain maximum performance while foregoing the security measures. But it also allows disabling SMT/HT from the installer should you prefer maximum security...

15:54

NVIDIA 418.52.07 Linux Driver Wires In Two More Extensions [Phoronix]

NVIDIA today released the 418.52.07 Linux driver as an updated build intended for Vulkan developers with it introducing support for two more extensions...

15:28

Comcast – the cable giant America loves and trusts – confirms in-home health device to keep tabs on subscribers [The Register]

Meanwhile, privacy advocates run screaming from news, trip, end up in hospital

Comcast is working on a health device complete with motion sensors that will keep tabs on elderly or disabled people in their own homes.…

15:01

Apple arms web browser privacy torpedo, points it directly at Google's advertising model [The Register]

Safari tech ready to be ignored by online ad giants like all other privacy proposals

Apple's WebKit team, which develops the plumbing beneath the iGiant's Safari browser, has proposed a way that online ads can be measured while maintaining the privacy of those browsing the internet.…

13:52

Problems Being Investigated Under Wayland Itches Program, Including Gaming Performance [Phoronix]

Last week we wrote about a "Wayland Itches" program being devised by prolific open-source contributor Hans de Goede of Red Hat. The goal of this program is to address itches/paper-cuts/problems in using GNOME Shell atop Wayland. He's received a fair amount of feedback so far and has some early indications to share...

13:26

Koh-MG: Qualcomm guilty of abusing chip patent monopoly, biz promises to appeal [The Register]

Snapdragon giant 'strangled competition' and forced others to pay unfair fees

Qualcomm abused its monopoly on critical chip patents for decades, a US federal judge in California said on Wednesday in a decision with radical implications for the cellphone market.…

12:30

Kelway founder slurps Brit public sector supplier SBL, financials undisclosed [The Register]

Never say never as reseller veteran returns to reselling land with reseller buy

Phil Doye, the former majority owner of Kelway who sold the business to CDW for $431m, is dipping into his cash pile to slurp public sector reseller SBL.…

11:45

Apple reckons mystery new material will debug butterfly keyboard woes in latest MacBook Pros [The Register]

It's so confident, 2019 models are on the free repair scheme

Apple has such confidence in the new MacBook Pro's reimagined butterfly mechanism that the laptop qualifies from day one for inclusion in its expansive keyboard repair scheme.…

11:00

Irish data cops are shoving a probe right into Google's ads [The Register]

Doubleclick complaint alleges Chocolate Factory's data handling breaches GDPR

Updated  Ireland's Data Protection Commission has launched a formal investigation into adtech giant Google over alleged breaches of the EU's General Data Protection Regulation (GDPR), potentially costing the company £1.12bn.…

10:15

AMD Radeon VII Linux Performance vs. NVIDIA Gaming On Ubuntu For Q2'2019 [Phoronix]

It's been three months now since the AMD Radeon VII 7nm "Vega 20" graphics card was released and while we hopefully won't be waiting much longer for Navi to make its debut, for the time being this is the latest and greatest AMD Radeon consumer graphics card -- priced at around $700 USD. Here are some fresh benchmarks of the Radeon VII on Linux compared to various high-end NVIDIA graphics cards, with all testing done on Ubuntu 19.04.

09:45

Microsoft gently leads workhorse Windows Server 1903 for a pad around the paddock [The Register]

Don't mind me, I'm just the thing you run your business on

KubeCon Europe  While customers gawped at the shiny bauble of Windows 10, Microsoft trotted out the 1903 version of its workhorse big brother, Windows Server.…

08:59

US Air Force probes targeted malware attack, blames... er, the US Navy? What? [The Register]

War crimes trial takes a fresh twist

The US Air Force has opened an investigation into a "malware" infection – which it is blaming on lawyers employed by the US Navy who are working on a war crimes case.…

08:59

An Early Look At Some PHP 7.4 Performance Benchmarks [Phoronix]

The initial PHP 7.4 Alpha 1 release is just two weeks away already... Curious about the performance of this yearly update to PHP7, I ran some benchmarks on the latest development code as of this morning compared to the earlier PHP7 releases and even PHP-8.0 that is in development on Git master...

08:22

Saturday Morning Breakfast Cereal - Wishes [Saturday Morning Breakfast Cereal]



Hovertext:
There should be a story about a guy who gets three wishes and uses them perfectly.


07:43

Saturday Morning Breakfast Cereal - Beautiful [Saturday Morning Breakfast Cereal]



Hovertext:
Unless you're not trying to control me in which case you don't not control me!


Today's News:

Expect more bonus comics as we go. Thanks, geeks!

07:19

EE's 5G rollout: Oi, where are your Mates? Yes, we mean the Huawei phones [The Register]

NSA services switched on next Thursday. No not THAT NSA

UK mobile firm EE unveiled a lineup of launch devices this morning for when it flicks the switch on 5G services in six British cities, with one notable absence: Huawei.…

06:41

Twist my Arm why don't you: Brit CPU behemoth latest biz to cease work with Huawei – report [The Register]

Leaked staff memo reveals immediate halt to co-operation

Updated  Brit chip designer Arm has now severed its links with Huawei in accordance with US sanctions, depriving the Chinese smartphone maker of a crucial supplier.…

06:19

OpenSUSE Leap 15.1 Released - Based Off SUSE Linux Enterprise 15 SP1 [Phoronix]

OpenSUSE Leap 15.1 is now available as the latest openSUSE release that is in turn based off SUSE Linux Enterprise 15 Service Pack 1 sources...

05:59

This is a sett-up! Mum catches badger feasting on contents of freezer [The Register]

Elusive critter loves mashed potato, not so keen on scallops

Compelling evidence for the existence of UK cryptid "the badger" has been recorded in the south-coast town of Gosport – and it appears to have a penchant for ice lollies.…

05:30

All aboard the Windows Server container train as Google punts out Rapid Release GKE channel [The Register]

Docker: Hey, remember us? We've got Windows Server containers too!

Kubecon Europe  The ongoing game of tit-for-tat feature updates among the Big Three cloud players continued this week, with Google confirming support for Windows Server Containers at Kubecon.…

05:28

Intel Open-Source 19.19.12968 Compute Runtime Released [Phoronix]

For those making use of Intel's OpenCL "NEO" Compute Runtime, a new tagged release is now available...

05:09

Intel Icelake Brings New Top-Down Performance Counters [Phoronix]

While Linux support for Intel's long-awaited Icelake has been out there for months and all fundamentals are seemingly mature, there have been a few last-minute additions around some non-essential functionality. One of the latest Linux kernel patch series around Icelake is adding support for new Top-Down performance counters for these next-generation Intel processors...

04:52

AMD Begins Queueing Graphics Driver Changes For The Linux 5.3 Kernel [Phoronix]

Being past the Linux 5.2 kernel merge window, AMD's open-source Linux graphics driver developers have already begun queuing changes anticipated for Linux 5.3 via a work-in-progress tree...

04:50

Another disappointing quarter for Pure Storage as expanded sales team fails to close large deals [The Register]

Might be some delayed gratification there, friends

Pure Storage sales for its first fiscal 2020 quarter grew 28 per cent on last year, but losses were deeper than expected as those sought after large enterprise wins eluded an expanded salesforce.…

04:14

Illumos-Powered OmniOS Gets Updated Against MDS / ZombieLoad Vulnerabilities [Phoronix]

While it was just earlier this month that the OpenSolaris/Illumos-based OmniOS saw a big LTS release, it's already been succeeded by a new release given the recent Intel MDS / Zombieload CPU vulnerabilities coming to light...

04:05

Come join the Mirantis Kubernetes party, just be sure to BYOD – the D being distro, not drinks [The Register]

Because all developers are special, after all

KubeCon Europe  Darling of the OpenStack world Mirantis has continued its march into Kubernetes with a Bring Your Own Distribution support.…

03:06

Bring it on, Chipzilla! Nvidia swipes back at Intel in CPU-GPU AI performance brouhaha [The Register]

Dodgy numbers, new kit versus old... neither side comes out well

The machine-learning-performance beef between Intel and Nvidia has stepped up a notch, with the GPU giant calling out Chipzilla for spreading misleading benchmark results.…

02:03

Revealed: Facebook, Google's soft-money 'blackmail' to stall Euro fake news crackdown [The Register]

EU experts claim US tech giants use funding carrot to influence findings

Comment  Facebook and Google used grants and other funding to academics and journalistic organizations to pressure a group of experts in Europe to water down proposals on fake news, it was claimed yesterday.…

02:00

Securing telnet connections with stunnel [Fedora Magazine]

Telnet is a client-server protocol that connects to a remote server through TCP over port 23. Telnet does not encrypt data, so passwords and everything else in a session travel in the clear and can easily be sniffed, which is why it is considered insecure. However, there are still legacy systems that need to use it. This is where stunnel comes to the rescue.

Stunnel is designed to add SSL encryption to programs that have insecure connection protocols. This article shows you how to use it, with telnet as an example.

Server Installation

Install stunnel along with the telnet server and client using sudo:

sudo dnf -y install stunnel telnet-server telnet

Add a firewall rule, entering your password when prompted:

firewall-cmd --add-service=telnet --permanent
firewall-cmd --reload

Next, generate an RSA private key and an SSL certificate:

openssl genrsa 2048 > stunnel.key
openssl req -new -key stunnel.key -x509 -days 90 -out stunnel.crt

You will be prompted for the following information one line at a time. When asked for Common Name you must enter the correct host name or IP address, but everything else you can skip through by hitting the Enter key.

You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []

Merge the RSA key and SSL certificate into a single .pem file, and copy that to the SSL certificate directory:

cat stunnel.crt stunnel.key > stunnel.pem
sudo cp stunnel.pem /etc/pki/tls/certs/

Now it’s time to define the service and the ports to use for encrypting your connection. Choose a port that is not already in use. This example uses port 450 for tunneling telnet. Edit or create the /etc/stunnel/telnet.conf file:

cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[telnet]
accept = 450
connect = 23

The accept option is the port on which stunnel on the server listens for incoming tunneled telnet connections. The connect option is the local port on which the telnet server itself listens.

Next, make a copy of the systemd unit file that allows you to override the packaged version:

sudo cp /usr/lib/systemd/system/stunnel.service /etc/systemd/system

Edit the /etc/systemd/system/stunnel.service file to add the two ExecStartPre lines shown below. These lines create the directory used as the chroot jail for the service when it starts.

[Unit]
Description=TLS tunnel for network daemons
After=syslog.target network.target

[Service]
ExecStart=/usr/bin/stunnel
Type=forking
PrivateTmp=true
ExecStartPre=-/usr/bin/mkdir /var/run/stunnel
ExecStartPre=/usr/bin/chown -R nobody:nobody /var/run/stunnel

[Install]
WantedBy=multi-user.target

Next, configure SELinux to allow telnet on the new port you just specified:

sudo semanage port -a -t telnetd_port_t -p tcp 450

Finally, add a new firewall rule:

firewall-cmd --add-port=450/tcp --permanent
firewall-cmd --reload

Now you can enable and start telnet and stunnel.

systemctl enable telnet.socket stunnel@telnet.service --now

A note on the systemctl command is in order. Systemd and the stunnel package provide an additional template unit file by default. The template lets you drop multiple configuration files for stunnel into /etc/stunnel, and use the filename to start the service. For instance, if you had a foobar.conf file, you could start that instance of stunnel with systemctl start stunnel@foobar.service, without having to write any unit files yourself.

If you want, you can set this stunnel template service to start on boot:

systemctl enable stunnel@telnet.service

Client Installation

This part of the article assumes you are logged in as a normal user (with sudo privileges) on the client system. Install stunnel and the telnet client:

sudo dnf -y install stunnel telnet

Copy the stunnel.pem file from the remote server to your client /etc/pki/tls/certs directory. In this example, the IP address of the remote telnet server is 192.168.1.143.

sudo scp myuser@192.168.1.143:/etc/pki/tls/certs/stunnel.pem /etc/pki/tls/certs/

Create the /etc/stunnel/telnet.conf file:

cert = /etc/pki/tls/certs/stunnel.pem
client=yes
[telnet]
accept=450
connect=192.168.1.143:450

The accept option is the port that will be used for telnet sessions. The connect option is the IP address of your remote server and the port it’s listening on.

Next, enable and start stunnel:

systemctl enable stunnel@telnet.service --now

Test your connection. Since you have a connection established, you will telnet to localhost instead of the hostname or IP address of the remote telnet server:

[user@client ~]$ telnet localhost 450
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

Kernel 5.0.9-301.fc30.x86_64 on an x86_64 (0)
server login: myuser
Password: XXXXXXX
Last login: Sun May  5 14:28:22 from localhost
[myuser@server ~]$
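
The two telnet.conf files above can be checked mechanically. The following is an added example, not part of the original article or of the stunnel project: a small shell linter that flags a protocol version pinned below TLS 1.2, a client that never verifies the server certificate (stunnel does no peer verification unless verifyChain, verifyPeer or verify is set), and a missing chroot/setuid/setgid. The finding names, the flat treatment of global and per-service options, and the stunnel-server-cert.pem path in the constructed third sample are assumptions.

```shell
#!/bin/sh
# Added example: lint a stunnel config read from stdin.
# Prints one finding per line; prints nothing when no check fires.
# Simplification (assumption): global and [service] options form one flat set.
audit_stunnel_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*;/  { next }    # stunnel comments start with ";"
    /^[ \t]*$/  { next }    # blank line
    /^[ \t]*\[/ { next }    # [service] header
    {
        eq = index($0, "=")             # split on the first "=" only
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        opt[key] = trim(substr($0, eq + 1))
    }
    END {
        # 1. Protocol explicitly pinned to something older than TLS 1.2.
        n = split("sslversion sslversionmin", names, " ")
        for (i = 1; i <= n; i++) {
            v = tolower(opt[names[i]])
            if (v == "sslv2" || v == "sslv3" || v == "tlsv1" || v == "tlsv1.1")
                print "WEAK_PROTOCOL " names[i] "=" opt[names[i]]
        }
        # 2. Client mode with no certificate verification switched on.
        is_client = (tolower(opt["client"]) == "yes")
        verified = (tolower(opt["verifychain"]) == "yes" ||
                    tolower(opt["verifypeer"]) == "yes" ||
                    opt["verify"] + 0 >= 2)
        if (is_client && !verified)
            print "NO_PEER_VERIFY client=yes without verifyChain/verifyPeer"
        # 3. Daemon keeps its privileges and full filesystem view.
        if (opt["chroot"] == "" || opt["setuid"] == "" || opt["setgid"] == "")
            print "NO_PRIV_DROP chroot/setuid/setgid not all set"
    }'
}

# Server file as given in the article.
page_server_conf() { cat <<'EOF'
cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[telnet]
accept = 450
connect = 23
EOF
}

# Client file as given in the article.
page_client_conf() { cat <<'EOF'
cert = /etc/pki/tls/certs/stunnel.pem
client=yes
[telnet]
accept=450
connect=192.168.1.143:450
EOF
}

# Constructed sample that passes the checks. The CAfile path is hypothetical:
# a file holding only the server certificate, with no private key in it.
hardened_client_conf() { cat <<'EOF'
; constructed example, not from the article
client = yes
CAfile = /etc/pki/tls/certs/stunnel-server-cert.pem
verifyPeer = yes
sslVersion = TLSv1.2
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
[telnet]
accept = 127.0.0.1:450
connect = 192.168.1.143:450
EOF
}

for name in page_server_conf page_client_conf hardened_client_conf; do
    printf '== %s ==\n' "$name"
    findings=$("$name" | audit_stunnel_conf)
    printf '%s\n' "${findings:-clean}"
done
```

To lint a real file, run `audit_stunnel_conf < /etc/stunnel/telnet.conf`.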

01:00

Mirantis teases Kubernetes-as-a-Service to terrorise bare metal, public clouds, everything in between [The Register]

KaaS and carry, friend?

KubeCon Europe  At the Linux Foundation's KubeCon this week cloudy services biz Mirantis gave some sneaky previews of its upcoming Kubernetes-as-a-Service product, a technology aimed at self-managing and provisioning multi-cloud clusters.…

00:12

Uncle Sam to blow millions on mind-control weapon tech that can be fitted without surgery [The Register]

DARPA eggheads want brain-machine interfaces that work at the speed of soldiers' thoughts. No further comment...

DARPA, the US military's boffinry nerve center, is trying to fulfill the science-fiction dream of developing non-surgical brain-machine interfaces so soldiers can comfortably control weapon systems with their minds.…

Tuesday, 21 May

23:03

UK Space Agency cracks open its wallet, fishes out a paltry £2m for Brit plans to return to orbit [The Register]

Cash for horizontal launchers and PowerPoint slides

The UK Space Agency has flung open the doors on a mighty £2m fund aimed at imbuing Blighty with spaceflight capabilities.…

22:07

Intel Iris Gallium3D Driver Gets On-Disk Shader Cache Support [Phoronix]

In helping to speed-up game load times when switching to the new Intel "Iris" Gallium3D OpenGL Linux driver and smooth out frame-rates for games sporadically loading shaders, Mesa 19.2-devel has added on-disk shader cache support for the driver...

21:59

Bug-hunter reveals another 'make me admin' Windows 10 zero-day – and vows: 'There's more where that came from' [The Register]

Vulnerability can be exploited to turn users into system stars, no patch available yet

Updated  A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft's latest operating systems.…

18:58

Microsoft Windows 10 'Burger King' build 1903: Have it your way... and it may still leave a nasty taste in your mouth [The Register]

The May 2019 update is out and it's optional, for a while

Microsoft on Tuesday released Windows 10, version 1903, aka the May 2019 Update, without forcing it on folks.…

18:00

G Suite'n'sour: Google resets passwords after storing some unhashed creds for months, years [The Register]

Biz app login details encrypted at rest, though, ad giant insists

Google admitted Tuesday its paid-for G Suite of cloudy apps aimed at businesses stored some user passwords in plaintext albeit in an encrypted form.…

17:30

systemd Clocks In At More Than 1.2 Million Lines [Phoronix]

Five years ago today was the story on Phoronix how the systemd source tree was approaching 550k lines so curiosity got the best of me to see how large is the systemd Git repository today. Well, now it's over 1.2 million lines...

16:58

Mesa 19.0.5 Released As The Series Approaches The End [Phoronix]

Mesa 19.0.5 is now available as what is expected to be the second to the last release in the Mesa 19.0 series...

15:11

if developer_docs == bad then app_quality = bad; Coders slam Apple for subpar API manuals [The Register]

Sorry state of documentation baffles programmers as iGiant launches new MacBook Pros, promises better keyboards

Apple developers are becoming increasingly vocal about their displeasure with the state of the iGiant's programmer documentation, which they depend upon to craft iOS and macOS software.…

14:25

Jeff Bezos finally gets .Amazon after DNS overlord ICANN runs out of excuses to delay decision any further [The Register]

Persistence pays off for online super-souk, but not for South American states

Analysis  It's taken seven years but online mega-mall Amazon will finally get its hands on the .amazon top-level domain name.…

13:30

Microsoft shoves serverless container baby Virtual Kubelet at KubeCon crowds [The Register]

Touts 'vast improvements' in performance with 1.0 release

KubeCon Europe  The shadow of Microsoft loomed large over KubeCon with the version 1.0 release of its serverless container tech, Virtual Kubelet.…

11:24

Arch-Based Antergos Linux Distribution Calls It Quits [Phoronix]

The Arch-based Antergos Linux distribution that aimed to make Arch Linux more accessible to the Linux desktop masses is closing up shop...

11:10

Looks like we've got ourselves into another fine mesh: Enter the Service Mesh Interface [The Register]

Microsoft pushing standard for new containery hotness

KubeCon Europe  Microsoft took to the stage at KubeCon in Barcelona today to push its take on the proliferation of mesh technologies that have sprung up around the container-happy tech.…

11:00

GNOME 3.34's Mutter Lowers Output Lag On X11 To Match Wayland Performance [Phoronix]

Adding to the list of positive changes with GNOME 3.34 due out this September is lowering possible output lag when running GNOME's Mutter on X11/X.Org...

10:20

Now Chinese-made drones rubbing US govt up the Huawei: 'Strong concerns' DJI kit threat to national security [The Register]

Memo warns of regime having access to American data – remind you of anything?

A US government agency has claimed drones pose a threat to national security in an echo of its wider campaign against all things Chinese.…

09:21

Oh 4G, I'm speechless: EE network outage smacks rare breed of customer that talks into their mobile phone [The Register]

Scottish Virgin Media users also down and out after lunch

Updated  UK mobile operator EE has been struggling to get its VoLTE services back on their feet, after a seven-hour flood of angry complaints from customers unable to place voice calls over the 4G network.…

09:07

Mesa 19.1-RC3 Brings NIR, Vulkan Driver Fixes & Other Changes [Phoronix]

If all goes well the Mesa 19.1 release will be happening in the next week or two. But for those wanting to help test this open-source graphics driver stack, Mesa 19.1-RC3 was released today as the newest weekly release candidate...

08:20

Oh my Tosh, WD: Storage firms etch for a stretch – 15 more years of fab flash hookup [The Register]

Plus: Fujitsu and Veeam hook up, cloudy IBM upgrade, Iguazio on Azure, and more

Storage roundup  It's a garage sale of storage info this morning, including faster IBM object storage, Rubrik hiring a Google veteran, Nakivo backup supporting Nutanix AHV systems and much, much more.…

08:15

Red Hat Enterprise Linux 8.0 Benchmarks On AMD EPYC - Big Speed-Ups Over RHEL7 [Phoronix]

Since the release of Red Hat Enterprise Linux 8.0 at the start of May we've been running various benchmarks of this latest enterprise Linux platform. Our tests to date have been with Intel Xeon hardware where it's been performing well and a nice speed-up over RHEL 7 with modern Xeon Scalable CPUs. Similarly, AMD EPYC is also much faster with RHEL 8.0 thanks to the much newer Linux kernel, compiler, and other software updates.

07:25

Firefox 67.0 Released With Better Performance, Switches To Dav1d AV1 Decoder [Phoronix]

Mozilla set sail Firefox 67.0 this morning as the newest version of this web browser and the update is heavy on the feature front...

07:22

Team OpenCensus or OpenTracing? It'll be neither and both now: Hello, OpenTelemetry [The Register]

How do open-source projects play nicely? They get off Twitter

KubeCon Europe  Something odd happened at KubeCon 2019. Rather than snipe at each other from the safety of Twitter, two very similar open-source projects opted to pool their ideas into one: OpenTelemetry.…

07:03

Saturday Morning Breakfast Cereal - Thin Ice [Saturday Morning Breakfast Cereal]



Hovertext:
I have nothing pithy to say. This is my Magnum Opus.

06:55

Raspberry Pi Close To Seeing CPUFreq Support [Phoronix]

Nicolas Saenz Julienne of SUSE has been working on CPUFreq support for the Raspberry Pi single board computers to allow for the Linux kernel to provide CPU frequency scaling controls...

06:23

Honey, hive had it with this drone: Couple lived for years with thousands of bees in bedroom wall [The Register]

Come for the enterprise tech, stay for the tortured puns

Most of us not fortunate enough to dwell in gated manors in the countryside hive to endure a simple truth – noisy neighbours can bee annoying. One Spanish couple had 80,000 of them, living in their bedroom wall.…

05:25

iPhone gyroscopes, of all things, can uniquely ID handsets on anything earlier than iOS 12.2 [The Register]

Cheapskate fandroids get a pass on this one, though

Your iPhone can be uniquely fingerprinted by apps and websites in a way that you can never clear. Not by deleting cookies, not by clearing your cache, not even by reinstalling iOS.…

Monday, 20 May

05:47

Saturday Morning Breakfast Cereal - Captcha [Saturday Morning Breakfast Cereal]



Hovertext:
Things get ugly later when he starts sending unsolicited pics of his peripherals.

02:00

Getting set up with Fedora Project services [Fedora Magazine]

In addition to providing an operating system, the Fedora Project provides numerous services for users and developers. Services such as Ask Fedora, the Fedora Project Wiki and the Fedora Project Mailing Lists provide users with valuable resources for learning how to best take advantage of Fedora. For developers of Fedora, there are many other services such as dist-git, Pagure, Bodhi, COPR and Bugzilla that are involved with the packaging and release process.

These services are available for use with a free account from the Fedora Accounts System (FAS). This account is the passport to all things Fedora! This article covers how to get set up with an account and configure Fedora Workstation for browser single sign-on.

Signing up for a Fedora account

To create a FAS account, browse to the account creation page. Here, you will fill out your basic identity data:

Account creation page

Once you enter your data, an email will be sent to the email address provided, with a temporary password. Pick a strong password and use it.

Password reset page

Next, the account details page appears. If you intend to become a contributor to the Fedora Project, you should complete the Contributor Agreement now. Otherwise, you are done and your account can now be used to log into the various Fedora services.

Account details page

Configuring Fedora Workstation for single sign-on

Now that you have your account, you can sign into any of the Fedora Project services. Most of these services support single sign-on (SSO), allowing you to sign in without re-entering your username and password.

Fedora Workstation provides an easy workflow to add SSO credentials. The GNOME Online Accounts tool helps you quickly set up your system to access many popular services. To access it, go to the Settings menu.

GNOME Online Accounts

Click on the ⋮ button and select Enterprise Login (Kerberos), which provides a single text prompt for a principal. Enter fasname@FEDORAPROJECT.ORG (being sure to capitalize FEDORAPROJECT.ORG) and click Connect.

Kerberos principal dialog

GNOME prompts you to enter your password for FAS and gives you the option to save it. If you choose to save it, it is stored in GNOME Keyring and unlocked automatically at login. If you choose not to save it, you will need to open GNOME Online Accounts and enter your password each time you want to enable single sign-on.

Single sign-on with a web browser

Today, Fedora Workstation supports two web browsers “out of the box” with support for single sign-on with the Fedora Project services. These are Mozilla Firefox and Google Chrome. Due to a bug in Chromium, single sign-on does not currently work properly in many cases. As a result, this has not been enabled for Chromium in Fedora.

To sign on to a service, browse to it and select the “login” option for that service. For most Fedora services, this is the only thing you need to do and the browser handles the rest. Some services such as the Fedora Mailing Lists and Bugzilla support multiple login types. For them, you need to select the “Fedora” or “Fedora Account System” login type.

That’s it! You can now log into any of the Fedora Project services without re-entering your password.

Special consideration for Google Chrome

In order to enable single sign-on out of the box for Google Chrome, Fedora needed to take advantage of certain features in Chrome that are intended for use in “managed” environments. A managed environment is traditionally a corporate or other organization that sets certain security and/or monitoring requirements on the browser.

Recently, Google Chrome changed its behavior and it now reports “Managed by your organization” under the ⋮ menu in Google Chrome. That link leads to a page that states “If your Chrome browser is managed, your administrator can set up or restrict certain features, install extensions, monitor activity, and control how you use Chrome.” Fedora will never monitor your browser activity or restrict your actions.

Enter chrome://policy in the address bar to see exactly what settings Fedora has enabled in the browser. The AuthNegotiateDelegateWhitelist and AuthServerWhitelist options will be set to *.fedoraproject.org. These are the only changes Fedora makes.

Sunday, 19 May

09:16

Saturday Morning Breakfast Cereal - Lottery [Saturday Morning Breakfast Cereal]



Hovertext:
We could also kill all the happiness researchers, but that would only produce a short-term uptick in happiness.

Saturday, 18 May

08:21

Saturday Morning Breakfast Cereal - Their [Saturday Morning Breakfast Cereal]



Hovertext:
Our electronics division will be called Your'e.

Friday, 17 May

06:55

Saturday Morning Breakfast Cereal - Free Hugs [Saturday Morning Breakfast Cereal]



Hovertext:
Thinking too much about opportunity cost has an enormous opportunity cost.

Thursday, 16 May

07:47

Saturday Morning Breakfast Cereal - The Satan Gene [Saturday Morning Breakfast Cereal]



Hovertext:
It's all fun and games until the Evil Genome-Wide Association Study comes out.

02:00

Building Smaller Container Images [Fedora Magazine]

Linux containers have become a popular topic, and making sure that a container image is not bigger than it should be is considered good practice. This article gives some tips on how to create smaller Fedora container images.

microdnf

Fedora’s DNF is written in Python and is designed to be extensible, with a wide range of plugins. But Fedora has an alternative base container image which uses a smaller package manager called microdnf, written in C. To use this minimal image in a Dockerfile, the FROM line should look like this:

FROM registry.fedoraproject.org/fedora-minimal:30

This is an important saving if your image does not need typical DNF dependencies like Python. For example, if you are making a NodeJS image.

Install and Clean up in one layer

To save space it’s important to remove repository metadata using dnf clean all or its microdnf equivalent, microdnf clean all. But you should not do this in two steps, because that would store those files in one container image layer and then only mark them for deletion in another layer. To do it properly, do the installation and cleanup in one step like this:

FROM registry.fedoraproject.org/fedora-minimal:30 
RUN microdnf install nodejs && microdnf clean all

Modularity with microdnf

Modularity is a way to offer you different versions of a stack to choose from. For example, you might want non-LTS NodeJS version 11 for one project, old LTS NodeJS version 8 for another, and the latest LTS NodeJS version 10 for a third. You can specify which stream to use with a colon:

# dnf module list  
# dnf module install nodejs:8

The dnf module install command implies two commands: one that enables the stream and one that installs nodejs from it.

# dnf module enable nodejs:8 
# dnf install nodejs

Although microdnf does not offer any command related to modularity, it is possible to enable a module with a configuration file, and libdnf (which microdnf uses) seems to support modularity streams. The file looks like this:

/etc/dnf/modules.d/nodejs.module 
[nodejs]
name=nodejs
stream=8
profiles=
state=enabled

A full Dockerfile using modularity with microdnf looks like this:

FROM registry.fedoraproject.org/fedora-minimal:30 
RUN \
echo -e "[nodejs]\nname=nodejs\nstream=8\nprofiles=\nstate=enabled\n" > /etc/dnf/modules.d/nodejs.module && \
microdnf install nodejs zopfli findutils busybox && \
microdnf clean all

Multi-staged builds

In many cases you might have tons of build-time dependencies that are not needed to run the software, for example when building a Go binary, which statically links its dependencies. Multi-stage builds are an efficient way to separate the application build from the application runtime.

For example, the Dockerfile below builds confd, a Go application.

# building container 
FROM registry.fedoraproject.org/fedora-minimal AS build
RUN mkdir /go && microdnf install golang && microdnf clean all
WORKDIR /go
RUN export GOPATH=/go; CGO_ENABLED=0 go get github.com/kelseyhightower/confd

FROM registry.fedoraproject.org/fedora-minimal
WORKDIR /
COPY --from=build /go/bin/confd /usr/local/bin
CMD ["confd"]

The multi-stage build is done by adding AS after the FROM instruction, then starting a second stage with another FROM from a base container image and using the COPY --from= instruction to copy content from the build container to the second container.

This Dockerfile can then be built and run using podman:

$ podman build -t myconfd .
$ podman run -it myconfd

Wednesday, 15 May

05:22

Saturday Morning Breakfast Cereal - Stress [Saturday Morning Breakfast Cereal]



Hovertext:
Honestly, do brains ever actually help with anything other than breathing?

Tuesday, 14 May

07:58

Saturday Morning Breakfast Cereal - Confidence [Saturday Morning Breakfast Cereal]



Hovertext:
I wonder if this has ever happened in the history of showers.

Monday, 13 May

07:43

Saturday Morning Breakfast Cereal - Meditation [Saturday Morning Breakfast Cereal]



Hovertext:
Personally, I like my inner voice's constant expression of completely correct political views.

02:00

Manage business documents with OpenAS2 on Fedora [Fedora Magazine]

Business documents often require special handling. Enter Electronic Document Interchange, or EDI. EDI is more than simply transferring files using email or http (or ftp), because these are documents like orders and invoices. When you send an invoice, you want to be sure that:

1. It goes to the right destination, and is not intercepted by competitors.
2. Your invoice cannot be forged by a 3rd party.
3. Your customer can’t claim in court that they never got the invoice.

The first two goals can be accomplished by HTTPS or email with S/MIME, and in some situations, a simple HTTPS POST to a web API is sufficient. What EDI adds is the last part.

This article does not cover the messy topic of formats for the files exchanged. Even when using a standardized format like ANSI or EDIFACT, it is ultimately up to the business partners. It is not uncommon for business partners to use an ad-hoc CSV file format. This article shows you how to configure Fedora to send and receive in an EDI setup.

Centralized EDI

The traditional solution is to use a Value Added Network, or VAN. The VAN is a central hub that transfers documents between its customers. Most importantly, it keeps a secure record of the documents exchanged that can be used as evidence in disputes. The VAN can use different transfer protocols for each of its customers.

AS Protocols and MDN

The AS protocols are a specification for adding a digital signature with optional encryption to an electronic document. What it adds over HTTPS or S/MIME is the Message Disposition Notification, or MDN. The MDN is a signed and dated response that says, in essence, “We got your invoice.” It uses a secure hash to identify the specific document received. This addresses point #3 without involving a third party.

The AS2 protocol uses HTTP or HTTPS for transport. Other AS protocols target FTP and SMTP. AS2 is used by companies big and small to avoid depending on (and paying) a VAN.

OpenAS2

OpenAS2 is an open source Java implementation of the AS2 protocol. It has been available in Fedora since 28, and is installed with:

$ sudo dnf install openas2
$ cd /etc/openas2

Configuration is done with a text editor, and the config files are in XML. The first order of business before starting OpenAS2 is to change the factory passwords.

Edit /etc/openas2/config.xml and search for ChangeMe. Change those passwords. The default password on the certificate store is testas2, but that doesn’t matter much as anyone who can read the certificate store can read config.xml and get the password.

What to share with AS2 partners

There are 3 things you will exchange with an AS2 peer.

AS2 ID

Don’t bother looking up the official AS2 standard for legal AS2 IDs. While OpenAS2 implements the standard, your partners will likely be using a proprietary product which doesn’t. While AS2 allows much longer IDs, many implementations break with more than 16 characters. Using otherwise legal AS2 ID chars like ‘:’ that can appear as path separators on a proprietary OS is also a problem. Restrict your AS2 ID to upper and lower case alpha, digits, and ‘_’ with no more than 16 characters.

SSL certificate

For real use, you will want to generate a certificate with SHA256 and RSA. OpenAS2 ships with two factory certs to play with. Don’t use these for anything real, obviously. The certificate file is in PKCS12 format. Java ships with keytool which can maintain your PKCS12 “keystore,” as Java calls it. This article skips using openssl to generate keys and certificates. Simply note that sudo keytool -list -keystore as2_certs.p12 will list the two factory practice certs.

AS2 URL

This is an HTTP URL that will access your OpenAS2 instance. HTTPS is also supported, but is redundant. To use it you have to uncomment the https module configuration in config.xml, and supply a certificate signed by a public CA. This requires another article and is entirely unnecessary here.

By default, OpenAS2 listens on 10080 for HTTP and 10443 for HTTPS. OpenAS2 can talk to itself, so it ships with two partnerships using http://localhost:10080 as the AS2 URL. If you don’t find this a convincing demo, and can install a second instance (on a VM, for instance), you can use private IPs for the AS2 URLs. Or install Cjdns to get IPv6 mesh addresses that can be used anywhere, resulting in AS2 URLs like http://[fcbf:fc54:e597:7354:8250:2b2e:95e6:d6ba]:10080.

Most businesses will also want a list of IPs to add to their firewall. This is actually bad practice. An AS2 server has the same security risk as a web server, meaning you should isolate it in a VM or container. Also, the difficulty of keeping mutual lists of IPs up to date grows with the list of partners. The AS2 server rejects requests not signed by a configured partner.

OpenAS2 Partners

With that in mind, open partnerships.xml in your editor. At the top is a list of “partners.” Each partner has a name (referenced by the partnerships below as “sender” or “receiver”), AS2 ID, certificate, and email. You need a partner definition for yourself and those you exchange documents with. You can define multiple partners for yourself. OpenAS2 ships with two partners, OpenAS2A and OpenAS2B, which you’ll use to send a test document.

OpenAS2 Partnerships

Next is a list of “partnerships,” one for each direction. Each partnership configuration includes the sender, receiver, and the AS2 URL used to send the documents. By default, partnerships use synchronous MDN. The MDN is returned on the same HTTP transaction. You could uncomment the as2_receipt_option for asynchronous MDN, which is sent some time later. Use synchronous MDN whenever possible, as tracking pending MDNs adds complexity to your application.

The other partnership options select encryption, signature hash, and other protocol options. A fully implemented AS2 receiver can handle any combination of options, but AS2 partners may have incomplete implementations or policy requirements. For example, DES3 is a comparatively weak encryption algorithm, and may not be acceptable. It is the default because it is almost universally implemented.

If you went to the trouble to set up a second physical or virtual machine for this test, designate one as OpenAS2A and the other as OpenAS2B. Modify the as2_url on the OpenAS2A-to-OpenAS2B partnership to use the IP (or hostname) of OpenAS2B, and vice versa for the OpenAS2B-to-OpenAS2A partnership. Unless they are using the FedoraWorkstation firewall profile, on both machines you’ll need:

# sudo firewall-cmd --zone=public --add-port=10080/tcp

Now start the openas2 service (on both machines if needed):

# sudo systemctl start openas2

Resetting the MDN password

This initializes the MDN log database with the factory password, not the one you changed it to. This is a packaging bug to be fixed in the next release. To avoid frustration, here’s how to change the h2 database password:

$ sudo systemctl stop openas2
$ cat >h2passwd <<'DONE'
#!/bin/bash
AS2DIR="/var/lib/openas2"
java -cp "$AS2DIR"/lib/h2* org.h2.tools.Shell \
-url jdbc:h2:"$AS2DIR"/db/openas2 \
-user sa -password "$1" <<EOF
alter user sa set password '$2';
exit
EOF
DONE
$ sudo sh h2passwd ChangeMe yournewpasswordsetabove
$ sudo systemctl start openas2

Testing the setup

With that out of the way, let’s send a document. Assuming you are on the OpenAS2A machine:

$ cat >testdoc <<'DONE'
This is not a real EDI format, but is nevertheless a document.
DONE
$ sudo chown openas2 testdoc
$ sudo mv testdoc /var/spool/openas2/toOpenAS2B
$ sudo journalctl -f -u openas2
... log output of sending file, Control-C to stop following log
^C

OpenAS2 does not send a document until it is writable by the openas2 user or group. As a consequence, your actual business application will copy, or generate in place, the document. Then it changes the group or permissions to send it on its way, to avoid sending a partial document.

Now, on the OpenAS2B machine, /var/spool/openas2/OpenAS2A_OID-OpenAS2B_OID/inbox shows the message received. That should get you started!



Sunday, 12 May

11:29

Contribute at the Fedora Test Week for kernel 5.1 [Fedora Magazine]

The kernel team is working on final integration for kernel 5.1. This version was just recently released, and will arrive soon in Fedora. This version has many security fixes included. As a result, the Fedora kernel and QA teams have organized a test week from Monday, May 13, 2019 through Saturday, May 18, 2019. Refer to the wiki page for links to the test images you’ll need to participate. Read below for details.

How does a test week work?

A test day/week is an event where anyone can help make sure changes in Fedora work well in an upcoming release. Fedora community members often participate, and the public is welcome at these events. If you’ve never contributed before, this is a perfect way to get started.

To contribute, you only need to be able to do the following things:

  • Download test materials, which include some large files
  • Read and follow directions step by step

The wiki page for the kernel test day has a lot of good information on what and how to test. After you’ve done some testing, you can log your results in the test day web application. If you’re available on or around the day of the event, please do some testing and report your results.

Happy testing, and we hope to see you on test day.

08:52

Saturday Morning Breakfast Cereal - Meaning [Saturday Morning Breakfast Cereal]



Hovertext:
God is laughing because she's actually a dreaming brain in a tank of nutrient fluid.

Saturday, 11 May

09:16

Saturday Morning Breakfast Cereal - Proposal [Saturday Morning Breakfast Cereal]



Hovertext:
If she says no, he has a snake prepared to show 'Why not?'

Friday, 10 May

02:00

Check storage performance with dd [Fedora Magazine]

This article includes some example commands to show you how to get a rough estimate of hard drive and RAID array performance using the dd command. Accurate measurements would have to take into account things like write amplification and system call overhead, which this guide does not. For a tool that might give more accurate results, you might want to consider using hdparm.

To factor out performance issues related to the file system, these examples show how to test the performance of your drives and arrays at the block level by reading and writing directly to/from their block devices. WARNING: The write tests will destroy any data on the block devices against which they are run. Do not run them against any device that contains data you want to keep!

Four tests

Below are four example dd commands that can be used to test the performance of a block device:

  1. One process reading from $MY_DISK:
    # dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache
  2. One process writing to $MY_DISK:
    # dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct
  3. Two processes reading concurrently from $MY_DISK:
    # (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache &); (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache skip=200 &)
  4. Two processes writing concurrently to $MY_DISK:
    # (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct &); (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct seek=200 &)

– The iflag=nocache and oflag=direct parameters are important when performing the read and write tests (respectively) because without them the dd command will sometimes show the resulting speed of transferring the data to/from RAM rather than the hard drive.

– The values for the bs and count parameters are somewhat arbitrary and what I have chosen should be large enough to provide a decent average in most cases for current hardware.

– The null and zero devices are used for the destination and source (respectively) in the read and write tests because they are fast enough that they will not be the limiting factor in the performance tests.

– The skip=200 parameter on the second dd command in the concurrent read test, and the seek=200 parameter on the second dd command in the concurrent write test, ensure that the two copies of dd are operating on different areas of the hard drive. skip offsets the input and seek offsets the output, so the write test needs seek to move the second writer off the first writer's blocks.

16 examples

Below are demonstrations showing the results of running each of the above four tests against each of the following four block devices:

  1. MY_DISK=/dev/sda2 (used in examples 1-X)
  2. MY_DISK=/dev/sdb2 (used in examples 2-X)
  3. MY_DISK=/dev/md/stripped (used in examples 3-X)
  4. MY_DISK=/dev/md/mirrored (used in examples 4-X)

A video demonstration of these tests being run on a PC is provided at the end of this guide.

Begin by putting your computer into rescue mode to reduce the chances that disk I/O from background services might randomly affect your test results. WARNING: This will shut down all non-essential programs and services. Be sure to save your work before running these commands. You will need to know your root password to get into rescue mode. The passwd command, when run as the root user, will prompt you to (re)set your root account password.

$ sudo -i
# passwd
# setenforce 0
# systemctl rescue

You might also want to temporarily disable logging to disk:

# sed -r -i.bak 's/^#?Storage=.*/Storage=none/' /etc/systemd/journald.conf
# systemctl restart systemd-journald.service

If you have a swap device, it can be temporarily disabled and used to perform the following tests:

# swapoff -a
# MY_DEVS=$(mdadm --detail /dev/md/swap | grep active | grep -o "/dev/sd.*")
# mdadm --stop /dev/md/swap
# mdadm --zero-superblock $MY_DEVS

Example 1-1 (reading from sda)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 1)
# dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.7003 s, 123 MB/s

Example 1-2 (writing to sda)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 1)
# dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.67117 s, 125 MB/s

Example 1-3 (reading concurrently from sda)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 1)
# (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache &); (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache skip=200 &)
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.42875 s, 61.2 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.52614 s, 59.5 MB/s

Example 1-4 (writing concurrently to sda)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 1)
# (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct &); (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct seek=200 &)
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.2435 s, 64.7 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.60872 s, 58.1 MB/s

Example 2-1 (reading from sdb)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 2)
# dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.67285 s, 125 MB/s

Example 2-2 (writing to sdb)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 2)
# dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.67198 s, 125 MB/s

Example 2-3 (reading concurrently from sdb)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 2)
# (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache &); (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache skip=200 &)
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.52808 s, 59.4 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.57736 s, 58.6 MB/s

Example 2-4 (writing concurrently to sdb)

# MY_DISK=$(echo $MY_DEVS | cut -d ' ' -f 2)
# (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct &); (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct seek=200 &)
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.7841 s, 55.4 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.81475 s, 55.0 MB/s

Example 3-1 (reading from RAID0)

# mdadm --create /dev/md/stripped --homehost=any --metadata=1.0 --level=0 --raid-devices=2 $MY_DEVS
# MY_DISK=/dev/md/stripped
# dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 0.837419 s, 250 MB/s

Example 3-2 (writing to RAID0)

# MY_DISK=/dev/md/stripped
# dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 0.823648 s, 255 MB/s

Example 3-3 (reading concurrently from RAID0)

# MY_DISK=/dev/md/stripped
# (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache &); (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache skip=200 &)
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.31025 s, 160 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.80016 s, 116 MB/s

Example 3-4 (writing concurrently to RAID0)

# MY_DISK=/dev/md/stripped
# (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct &); (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct seek=200 &)
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.65026 s, 127 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.81323 s, 116 MB/s

Example 4-1 (reading from RAID1)

# mdadm --stop /dev/md/stripped
# mdadm --create /dev/md/mirrored --homehost=any --metadata=1.0 --level=1 --raid-devices=2 --assume-clean $MY_DEVS
# MY_DISK=/dev/md/mirrored
# dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.74963 s, 120 MB/s

Example 4-2 (writing to RAID1)

# MY_DISK=/dev/md/mirrored
# dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.74625 s, 120 MB/s

Example 4-3 (reading concurrently from RAID1)

# MY_DISK=/dev/md/mirrored
# (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache &); (dd if=$MY_DISK of=/dev/null bs=1MiB count=200 iflag=nocache skip=200 &)
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.67171 s, 125 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.67685 s, 125 MB/s

Example 4-4 (writing concurrently to RAID1)

# MY_DISK=/dev/md/mirrored
# (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct &); (dd if=/dev/zero of=$MY_DISK bs=1MiB count=200 oflag=direct seek=200 &)
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 4.09666 s, 51.2 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 4.1067 s, 51.1 MB/s

Restore your swap device and journald configuration

# mdadm --stop /dev/md/stripped /dev/md/mirrored
# mdadm --create /dev/md/swap --homehost=any --metadata=1.0 --level=1 --raid-devices=2 $MY_DEVS
# mkswap /dev/md/swap
# swapon -a
# mv /etc/systemd/journald.conf.bak /etc/systemd/journald.conf
# systemctl restart systemd-journald.service
# reboot

Interpreting the results

Examples 1-1, 1-2, 2-1, and 2-2 show that each of my drives reads and writes at about 125 MB/s.

Examples 1-3, 1-4, 2-3, and 2-4 show that when two reads or two writes are done in parallel on the same drive, each process gets about half the drive’s bandwidth (60 MB/s).

The 3-x examples show the performance benefit of putting the two drives together in a RAID0 (data striping) array. The numbers, in all cases, show that the RAID0 array performs about twice as fast as either drive is able to perform on its own. The trade-off is that you are twice as likely to lose everything because each drive only contains half the data. A three-drive array would perform three times as fast as a single drive (all drives being equal) but it would be thrice as likely to suffer a catastrophic failure.

The 4-x examples show that the performance of the RAID1 (data mirroring) array is similar to that of a single disk except for the case where multiple processes are concurrently reading (example 4-3). In the case of multiple processes reading, the performance of the RAID1 array is similar to that of the RAID0 array. This means that you will see a performance benefit with RAID1, but only when processes are reading concurrently, for example, when a process tries to access a large number of files in the background while you are trying to use a web browser or email client in the foreground. The main benefit of RAID1 is that your data is unlikely to be lost if a drive fails.
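An added example, not part of the original article: dd reports the speed of each process separately, so the comparisons above are easier to check by combining the summaries of a concurrent run into one aggregate figure. The script parses summary lines copied from examples 1-1, 1-3 and 4-3 and assumes both dd processes started at the same moment, so the slower elapsed time is taken as the wall-clock time.

```python
import re

# dd output copied from examples 1-1, 1-3 and 4-3 on this page.
EXAMPLE_1_1 = "209715200 bytes (210 MB, 200 MiB) copied, 1.7003 s, 123 MB/s"
EXAMPLE_1_3 = """\
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.42875 s, 61.2 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 3.52614 s, 59.5 MB/s
"""
EXAMPLE_4_3 = """\
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.67171 s, 125 MB/s
200+0 records in
200+0 records out
209715200 bytes (210 MB, 200 MiB) copied, 1.67685 s, 125 MB/s
"""

# Matches the final summary line of a dd run: byte count and elapsed seconds.
SUMMARY = re.compile(r"^(\d+) bytes\b.*\bcopied, ([0-9.]+) s,", re.MULTILINE)


def parse_dd(text):
    """Return a list of (bytes_copied, seconds) for every dd summary in text."""
    runs = [(int(b), float(s)) for b, s in SUMMARY.findall(text)]
    if not runs:
        raise ValueError("no dd summary line found")
    return runs


def aggregate_mb_per_s(text):
    """Combined throughput of all dd runs in text, in MB/s (1 MB = 10**6 bytes).

    Assumption: the runs started together, so wall-clock time is the
    longest elapsed time among them.
    """
    runs = parse_dd(text)
    total_bytes = sum(b for b, _ in runs)
    wall_seconds = max(s for _, s in runs)
    return total_bytes / wall_seconds / 1e6


if __name__ == "__main__":
    for name, text in (("1-1 single read, one drive", EXAMPLE_1_1),
                       ("1-3 two readers, one drive", EXAMPLE_1_3),
                       ("4-3 two readers, RAID1", EXAMPLE_4_3)):
        print(f"{name}: {aggregate_mb_per_s(text):.1f} MB/s aggregate")
```

Two readers on one drive add up to roughly the single-reader figure, while two readers on the mirror add up to about twice that, which is the RAID1 read benefit described above.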

Video demo

Testing storage throughput using dd

Troubleshooting

If the above tests aren’t performing as you expect, you might have a bad or failing drive. Most modern hard drives have built-in Self-Monitoring, Analysis and Reporting Technology (SMART). If your drive supports it, the smartctl command can be used to query your hard drive for its internal statistics:

# smartctl --health /dev/sda
# smartctl --log=error /dev/sda
# smartctl -x /dev/sda

Another way that you might be able to tune your PC for better performance is by changing your I/O scheduler. Linux systems support several I/O schedulers and the current default for Fedora systems is the multiqueue variant of the deadline scheduler. The default performs very well overall and scales extremely well for large servers with many processors and large disk arrays. There are, however, a few more specialized schedulers that might perform better under certain conditions.

To view which I/O scheduler your drives are using, issue the following command:

$ for i in /sys/block/sd?/queue/scheduler; do echo "$i: $(<$i)"; done

You can change the scheduler for a drive by writing the name of the desired scheduler to the /sys/block/<device name>/queue/scheduler file:

# echo bfq > /sys/block/sda/queue/scheduler

You can make your changes permanent by creating a udev rule for your drive. The following example shows how to create a udev rule that will set all rotational drives to use the BFQ I/O scheduler:

# cat << END > /etc/udev/rules.d/60-ioscheduler-rotational.rules
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"
END

Here is another example that sets all solid-state drives to use the NOOP I/O scheduler:

# cat << END > /etc/udev/rules.d/60-ioscheduler-solid-state.rules
ACTION=="add|change", KERNEL=="sd[a-z]", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="none"
END

Changing your I/O scheduler won’t affect the raw throughput of your devices, but it might make your PC seem more responsive by prioritizing the bandwidth for the foreground tasks over the background tasks or by eliminating unnecessary block reordering.


Photo by James Donovan on Unsplash.

Thursday, 09 May

07:48

Saturday Morning Breakfast Cereal - Fundamental [Saturday Morning Breakfast Cereal]




Hovertext:
You can also count up to 10 if you look at your fingers and see how many fingers there are.



Wednesday, 08 May

08:14

Saturday Morning Breakfast Cereal - Lie [Saturday Morning Breakfast Cereal]




Hovertext:
If you don't know what to do with the katana, I sure as hell won't explain it for you.



02:00

Check out the new AskFedora [Fedora Magazine]

If you’ve been reading the Community blog, you’ll already know: AskFedora has moved to Discourse! Read on for more information about this exciting platform.

Discourse? Why Discourse?

The new AskFedora is a Discourse instance hosted by Discourse, similar to discussion.fedoraproject.org. However, where discussion.fedoraproject.org is meant for development discussion within the community, AskFedora is meant for end-user troubleshooting.

The Discourse platform focuses on conversations. Not only can you ask questions and receive answers, you can have complete dialogues with others. This is especially fitting since troubleshooting includes lots of bits that are neither questions nor answers. Instead, there are lots of suggestions, ideas, thoughts, comments, musings, none of which necessarily are the one true answer, but all of which are required steps that together lead us to the solution.

Apart from this fresh take on discussions, Discourse comes with a full set of features that make interacting with each other very easy.

Login using your Fedora account

User accounts on the new AskFedora are managed by the Fedora account system only. A Fedora account gives you access to all of the infrastructure used by the Fedora community. This includes:

This decision was made mainly to combat the spam and security issues previously encountered with the various social media login services.

So, unlike the current Askbot setup where you could log in using different social media services, you will need to create a Fedora Account to use the new Discourse-based instance. Luckily, creating a Fedora Account is very easy!

  1. Go to https://admin.fedoraproject.org/accounts/user/new
  2. Choose a username, then enter your name, a valid e-mail address, and a security question.
  3. Do the “captcha” to confirm that you are indeed a human, and confirm that you are older than 13 years of age.

That’s it! You now have a Fedora account.

Get started!

If you are using the platform for the first time, you should start with the “New users! Start here!” category. Here, we’ve put short summaries on how to use the platform effectively. This includes information on how to use Discourse, its many features that make it a great platform, notes on how to ask and respond to queries, subscribing and unsubscribing from categories, and lots more.

For the convenience of the global Fedora community, these summaries are available in all the languages that the community supports. So, please do take a minute to go over these introductory posts.

Discuss, learn, teach, have fun!

Please log in, ask and discuss your queries and help each other out. As always, suggestions and feedback are welcome. You can post these in the “Site feedback” category.

As a last note, please do remember to “be excellent to each other.” The Fedora Code of Conduct applies to all of us!

Acknowledgements

The Fedora community does everything together, so many volunteers joined forces and gave their resources to make this possible. We are most grateful to the Askbot developers who have hosted AskFedora till now, the Discourse team for hosting it now, and all the community members who helped set it up, and everyone that helps keep the Fedora community ticking along!

Tuesday, 07 May

07:45

Saturday Morning Breakfast Cereal - Sexual Reproduction [Saturday Morning Breakfast Cereal]




Hovertext:
It turns out the only species in the universe that it's okay to eat is humans.



06:36

Sailfish OS Hossa is now available [Jolla Blog]

It has been a long time since my previous blog post, but I thought it was time to give a bit more tech savvy update for a change. I want to open up a bit more in detail how things go and the reasoning behind those actions. So, without further ado, let’s proceed.

We are pleased to announce the new 3.0.3 update, which is named after Hossa National Park. Hossa National Park is located in North-East Finland in the region of Kainuu. The park is home to Värikallio, an area that has some of the most important rock paintings in Finland. The paintings tell the story of the Stone Age men that used to be located in the area, and used the water routes next to the stone wall.

The update

Hossa release is primarily a technical software release that brings many under the hood upgrades, such as the long-awaited updates for C-library (glibc), compiler toolchain (gcc), browser engine, as well as the integrated Near Field Communication (NFC) framework. Also included are a number of security vulnerability fixes, stability improvements, and better compatibility in different areas.

Maintaining an operating system is a huge effort and there are lots of things that are not visible to the naked eye. To keep the maintenance burden under control, so that we will not deviate from the upstream and do not need to start maintaining our own version of the components, at times one needs to take a step back and look at the whole picture. With the 3.0.3 upgrade, we took such a step and concentrated a bit more on the not-so-visible items. At the same time we worked on bigger items for the upcoming updates, such as file system encryption, which some of you noted being referenced in the 3.0.3 update already 🙂

This time we decided to make some improvements that our community has been requesting for a while, including glibc, gcc and the browser engine. These components have not received much attention in a while and needed it quite a bit.

Updating glibc

Our glibc has been for some time now at eglibc version 2.19, which was already merged back into the upstream glibc a while ago. When a component is this far behind the upstream, it is quite common that going directly to the latest and greatest version is not possible, and one needs to first look at the dependencies to find this out. In addition to reducing the maintenance burden, the new glibc also brings us security improvements, as well as support for new features, such as a new version of Unicode. After checking some of the dependencies on the glibc side, we noted that the first feasible step would be to move to glibc version 2.25 with security patches on top of it. The reasoning for this was that glibc 2.26 required at least gcc 4.9, which was not there at the time we started the glibc update. Also, glibc 2.28 requires make version 4.0 or newer, which we did not have yet either. Thus, 2.25 was selected as the first step to ensure that we did not make too many changes at the same time in one release.

It should be noted though that since the branching of the 3.0.3 release we have worked more on glibc and as some of you might have already noted, we have version 2.28 in our repositories, which is coming in the next release. You can follow the progress at glibc repository. To get to such new version we had to touch on tens of different packages including e.g., m4, bison, automake, gzip, groff, iproute, libdrm, mkdevnodes, procps, qemu-usermode, qemu-usermode-static, squashfs-tools, systemd, and many others. This should give you a better picture as to why this change is not only about updating this particular component, but also about ensuring that all other components building on top of it builds properly.

Updating gcc

The second big update that we worked on was gcc, which was also lagging a bit behind the latest releases. Because of this, and the fact that we had not updated gcc in a while, we decided to split the update into smaller parts, similar to glibc. In gcc’s case we decided to take the first step by updating it to the latest version of the 4.x branch, i.e. 4.9.4. This gave us a bit more solid base for the platform and also more visibility of how the gcc upgrades go. Going from 4.8 to 4.9 also brought us improved C++14 support. Similarly to the glibc update, this gcc update touched a lot of components, such as sb2-tools, buteo-mtp-qt5, maliit, lipstick-jolla-home-qt5, gdb and so on. After this we are planning the next step of the gcc upgrade, which hopefully will still land in the latter part of the ongoing year.

Browser engine

The last big item that improves usability is the browser engine upgrade, i.e., Gecko, which is used to render web content to the user’s display. This time the update was up to the Extended Support Release version 45 (ESR45), which we know isn’t the latest version but was the next step in the upgrade path that was relatively easy to take. By updating Gecko, the browser functionality within websites has been improved, and it is able to show the web pages more accurately. However, there are some features that we didn’t finish in time like double tap to zoom. The browser’s default user agent string was updated at the same time. If you are interested in contributing and fixing user-agent based errors you can find more information here. Like with the glibc and gcc, this browser engine update is just the first step, and the target is to take the next step in the browser engine soon.

 


 

In addition to the items above there were a few other items, e.g. updating icu to version 63.1, which had also been pending for a while because lower-level components depended on it, even at the package management level, i.e. rpm. In this case, the dependency chain was libicu > sqlite > nss > rpm, which meant that in the worst case, while doing the icu upgrade, rpm, which depended on it, could stop working (similar to the problems with sqlite and nss in the past). After looking into this particular issue, we noted that we can drop libicu from the rpm chain by changing rpm to use openssl instead of nss by default. In addition to libicu, this also made it easier to handle updates to sqlite and nss, as both of those also dropped out of rpm’s dependency chain. A similar change was made to p11-kit to use openssl instead of nss.

As explained earlier, when touching some lower level components like glibc and gcc, many other packages might fail to build because of changes in libraries, headers, paths, etc. These of course need fixing before the release can be pushed out. The simplest thing quite often would be to patch the component with the needed fix. However, as we have limited resources and we do not want to pile up the maintenance burden, we rather try to update a component to a newer version instead of just fixing the issue with a simple patch. Surely there are always considerations needed, as updating a component always brings in a bigger change and risk. This is why applying the patch is preferable when we are further along in the release process. As pointed out earlier, the update target usually is the latest version, but at times one needs to take intermediate steps so that the delta for one upgrade does not get out of hand, and that one can integrate and release things earlier.

While some of the team worked on the bigger items like these glibc and gcc updates, there were also many others who touched on different parts of Sailfish OS. Thus, we also managed to include quite a notable set of component upgrades including, but not limited to: updating of iptables to version 1.8.2, pcre to version 8.42, pulseaudio to version 12.2, shared-mime-info to version 1.12, util-linux to version 2.33.1, valgrind to version 3.14, and zlib to version 1.2.11. The aim is to have a few package updates always in each release, to keep up with the upstream.

On top of all of the above, we also worked on reducing the image size by moving extra documentations to separate packages and unifying the packaging conventions. Also, work was done to exclude some tools/libraries to separate packages, which are not needed without developer mode to reduce the size of the updates. Also, tools depending on ncurses were moved to sub packages if possible, which allowed dropping ncurses from the image. Some of such tools to mention are sqlite and connmanctl, which no longer are part of the default image. However, all the tools will still remain in the repositories so that all of you who want to tinker with the cmdline have the tools still available. We also dropped e.g. kbd from the image by default to save some more space, and build e.g. our browser engine with system icu enabling also significantly shorter build time. These and other fixes saved around 15M in the Sailfish OS core.

Surely some fixes on the user interface level also got in touching different parts like email, keyboard, messages etc. You can read more about those from the release notes and detailed change log.

Oh, and one more thing…

We did not forget Sailfish X and the XA2 device, to which we brought some very welcome fixes, such as fixing the sensor behaviour during phone calls. We also improved the high power drain in the wlan use case. Also, one new addition to our Sailfish OS core offering was Near Field Communication (NFC) support, which is in its first version with URL tags available with 3.0.3 Hossa. Anyone wanting to take a deeper look can check the source code of our NFC daemon and the plugin for the XA2.

Additional items to XA2 were related to improvements for the Android 8.1 App Support, including:

  • Mobile data works now with both SIM cards for Android apps on XA2 devices
  • Recently added files to the Sailfish side appear now on the Android side immediately
  • System UI notifications from the Android side are now hidden (Sailfish OS to handle)
  • Notification handling is now improved, new notifications will not receive grouped notifications
  • SSH file transfer no longer crashes Android App Support

Surely there are still places to improve and we are already preparing for the next set of fixes for the Android App Support, which will include at least improvements with notifications to not show that many duplicates, fix for display blank prevention so that your display stays on while you navigate or watch videos via Android apps, and initial support for clipboard between Sailfish OS and Android apps.

Br,

Sage

Ps. Let us know what you think of this more technical blog post and if we should start going into more details like this also in the future.


Monday, 06 May

06:30

Saturday Morning Breakfast Cereal - Utilitarian [Saturday Morning Breakfast Cereal]




Hovertext:
Before you tell me I've misunderstood, bear in mind that your email will decrease my happiness.


Today's News:

Soonish is out in paperback for just 12 bucks!



02:00

Use udica to build SELinux policy for containers [Fedora Magazine]

While modern IT environments move towards Linux containers, the need to secure these environments is as relevant as ever. Containers are a process isolation technology. While containers can be a defense mechanism, they only excel when combined with SELinux.

Fedora SELinux engineering built a new standalone tool, udica, to generate SELinux policy profiles for containers by automatically inspecting them. This article focuses on why udica is needed in the container world, and how it makes SELinux and containers work better together. You’ll find examples of SELinux separation for containers that let you avoid turning protection off because the generic SELinux type container_t is too tight. With udica you can easily customize the policy with limited SELinux policy writing skills.

SELinux technology

SELinux is a security technology that brings proactive security to Linux systems. It’s a labeling system that assigns a label to all subjects (processes and users) and objects (files, directories, sockets, etc.). These labels are then used in a security policy that controls access throughout the system. It’s important to mention that what’s not allowed in an SELinux security policy is denied by default. The policy rules are enforced by the kernel. This security technology has been in use on Fedora for several years. A real example of such a rule is:

allow httpd_t httpd_log_t: file { append create getattr ioctl lock open read setattr };

The rule allows any process labeled as httpd_t to create, append, read and lock files labeled as httpd_log_t. Using the ps command, you can list all processes with their labels:

$ ps -efZ | grep httpd
system_u:system_r:httpd_t:s0 root 13911 1 0 Apr14 ? 00:05:14 /usr/sbin/httpd -DFOREGROUND
...

To see which objects are labeled as httpd_log_t, use semanage:

# semanage fcontext -l | grep httpd_log_t
/var/log/httpd(/.*)? all files system_u:object_r:httpd_log_t:s0
/var/log/nginx(/.*)? all files system_u:object_r:httpd_log_t:s0
...

The SELinux security policy for Fedora is shipped in the selinux-policy RPM package.

SELinux vs. containers

In Fedora, the container-selinux RPM package provides a generic SELinux policy for all containers started by engines like podman or docker. Its main purposes are to protect the host system against a container process, and to separate containers from each other. For instance, containers confined by SELinux with the process type container_t can only read/execute files in /usr and write to files of type container_file_t on the host file system. To prevent attacks by containers on each other, Multi-Category Security (MCS) is used.

Using only one generic policy for containers is problematic, because of the huge variety of container usage. On one hand, the default container type (container_t) is often too strict. For example:

  • Fedora SilverBlue needs containers to read/write a user’s home directory
  • Fluentd project needs containers to be able to read logs in the /var/log directory

On the other hand, the default container type could be too loose for certain use cases:

  • It has no SELinux network controls — all container processes can bind to any network port
  • It has no SELinux control on Linux capabilities — all container processes can use all capabilities

There is one solution to handle both use cases: write a custom SELinux security policy for the container. This can be tricky, because SELinux expertise is required. For this purpose, the udica tool was created.

Introducing udica

Udica generates SELinux security profiles for containers. Its concept is based on the “block inheritance” feature inside the common intermediate language (CIL) supported by SELinux userspace. The tool creates a policy that combines:

  • Rules inherited from specified CIL blocks (templates), and
  • Rules discovered by inspection of the container JSON file, which contains mount point and port definitions

You can load the final policy immediately, or move it to another system to load into the kernel. Here’s an example, using a container that:

  • Mounts /home as read only
  • Mounts /var/spool as read/write
  • Exposes port tcp/21

The container starts with this command:

# podman run -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash

The default container type (container_t) doesn’t allow any of these three actions. To prove it, you can use the sesearch tool to query whether the corresponding allow rules are present on the system:

# sesearch -A -s container_t -t home_root_t -c dir -p read 

There’s no allow rule present that lets a process labeled as container_t access a directory labeled home_root_t (like the /home directory). The same situation occurs with /var/spool, which is labeled var_spool_t:

# sesearch -A -s container_t -t var_spool_t -c dir -p read

On the other hand, the default policy completely allows network access.

# sesearch -A -s container_t -t port_type -c tcp_socket
allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow sandbox_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };

Securing the container

It would be great to restrict this access and allow the container to bind only to TCP port 21 or to ports with the same label. Imagine you find an example container using podman ps whose ID is 37a3635afb8f:

# podman ps -q
37a3635afb8f

You can now inspect the container and pass the inspection file to the udica tool. The name for the new policy is my_container.

# podman inspect 37a3635afb8f > container.json
# udica -j container.json my_container
Policy my_container with container id 37a3635afb8f created!

Please load these modules using:
# semodule -i my_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil,home_container.cil}

Restart the container with: "--security-opt label=type:my_container.process" parameter

That’s it! You just created a custom SELinux security policy for the example container. Now you can load this policy into the kernel and make it active. The udica output above even tells you the command to use:

# semodule -i my_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil,home_container.cil}

Now you must restart the container to allow the container engine to use the new custom policy:

# podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash

The example container is now running in the newly created my_container.process SELinux process type:

# ps -efZ | grep my_container.process
unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023 root 2275 434 1 13:49 pts/1 00:00:00 podman run --security-opt label=type:my_container.process -v /home:/home:ro -v /var/spool:/var/spool:rw -p 21:21 -it fedora bash
system_u:system_r:my_container.process:s0:c270,c963 root 2317 2305 0 13:49 pts/0 00:00:00 bash

Seeing the results

The command sesearch now shows allow rules for accessing /home and /var/spool:

# sesearch -A -s my_container.process -t home_root_t -c dir -p read
allow my_container.process home_root_t:dir { getattr ioctl lock open read search };
# sesearch -A -s my_container.process -t var_spool_t -c dir -p read
allow my_container.process var_spool_t:dir { add_name getattr ioctl lock open read remove_name search write }

The new custom SELinux policy also allows my_container.process to bind only to TCP/UDP ports labeled the same as TCP port 21:

# semanage port -l | grep 21 | grep ftp
ftp_port_t tcp 21, 989, 990
# sesearch -A -s my_container.process -c tcp_socket -p name_bind
allow my_container.process ftp_port_t:tcp_socket name_bind;
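
The before/after comparison above can be turned into a repeatable check. The following shell sketch is an added example, not part of the original article or of udica: it reads sesearch output and reports every target of a tcp_socket name_bind rule that is outside an expected list. The function names are hypothetical; the two rule sets are copied from the sesearch output shown in this article.

```shell
#!/bin/sh
# Added example: audit which port types a container domain may bind to.
# On a live system, feed it the query used in the article:
#   sesearch -A -s my_container.process -c tcp_socket -p name_bind \
#       | unexpected_bind_targets ftp_port_t

# Rules reported for the default container_t domain (from the article).
default_rules() {
cat <<'EOF'
allow container_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
allow sandbox_net_domain port_type:tcp_socket { name_bind name_connect recv_msg send_msg };
EOF
}

# Rule reported for the udica-generated domain (from the article).
custom_rules() {
cat <<'EOF'
allow my_container.process ftp_port_t:tcp_socket name_bind;
EOF
}

# Read sesearch allow rules on stdin and print the target of every rule
# that grants name_bind on tcp_socket. The source column is ignored on
# purpose: sesearch may report an attribute the queried type belongs to.
bind_targets() {
    awk '
    $1 == "allow" {
        split($3, tc, ":")                 # tc[1] = target, tc[2] = class
        if (tc[2] != "tcp_socket") next
        perms = $0
        sub(/^[^:]*:[^ ]+ /, "", perms)    # keep only the permission part
        gsub(/[{};]/, " ", perms)
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (p[i] == "name_bind") { print tc[1]; break }
    }'
}

# Print each bind target that is not named in the arguments.
# Empty output means the domain can bind only to the expected port types.
unexpected_bind_targets() {
    allowed=" $* "
    bind_targets | sort -u | while read -r target; do
        case "$allowed" in
            *" $target "*) ;;
            *) printf '%s\n' "$target" ;;
        esac
    done
}

echo "default policy, unexpected bind targets:"
default_rules | unexpected_bind_targets ftp_port_t
echo "udica policy, unexpected bind targets:"
custom_rules | unexpected_bind_targets ftp_port_t
```

A result of port_type for the default policy means the domain may bind to any port, which is the broad access the custom policy removes.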

Conclusion

The udica tool helps you create SELinux policies for containers based on an inspection file without any SELinux expertise required. Now you can increase the security of containerized environments. Sources are available on GitHub, and an RPM package is available in Fedora repositories for Fedora 28 and later.


Photo by Samuel Zeller on Unsplash.

Sunday, 05 May

Saturday, 04 May

Friday, 03 May

02:00

Mirror your System Drive using Software RAID [Fedora Magazine]

Nothing lasts forever. When it comes to the hardware in your PC, most of it can easily be replaced. There is, however, one special-case hardware component in your PC that is not as easy to replace as the rest — your hard disk drive.

Drive Mirroring

Your hard drive stores your personal data. Some of your data can be backed up automatically by scheduled backup jobs. But those jobs scan the files to be backed up for changes and trying to scan an entire drive would be very resource intensive. Also, anything that you’ve changed since your last backup will be lost if your drive fails. Drive mirroring is a better way to maintain a secondary copy of your entire hard drive. With drive mirroring, a secondary copy of all the data on your hard drive is maintained in real time.

An added benefit of live mirroring your hard drive to a secondary hard drive is that it can increase your computer’s performance. Because disk I/O is one of your computer’s main performance bottlenecks, the performance improvement can be quite significant.

Note that a mirror is not a backup. It only protects your data from being lost if one of your physical drives fails. Types of failures that drive mirroring, by itself, does not protect against include:

Some of the above can be addressed by other file system features that can be used in conjunction with drive mirroring. File system features that address the above types of failures include:

This guide will demonstrate one method of mirroring your system drive using the Multiple Disk and Device Administration (mdadm) toolset. Just for fun, this guide will show how to do the conversion without using any extra boot media (CDs, USB drives, etc). For more about the concepts and terminology related to the multiple device driver, you can skim the md man page:

$ man md

The Procedure

  1. Use sgdisk to (re)partition the extra drive that you have added to your computer:
    $ sudo -i
    # MY_DISK_1=/dev/sdb
    # sgdisk --zap-all $MY_DISK_1
    # test -d /sys/firmware/efi/efivars || sgdisk -n 0:0:+1MiB -t 0:ef02 -c 0:grub_1 $MY_DISK_1
    # sgdisk -n 0:0:+1GiB -t 0:ea00 -c 0:boot_1 $MY_DISK_1
    # sgdisk -n 0:0:+4GiB -t 0:fd00 -c 0:swap_1 $MY_DISK_1
    # sgdisk -n 0:0:0 -t 0:fd00 -c 0:root_1 $MY_DISK_1

    – If the drive that you will be using for the second half of the mirror in step 12 is smaller than this drive, then you will need to adjust down the size of the last partition so that the total size of all the partitions is not greater than the size of your second drive.
    – A few of the commands in this guide are prefixed with a test for the existence of an efivars directory. This is necessary because those commands are slightly different depending on whether your computer is BIOS-based or UEFI-based.


  2. Use mdadm to create RAID devices that use the new partitions to store their data:
    # mdadm --create /dev/md/boot --homehost=any --metadata=1.0 --level=1 --raid-devices=2 /dev/disk/by-partlabel/boot_1 missing
    # mdadm --create /dev/md/swap --homehost=any --metadata=1.0 --level=1 --raid-devices=2 /dev/disk/by-partlabel/swap_1 missing
    # mdadm --create /dev/md/root --homehost=any --metadata=1.0 --level=1 --raid-devices=2 /dev/disk/by-partlabel/root_1 missing
    # cat << END > /etc/mdadm.conf
    MAILADDR root
    AUTO +all
    DEVICE partitions
    END
    # mdadm --detail --scan >> /etc/mdadm.conf

    – The missing parameter tells mdadm to create an array with a missing member. You will add the other half of the mirror in step 14.
    – You should configure sendmail so you will be notified if a drive fails.
    – You can configure Evolution to monitor a local mail spool.


  3. Use dracut to update the initramfs:
    # dracut -f --add mdraid --add-drivers xfs

    – Dracut will include the /etc/mdadm.conf file you created in the previous section in your initramfs unless you build your initramfs with the hostonly option set to no. If you build your initramfs with the hostonly option set to no, then you should either manually include the /etc/mdadm.conf file, manually specify the UUIDs of the RAID arrays to assemble at boot time with the rd.md.uuid kernel parameter, or specify the rd.auto kernel parameter to have all RAID arrays automatically assembled and started at boot time. This guide will demonstrate the rd.auto option since it is the most generic.


  4. Format the RAID devices:
    # mkfs -t vfat /dev/md/boot
    # mkswap /dev/md/swap
    # mkfs -t xfs /dev/md/root

    – The new Boot Loader Specification states “if the OS is installed on a disk with GPT disk label, and no ESP partition exists yet, a new suitably sized (let’s say 500MB) ESP should be created and should be used as $BOOT” and “$BOOT must be a VFAT (16 or 32) file system”.


  5. Reboot and set the rd.auto, rd.break and single kernel parameters:
    # reboot

    – You may need to set your root password before rebooting so that you can get into single-user mode in step 7.
    – See “Making Temporary Changes to a GRUB 2 Menu” for directions on how to set kernel parameters on computers that use the GRUB 2 boot loader.


  6. Use the dracut shell to copy the root file system:
    # mkdir /newroot
    # mount /dev/md/root /newroot
    # shopt -s dotglob
    # cp -ax /sysroot/* /newroot
    # rm -rf /newroot/boot/*
    # umount /newroot
    # exit

    – The dotglob flag is set for this bash session so that the wildcard character will match hidden files.
    – Files are removed from the boot directory because they will be copied to a separate partition in the next step.
    – This copy operation is being done from the dracut shell to ensure that no processes are accessing the files while they are being copied.


  7. Use single-user mode to copy the non-root file systems:
    # mkdir /newroot
    # mount /dev/md/root /newroot
    # mount /dev/md/boot /newroot/boot
    # shopt -s dotglob
    # cp -Lr /boot/* /newroot/boot
    # test -d /newroot/boot/efi/EFI && mv /newroot/boot/efi/EFI/* /newroot/boot/efi && rmdir /newroot/boot/efi/EFI
    # test -d /sys/firmware/efi/efivars && ln -sfr /newroot/boot/efi/fedora/grub.cfg /newroot/etc/grub2-efi.cfg
    # cp -ax /home/* /newroot/home
    # exit

    – It is OK to run these commands in the dracut shell shown in the previous section instead of doing it from single-user mode. I’ve demonstrated using single-user mode to avoid having to explain how to mount the non-root partitions from the dracut shell.
    – The parameters being passed to the cp command for the boot directory are a little different because the VFAT file system doesn’t support symbolic links or Unix-style file permissions.
    – In rare cases, the rd.auto parameter is known to cause LVM to fail to assemble due to a race condition. If you see errors about your swap or home partition failing to mount when entering single-user mode, simply try again by repeating step 5 but omitting the rd.break parameter so that you will go directly to single-user mode.


  8. Update fstab on the new drive:
    # cat << END > /newroot/etc/fstab
    /dev/md/root / xfs defaults 0 0
    /dev/md/boot /boot vfat defaults 0 0
    /dev/md/swap swap swap defaults 0 0
    END

  9. Configure the boot loader on the new drive:
    # NEW_GRUB_CMDLINE_LINUX=$(cat /etc/default/grub | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"/\1/ p')
    # NEW_GRUB_CMDLINE_LINUX=${NEW_GRUB_CMDLINE_LINUX//rd.lvm.*([^ ])}
    # NEW_GRUB_CMDLINE_LINUX=${NEW_GRUB_CMDLINE_LINUX//resume=*([^ ])}
    # NEW_GRUB_CMDLINE_LINUX+=" selinux=0 rd.auto"
    # sed -i "/^GRUB_CMDLINE_LINUX=/s/=.*/=\"$NEW_GRUB_CMDLINE_LINUX\"/" /newroot/etc/default/grub

    – You can re-enable selinux after this procedure is complete. But you will have to relabel your file system first.


  10. Install the boot loader on the new drive:
    # sed -i '/^GRUB_DISABLE_OS_PROBER=.*/d' /newroot/etc/default/grub
    # echo "GRUB_DISABLE_OS_PROBER=true" >> /newroot/etc/default/grub
    # MY_DISK_1=$(mdadm --detail /dev/md/boot | grep active | grep -m 1 -o "/dev/sd.")
    # for i in dev dev/pts proc sys run; do mount -o bind /$i /newroot/$i; done
    # chroot /newroot env MY_DISK_1=$MY_DISK_1 bash --login
    # test -d /sys/firmware/efi/efivars || MY_GRUB_DIR=/boot/grub2
    # test -d /sys/firmware/efi/efivars && MY_GRUB_DIR=$(find /boot/efi -type d -name 'fedora' -print -quit)
    # test -e /usr/sbin/grub2-switch-to-blscfg && grub2-switch-to-blscfg --grub-directory=$MY_GRUB_DIR
    # grub2-mkconfig -o $MY_GRUB_DIR/grub.cfg
    # test -d /sys/firmware/efi/efivars && test /boot/grub2/grubenv -nt $MY_GRUB_DIR/grubenv && cp /boot/grub2/grubenv $MY_GRUB_DIR/grubenv
    # test -d /sys/firmware/efi/efivars || grub2-install "$MY_DISK_1"
    # logout
    # for i in run sys proc dev/pts dev; do umount /newroot/$i; done
    # test -d /sys/firmware/efi/efivars && efibootmgr -c -d "$MY_DISK_1" -p 1 -l "$(find /newroot/boot -name shimx64.efi -printf '/%P\n' -quit | sed 's!/!\\!g')" -L "Fedora RAID Disk 1"

    – The grub2-switch-to-blscfg command is optional. It is only supported on Fedora 29+.
    – The cp command above should not be necessary, but there appears to be a bug in the current version of grub which causes it to write to $BOOT/grub2/grubenv instead of $BOOT/efi/fedora/grubenv on UEFI systems.
    – You can use the following command to verify the contents of the grub.cfg file right after running the grub2-mkconfig command above:

    # sed -n '/BEGIN .*10_linux/,/END .*10_linux/ p' $MY_GRUB_DIR/grub.cfg

    – You should see references to mdraid and mduuid in the output from the above command if the RAID array was detected properly.


  11. Boot off of the new drive:
    # reboot

    – How to select the new drive is system-dependent. It usually requires pressing one of the F12, F10, Esc or Del keys when you hear the System OK BIOS beep code.
    – On UEFI systems the boot loader on the new drive should be labeled “Fedora RAID Disk 1”.


  12. Remove all the volume groups and partitions from your old drive:
    # MY_DISK_2=/dev/sda
    # MY_VOLUMES=$(pvs | grep $MY_DISK_2 | awk '{print $2}' | tr "\n" " ")
    # test -n "$MY_VOLUMES" && vgremove $MY_VOLUMES
    # sgdisk --zap-all $MY_DISK_2

    WARNING: You want to make certain that everything is working properly on your new drive before you do this. A good way to verify that your old drive is no longer being used is to try booting your computer once without the old drive connected.
    – You can add another new drive to your computer instead of erasing your old one if you prefer.


  13. Create new partitions on your old drive to match the ones on your new drive:
    # test -d /sys/firmware/efi/efivars || sgdisk -n 0:0:+1MiB -t 0:ef02 -c 0:grub_2 $MY_DISK_2
    # sgdisk -n 0:0:+1GiB -t 0:ea00 -c 0:boot_2 $MY_DISK_2
    # sgdisk -n 0:0:+4GiB -t 0:fd00 -c 0:swap_2 $MY_DISK_2
    # sgdisk -n 0:0:0 -t 0:fd00 -c 0:root_2 $MY_DISK_2

    – It is important that the partitions match in size and type. I prefer to use the parted command to display the partition table because it supports setting the display unit:

    # parted /dev/sda unit MiB print
    # parted /dev/sdb unit MiB print

  14. Use mdadm to add the new partitions to the RAID devices:
    # mdadm --manage /dev/md/boot --add /dev/disk/by-partlabel/boot_2
    # mdadm --manage /dev/md/swap --add /dev/disk/by-partlabel/swap_2
    # mdadm --manage /dev/md/root --add /dev/disk/by-partlabel/root_2

  15. Install the boot loader on your old drive:
    # test -d /sys/firmware/efi/efivars || grub2-install "$MY_DISK_2"
    # test -d /sys/firmware/efi/efivars && efibootmgr -c -d "$MY_DISK_2" -p 1 -l "$(find /boot -name shimx64.efi -printf "/%P\n" -quit | sed 's!/!\\!g')" -L "Fedora RAID Disk 2"

  16. Use mdadm to test that email notifications are working:
    # mdadm --monitor --scan --oneshot --test

As soon as your drives have finished synchronizing, you should be able to select either drive when restarting your computer and you will receive the same live-mirrored operating system. If either drive fails, mdmonitor will send an email notification. Recovering from a drive failure is now simply a matter of swapping out the bad drive with a new one and running a few sgdisk and mdadm commands to re-create the mirrors (steps 13 through 15). You will no longer have to worry about losing any data if a drive fails!
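
Before relying on either drive alone, you can confirm that every array has both members and has finished synchronizing. The following shell sketch is an added example, not part of the original guide: it summarizes /proc/mdstat as one line per array (clean, degraded, or rebuilding with a percentage). The function names are hypothetical, and the sample mdstat text, including the md125 to md127 device names, is constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize RAID1 state from /proc/mdstat.
# On a live system: mdstat_summary < /proc/mdstat

# Constructed sample: one array still missing a member (created with
# "missing"), one fully mirrored, and one rebuilding after --add.
sample_mdstat() {
cat <<'EOF'
Personalities : [raid1]
md125 : active raid1 sdb2[0]
      1047488 blocks super 1.0 [2/1] [U_]

md126 : active raid1 sda4[2] sdb4[0]
      239409152 blocks super 1.0 [2/2] [UU]
      bitmap: 1/2 pages [4KB], 65536KB chunk

md127 : active raid1 sda3[2] sdb3[0]
      4193216 blocks super 1.0 [2/1] [U_]
      [=>...................]  recovery =  8.5% (357120/4193216) finish=0.3min speed=178560K/sec

unused devices: <none>
EOF
}

# Read mdstat text on stdin and print "<array> <state>" per array.
# [n/m] is configured members / working members; n != m means degraded.
mdstat_summary() {
    awk '
    function emit() { if (name != "") print name, state }
    /^md[^ ]* :/ { emit(); name = $1; state = "unknown"; next }
    name != "" && match($0, /\[[0-9]+\/[0-9]+\]/) {
        split(substr($0, RSTART + 1, RLENGTH - 2), n, "/")
        state = (n[1] == n[2]) ? "clean" : "degraded"
        next
    }
    name != "" && /(recovery|resync) *=/ {
        # A rebuild is in progress; report its percentage instead.
        for (i = 1; i <= NF; i++)
            if ($i ~ /%$/) state = "rebuilding:" $i
    }
    END { emit() }
    '
}

# Succeed only when no array is degraded, rebuilding, or unknown.
mirrors_in_sync() {
    ! mdstat_summary | grep -qv ' clean$'
}

sample_mdstat | mdstat_summary
sample_mdstat | mirrors_in_sync || echo "not in sync yet: keep both drives connected"
```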

Video Demonstrations

Converting a UEFI PC to RAID1
Converting a BIOS PC to RAID1
  • TIP: Set the quality to 720p on the above videos for best viewing.

Thursday, 02 May

Wednesday, 01 May

18:00

Introducing Bento [Yelp Engineering and Product Blog]

Today we’re proud to introduce Bento, an open source framework for building modularized Android user interfaces, created here at Yelp. Over the past year, we’ve seen great developer productivity gains and product design flexibility from using Bento on our most critical screens. In this post we’ll explain a bit about how Bento works, why you might want to use it, and where we want to go next. What is Bento? We named this framework after the wonderfully compartmentalized Japanese lunch container. A Bento box is a container with dividers to separate different food items from each other. If you squint...

10:28

Tips for a Successful *aaS [@misterdorm]

This is a more detailed write-up of a lightning talk I gave at the Open Infrastructure Summit in 2019. Slides are available here, and the video here. (See also the related talk, “Don’t Repeat Our Mistakes: Lessons Learned from Running Go Daddy’s Private Cloud“) Currently I work on the TechOps team at Twilio SendGrid, which


02:00

3 apps to manage personal finances in Fedora [Fedora Magazine]

There are numerous services available on the web for managing your personal finances. Although they may be convenient, they also often mean leaving your most valuable personal data with a company you can’t monitor. Some people are comfortable with this level of trust.

Whether you are or not, you might be interested in an app you can maintain on your own system. This means your data never has to leave your own computer if you don’t want. One of these three apps might be what you’re looking for.

HomeBank

HomeBank is a fully featured way to manage multiple accounts. It’s easy to set up and keep updated. It has multiple ways to categorize and graph income and liabilities so you can see where your money goes. It’s available through the official Fedora repositories.

A simple account set up in HomeBank with a few transactions.

To install HomeBank, open the Software app, search for HomeBank, and select the app. Then click Install to add it to your system. HomeBank is also available via a Flatpak.

KMyMoney

The KMyMoney app is a mature app that has been around for a long while. It has a robust set of features to help you manage multiple accounts, including assets, liabilities, taxes, and more. KMyMoney includes a full set of tools for managing investments and making forecasts. It also sports a huge set of reports for seeing how your money is doing.

A subset of the many reports available in KMyMoney.

To install, use a software center app, or use the command line:

$ sudo dnf install kmymoney

GnuCash

One of the most venerable free GUI apps for personal finance is GnuCash. GnuCash is not just for personal finances. It also has functions for managing income, assets, and liabilities for a business. That doesn’t mean you can’t use it for managing just your own accounts. Check out the online tutorial and guide to get started.

Checking account records shown in GnuCash.

Open the Software app, search for GnuCash, and select the app. Then click Install to add it to your system. Or use dnf install as above to install the gnucash package.

It’s now available via Flathub which makes installation easy. If you don’t have Flathub support, check out this article on the Fedora Magazine for how to use it. Then you can also use the flatpak install GnuCash command with a terminal.


Photo by Fabian Blank on Unsplash.

Tuesday, 30 April