It's been a while. And to be honest, I'm overdue with a few things that I want to get out. One of those things is … Brazil doesn't let me go. I'm watching this country since over a year now, hopefully understandable with the political changes last year and this year's debconf being there, and I promise to go into more details with that in the future because there is more and more to it …
Because one of those things that showed me that Brazil doesn't want to let me go was stumbling upon this artist. They were shared by some friends, and I instantly fell for them. This is about Oxa, but see for yourself:
Toy: Their first performance at the show »The Voice of Germany«, where they also stated that they are non-binary. And the song is lovely.
Born This Way: With this one, the spoken word interlude gave me goosebumps and I'm astonished that this was possible to get into the show. Big respect!
I'm Still Standing: The lyrics in this song are also just as powerful as the other chosen ones. Extremely fine selection!
I'm absolute in love with the person on so many levels–and yes, they are from Brazil originally. Multo brigado, Brazil!
This week we’ve been talking to the BBC about Thinkpads and Ubuntu goes Pro. We round up the news from the Ubuntu community and discuss our picks from the wider tech news.
It’s Season 12 Episode 35 of the Ubuntu Podcast! Alan Pope and Martin Wimpress are connected and speaking to your brain.
The linux-aws 4.15 based kernel, which is the default kernel in the Ubuntu 18.04 LTS AMIs, is moving to a rolling kernel model.
Why is this changing?
The Ubuntu rolling kernel model provides the latest upstream bug fixes and performance improvements around task scheduling, I/O scheduling, networking, hypervisor guests and containers to our users. Canonical has been following this model in other cloud environments for some time now, and have found it to be an excellent way to deliver these benefits while continuing to provide LTS level stability.
What is the rolling kernel model?
A rolling kernel model transitions the default linux-aws kernel from one base version to the next as part of its regular patching cycle. That new kernel is the kernel of the latest interim Ubuntu release. Applying this model directly to 18.04 today, the linux-aws kernel is a 4.15 based kernel and when we roll, it will become a 5.0 based kernel which was part of our 19.04 interim release.
Today that 5.0 kernel is currently available for preview as the linux-aws-edge kernel, which we encourage all users to run with their workloads in non-production deployments. It is important to keep in mind that both the -edge kernels and the rolling release kernels are fully baked prior to being made available for our customers to use and meet exactly the same quality and durability standards all our kernels must meet for release.
When the linux-aws kernel rolls forward, a user would see this change in 1 of 2 ways, 1) launching the latest AMI would have the newer kernel, and 2) users applying packaging updates, or via automatic security updates, will also see the newer kernel.
How do I prepare for the “roll”?
To install the 5.0 linux-aws-edge kernel, which is currently available for customer testing today please follow these short instructions using a terminal window:
Note that the instance is running the standard linux-aws kernel (v4.15.0):
If you do not want to roll to a new kernel but instead stay on the 4.15 based kernel (which will continue to get full support and updates for the length of the LTS) just type the following instructions into a terminal window ssh’d into your instance:
November, for robotics, was a good month. We’re seeing new things develop, current projects finish and more cute animals in our future. So who can complain? The news we’re covering here are things that have crossed our path and that we’ve found interesting. If you have suggestions for next months post or your own projects you would like us to highlight, don’t hesitate to get in touch. Send an email and a brief summary to robotics.community@canonical.com and we can start the discussion. As ever we want this to be a highlight reel for cool robot stuff because we like cool robot stuff. Happy December everyone.
Create your first robot with snaps and Ubuntu Core
Kyle Fazzari from the Ubuntu Robotics team recently wrapped up a series of blog/video tutorials to get you started with ROS on Ubuntu Core. The 5-part series makes use of an inexpensive robot and the CamJam EduKit #3, so that anyone can do it! You can find more info and all video links here, on ROS Discourse. (Psst. Christmas is around the corner if you know what I mean 😉 ).
ROS 2 Eloquent Elusor is officially released!
Read the announcement in all its glory. As always, you can order a t-shirt, hoodie, or (new this year) a pair of socks with the release logo. As the old saying goes, keep your Elusor eloquent, and your feet warm.
Researchers target LiDAR to spoof obstacles
It’s nice to have a reminder every once in a while, that security in robotics isn’t just about keeping intruders out of your robot’s systems, but also about making sure your sensor data is valid. Researchers from the University of Michigan have published an interesting paper and a video where they target an autonomous car’s LiDAR system.
ROS 2 Crystal Clemmys reaches end-of-life
The Crystal release of ROS 2 reaches end-of-life this month (December). If you’re still using it, it’s time to upgrade at least to Dashing (the LTS release, supported for the standard support period of Ubuntu Bionic, until May 2021). And while we are talking about release end-of-life, have you seen the ROS Clock? There is still time though, the clock measures time in days so it might seem soon, but who knows what will happen between then and now…
DSM source code is out!
Direct Sparse Mapping, or DSM, is a novel direct approach to monocular SLAM. Unlike the many other direct sparse algorithms that were released in years past, DSM detects and handles map point re-observations to ensure consistent global maps and odometry correction. The paper detailing DSM is available on Arxiv, and its source code on GitHub.
ROS 2 F Name Revealed
The next ROS 2 release has an official name “Foxy Fitzroy”! After a long, open suggestion period on Discourse, where you can see heaps of possibles, the name was settled. Look forward to the cute logos next year! 🦊🐢
ROS Discourse Glamour Shots
In October (I know I know, this is about November, but I only just found it) Katherine Scott created a new topic on the ROS discourse titled “Semi-regular Glamour Shots Thread”. The topic came out of a discussion about wanting a place to share videos, images and just generally interesting visuals of robotics projects that folks in the community are working on. If this manages to get some traction, then it might become a regular feature in this very series. Head over and take a look at what people shared in October.
ROS-Industrial
The last event of the year for the Ubuntu robotics team is ROS-Industrial. An event dedicated to discussing the benefits of shared, open-source frameworks for industrial robotics. Fraunhofer IPA will host the event, held in Stuttgart, Germany, with attendees from all over the world discussing all types of things, from agriculture to autonomous driving and from security to DDS. Speakers from all around the industrial space will be recorded for your viewing pleasure. If you’re reading this pre-December 12th, have a look on twitter for the hashtag #RCIEU for the blow by blow news, or if you’re reading this post-December 12th you can search for another blog discussing the event and our observations in their entirety.
The Ubuntu Robotics team on the ROS Developers Podcast
The ROS Developers Podcast is a podcast which primarily targets an audience of ROS developers and enthusiasts. It is home to many great interviews, and is a valuable source of information where you can find a variety of discussions from ROS experts. Ricardo Tellez, CEO of The Construct, who hosts the show kindly invited a couple of our team for an interview between coffees at ROSCon 2019.
Grab a coffee, a cookie and head to the Construct website to listen to the interview.
Outro
It was November. Robotics was done in November. And that’s good. But now November is again just the month before December. So naturally, the Ubuntu robotics team have been thinking about how our next blog, given the holidays, will work. At the moment we’re thinking a kind of Christmas special. With less technical aspects and more flashy robotics projects from all over the internet. We would discuss how they were done, if or how they could be done with ROS and if or how they could be done with Ubuntu. Anyhow. Send us projects and ideas for next month that you want us to talk about or consider and we can discuss more personally. Send to robotics.community@canonical.com
Every few months we release a Snapcraft update, with improvements to both Linux development, and snap user experience. Last week, we released Snapcraft 3.9, and this blog post will focus on the remote build feature that is now a fully accessible preview.
Let’s dig deeper into why you need to try remote build, and how you can use it today.
Manage less, develop more
Remote build decreases the number of hardware toolchains you have to manage as part of linux development, by allowing access to Ubuntu’s infrastructure when building a snap. Instead of cross-building, emulating an architecture you do not own, or running a Raspberry Pi ragged, now you can use our infrastructure that is designed to be a build-farm and fully supported by our IS team.
Don’t try this at home, use our servers instead
Still need a reason to try this out? Consider the local compute freed up, as your build runs remotely. Imagine all the time freed up, building on multiple architectures in parallel. We’re looking forward to the next snap you make, given all the extra time you’ll have on your hands.
Simplifying linux development
With support for arm64 and armhf, all the way to i386 and ppc64el, there’s a variety of architectures that can be built on and tested. Check out the remote build documentation to see a list of all architectures covered.
To get started, you can either add the build architecture in the snapcraft.yaml file and execute:
When you execute remote build, your local project will be transferred to a remote build server and become publicly available. Also, if you do not define a build architecture in snapcraft.yaml or at the command line, amd64 will be used as the default.
Finally, to check the status of the build, execute:
$ snapcraft remote-build --status
Expect a series of tutorials on our YouTube page soon.
How else did Linux development get better in Snapcraft 3.9?
For users who want the latest Qt5 and KDE Framework libraries, and snap desktop applications that use them, the KDE Neon extension is now available in the stable release of Snapcraft. If you want to develop a snap for KDE Neon, this extension makes it easier than ever. It comes off the back of the work we did on the Gnome 3.28 extension in recent months.
Error messages have also been improved and now provide information on what went wrong, why it went wrong and how to fix. While we don’t recommend triggering an error just to check this out, the next time it happens, we hope you’ll be pleasantly surprised.
Check out the full release notes for detailed information on all of the above, and more.
What to do next? Jump right into Snapcraft, check out our latest featured apps, or this blog post to get to know what we are excited about.
The mirror is now added to the download pages and you can select the Hungarian mirror repository from the SolydXK System Settings application, repositories tab.
You can also add the following line manually to the /etc/sources.list file:
deb http://quantum-mirror.hu/mirrors/pub/solydxk/repository solydxk-10 main upstream import
MAAS (metal as a service), is a Canonical product which allows for very fast server provisioning and data centre management. Around 2014, work began to build a rich UI for MAAS, primarily using the AngularJS JavaScript framework from Google. AngularJS today is in long term support (LTS) and due to reach end-of-life in 2021. This year we began the work of transitioning away from AngularJS in anticipation of this impending EOL to more contemporary tooling.
Evaluating Angular vs React
Google’s recommended upgrade path for applications built in AngularJS is to transition to the Angular framework. Despite the similarity in naming, Angular is very different from AngularJS architecturally, and the migration process is non-trivial. While components (allowing for the now ubiquitous uni-directional data architectural pattern) were later backported from Angular to AngularJS, most of MAAS UI predated this and consequently migration to Angular would require significant app-wide refactoring.
Since the inception of the MAAS UI, a number of other products had been built at Canonical using React. As we had developed significant experience using React, and tooling in the surrounding ecosystem, ultimately it made more sense to invest in transitioning the MAAS UI to React rather than Angular. This choice conferred additional benefits, such as standardising our build and testing infrastructure, and allows for component reuse across products. We also just generally enjoy working with React, and feel that the most significant developments in web UI technology are happening within the React ecosystem (hooks, concurrent mode, suspense, CRA).
Migrating to React
A number of potential approaches were considered for the migration, big-bang, in-situ and hybrid.
Big Bang
As delightful as it is to work on a greenfields project, rewriting the entirety of the MAAS UI, particularly while still delivering features and bugfixes for our supported product in one go, was simply not feasible.
In-situ
An in-situ migration would involve rendering new react components within the existing AngularJS code, using a library such as react2angular. While this may initially feel like the path of least resistance, it presents essentially the same issue as migrating to Angular – requiring that the AngularJS code is architecturally aligned with React, using uni-directional data flow and components. Significant refactoring to a codebase that we ultimately intended to replace, felt like a questionable use of time.
Hybrid
We eventually settled on a hybrid approach to migration, which involved creating an entirely new react-redux application, initially implementing a portion of the MAAS UI (settings and preferences in MAAS 2.7), and routing between the legacy and react app from Django.
UI Codebase Separation
As part of the work to transition to a hybrid application, we took the opportunity to separate the MAAS UI codebase from MAAS core. While this work shouldn’t be obvious to users of MAAS, it has provided a number of benefits to our development teams that will help us continue to build a great product. We also took the opportunity to make UX improvements to the Settings & Preferences experience as we migrated to React.
Benefits
Separation of the UI codebase from MAAS core has provided a number of benefits:
Better separation of concerns – MAAS core now exclusively provides APIs.
Faster tests – MAAS core CI is now faster.
Fit for purpose – build and configuration tooling can be better tailored to the needs of each project.
Team agility – more flexibility for both the UI and Core engineering teams.
Easier QA – designers are now able to point their development UI at a persistent MAAS server, rather than setting up and configuring MAAS on their own hardware.
Designers can now point their maas-ui at a remote MAAS.
Process
Before (Single repo – UI in AngularJS & Django) ⟶ After (Multiple Repos maas-ui, maas-core – UI in Angularjs & React)
The AngularJS UI was migrated from the MAAS core codebase, to a project called legacy in the maas-ui repository.
The maas-ui repository uses yarn’s implementation of monorepos, yarn workspaces, allowing us host multiple yarn projects within the same git repository with shared dependencies.
A new react application was bootstrapped using Create React App in a project simply called ui. The new ui project is a React 16 app, built exclusively on the hooks API, redux (with immer) and redux-sagas.
A third project, shared, contains components common to both legacy and ui (e.g. header, footer components).
Development Proxying
While routing between both legacy (AngularJS) and ui (React) apps is simply handled by Django in production, in development we needed a way to work on both projects seamlessly. We created a simple proxying server, using ExpressJS and http-proxy-middleware to route requests between both the legacy and ui apps. The server also correctly proxies requests to the webpack devserver to support reloading for both projects, preserving the nice developer experience we would have for a single project.
Into the Future
From MAAS 2.7 onwards, new UI features in MAAS will be developed exclusively in React. We now have an excellent foundation on which to continue delivering UX and performance improvements to our MAAS users.
If working on products like MAAS interests you, we’re currently looking for UX Designers to join our team, and may be looking for frontend engineers in the near future.
Neste “Episódio 67 – PicoHoHoHo” estivemos novamente em dupla, com actualizações sobre os trabalhos da Comunidade UBPorts, PicoCMS um poderoso CMS, voltaram também as impressões 3D, enfim… mais 1 semana normal.
Este episódio foi produzido e editado por Alexandre Carrapiço (Thunderclaws Studios – captação, produção, edição, mistura e masterização de som) contacto: thunderclawstudiosPT–arroba–gmail.com.
Podem apoiar o podcast usando os links de afiliados do Humble Bundle, porque ao usarem esses links para fazer uma compra, uma parte do valor que pagam reverte a favor do Podcast Ubuntu Portugal
E podem obter tudo isso com 15 dólares ou diferentes partes dependendo de pagarem 1, ou 8.
Achamos que isto vale bem mais do que 15 dólares, pelo que se puderem paguem mais um pouco mais visto que têm a opção de pagar o quanto quiserem.
Se estiverem interessados em outros bundles se acrescentarem no fim do link para qualquer bundle: ?partner=pup (da mesma forma como no link da sugestão) e vão estar também a apoiar-nos.
Atribuição e licenças
A música do genérico é: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, por Alpha Hydrae e está licenciada nos termos da [CC0 1.0 Universal License](https://creativecommons.org/publicdomain/zero/1.0/).
We have to keep in mind that if a DNS lookup is slow, the
entire internet feels sluggish. Slow DNS = Slow internet.
Right now my current domestic broadband provider is providing
inconsistent service as it is. Having requests to a variety of
known-good sites mysteriously timeout and crash is not unheard of.
Having sites become mysteriously inaccessible is not unheard of
either. I’m not living anywhere drastic either as this is just
northeast Ohio about fifty miles outside Cleveland. It should not
provide me with a performance boost when I disable this
feature in Firefox.
Unfortunately I get such a performance boost. I don’t think it
is something wrong with my machine or my in-house LAN. I’ve looked
at the maps of the concept and frankly there are spots where this
paradigm breaks down hard if viewed from a Red Team
perspective.
I’ve looked at the lack of competition in my local area on the
FCC broadband deployment
map. I’ve even considered dumping the current provider for
somebody else. Unfortunately I don’t really have a choice beyond my
current provider’s random loss of packets, disappearances of known
active sites, and generally horrible maintenance of inherited rural
legacy infrastructure that they probably aren’t making much revenue
from.
Looking at traceroute output like this is getting unreal…
The Free Software Foundation (FSF), like Purism believe in promoting worldwide user freedoms. The FSF have been championing people’s software freedom rights for 34 years and have created the guidelines and compliance that most of the free software world relies on. This is why we are so proud that our operating system, PureOS, has previously been certified by the FSF and now, our Librem 5 smartphone, has been added to their Ethical Tech Gift Giving guide. The FSF had this to say about why the Librem 5 is on their guide:
Although it won’t be released until Q2 2020, this phone is one to keep an eye on. We’re giving it a tentative recommendation because the company has publicly committed to doing the right things for prioritizing user freedom and privacy, and because we have evaluated and endorsed the operating system it will run.
The Ethical Tech Gift Giving guide is a list of gifts approved by the FSF for our loved ones this festive season. It prioritizes devices that respect the freedoms of our friends and families over the latest gadget from Facebook, Amazon, Apple, Google, and countless other companies because “freedom is the gift that keeps on giving”. Big Tech require our complete trust in their proprietary exploitative systems, whether using a free email account, buying a heavily subsidized phone or tablet and even using a search engine. We pay for them by giving up the freedom over our lives and give them control to exploit us and our loved ones to increase shareholder value.
The Librem 5, and all of Purism’s products and services, put people’s freedoms first. It is not an easy task, because Big Tech has tight control on so much of our world, but we are growing to create a better future. In some areas we are advancing on low-level freedoms and with the Librem 5 we are boldly marching forward to challenge a multi-trillion-dollar duopoly.
When you pre-order a Librem 5 today what you get is the peace of mind that you or your loved ones won’t be exploited or manipulated for profit and power. Putting your trust in us does not require you to give up any freedoms. In fact, your trust can be verified because the software and hardware of the Librem 5 are open and auditable. We don’t subsidize the cost of our hardware by selling your data or locking you in, you aren’t paying part of the cost with your privacy and your freedom.
Discover the Librem 5
Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the-people stand up for our digital rights, where we place the control of your data and your family’s data back where it belongs: in your own hands.
Sparky Bonsai is a GNU/Linux distribution based on Debian/Sparkylinux in a portable form. Taking advantage of the experience of portable distros such as Slax, Porteus, Puppy and DebianDog, we made a remix of our favor Debian-based distro SparkyLinux. The idea was to make a portable version of the linux distro having already installed at home, in cases we can’t, don’t need or wish to install it properly…
…Sparky Bonsai lives in a USB flash 4GB minimum and run with 512 MB of RAM on x86 processors. At the moment it’s only available in 64bit version. It fits on a DVD or CD optical disk and runs in ext2/3/4, fat32, xfs, exFAT file systems. In order to load it to RAM, 1GB is recommended.
It is a minimal Debian Buster file system using Debian linux kernel v. 4.19.0.6 with the BusterDog’s modules for porteus boot, live-boot-3x and aufs support. Kernel updates are not available the way they are on a properly installed linux system. As you may know, BusterDog uses the Antix Linux init system. Sparky Bonsai uses systemd as pure Debian and Sparky Linux. If you don’t wish to use systemd, check the BusterDog (based on Antix) or Beowolf (based on Devuan).
Sparky Bonsai use PCmanFM as file/desktop manager and JWM as windows manager. JWM’s menu construction is based on xdgmenumaker. It comes with Pale Moon as the default web browser, Mousepad as the default text editor and LXterminal as default terminal emulator. All DebianDog’s module and remaster scripts are included as well.
Synaptic package manager is present and you can install all Debian and Sparkylinux packages. The BusterDog’s repository is inactive because of some Antix packets incompatible with Debian. You can use some packets if you’re sure they are compatible but DONT update your system with this repository enabled…
Targeting the web platform is increasingly complex. Tim McNamara, Developer Advocate in the Juju team at Canonical, recently interviewed Marc André Audet, Security Expert at Absolunet to discuss how Juju charms can be used for web application development. In the interview, you’ll learn about how to use Juju for web apps.
Tim: How do you find working with Juju for working the web? Would you recommend it for other agencies?
Marc: It might be overkill to develop custom charms for a single website. But if you are a business that makes websites, Juju is great.
I’ve done it for our client’s websites that all have the exact same structure and it’s worked very well. We can spin up a custom proof of concept for a sales pitch with almost no effort.
The best thing about Juju is that it is very flexible. It is easy to look for existing charms in the charm store and you adapt them to your needs.
That’s great to hear. How big is your team?
I’m alone in my team that works on Juju charms. I’ve built about 15 custom charms in order to make everything work. Magento sites represent at least half of our eCommerce projects and integrations, though I have also adapted the code to support WordPress and others.
Has your work paid off for you and your team?
Absolutely. Right now we have 2 clients in production using Juju, but we have spun up many sites for development, testing and sales purposes.
I’ve automated everything so much that we only have to deploy a bundle and we get a ready-to-use environment from scratch in under 20 minutes on the AWS cloud. And for any version of Magento. As long as Magento retains backwards compatibility, no changes are needed.
In the near future, we have plans to make it possible for anyone to spin up a new site with a single click, regardless of the intended use. With this, we expect to see an important increase in Juju usage and adoption at Absolunet.
Your colleagues must think that you have superpowers.
The developers are mostly enthusiastic about the project, other times I get “it should be faster”. The sales team is very happy with it though, because I’m able to setup a demonstration sandbox for every prospect now, rather than have two or three generic demo sites that they share across the team.
I don’t remember seeing Magento in the charm store. Did you write the charm yourself?
Yes, but I have actually made charms for several upstream applications.
The web frameworks we support are all charmed: Magento 1, Magento 2 and WordPress. They all operate behind NGINX as a base layer.
Databases, including MariaDB and Redis. My MariaDB charm includes the ability to create a Galera Cluster when needed. We can also deploy Redis Sentinel behind HAproxy with no effort.
HAproxy with support for HTTP & HTTPS, MySQL and Redis Sentinel. The HAproxy charm has 2 failover modes. The first mode connect to the nearest backend server and uses the others as a round-robin backup. The second failover mode is simply a round-robin—or least-connections—load balancer depending on which integration we want to support. For example, Redis doesn’t offer a choice because it’s a single-master setup.
We have a subordinate charm that can install PHP 5.6, 7.0, 7.1, 7.2, or 7.3 when needed. I support the use of multiple PHP versions for each of the web charms. We can have Magento instances on any PHP version, or even multiple PHP versions. With Juju, we have complete flexibility about which PHP version to use.
We manage our GlusterFS cluster with charms. We use Juju actions heavily here.
To connect our web charms to the file system, we use a subordinate charm as a “mount point”. The web charms all create their structures automatically based on the directory communicated from the subordinate charm. It sets up the mounts that are required and sends the mounted directory to its principal. The principal charm is then able to create its directory structure as required.
Interesting. Very impressive! So, that’s quite a lot of custom work.
Thanks. The reason why I used custom charms all the way is because there were some slight gaps in the public charms at the time. Plus I really wanted to learn how things work.
I’ve written all that in a bit less than a year—part time, I technically work in cybersecurity—what took most of my time was reducing complexity.
Now I can create a fully-featured charm in less than half a day if I use the “framework” I’ve built (over the reactive charming one). The only exceptions being clustered charms where it might take me about a week depending on the complexity.
Tell me more about how have you extended reactive.
Well, I’ve been using reactive for some time. I have added a layer on top of it to simplify it and clean the resulting code a bit by allowing maximum re-usability.
Basically, I have separated the logic parts into “actions” that are being called from the reactive parts. Therefore I can create lists of actions to execute for particular events which allows me to simplify the reactive parts.
Let me take you back to the idea of using subordinate charms for multiple versions of PHP. I haven’t heard of that before. Did you think of it yourself?
I thought of it myself. Most other charms that I saw integrated PHP directly in the charm, but I was required to work in an environment that uses many different versions of PHP.
I thought about subordinates because it would give me a lot more flexibility in terms of maintenance and would allow me to completely separate the automation code and provide a better service-level isolation.
The fact that we can install multiple versions at the same time is a consequence of this isolation and was actually a requirement for more legacy systems, so it ended up being extremely useful.
In terms of GlusterFS, it’s in order to manage the charm-local part of the mount and allows me to write more connectors in the future. Even if it could be integrated within the charms, I prefer to support services separately.
That all makes sense. It sounds like the Juju architecture has enabled you to tailor Juju to do exactly what you want.
Yes, more or less. I usually will create a base layer that includes all the actions and one or more charm layers that will use that base layer that will override some actions to change how it works.
I have a three layer structure.
Base layers. They all include one “master” base layer and provide the basis for MariaDB, Redis, NGINX, PHP-based web platforms and Node.js-based web platforms.
In the middle are “Integration Layers”. They provide tools to integrate other charms or to add new features. For example I have a Sendmail integration layer that automatically installs sendmail and configures it for Amazon SES if the configuration enables it. I have another one for periodic task management. It manages cron and the /etc/cron.d directory. The charm can accept files from the user via the attach-resource command. When a new file is detected, the integration charm installs to /etc/cron.d.
Charm layers sit on top. They pull everything together to complete the application.
This three layer structure means that I have less maintenance to do for charms like MariaDB and Galera MariaDB or Redis and Redis with Sentinel. The structure allows me to quickly create variants and reuse most of the code.
It also keeps the code a lot cleaner since there are only the Galera or Sentinel-specific code for the charm layers. I also have a few “global” actions that I usually use everywhere, so I only have to change it once in a base layer for it to apply to all my charms.
How do you recommend other developers get started with charming?
I would suggest getting started with a very simple charm written without frameworks and then move on to something like the reactive framework.
Writing a simple charm that responds to hooks makes it much easier to learn what Juju is doing. The documentation for getting started is very complete. Once you have written a few charms, you’ll find patterns.
I extended reactive mainly because I have logical paths that cross. It became very hard to manage using flags only. Doable of course, but not that clean.
What comes next?
A common problem to solve is managing configuration settings. Juju allows users to update configuration dynamically. So your charms will need to support this.
I use a “only change what you have to change” model by verifying the current state at all times before doing an action and correcting the situation. I usually end up just deleting whole configuration directories and rewriting them using templates and files. My charms make use of Jinja2 templates.
Relations are a very important concept to learn. Information comes from other applications. That information can be used to update your application’s current settings. So in effect, the whole system can configure itself.
I have also made good use of Juju’s attach-resource feature to increase automation. I use it as the entry point for artifacts like source code. If the charm detects a change in the “code” resource, then we run a synchronized deployment. I have also made good use of Juju’s attach-resource feature to increase automation. I use it as the entry point for artifacts like source code. If the charm detects a change in the “code” resource, then we run a synchronized deployment.
Applications with multiple units—what I call “clustered charms”—are complicated. I’ve introduced the idea of a “cluster state” into my charms. Deployments are synchronized by using cluster states—managed under the hood by Juju interfaces—and can only switch to the next state if every cluster members are at their state or higher. This way all units can all go into maintenance mode, apply database modifications and remove maintenance mode all at the same time.
Database modifications are only run on the leader unit, the other units only wait on the leader. I also have error detection where if the leader breaks and changes to a new node during deployment, then the new leader will execute the code, but not the previous leader.
These are great lessons. It sounds like you have really enjoyed writing your framework.
It’s been fun. I’m planning on adding new features next year and start doing more production environments. I see Juju as an opportunity to remove root access to the servers. I won’t sleep well at night until the day no devs have root access to production!
Speaking seriously though – there should be no need to provide root access to production servers. Charms actions for common operations. If needed, tools like “juju scp” and “juju run” can be used so that developers can still run arbitrary commands if they need to.
I’m also planning on open-sourcing some parts of it and sending patches to add more features to currently existing interfaces next year. As time allows, I’ll try to integrate with the ecosystem a bit more. It will depend a lot on my planning, but I’m getting a devops engineer in my team, we’ll see how that goes.
Speaking from a security perspective, are you happy with Juju? Can you see anything that needs hardening from its defaults?
The thing I would personally love to see would be SSO integration directly on the controller. I imitate that through a synchronisation script that I have created. The script works with Okta and Juju to take public keys from Okta and install them on the right models. It also creates users with a register command and sends them an email so that they can get started. Anyway I think that SSO would be something most companies like to see support for.
That’s a great recommendation. And well done! You’ve answered all the questions I have. Thanks for your time, Marc.
No trouble at all. Thank you, Tim. And thanks to the Juju team!
Marc André Audet is an Information Security Expert at Absolunet, where he uses DevOps tools to help protect information assets. He’s been coding since age 11 and knows more about GDPR than he ever thought he would.
Absolunet is a North-American eCommerce agency who works with retailers, brands and distributors on their digital transformations – helping them bridge the gap between how they sell and how their customers buy and expect to interact. Their back of house IT operations make use of Juju.
Juju is an open source application modelling tool, developed and maintained by Canonical. Its primary focus is to simplify deployments and operations of complex software stacks by providing a model-driven, declarative framework that cooperates nicely with other devops tools. Juju is an open source application modelling tool, developed and maintained by Canonical. Its primary focus is to simplify deployments and operations of complex software stacks by providing a model-driven, declarative framework.
Announcing the Librem 5 USA–the same freedom, security, and privacy-respecting phone, now with Made in USA electronic fabrication
We continue to enjoy seeing the reactions from customers who have received their Librem 5 units from the Birch batch. Now that Birch is out and we continue to make progress on the Librem 5 (with more updates to come!), we are excited to be able to reveal another important project we have been working on for many months. Purism now offers an important Librem 5 option for our customers that have particular concerns around security and the supply chain.
We are committed to constantly improving the security of our products. One concern we hear repeatedly from our customers is over attacks in the hardware and software supply chain. We have written about the importance of protecting the digital supply chain before, and as we grow we continue to find new opportunities to further strengthen the security of our own supply chain, including most recently by offering the PureBoot Bundle–tamper-evident firmware straight from our facility.
While we continue to improve the security of our Librem laptops, we also recognize that one of the most important computers many people own is their smart phone. This is the device you carry with you everywhere you go and likely has some of your most sensitive and personal data–it’s the device most at risk from a security and privacy standpoint. If there’s any device that should have as secure of a supply chain as possible, it’s a phone. Our experience in making our Librem 5 devkits in the USA and most recently moving Librem Key production to the same US facility has led to today, where we are excited to announce a new USA-produced version of the Librem 5 phone!
“Having a secure auditable US based supply chain including parts procurement, fabrication, testing, assembly, and fulfillment all from within the same facility is the best possible security story.” — Todd Weaver
The Librem 5 USA is similar to our existing Librem 5 on the outside and has the same form factor and specs, but on the inside the PCBA (Printed Circuit Board Assembly) will be fabricated in the same US facility that made our Librem 5 devkits and Librem Key. By moving the supply chain into the same facility complex as our assembly and fulfillment center, we can directly oversee each stage of the production. The Librem 5 USA exists alongside our regular Librem 5 as a premium product for customers who are concerned about the hardware supply chain and want to support us as we expand our own US operations.
Librem 5 PCBA
Since the Librem 5 USA is being made in parallel with the regular Librem 5, we are able to offer this version quickly with shipping starting in Q3 2020 (meaning about a 6 to 9 month lead time from order placement to order delivery). Existing Librem 5 orders can also upgrade to the Librem 5 USA without losing your place in line by using their order number as a coupon code. Pre-order now so you can reserve your place in line! For more information about the Librem 5 USA, check out our product page.
When you build snaps, the process of composing a complete snapcraft.yaml file will usually revolve around three main activities: parts, build requirements and runtime components. Sometimes, you may discover that you’re missing certain libraries in the compilation stage, or that they are required for your application to run. In most cases, you will iterate on your build a few times, and perhaps use our faster development guide to quickly nail down the missing elements.
From snapcraft release 3.7 onward, things have become ever so easier. Now, it is possible to have snapcraft automatically detect and list missing runtime libraries, and allow you to complete your build with fewer errors and in less time.
Missing files detection
The core principle behind the change is that snapcraft will now generate a list of entries you need to include as your stage packages in snapcraft.yaml. This means you will not have to manually run your application, or use ldd to trace the dynamic dependencies, to figure out if any library is missing. This streamlines the user experience, and makes builds more elegant and faster.
For instance, on the command line, you will see something like the output below:
Staging dosbox-x Priming desktop-glib-only Priming fdk-aac Priming nv-codec-headers Priming ffmpeg Priming dosbox-x The 'dosbox-x' part is missing libraries that are not included in the snap or base. They can be satisfied by adding the following entries to the existing stage-packages for this part:
Once the prime step of the build process runs, snapcraft checks for missing entries. The printed message is meaningful, and will be particularly useful to new snapcraft users.
Now, it is possible there might be assets that are not available in the standard repository archives, and you will have to manually download and satisfy the runtime requirements. You can achieve this by using the dump plugin, for instance.
Upcoming versions of snapcraft will have extended missing file detection functionality. Snapcraft will be able to take into account plugs using the content interface, allowing for an ever more streamlined experience.
Summary
Snapcraft has many useful features and options. Sometimes, it can take a little time and practice to discover them, and put them to good use into your snap development. Missing library detection is an essentially simple yet powerful functionality that should make the overall development experience fresher and more efficient.
We hope you appreciate the occasional tip and trick we share here, like the introduction of the KDE neon extension (and GNOME extension), or this guide. If you have any specific asks, or comments, please join our forum and let us know what you think.
Griefers are a hazard of being on any kind of social network, or blog if it has comments enabled. So in Epicyon I've used a few methods to mitigate annoyances.
Big messages
The easiest way for someone to do a denial of service would just be to send a gigantic post. Hundreds of megabytes or larger, and have your server clogged up trying to process it. Most often this kind of problem is mitigated by the web server configuration, but in Epicyon there's also a maximum overall message size of 20K. That includes all the json formatting.
http signatures
This is one of those things which is really a fediverse standard, but isn't in the ActivityPub specification. Combining this with permanent signing keys gives a strong assurance that messages are coming from the account you think they are.
Adversarial instances can try to do blind key rotation and pretend to be someone else, but since public keys are only fetched once they're not going to succeed and messages from accounts doing that will be rejected by the signature check.
Blocklists and federation lists
Usually the most controversial aspect of the fediverse. Fights over who is blocking who are frequent. In Epicyon blocking can be global to the instance and also local to particular accounts. Global blocks override account level ones. Federation lists are the opposite, in which you are choosing to only federate with specified other instances. That can be useful if you wanted to deploy a fediverse-like system in a company or school.
Hellthreads
A hellthread is when someone mentions you in a message containing a very large number of other mentions. In 2016 when I was running GNU Social this happened quite often. Even an upper bound of 20K is room for a lot of mentions. In Epicyon there's a configurable threshold for the maximum number of mentions. Anything above the threshold and the message will be rejected.
Emoji flooding
Similar to hellthread mitigation. An adversary can simply send you posts packed with emoji. So there's a threshold for the maximum number of emoji which a received post can contain.
Follower approvals
This is part of the ActivityPub specification and is optional. Sometimes also called "locked account". Being able to approve the people who are following you can avoid tears later. In Epicyon if follower approval is enabled then you can just select the link to the profile of the request and see if their timeline makes sense. Have they made any recent posts which are interesting? Is their timeline full of chuds using dog whistle catchphrases? Are they being followed by or interacting with spooks or neo-nazis?
Driveby DMs
In Epicyon you can also restrict incoming DMs to only people that you follow. It's a feature blatantly copied from Twitter and is intended to mitigate the driveby griefer problem. If you're not interested in having random chuds from the interwebs send you their latest ALLCAPS hot take about why they are now convinced beyond reasonable doubt that the Earth is flat then this can save you time and disk storage.
The Reply Guy
Constantly replying to a message long after the point at which it made any sense to do so was a common griefer tactic in the past. So in Epicyon there's an upper limit on the number of replies a post can have. The reply guy won't be able to send you his 100th sealioning sermon about why you need to immediately provide him with painstakingly researched evidence for some earlier flippant remark, cited in the peer-reviewed academic journal of their choosing.
Word filtering
If adversaries always use common catchphrases, or if you just have zero interest in certain politicians or celebrities, then these things can be added to the word filter.
Snooze
Maybe someone is not deliberately griefing you but they're just having a bad hair day. You don't want to unfollow or block because they're mostly ok. In this situation you can hit the snooze button and not hear from them again for 24 hours. Their posts won't be deleted, just made invisible for a while, and after the time is up you could go back to see what they were ranting about yesterday if you were thus inclined to do so.
Mute
Mute is something quick and easy you can do to not show the content of an individual post. So if some un-CW'd photo is annoying you then you can quickly remove it from the timeline.
That lead to this analysis paper about everything you ever wanted to know about how the Linux RNG works, its security assumptions and precautions for backward and forward security. Particularly of interest is info on reusing urandom output as a seed on next boot:
2.5 Initialization
herefore, the designer of the Linux PRNG recommends ascript which, at shutdown, generates data from/dev/urandomand saves it in a file, and at startup, writes the saved data to/dev/urandom. This mixes the same data into the blocking and nonblocking pools without increasing their entropy counters.Such a script is provided in the default installation of most Linux distributions. In situations where this procedure is not possible, for example in Live CD systems, the nonblocking random number generator should be used with caution directly after the boot process since it might not contain enough entropy
This is how it is implemented with systemd. Only useful if system had a clean shutdown:
^^ On why seeds are absolutely important to RNG security:
The thing to remember about PRNGs is that they are not random . They are entirely deterministic. If one knows the initial input values and the particular PRNG algorithm, one can determine every single future “random” output value.
In this case, the algorithm is well known. It is after all, published as part of an open source kernel. So the key to randomness is the seed . The level of “randomness” that is provided is unpredictability , from one output to the next. Knowing the algorithm and the previous outputs but not the seed, it is unfeasibly hard to predict what the next random output will be. (This is not a formal nor a complete definition of what it means for a PRNG to be cryptographically secure ; but will do as a limited approximation for the purposes of this answer.)
This is the basic reason for the widely-discussed problems with Linux’s /dev/urandom , which I am just going to gloss over here. At bootstrap, the seed is also well known. The random outputs are all entirely predictable until the PRNG is re-seeded , i.e. supplied with a fresh seed that is unique (or as near as one can get) to that run of that operating system installation, for the first time.
Great info on early boot entropy seeding, especially problematic on amnesic systems. twuewand is a neat workaround that is unfortunately not packaged for Debian but is small enough:
In the meantime until we can convince upstream to disable hwrng trust on boot which they probably won’t accept until the changes by Linus in 5.4 are in the stable kernel, we should try to drown out the untrusted input as much as possible by installing as many entropy solutions as possible.
I’m voting for Owen Thompson and the SNP at the UK election on December 12th. Normally for an election I would look through the manifestos and compare them along with consideration of the candidates and the party leaders to decide. But this election is a single issue election. It was called because the flawed 2016 referendum on EU membership did not ask what people wanted, it asked what they didn’t want (EU citizenship) but because there was no question asking what people did want instead it led to three years of parliament being stuck. The SNP policy is for a double proposal to have a referendum on the UK’s EU membership against the Withdrawal Deal as currently negotiated, and then to have a referendum on Scottish independence. This offers me the best chance to keep my EU citizenship and the freedoms it brings, while offering a good chance to get rid of a corrupt and pointless layer of government.
As I’ve said before all the political parties let us down in 2016 by not effectively campaigning for EU membership and letting the racists and populists win over. They continue to let us down here on those measures. Not one party proposes to ban political advertising online as done with TV despite the well documented populism that gives. Not one seems to have a commitment to reform the rules of election and referendum campaigns to stop the illegal behaviour that Johnson’s Vote Leave campaign used in 2016. And I’ve never heard anyone point out that asking a referendum question which only says what you don’t want and not what you do want instead is a pointless question.
But here’s a quick look at the manifestos anyway.
SNP Good stuff about refendums, no nuclear bombs and critique of why Westminster if broken. The usual vague stuff about ending austerity without defining it and promises for the NHS with no explanation of why that public service deserves them more than every other public service. Various good ideas for things to be devolved like broadcasting or employment law. They do want to fix the voting franchise for UK elections to include non-UK EU citizens and people from age 16. They seem to think the UK government will allow an independence referendum while also de-legitimising the idea that there is no need for anyone to allow Scotland to have a referendum, this is a dangerous stance to take as well as incorrect, no other country considers that it has to ask its neighbour for permission for independence. Climate emergency comes in a bit later in the manifesto than I’d like to see but I suppose there’s not much the SNP can do at the UK level since the right layer of government for this is the EU and Scottish layers. Complying with international law to allow the return of residents of Diego Garcia is pleasingly in there but not on Catalonia. I’ve done door knocking with their candidate Owen Thompson this election who is an experienced politican from local and UK layers and I’m happy to support him.
Labour doesn’t get round to the Brexit question until page 80. The central issue of the election which defines if I will have freedoms and a functional economy in a year’s time and they can’t be arsed to highlight their policy on it. When they do they say they’ll negotiate a hard Brexit (outside the customs union; outside the single market) and then have a referendum on it. This sounds faffy and dislikeable. The leaflet from their candidate said she would campaign to remain and reform but with no suggestion of what they reform would be and there’s nothing about it in this manifesto so I think she’s lying on that point. They support weapons of mass destruction despite the party membership in Scotland voting against them and UK and Scottish leaders campaigning against them, which shows what a mess this organisation is. Lots of interesting stuff about renationalising public services which I think is a strong part of the cause for the party leadership wanting to leave the EU, EU law will mean having to pay full rate for renationalising these industries while outwith the EU they can pay below market rate, but on the whole I’m against cheating the rules of a functional economy, after all this is my pension scheme they’d be cheating. No mention of complying with international law about Diego Garcia or Catalonia. Fixing the voting franchise is in there. Climate emergency is pleasingly put as a headline item.
The Lib Dems have clear constitutional positions which is fine but being against referendum on them is hypocritical. They compare Scottish independence to Brexit, which is nonsense. Climate emergency doesn’t come until half way through. No mention of Diego Garcia or Catalonia. No mention of nuclear bombs. Nothing devolved to Scotland. Pleasingly they do want to fix the undemocratic where we get a prime minister without a vote of parliament or people and they do want to fix the shutting down of parliament. Otherwise largely underwhelming.
The Conservative party is now a radicalised dangerous nationalistic vehicle which support shutting down parliament, corruption of referendums, limiting the voting franchise, blocking the release of reports on foreign interference in voting and ignoring international law. Everyone should vote to stop them from getting power. They will start the Brexit process with the Withdrawal Agreement but still with only a minimal plan for how to implement Brexit, but their lie that this will “get Brexit done” rather than the truth that it is only the start of the process seems to be ignored by the media. Their hard Brexit will put up new borders, shut off supply chains, limit the economy and take away my freedoms. The headline item of course is to stop a referendum on independence which is as hypocritical as it comes. Climate emergency doesn’t seem to feature. There is scary protectionist British nationalism like “When we leave the EU, we will be able to encourage the public sector to ‘Buy British’” which goes against basic economics and shows how far they have fallen from their Margaret Thatcher free-market politices, which as simplitic and damaging as they were, at least were consistent. This party is run by people who ran illegal campaigns in 2016, take power without a vote, ignore international and national law and shut down parliament, they are not democratically accountable, they need to be stopped.
The Greens aren’t standing in my constituency and don’t have a manifesto and because of the voting system won’t get any result except maybe help the SNP lose where they should win so despite being a party member I can’t advocate voting for them. They make the point that the climate emergency is more important than Brexit, but alas the EU is the right layer of government to take the lead on it so EU membership is vital to helping prevent or limit it and the votes this election need to be directed towards that.
So hopefully an SNP win in Scotland (like they have in every election for the last decade) will help them support a Labour government in England to have a referendum (with rules fixed to make it a valid and fair one) on EU membership vs Johnson’s hard brexit proposal and then a referendum on Scottish independence. But it probably won’t be that simple.
One of Purism’s core beliefs is to ensure that to the best of our ability, all new features, fixes, and improvements will be applied to all products, past and present. With that in mind, we’re excited to share with you the many improvements to our coreboot-based firmware over the past few months:
Updated to latest coreboot release (4.11)
Removed the VGA BIOS (VBIOS) blob from all firmware images
Eliminated display flicker from video mode changes at boot
Updated the CPU microcode to help mitigate speculative execution type vulnerabilities
We’ve also been busy improving our tamper-evident PureBoot firmware:
Fixed issue with Qubes VMs failing to run at startup
Fixed issue booting distros using a bootloader spec (BLS) format grub configuration (ie, Fedora 30/31 and derivatives)
Fixed graphical corruption/flicker when booting an OS (may still happen occasionally on the Librem 15v4)
Added automatic detection of boot device
Added a Factory Reset option to automatically reset and configure the TPM, Librem Key, and boot device
Improved error handling and status messages
coreboot 4.11 Update
coreboot 4.11 was mostly a clean-up release, but since we skipped over 4.10 (due to some regressions affecting Skylake/Kabylake platforms) this release effectively includes over a year’s progress on the coreboot codebase. Rather than enumerate all the changes, we’ll just link to the release notes:
One of the biggest additions to coreboot as part of the 4.11 release was the addition of coreboot native graphics init (libgfxinit – a Spark-based ancillary project to coreboot) support for the Broadwell, Skylake, and Kabylake platforms. This allowed us to give the VBIOS the old heave-ho, and replace it with clean, auditable, safe code. Ditching this legacy blob also helped us with the next improvement…
Display Flicker Elimination
One of the biggest issues with the use of the VBIOS to initialize the display was we had no control over what it did. It would init the display in VGA text mode (640×400), switch to a VESA-compatible mode (1280×1024) to show the boot splash, switch back to VGA text mode before booting, and finally switch to the panel native resolution when the OS driver loads. Now, we use a single resolution up until the OS driver loads, and have ensured that the boot splash is the first thing displayed.
CPU Microcode Updates
Shortly after the first speculative execution vulnerabilities were discovered back in early 2018, Intel released microcode updates to help mitigate them, and has continued to do so in the time since. While microcode updates can also be loaded by the OS, the user is best protected when they are done by the system firmware, and applied in conjunction with mitigations at the OS level. To that end, Purism aims to release firmware updates quickly whenever new CPU microcodes are released. Our current 4.11-Purism-1 release (and PureBoot beta-11 release) include the latest microcode for each platform.
Qubes VM Autostart
A problem that had plagued all PureBoot betas to date, this issue was caused by HEADS not correctly passing some command-line arguments to the Xen hypervisor. Qubes 4.1 should now be fully functional on Librem devices running PureBoot, same as those running our standard coreboot/SeaBIOS firmware.
Bootloader Spec Distros
With the release of Fedora 30, a new dynamic format grub.cfg was introduced, which stores boot menu entries in individual files using bootloader spec (BLS) format. Patches were added to the upstream HEADS project to parse these files and allow booting of distros using them.
Display Corruption Elimination
Another long-standing issue had been the corruption of the display (often seen as a brief rainbow flicker) when booting an OS from PureBoot. This was caused by a misconfiguration of IOMMU for the HEADS Linux payload and has now been fixed.
Automatic Boot Device Detection
Until now, HEADS/PureBoot assumed a static default boot device, and if the user’s config differed, required non-trivial intervention to select and save the boot device, update the firmware, reboot, and then re-sign all files in the /boot partition. Now PureBoot will automatically detect the correct /boot device at startup (the user can still change/override if needed). Although a relatively small change, it has a big improvement in user experience, and is one of the many such improvements Purism has contributed to the HEADS project.
Factory Reset Function
On the flip side, the Factory/OEM Reset Function is one of the larger changes Purism has contributed. While the impetus for the change was to streamline setup at the factory, this can be used anytime a clean start is desired and essentially makes the configuration of PureBoot (and HEADS) a 1-click operation. It will reset the TPM, reset your Librem key, generate new GPG keys (and back up to USB), load them into the firmware, configure the boot device, and sign all files in /boot.
Improved Error Handling
We’re continually working to make the PureBoot user experience simpler, easier, and more friendly. One of the ways we do that is to provide error messages, dialogs, etc which give the user a clear understanding of what happened, why it happened, and what action they need to take. The past few PureBoot betas have made significant strides on that front.
On the Horizon
While there aren’t any specific feature of which to speak, we certainly have no intention of slowing down. For instance, PureBoot is currently undergoing an internal UX review and once we have smoothed out some more rough edges in the UI we hope to be announcing the 1.0 release of PureBoot. A big thanks to all our current beta testers who have provided their feedback and ideas.
Purism closes a $2.5m note series, all from inbound investment inquiries.
Purism as a Social Purpose Company (SPC) ensures the rights of humanity by creating products that fully respect people, and that mission has garnered a lot of attention and growth. One of the reasons Purism registered as an SPC was so that we could accept inbound investment without the risk that a toxic investor could force us to violate our values for profit (a common problem in C corporations). As a social purpose company Purism enshrines in its articles of incorporation that we must do what is good for society, therefore avoiding any and all toxic funding by virtue of the strictness of those articles.
Funding growth—in addition to the triple-digit (yes that is over doubling) shipped revenue growth year-over-year since 2014 that Purism has been fortunate to see—can come in many forms, be that inventory financing, lines of credit, investment, and equity financing, to name a few.
“Growth financing through convertible notes is an easy way secure the future of our vision, without compromising our beliefs. Having it come from inbound customers who love what we do is the best possible story.” — Todd Weaver
Convertible notes have a cap and ours has been reached–even if you have more investors who would oversubscribe the note. Like a show that sells out, you can either turn fans away or open a second night. While our growth has nearly entirely come from revenue, we continue to get inbound inquiries from people who believe in what we are doing and who would like to support us with investment. With this convertible note coming to a close yet still having investors who would like to participate, it opens the door to a second note series, so we can continue to invest in larger growth in US operations, and a future that we all can be proud to live in.
Summary
The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious Javascript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the targeted site, making it unavailable:
Figure 1: Simplified diagram of how the Great Cannon operates
The Great Cannon was the subject of intense research after it was used to disrupt access to the website Github.com in 2015. Little has been seen of the Great Cannon since 2015. However, we’ve recently observed new attacks, which are detailed below.
Most recent attacks against LIHKG
The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script that uses...
New premium Ubuntu images with extended security, kernel live patching and more
4th December 2019 – Canonical today announced the availability of Ubuntu Pro images for Amazon Web Services (AWS). Available via AWS Marketplace, covering Ubuntu 14.04 LTS, 16.04 LTS and 18.04 LTS, these new premium images allow enterprises to purchase extended maintenance, broader security coverage, and critical compliance features by simply selecting and running an image on Amazon Elastic Compute Cloud (Amazon EC2) — with no contract required.
The new Ubuntu Pro images include all the optimisations in the standard Ubuntu Amazon Machine Images (Amazon AMIs), which Canonical publishes across AWS Regions, plus key security and compliance subscriptions automatically enabled. Customers can purchase Ubuntu Pro directly through AWS for a streamlined procurement process, enabling quicker access to these commercial features offered by Canonical.
Key features of Ubuntu Pro include:
10 years of package updates and security maintenance*
Kernel Livepatch, which allows for continuous security patching and higher uptime and availability by allowing kernel security updates to be applied without a reboot**
Customised FIPS and Common Criteria EAL-compliant components for use in environments under compliance regimes such as FedRAMP, PCI, HIPAA and ISO
Patch coverage for Ubuntu’s infrastructure and application repositories, spanning hundreds of open source workloads including Apache Kafka, MongoDB, Node.js, RabbitMQ, Redis and more.
Integration with AWS security and compliance features, including AWS Security Hub, AWS CloudTrail and more — available from Q1 2020.
“The new Ubuntu Pro images will deliver a further optimised experience to our customers, providing additional security and performance to their Ubuntu instances,” said Deepak Singh, VP of Compute Services at AWS. “Available directly through AWS Marketplace, Ubuntu Pro can be purchased, deployed and launched on AWS in a seamless and effortless manner, removing the need for additional provisioning or procurement processes.”
“Users have been running Ubuntu on AWS since 2006. As Canonical assists enterprises moving their mission-critical workloads to AWS, the feedback we receive is that they demand expanded security coverage, greater operational efficiency and native compatibility with AWS features,” said Christian ‘Kiko’ Reis, Vice President, Public Cloud at Canonical. “It has been exciting to collaborate with AWS to fulfil that demand through Ubuntu Pro for AWS, available now directly in AWS Marketplace.”
Enterprises wishing to also take advantage of Canonical-backed technical support can add a subscription to the Ubuntu Advantage Advanced or Standard support packages through AWS Marketplace, adding an extra layer of confidence and assurance when running Ubuntu on AWS.
“Delivering commercial IoT solutions requires us to track large fleets of devices in a manner that is secure and scalable. The optimisations built into Ubuntu Pro on AWS provide us with the performance requirements needed and a trusted platform to run our operations and fleet,” said Justin Rigling, CTO at Rigado. “Utilising Ubuntu in the cloud and across our edge devices also accelerates our customers’ time to market and decreases development cycles via a consistent platform.”
Canonical is an Advanced Tier Technology Partner in the AWS Partner Network (APN), and has now achieved AWS Internet of Things (IoT) Competency status. The APN Advanced Technology Partner status is the highest for APN Technology Partners and it reflects rigorous qualification through AWS’s technical certification, including validation with a wide range of customer references. Canonical can now deliver projects to AWS customers in an even more streamlined and efficient manner.
The Ubuntu Pro images can be found here in the AWS Marketplace.
<Ends>
* Maintenance commitment for Ubuntu 18.04 LTS onwards is 10 years; for 14.04 LTS and 16.04 LTS, it is 8 years.
**18.04 LTS certifications are in-progress and will be available Q1 2020. Certified components and kernel live patches are not available for Ubuntu 14.04 LTS.
About Canonical
Canonical is the publisher of Ubuntu, the leading OS running cloud-based workloads and innovating in the emerging categories of smart gateways, self-driving cars and advanced robots. Canonical provides enterprise security, support and services to commercial users of Ubuntu. Established in 2004, Canonical is a privately held company.
Python runs everywhere, right? All those libraries are just one ‘pip install’
away. And we are used to it. Unless on AArch64.
On AArch64 when you do pip install SOMETHING you may end with “no compiler
installed” or “No lapack/blas resources found.” messages. All due to lack of
wheel files generated for this architecture… And even if you have all
dependencies installed then building takes more time than it takes to install
existing wheel file.
But there is a light!
PEP 599 defined “manylinux2014”
target which is the first supporting something else than just “x86(-64)”
architecture. The new arrivals are AArch64, PPC64 (Big and Little Endian) and
32-bit Arm.
I helped getting them working on
AArch64. Do not remember how I ended there to be honest ;D
If your project uses Travis CI for testing and release then adding support
for non-x86 architectures
is just one edit away. All you need is entry in “arch” list of in “matrix”:
matrix:
include:
- os: linux
arch: amd64
- os: linux
arch: arm64
And it really works!
I added support for it in “dumb-init” so now kolla does not need to use any
workarounds but can grab binary straight from project’s releases. Took just few
simple lines in “.travis.yml” file.
What is left to do now?
There are many Python projects out there. Most of them do not know that
manylinux2014 got released and what it brings. Or that Travis CI can give them
non-x86 architecture support. I slowly started creating issues, bug reports in
them to make sure they are aware.
Your booth team makes or breaks your entire event strategy! If they’re not equipped to be successful, or set up with the rules of the road, then you’ve wasted your time, effort and budget,this is compounded if you’re a start up.
During the event, it’s you and your team of magical pugs who are the first point of interaction with your organisation, your product, and your company culture. Making it a good first time in person memorable experience usually leads to more meaningful conversations down the road. (You know, what the marketing people call engagement.
Your amazing colleagues role is to create and establish a relationship, they’ll follow up via email, maybe arrange a Lunch and Learn at a company office, or just speak more to folks about their individual interests.
Still, if you’re new to setting up a conference presence ,or being a booth amazing pug, you may not know the do’s and don’ts of booth duty. If you’re a busy events human at new start up or just a busy human you may want to copy this list to start from while you’re prepping for your next show.
So here we go …
Here are some best practices and guidelines to follow when preparing for conference season and booth duty!
Before the event:
Best practice: It’s useful, but not always possible to have a briefing call before the event so all the team members know what’s happening.
Always: Create an Event Briefing Document. It should have all relevant details: event date, location, booth number, event themes, key messages for your company, booth staffer list with contact details, and a list of items to expect on your booth. Bonus points if you add the tracking numbers of your swag shipments or items being delivered to your booth. You know at some point you’re going to have to call FedEx. Or DHL. Or ….
Get a good night’s sleep before the conference starts and throughout the event.I know there are often many social events going on the day before you have to stand for 8 hours straight, so try and not make it a late one. You need to be fresh, lively and ready to interface with the people who’ve taken the time to stop by! And remind your magical pugs to do the same in your pre-briefing call.
At the event!
Allow enough time: We are all busy but we must allow enough time to do each event properly. For example, arrive the evening before rather than the morning of the conference. Things often go wrong; let’s give ourselves enough time to fix a delayed flight or lost bag of cables.
Be punctual!Show up way before the attendees. Remember, you’re on duty as a representative of your organisation, so you should be on the show floor 30 mins before it opens for a final briefing and to find out where everything is.
Demos: The demo Gods can be cruel. Check your display each morning to make sure it (still) works.
Dress code: We live in the world of Insta we are professionals., Figure out if your organisation has a preferred way dress code for an event, e.g. if there is a specific t-shirt that needs to be worn for a launch. Trust me when I say this, wear comfortable shoes, I’d go as far as to say bring alternative shoes for different days. Standing is difficult, make it easier on your little twinkle toes!
Be prepared: If you are in charge of a demo, make sure the laptop is set up and ready the day before, turning up to the event to get it setup or installed is not a good use of your time. Make sure the laptop is charged the night before. Bring your charger with you, not everyone has the same connector and an adaptor if you’re travelling in a different country to be on the safe side!
Be approachable.
Avoid eating at the booth, or holding extended conversations with coworkers. It is only human nature not to be rude and want to interrupt peoplomes across like you don’t want to be interrupted. Instead allow for people to leave the booth to go and grab food, just also try and understand you may not get your usual full hour for lunch during a busy conference.
Avoid sitting behind the desks at booth duty — people won’t engage with you if they think you’re working. Do not sit there with your laptop open and working. Your role at these events is to talk to people, there is nothing worse than walking past a booth at a conference, stop to look at it’s messaging and seeing people on their laptops working. Most will continue to walk on, you’ve now lost an opportunity to talk to someone.
Be courteous: there’s always one person who wants to spark a debate that may not be the best place for this to happen. Prepare a disengagement line or two. The best one is “thanks for stopping by, I’m sorry I couldn’t help but if you let me pass your details on to someone who can help you”… or “how would you like me to follow up?”
Take notes. There are so many people and so little time. Brief notes will help you to be more effective with your follow-up. Most of the time you will have some sort of scanning tool, either your phone or a device that has been given to you. There should be a note ability on here, take notes it’s useful for following up. If not, use contact cards or something like notes, or evening opening up a blank email to send to yourself.
Stay upbeat It’s easy to get discouraged when person after person walks by your booth seemingly without a glance in your direction. Even if you go with the best booth out there, this will happen sometimes. The key is staying motivated and remaining approachable. Look for opportunities to engage with passers-by, even if they don’t initiate a conversation. Try and make the first move and engage with people, draw them in by asking them have you heard of Couchbase, or if we’re running a competition ask them have they entered. Booths are hard work, social interaction is hard work: that’s the job we have.
Stay refreshed. Let workers take turns going on a break, either for a brisk walk around the venue to get some oxygen, or a relaxing sit down at the snack bar. Fresh workers bring more liveliness into their presentations and encounters, and people will respond better.
This one causes a debate depending on your role or the size of your team and organisation. No sessions. Being on booth duty and at a conference does not mean you are there to go to sessions. In most cases the sponsorship will not cover attendance to talks. Your role at the event is to be on the booth and not sitting in lecture rooms.
Know Your Stuff.Grab Their Attention Fast. You will only have a few seconds to capture attendees’ attention in the midst of all the other lights, sounds, and happenings at the event.
Social Media: Use it, it can help drive people to you booth, to let them know what you have to offer, if you have demos going on, raffles or if you have a guest to meet on the booth.
Tweet pictures using you conference and product tag if you have one and the event hashtag. Work with your social medial team before the event to schedule tweets encouraging people to stop by your booth or attend a talk you are presenting.
I hope this list helps, it’s definitely not a definitive list but it can certainly help you starting out!
This is another beta version of Rescatux. The last Rescatux beta was released on November 2019. That’s about three weeks ago.
This new version has two major improvements. Extra xorg packages have been added so that more videocards are supported in Rescatux without having to use the non-free Rescatux. The second one is that many options have been reworked so that they manage devices like hard disks not being found properly.
Many thanks to all of you for supporting our open-source projects! Your donations help keeping them alive.
The last October and November all donations brought what we need to pay monthly bills and to cover our VPS as well, thank’s lot! The server bill is already paid so the new one will be ordered soon, and I will tell you know when, via social media, to make sure some problems are possible.
Anyway, counting all our bills and basic needs, we will be trying (asking all of you) to collect PLN 1000/€ 250/$ 270 every month, starting from the January 2020. It is really difficult to survive doing our works for free, selling nothing, as you know that, having the present amount of donations and a few Euros from the adds only. Sad but true.
Anyway, thank’s again for your last donations and don’t forget to send a small tip in December too
Kata Containers can significantly improve the security and isolation of your container workloads. It combines the benefits of using a hypervisor, such as enhanced security, and container orchestration capabilities provided by Kubernetes.
Together with Eric Erns from Intel, we have recently performed a webinar in which we presented the benefits of using Kata Containers in a Charmed Kubernetes environment. In this blog, we aim to highlight the key outcomes from this webinar.
Security and isolation issues with containers
Over the last few years, container technologies have dominated the market and become the de facto standard for implementing modern IT infrastructure. Because of their lightweight nature and bare-metal-like performance, they are usually preferred over traditional VMs (virtual machines). However, one of the main adoption concerns is around security and isolation.
This is because the traditional OCI runtime – runC – relies on Linux kernel features, such as cgroups and namespaces to provide isolation when spawning containers. As a result, containers share the same kernel which is usually considered less secure than using traditional virtualisation. In order to deal with the aforementioned challenges the Kata Containers project has been founded.
What is Kata Containers?
Wait a second, “What is Kata Containers” or “What are Kata Containers”? It may not be intuitive. This is because Kata Containers is a name of the project under the governance of the OpenStack Foundation. It is also a name of the OCI (Open Container Initiative) runtime which the project uses. So now as we know what is Kata Containers, let’s focus on its architecture and the benefits it brings.
Contrary to the runC runtime, the Kata Containers runtime uses a hypervisor to provide isolation when spawning containers. It creates lightweight VMs and puts containers inside. The figure below demonstrates this concept. As a result, each container runs on its own kernel eliminating security limitations of the traditional runC runtime.
One of the biggest advantages of Kata Containers over traditional VMs is that it seamlessly plugs to existing container orchestration platforms like Kubernetes. While you are launching VMs, native Kubernetes features, such as auto-scaling or rolling updates are still available. This allows to combine the benefits of using virtualisation technology and container orchestration capabilities.
Explore Kata Containers
One of the fastest ways to get started with Kata Containers is to deploy it in the Charmed Kubernetes environment. Once you have Charmed Kubernetes up and running, there are just four commands to deploy this extension:
$ juju deploy cs:~containers/kata
$ juju add-relation kata kubernetes-master
$ juju add-relation kata kubernetes-worker
$ juju add-relation kata:untrusted containerd:untrusted
The first one deploys the Kata Containers runtime, while the other ones configure Kubernetes services to use it. Such an approach is scalable even in clusters consisting of hundreds of nodes.
Once deployed, you can use the new runtime in a very intuitive way. First, create a RuntimeClass object:
$ echo <EOF >> kata.yaml
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
name: kata
handler: kata
EOF
$ kubectl create -f kata.yaml
runtimeclass.node.k8s.io/kata created
Then you can refer it when creating a pod or deployment. Simply add a runtimeClassName parameter to the spec section of your YAML file and refer to the class you created. for example:
If you are looking for a solution to secure your container workloads while still running them on top of Kubernetes then Kata Containers is the answer. Regardless of the size of your cluster, you can enable the extension in Charmed Kubernetes by running just four commands.
To learn more about Canonical’s solutions for Kubernetes visit our website.
For more information about Kata Containers, refer to the official project website.
keys.openpgp.org is more trustworthy than other OpenPGP public key
servers because it only references an OpenPGP public key after
sending a confirmation email to the email addresses listed in the
key.
keys.openpgp.org does not distribute third-party signatures, which
are the signatures on a key that were made by some other key.
Third-party signatures are the signatures used to create the OpenPGP
Web of Trust.
About a decade ago I started running a server on a SheevaPlug. Initially just Apache and MediaWiki. So for me the 2010s have been the decade of personal servers, ARM hardware and the practicalities of maintaining servers.
My subjective impression is that in 2010 there was a lot more optimism about technology generally, although the Great Recession was by that time in full swing. People tended to like Google, and Google Wave (now Apache Wave) was perhaps the last of "late Google stage 1" in which they were still supporting open protocols.
About a year later I started running my own email server. Initially purely as an experiment. I didn't know whether it would be possible, but it worked. I had a Gmail account which remained dormant from about 2011 onwards and by 2013 I was confident enough about my own server that I ditched Gmail altogether. Perhaps an early example of de-Googling.
For the first few years that I was running my own email people were constantly telling me not to do it. The common viewpoint was that only Experts At Google could competently run an email server. That it was not something which mortals could aspire to, and if they tried they would be instantly owned by the badest hombreys from the Wild West of the interwebs. I waited for the ownage to happen, but it didn't. Even if it had, my plan was always to be able to recover fast from failures, not expecting the technology to be perfect or unbreakable.
Until the 2010s my knowledge of web technologies was quite limited. I had mostly been doing things like programming industrial motion controllers in the decades prior. Over the last ten years I learned a lot about the unglamorous side of the web. The part that the Silicon Valley people never mention. How a lot of it is held together by crude hacks and rough consensus. How shockingly bad the documentation is. Most people building web systems expected the web 2.0 monolithic "everyone on my server" model and so having coherent installation instructions obviously wasn't a priority if you only ever expect to do one deployment. Another assumption I often came across was that of unlimited storage space. Often web systems don't have any way to keep the amount of storage space used within a finite upper bound. In the Silicon Valley model if you run low on space you just install another hard drive, but on something like a SheevaPlug or a Beaglebone that's not possible.
The big technology event of the 2010s was the Snowden revelations of 2013. Much has been written about this, but now existing in the post-postSnowden era I think it can be said that a lot of the security advice during the postSnowden phase was really quite bad. There was a scramble to fix encryption systems and apply them, usually retroactively to existing things. My thinking during the various news events of 2013 was something like:
"Well, this all looks horribly broken, and the bad guys are totally screwing everyone in every way we imagined in the worst case scenarios, plus a few more. Is there anything I can do about this?"
The robotics stuff I was working on at the time wasn't going anywhere. The direction of travel of the field wasn't heading where I had expected, and I was quite burned out on it. So I thought I'd formalize the server project a bit more and give it a name. Thus the Feedombone project began.
Since then I've been pretty much doing Freedombone, and things related to it. After 2013 the overall direction of technology went the way I expected. i.e. towards ever greater abuses of power by increasingly gigantic and monopolistic tech companies. The part that I hadn't quite anticipated was that a significant fraction of the mindshare in those companies would after 2016 adopt a far right political posture, epitomised by "the sexist manifesto" from a now former Google employee. It makes the tech monopolies even more of an existential threat that the people in the driving seats also are following a misanthropic or misogynistic ideology.
The 2010s was also the decade when Open Source won. And here I specifically mean Open Source and not Free Software. If you go back and read about the original context from 1998, Open Source always was a business strategy following a pragmatic agenda, particularly around lowering labor cost and time to market. I think we can now say with confidence that this has become the dominating paradigm in software production. Even the "made men" of Microsoft had to follow along - however reluctantly - or else risk becoming totally irrelevant. The purpose of Open Source was never to improve society or strive for gender equality or anything like that, but the public relations of various companies successfully conflated the issues, primarily as a recruiting method. Today the most despotic companies and governments on the planet are all running on Open Source, and don't give two hoots about whether or not you have any kind of freedom.
Another aspect of the 2010s in the UK context is the lost decade of austerity. It's not that the government directly purged a bunch of people, but the withdrawal of public support systems meant that some could no longer survive. Sometimes it's called "excess deaths", but it's less abstract than that for me. Before 2010 food banks and absolute poverty were practically unknown in the UK. What little welfare remains has become a kind of punitive system of constant surveillance and punishment.
In the last six months I diverted from Freedombone to write an ActivityPub server. There were various reasons for doing that, but this is the first time that I've written any non-trivial web system using an open standard. Possibly I could write more federated web systems in future.
In the 2020s the forces which have been gathering in this decade will clash. So things like the differing priorities of Free Software and Open Source. Maybe Free Software will become part of a larger solidarity movement. The tech monopolies will either have to somehow resolve/externalize their contradictions or change their business model. Regulation will be tried, and have unintended consequences.
The Lubuntu Team is pleased to announce we are running a Focal Fossa wallpaper competition, giving you, our community, the chance to submit, and get your favorite wallpapers included in the Lubuntu 20.04 LTS (Long Term Support) release. Show Your Artwork To enter, simply post your image into this thread on our Discourse forum. We […]
There’s a lot to be thankful for this month- and not just for open networking in general. Why? Well we’ve officially headed into the holidays at full steam with the recent Cumulus Linux 4.0 announcement, Cumulus NetQ 2.4 and more!
Catch up on all the latest Cumulus news, releases, and what’s to come in November’s content roundup. If you’re feeling extra thankful, head over to our last #BeEPIC game of 2019 here and share why you’re thankful for open networking. If you do, you’ll be entered to win a LEGO set and Hall of Fame status.
Prevent lateral compromise with microsegmentation: Good network design can minimize the damage incurred during an attack. There are more ways to approach this than will fit in a single article, so this blog will only focus on networks segmentation, and its smaller sibling, microsegmentation.
When we announced the Librem 5 crowdfunding campaign we promised we would publish the Librem 5 hardware schematics when we ship. That promise is also rooted in our articles of incorporation to release schematics of any hardware we author. We’ve shipped the first Librem 5 phones from the Birch batch to backers and photos, videos and positive early impressions are being shared.
You may be wondering why anyone would share their hardware schematics with the world? After all making a ground breaking open and freedom respecting phone is expensive and takes a long time. We are doing it because we believe in the freedom to choose hardware and software that treats you like a person and not a commodity to be exploited for profit.
We believe that you should have full ownership of your hardware, you shouldn’t have to essentially rent it from a company to be safe. While privacy and security are popular marketing terms these days, when many companies use those words they expect your complete and blind trust and reliance. While we believe you should trust us, we don’t require you to put blind trust in us. By publishing our schematics we give you the ability to verify that trust on your own (or with the help of someone else).
We’ve previously released hardware schematics for the Librem 5 devkits and now the Librem 5 Birch batch and will continue to share up-to-date specifications for future products and iterations. Why is this important for you even if you have no interest in looking at the specifications? Open hardware schematics allow anyone to audit, verify and contribute to more freedom respecting products. You shouldn’t have to blindly trust that any corporation has your best interests in mind.
X-Ray Images
In addition to us publishing our hardware schematics we are also sharing X-Ray scans of the components to empower anyone with access to the tools to be able compare their hardware to the reference and ensure no nefarious components have been added. By being completely transparent, we are showing you can trust us rather than just telling you. We are also giving you the tools to verify that trust.
Discover the Librem 5
Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the people—stand up for our digital rights, where we place the control of your data and your family’s data back where it belongs: in your own hands.
There are new live/install media of Sparky 2019.12 “Po Tolo” available to download, which is based on the testing branch of Debian “Bullseye”.
Goals:
• system upgraded from Debian testing “Bullseye” repos as of December 1, 2019
• Calamares installer 3.2.17
• Linux kernel 5.3.9 as default (5.4.1 & 5.3.14 in Sparky unstable repos)
No reinstallation is required if you have Sparky 2019.xx (of the line 6) installed, simply make full system upgrade.
But first, we are pleased that the donation campaign has been pretty successful so far. We received
around 50 000 € already, which is 69% more than last year.
Still, these good results are due to some large donations and
fewer people have been donating so far, 16% less than in 2018.
We hope that after reading this post many of you will consider donating to Tails.
Less manual upgrades (January 2020)
Tails ships an automatic upgrade mechanism since 2013. But this
mechanism only works for a limited amount of upgrades, after which a
"manual" upgrade is needed.
These manual upgrades are a major pain point and we know that users often
think their Tails is "broken" when automatic upgrades are not
possible anymore.
In 2020, we will
remove the need for most of these manual upgrades. And as automatic
upgrades are also often too painful we will research ways to make them
lighter and more robust.
New homepage and outreach material (April 2020)
Leveraging all the work that we have done in the past years to
make Tails easier to install and use, in 2020, we will
explain better what Tails is and why people should use it.
The text on our Home and About pages have not changed significantly
since 2011. It is too verbose, too technical for most people, and
not sufficiently engaging visually. Since then Tails has come a long way: the number
of people using Tails has been multiplied by 16. Tails is no longer an
experimental project for privacy experts but a well-established reference.
For the less technical part of our target audience, Tails is a
technological object like nothing they have used before. Some of the
core concepts of Tails are particularly innovative and hard to understand before using it:
Tails is a full operating system that is started from a USB stick.
To reach critical communities of users and digital security trainers
worldwide, we will also print outreach materials based on this new
explanation, make it available in 4 languages, and send it to partner
organizations worldwide.
If your organization works with journalists, activists, or
human-defenders and is interested in receiving leaflets about
Tails in 2020, please get in
touch with us.
Secure Boot for better hardware support (July 2020)
In 2019, we worked on making it much easier for users to start Tails on Mac and as
a consequence, their numbers more than
doubled.
For years, Secure Boot has been among the main sources of issues
reported to our help desk and prevented less tech-savvy users to adopt Tails.
Currently, many have to learn how to disable Secure Boot on their
computer. This process is slightly different on every computer, is very
complicated to learn on your own, and can lead to scary problems on
Windows computers, for example BitLocker asking you for a recovery key.
Next year, we will add support for Secure Boot to Tails, making it
easier to start on PC, for which 90% of people download Tails.
In 2020, we will keep the focus on improving Tails usability
and outreaching to the people the most in
need of digital security. If you also think that this is important,
please take a moment to donate to Tails.
The 11th monthly report of the 2019 of the Sparky project:
• waterfox package changed its name to waterfox-classic-kpe
• Sparky 2019.11 Special Editions: GameOver, Multimedia & Rescue released
• Sparky 2019.11.1 MinimalGUI released to fix: GNOME Shell and KDE Plasma fresh installation; and removing some packages from live
• added new locales to Sparky tools: Greek provided by jidan; and updated Italian and Japanese locales as well; thank’s a lot for translations
• Linux kernel updated up to version 5.4.1 & 5.3.14
• CDE desktop updated up to 2.3.1 (stable & testing lines)
• added to repos: Videomass
Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the people—stand up for our digital rights, where we place the control of your data and your family’s data back where it belongs: in your own hands.
Industrial robots, home appliances, advertising screens, office information boards… devices of every type around us are getting connected. As they do, their screens turn from single purpose displays to reconfigurable, multi-purpose smart display. As the amount of code required to build these displays, the production time and maintenance burden have increased, this has prompted device manufacturers to reconsider how they can build smart display devices faster and more securely based on open source frameworks.
Mir is a library for writing graphical shells for Linux and similar operating systems. Compared to traditional display servers, it offers numerous benefits that are important for IoT devices: efficiency, speed of development, security, performance, and flexibility. All are required by the devices of today, and even more so for the devices of tomorrow. In this whitepaper we’ll explain how Mir, alongside Ubuntu Core and Snapcraft, lets developers build devices that are ready for the future of IoT, while offering stable, secure and performant solutions to the problems the industry faces today.
In this whitepaper you will learn:
The history of Mir and why it was developed to solve reusability and security issues in IoT2
The technical architecture of the Mir display library and how Mir compares to alternative IoT technologies
Example use cases of Mir and how to get started on your smart display project with Mir
I've just been reading the first critical article about Tim Berners-Lee's Contract for The Web. The criticisms are quite valid, but they miss an important point.
There's a conflict of interest at the heart of all this, which explains why the Contract for The Web is the way that it is. Tim Berners-Lee is director of the web standards organization W3C. W3C is a corporate consortium with 446 members. So who are these members and how much cash are they donating to the organization?
It turns out that they're a fairly diverse crowd which include curiosities such as Duck Duck Go and Volvo cars. But among the menagerie are...yes...the monopolist platforms which the article criticizes. Facebook, Google and Amazon are there, though strangely Twitter is absent from the list. If you are a big US company like Google then you'll be paying in $77,000 annually in membership fees. Pocket money for Google, but if you're one of the 63 staff of W3C and consider that there are multiple consortium members paying membership fees at that level then this kind of income is definitely not trivial.
I expect that TBL gets a salary from the university of Oxford, but it's also likely to be the case that part of his income will be coming from the monopoly platforms which are the cause of the web's current problems. So he can't really push the boat out in terms of being overly critical of those companies, otherwise there could be blowback with direct impact upon himself and his staff. Just in case you think companies threatening to stop paying consortium membership fees if they don't get what they want is theoretical hyperbole, this is what happened during the last W3C DRM debacle.
Personally, I don't think Contract for The Web is going to fix anything. It should be taken as being a simple public relations exercise at a time of growing technology skepticism, and nothing any less superficial than that.
It has become an odd tradition in America to effectively “battle
shop” on the Friday following the Thanksgiving holiday. It is
already weird that we even have the Thanksgiving holiday
here as it is something that pretty much only Canada and the USA
have. Having previously worked in consumer electronics retail I
have effectively sworn it off after a few too many rounds of
handling people who actually like to “battle shop”.
If you’re safe at home and want to do something else to push
Ubuntu forward, may I put forward some ideas? How about:
Talk to the great folks at VideoLAN about helping keep VLC great
in our package archive even if it means donating some
recalcitrant hardware you want to part with so they can test it and
learn from it
Fedora 29 has reached EOL (end-of-life). We strongly recommend that
all Qubes users upgrade their Fedora 29 TemplateVMs and StandaloneVMs to
Fedora 30 immediately. We provide step-by-step upgrade instructions for
upgrading Fedora TemplateVMs. For a complete list of TemplateVM
versions supported for your specific version of Qubes, see Supported
TemplateVM Versions.
We also provide a fresh Fedora 30 TemplateVM package through the
official Qubes repositories, which you can install in dom0 by following
the standard installation instructions.
Neste “Episódio 66 – Bestas à solta!”: Mais um episódio em que contámos novamente com a companhia do Luís da Costa, director da Libretrend, e domador de Wildbeests nos tempos tempos livres para partilhar com os nossos ouvintes os pormenores dos seus novos equipamentos.
Este episódio foi produzido e editado por Alexandre Carrapiço (Thunderclaws Studios – captação, produção, edição, mistura e masterização de som) contacto: thunderclawstudiosPT–arroba–gmail.com.
Podem apoiar o podcast usando os links de afiliados do Humble Bundle, porque ao usarem esses links para fazer uma compra, uma parte do valor que pagam reverte a favor do Podcast Ubuntu Portugal
E podem obter tudo isso com 15 dólares ou diferentes partes dependendo de pagarem 1, ou 8.
Achamos que isto vale bem mais do que 15 dólares, pelo que se puderem paguem mais um pouco mais visto que têm a opção de pagar o quanto quiserem.
Se estiverem interessados em outros bundles se acrescentarem no fim do link para qualquer bundle: ?partner=pup (da mesma forma como no link da sugestão) e vão estar também a apoiar-nos.
Atribuição e licenças
A música do genérico é: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, por Alpha Hydrae e está licenciada nos termos da [CC0 1.0 Universal License](https://creativecommons.org/publicdomain/zero/1.0/).
This post is the first in a new series, “Install Linux Apps…”, and explains how Snapcraft development tools make developing and installing Linux apps, easier than ever.
ARM hardware is on the up-and-up, especially with the release of the Raspberry Pi 4. Planning to install Linux Apps on ARM hardware? Looking to develop on ARM hardware? Read below as we deep dive into Snapcraft 3.9, and Remote Build. This feature will improve the experience of developing on ARM, and when you install Linux Apps on ARM devices.
Mi Casa, Su Casa
Remote Build is a developer tool that supports the release of consistent, high quality public snaps. Snapcraft 3.9 and Remote Build lets developers write and test on ARM architecture they do not own. We provide the ARM architecture so you don’t have to. Expect a set of videos on our webinar page soon.
By providing the resources to build and test snaps, we are aiming for robust – it works as expected, all the time – Linux apps for ARM hardware. Developers no longer have to shell out for expensive set-ups or consume local compute. At the same time, those installing a Snap get the peace of mind that snaps they install have been tested on the hardware it will be used on.
Install Linux Apps
We’re excited to develop on the Raspberry Pi 4, especially with Ubuntu Core 20 just around the corner. That new and exciting hardware from ARM such as the Pi 4 will have a number of tried and tested snaps, is something our communities from Robotics to Digital Signage will be really excited about.
Other news from Snapcraft 3.9
We wrote about the progress in KDE Neon support here, and this is now available in Stable
Error messages should be a lot less rage inducing. They now provide information on what went wrong, why it went wrong and how to fix
That’s all for this issue of Installing Apps on Linux. What to do next? Jump right into Snapcraft, check out our latest featured apps, or this blog post to get to know what we are excited about.
For the past few decades, the digital office formula has not changed much. It still revolves around three main components – text documents, data spreadsheets and visual slide decks, designed to convey a powerful business message.
While simple in essence, this model is quite complex in practice, and choosing the best tools for the job is essential. In this article, we would like to help you make the right choice – and examine several modern, powerful and free office suites.
ONLYOFFICE Desktop Editors
This open-source office suite offers a full range of office productivity, with a clean, tabbed interface. You have the ability to view and create documents, spreadsheets and presentations in multiple formats: DOC, DOCX, ODT, RTF, TXT, PDF, HTML, EPUB, XPS, DjVu, XLS, XLSX, ODS, CSV, PPT, PPTX, ODP, DOTX, XLTX, POTX, OTT, OTS, OTP, and PDF-A. Compatibility with Microsoft Office is quite decent, which is important when sharing files with other people.
The users also get some interesting extras like translation, change tracking and clip art. You can embed video clips directly from URLs, edit images, use the built-in optical character recognition (OCR), and there’s even encryption as a development preview. Style management can be extended and simplified, but you do have an option to create your own custom styles from existing text selection and re-use them for later work.
The list of capabilities does not end there. Desktop Editors also comes with strong collaboration features, although these require a few extra steps to set up and use. A mandatory component for this functionality is ONLYOFFICE Document Server, which is also available as a snap package. Real-time collaboration is then possible with the ONLYOFFICE cloud as well as Nextcloud and ownCloud.
Desktop Editors is a flexible, handy office suite. The simple visual layout, good format support, and nifty plugins make it a solid choice both in the home and work environments.
WPS
True to the established office formula, WPS offers the three components. Indeed, the software name is an acronym, which stands for Writer, Presentation and Spreadsheet. These are also the names of the individual programs available in the suite. WPS focuses on strong Microsoft Office compatibility, with support for Office OpenXML formats. Additionally, the suite supports HTML, RTF and PDF.
WPS comes with a tabbed, skinnable interface. Users can change the look-and-feel of the suite to several existing UI templates, including older and newer design. The styles are modeled after Microsoft Office, ranging from 2007 to 2016 edition. The office suite interface is available in nine languages, with spellcheck support for twenty languages. People familiar with Microsoft Office will find WPS easy to navigate and use. The software comes with styles, animations, image and video art, change tracking, and text conversion to Simplified and Traditional Chinese.
For people looking for a simple, powerful suite to create their documents and presentations, WPS is a good candidate.
LibreOffice
Linux users are surely familiar with LibreOffice. This free, open-source office suite includes not only the three essential programs, but also database management, vector graphics editor, and math formula editor. LibreOffice is available in more than 110 languages.
Each component has its own interface, which can be further changed with different icon themes as well as multiple layouts using the Notebookbar functionality. For instance, users can style the Writer application to have a Ribbon-like setup or a classic file menu & toolbar view.
LibreOffice provides the necessary environment for work, with change tracking, extensive style management, bibliography database, clip art, animations, and templates. The suite also supports extensions, including examples like cloud storage support, collaboration, OCR, barcode generator, and many others.
Most importantly, LibreOffice has support for numerous file formats, like OpenDocument, OpenOffice.org XML, Office Open XML 2007-2016, Word 97-2003, StarOffice, WordPerfect, HTML, PDF, EPUB, FB2, AbiWord, and many more. Many users will undoubtedly care about the compatibility with Microsoft Office files, and it is worth trying and testing LibreOffice to ascertain the suitability of its use for this particular purpose. Furthermore, macro creation is available through LibreOffice Basic, which is somewhat similar to Microsoft VBA, but again warrants testing when working with non-native documents.
You may already have LibreOffice available through the distribution repositories. However, it might not necessarily be the latest edition of the suite, which is where the snap build comes handy – you can use the snap on older Linux releases (for instance, even Ubuntu 14.04), without a need to upgrade the entire operating system. Overall, LibreOffice is a highly versatile suite, and it bundles a lot of features that enhance the basic functionality, and gives its users a full spectrum of office productivity.
Summary
Nailing down the perfect office formula isn’t easy. Fortunately, the choice does not have to be binary, or a compromise. Nowadays, there is a wide range of available software that can help satisfy home and work requirements, with decent cross-compatibility. We believe the three office suites we touched upon in this article offer just the right degree of freedom you need to make the best choice. Of course, it’s only the start of the journey.
If you have any comments or software recommendations, please join our forum and let us know what you think.
This post is the first in a new series, “Install Linux Apps…”, and explains how Snapcraft development tools make developing and installing Linux apps, easier than ever.
ARM hardware is on the up-and-up, especially with the release of the Raspberry Pi 4. Planning to install a Linux app on ARM hardware? Looking to develop on ARM hardware? Read below as we deep dive into Snapcraft 3.9, and Remote Build. This feature will improve the experience of developing on ARM, and when you install apps on ARM devices.
Mi Casa, Su Casa
Remote Build is a developer tool that supports the release of consistent, high quality public Snaps. Snapcraft 3.9 and Remote Build lets developers write and test on ARM architecture they do not own. We provide the ARM architecture so you don’t have to. Check out this forum post to find out more on how developers can use Remote Build now, and expect a set of videos on our webinar page soon.
By providing the resources to build and test Snaps, we are aiming for robust – it works as expected, all the time – Linux apps for ARM hardware. Developers no longer have to shell out for expensive set-ups or consume local compute. At the same time, those installing a Snap get the peace of mind that Snaps they install have been tested on the hardware it will be used on.
Instal Linux Apps
We’re excited to develop on the Raspberry Pi 4, especially with Ubuntu Core 20 just around the corner. That new and exciting hardware from ARM such as the Pi 4 will have a number of tried and tested Snaps, is something our communities from Robotics to Digital Signage will be really excited about.
Other news from Snapcraft 3.9
We wrote about the progress in KDE Neon support here, and this is now available in Stable
Error messages should be a lot less rage inducing. They now provide information on what went wrong, why it went wrong and how to fix
That’s all for this issue of Installing Apps on Linux. What to do next? Jump right into Snapcraft, check out our latest featured apps, or this blog post to get to know what we are excited about.
We are often asked, why does the Librem 5 cost that much? Well, there are several reasons and I will try to explain the most important ones.
First of all, the design of the Librem 5 is unique in many ways. Most importantly the hardware is designed from the ground up by us and for us. The Librem 5 is a complete custom design, not based on any reference design, specifically designed with all the goals we all want to achieve – open, safe, secure, respecting your privacy and digital rights. This rules out existing mobile phone reference designs, like from MTK, Qualcomm and the others. When we first approached hardware manufacturers almost two years ago with this project most of them instantly said “No, sorry, impossible, we can not help you.”. Others warned us, that it could never work, that it was too complicated, “the industry does not do that” and so forth.
And yet here we are, later than we wanted, but we are actually shipping first hardware! It is possible but it comes at a price.
From-scratch Hardware Design
What made and makes the hardware design expensive are several things. First of all the lack of reference design. Most other phones (especially Android phones) are based more or less on reference designs of the chipset, (i.e. from the CPU manufacturers). If you go with a, say, MTK-based design, then the hardware design is more like going shopping. You pick some peripheral hardware choices like display, cameras, storage and very few other things. Your differentiator compared to other MTK-based phones are these choices and the customization of the Android system–as far as you can customize it at all. The nice part is that you get pretty much everything from the chipset maker. The SDK (Software Development Kit) or BSP (Board Support Package) comes with all the drivers ready to go, but beware, many of them are binary-only mystery code.
We did not have this luxury. We had to design the hardware from scratch and we also have to develop many drivers ourselves–everything that is not yet available as free software in upstream mainline Linux kernels. This also includes a lot of low level work we had to do for the support of the i.MX8M Quad CPU we chose. The i.MX8M was, at the time when we made this choice, still pretty young and mainlining its support in the Linux kernel had just begun. Some critical drivers were just barely starting to work, like the GPU support. Other mission critical things like power management, clock scaling (for the CPU, GPU and RAM) are just now starting to hit mainline and still need a lot of work. Peripherals like charge controller, accelerometer, gyroscope and magnetometer were only partially implemented. We had to work around bugs in the display controller of the i.MX8M to support the LCD and so on and so on.
Separated Chipsets
Current smartphone chipsets also make hardware design a lot easier since most of the critical components of a smartphone are already integrated into the main CPU, onto the single silicon die. This has lots of advantages but also a ton of problems concerning security and privacy. These integrated peripherals are sitting on the same silicon, tied tightly to the CPU. Complex parts like the cellular modem or the WiFi can access the very same RAM that is used at runtime to store your most private data, but at the same time they are controlled by binary-only firmware that no one except the manufacturer of that chip has access to. You have to trust that this firmware does not contain any malicious code to eavesdrop or spy on you. Trust in closed non-auditable complex computer systems is something everyone has learned the hard way we should not have. The news is full each day of zero day bugs and exploits throughout the stack–from applications to operating systems and even down to the very silicon the whole stuff runs on.
So we chose to separate the most critical parts from the CPU. The WiFi, Bluetooth and cellular modems are sitting on separate M.2 cards, separated from the CPU by defined interfaces (SDIO and USB) and–a Purism signature feature–can be physically switched off by hardware kill switches. All of that makes the hardware design even more complicated, more parts, more components, more interfaces. But we are convinced this is the only way to be as safe as possible.
Groundbreaking Work
This low level Linux kernel work and the hardware design work do not come for free. We started to research and develop this for the development kit in early 2017, the development kit started shipping in December 2018. We learned a lot from doing the dev kit and this experience is now going into the hardware design of the Librem 5 phone.
We were the first to announce, develop and deliver a Linux based mobile device development platform. Funny fact, a few months after we made the dev kit public others announced development boards following the very same principles (separating CPU and baseband/radios), using very similar hardware design ideas (like the 18650 battery holder) and some more details–even our hardware kill switches found new friends 🙂 We don’t mind this! We made this available, for free, to share, to study, to modify and to use for whatever others see fit. We made it available for the greater public good, to foster ethical products that protect digital rights and don’t exploit.
I am convinced we laid out a path and have been breaking ground, not only for the Librem 5 but also for other projects and products.
But this of course is expensive. The hardware with its separated peripherals costs a lot more just in parts alone than a comparable smartphone. The hardware design effort took many person months of hard work, a lot more than an off-the-shelf smartphone design would have cost.
The Software
And then there is the software. I already talked about all the Linux kernel work we had to invest in, to support peripherals, to tune things and also in parts to–frankly speaking–do NXP’s job in developing free software support for their CPU. Especially in the beginning (early 2018 and into 2019), it was pretty tough, but I also have to point out that NXP has heard us and many others and has significantly ramped up their Linux mainlining efforts – thanks!
But it is not only the kernel and drivers that we had and have to invest in. We also chose not to use a platform like Android, we chose to base on a system and platform that is maintained by a huge open source community, that is openly governed and to which anyone can contribute. We chose to use the same operating system base as we use on the Purism Librem laptops (PureOS), which is a Debian derivative. For applications and the graphical user interface we chose the same pattern: open governance, free software and active community and thus based on the same environment we use on our Librem laptops – GNOME.
In the beginning people called us crazy for that choice. It would be too much effort, there are alternatives (Plasma Mobile, Ubuntu Touch etc.) and that we would never make it with GNOME. Well, here we are, we are shipping with GNOME / GTK+ and we achieved exactly what we wanted: convergence between the desktop / laptop and the phone. Applications written for or modified with some care and not too much effort can now seamlessly run on the desktop and on smaller screens like the phone. This is simply amazing! And all of that with the same tools, the same programming environment and the same libraries and packages as on the desktop–truely write once and run everywhere (maybe having to recompile 🙂 ).
This convergence is a very unique feature now coming to PureOS. Quite a few have tried before us but did not get it this far. We created one of the first truly convergent environments: the same operating system base (Debian, deb packages), the same tools and SDK and the (pretty much) same applications for the desktop and the phone.
Again we are breaking ground, paving the way for many more to follow. All of our code is public, all our changes to upstream projects go upstream as soon as possible. The GNOME project has for a long time been thinking about mobile applications but never came around. Purism is making this a reality now, together with the GNOME community.
Only the Beginning
This development comes at a high price. We have a team of about 15 developers full time working on this for almost two years. You can easily figure how much money we already put into this, and we are not done yet. The release of the Librem 5 is only the beginning. We are committed to continue to develop the software and the hardware, this is not a single-shot project, this is breaking ground and making use of it afterwards.
With the release of the Librem 5 the story has just begun.
Discover the Librem 5
Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the people—stand up for our digital rights, where we place the control of your data and your family’s data back where it belongs: in your own hands.
We are delighted to share that early yesterday we shipped the first Librem 5 Birch devices to backers. US backers should start receiving their devices throughout the day and international backers can expect theirs within a few days. The Librem 5 is just one part of our mission to give the world ethical alternatives to Big Tech products and services that respect your privacy and security. From myself and the rest of the Purism team we would like to thank you for your support and your belief in us, by doing so you’ve made it your mission too.
Birch Hardware Improvements
We made a number of hardware improvements from the Librem 5 Aspen to the Librem 5 Birch batch. We have a much improved antennae design, shield protectors across all components on the PCBA, rubber bumpers to help tighten up the fit of component placement, strong clips to secure the WiFi and Cellular cards, shorter cables to clean-up the cable routing, tighter overall tolerance, improved thermal dissipation into the case. To say that we are proud of what the team was able to accomplish in the short time since our last batch does not do them enough justice.
Ongoing Software Improvements
The largest area new Librem 5 owners will see is the rapid pace of software and kernel development to greatly improve thermal management and power consumption. It is an area with a lot of opportunities to make significant development; mainline Linux and power optimizations on the Librem 5 are green-field opportunities to see giant leaps forward now that we have the hardware in the field. An analogy which may help those who don’t follow the depths of hardware and software innovation, the Librem 5 hardware is sprinting around a track (when it should sit idle until you need it to sprint for a millisecond), so utilizes a lot of power; power equals heat, so you will see a lot of great “better ways to do nothing” while we ask the CPU, RAM, Radios, to all idle to save power and in turn save heat.
If you speak to long term Purism customers they will tell you that we are always constantly improving our products. What we ship today will be better tomorrow and the day after that through software upgrades.
When we created the first crowdfunding campaigns for our Librem 15 and Librem 13 laptops, we announced we would replace the existing proprietary firmware with coreboot and disable the Intel Management Engine. At the time some people criticized us not only to say that we couldn’t do it, but that we didn’t even intend on doing it.
This is why we’ve pledged to offer life time software updates for the Librem 5. We want you to be using your Librem 5 for years to come and this is also echoed in the hardware design with a modular and easy to replace components.
Another humorous example of delivering and updating is when we were deciding to ship our Librem 5 devkit (to developers) in 2018 we confirmed that the screen hardware worked, but the kernel and graphics stack needed more development by our team; rather than wait we told backers that they will get the hardware, then do a future software update to get a working screen (it was a devkit afterall 🙂 ). We subsequently released the software to bring the screen up, and have continued to make improvements rapidly.
Turns out while testing we confirmed the Librem 5 Birch devices have two software issues (outside our larger roadmap of enhancements): a delayed power-up process and a call audio routing bug. What does that mean for Birch backers receiving their phone now? To turn on your Librem 5 disconnect it from a power source and hold down the power button until it turns on. Currently calling is established (e.g. both sides connect fine) but audio is not routed (no voice heard or sent), this will be a few days until the bug is fixed. We will notify Birch backers as soon as an update is ready. To check for updates for your Librem 5 open the Software app and go to “Updates” tab.
Lastly we are constantly making improvements to thermals and power consumption. With the current software image Birch devices will throttle and run through the battery quickly but we decided that we still wanted to get them into the hands of backers so that they can be part of the journey and experience the weekly progress our team ships to you. Over the coming weeks and months we will add software support for more hardware such as camera, video out etc.
Thank You
All of us at Purism can’t wait to hear what the community thinks of the progress we’ve made. We know there are some rough edges and that it currently isn’t an Android or iOS replacement (although it is for me). Two years ago we took on the mission of building a phone on a CPU never put in a mobile device, running PureOS, and writing the mobile bits of the OS, to give people the choice of a truly freedom and privacy respecting phone. Today we are one step closer to realizing that goal. Thank you to everyone who believed in us and stuck with us during the challenges. Here’s to many more shipping announcements and Librem 5 software updates.
Discover the Librem 5
Purism believes building the Librem 5 is just one step on the road to launching a digital rights movement, where we—the people—stand up for our digital rights, where we place the control of your data and your family’s data back where it belongs: in your own hands.
I wanted to put together a few thoughts I had on gifts for my fellow hackers
this holiday season. I’m including a variety of different things to appeal to
almost anyone involved in information security or hardware hacking, but I’m
obviously a bit biased to my own areas of interest. I’ve tried to roughly
categorize things, but they tend to transcend boundaries somewhat. Got a
suggestion I missed? Hit me up on Twitter.
Though some have questioned the usefulness of having this material in printed
form, I sometimes like being able to thumb through these for a quick reference.
The 3 quick references I’ve used a bunch of times are:
Each of these are quick translations of information for cases where you might
not be familiar with the relevant information immediately, such as needed to run
shell commands on a platform that is less familiar to you, or esoteric
post-exploitation information at the last minute. Though internet through a
cell phone makes it less critical, having this when onsite can be a quick win,
and if you ever need to test or assess when in an area with no reception, it’s
even more benefit.
Breaking and Entering
Breaking and Entering: The Extraordinary Story of a Hacker Called
“Alien” is a mostly-true story about a professional
hacker (penetration tester), detailing her start while a student at MIT through
her career as a penetration tester. It details not only some of the information
security-related hacks, but also other clever hacks and explorations in her
life. It’s an exciting read, and I was super happy to see how detailed and
accurate the recollection is.
Cult of the Dead Cow
Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World
is a great history of the early days of hacking and hacking groups.
cDc is probably the single most influential hacking group, and is responsible
for many of the tools that are used by information security professionals today.
With significant overlap with l0pht (another influential group), the group
helped to shape what hacking is today and has had significant influence that
many individuals may not realize. Those outside the hacking scene may take many
things for granted that are influenced by cDc. Whether you realize it or not,
they shaped the internet of today, and this is a well-researched read into their
history and influence.
Electronics
Encrypted Flash Drive
This encrypted flash drive has hardware-based
encryption to protect the data contained on it. Because the security is
hardware based, it’s workable with any operating system or hardware platform.
It’s also immune to hardware keylogging. It uses a PIN pad to support
input of the passcode, and the operating system can’t interact with the drive at
all until it is locked. The downside of hardware encryption is that it is very
hard to verify or audit, but I believe the quality of this particular flash
drive to be relatively high. Though these drives are expensive for the
capacity, they’re not all about dollars per gigabyte – the features are in the
firmware. It’s available at least up to 64GB.
Keysy RFID Duplicator
The Keysy RFID duplicator lets you clone various
forms of RFID credentials either into its internal memory, or into a writable
card. Though it’s dead simple to use, it’s not as flexible or sophisticated as
an RFID hacking tool like the Proxmark. It’s super useful for cloning things
like apartment gate fobs or basic proxcard authentication systems for access
control. It won’t work for anything using encryption or handshaking. It also
only works on low-frequency (125 kHz) RFID technology, which tends to be the
unencrypted cards anyway.
Proxmark3 RDV4
The Proxmark3 RDV4 is
an RFID hacking kit. Unlike the Keysy, this is for those interested in more
advanced RFID hacking, including cracking encrypted RFID cards, or researching
custom RFID implementations. This supports both 125 kHz and 13.56 MHz RFID
cards, and due to the customizable firmware, it can be adapted to run just about
any protocol known. There are even some offline modes that don’t require a
connection to a computer to hack the RFID cards (such as automatic cloning or
replay).
Can pretend to be either a card or reader.
Sniff communications between other readers & cards.
Operate standalone
Multiple RFID modes supported.
Yubikey 5
The Yubikey 5 is a hardware security token for a
variety of purposes. Most obviously, it offers support for U2F/FIDO2/WebAuthn
for account login on sites like Google, GitHub, Dropbox, Coinbase, Lastpass, and
more. This is a 2nd factor authentication mechanism that can’t be phished or
attacked via mobile malware.
The Yubikey 5 also supports a smartcard mode where it can store OpenPGP and/or
SSH keys in its secure memory, protecting them against local malware attempts to
steal the keys.
Packet Squirrel
The Hak5 Packet Squirrel is a
great little Man-in-the-Middle device. With dual ethernet interfaces, it’s a
physical MITM, so not vulnerable to the kinds of detection that work against ARP
spoofing and other techniques. It’s a great option for a penetration test drop
box, as well as things as simple as debugging network problems when you can’t
run a packet capture on the endpoint itself. It’s USB micro powered and
supports pre-programmable payloads via an external switch, so you can have it
ready to perform any of several roles, depending on the situation you find
yourself in. It runs a full Linux stack, so lots of capabilities available
there.
Shark Jack
The Hak5 Shark Jack is a tiny
implant with a small battery built-in. This battery allows it to be completely
self-contained, needing only an ethernet port to plug into. This is perfect for
when you find that ethernet port behind a piece of furniture and can deploy your
implant quickly. This isn’t an implant to leave in place – the battery only
lasts about 10-15 minutes. (Though I suppose you could power it via USB-C, so
it’s not impossible to run it that way.) By default it will do a quick nmap
scan and save it to the internal flash, but you can, of course, script it to do
anything you want when plugged in. Like the Packet Squirrel, theres a switch to
choose the mode you want to run.
Travel
Anker 60W Dual USB-PD Charger
Anker is one of my favorite manufacturers of chargers, USB battery banks, etc.
I’ve had very good experiences with their products, and this 60W USB-PD charger
with 2 USB-C ports is one of the most compact and
capable USB-PD chargers I’ve found. It can charge two phones or laptops at the
same time, or – best of all – one of each, which makes it great for travel
(laptop + phone). Using Gallium Nitride (GaN) instead of Silicon transistors
makes it smaller and more efficient than other models of USB power supplies.
Anker USB-PD Battery Pack
Like their USB-PD chargers, I’m super happy with Anker battery packs. My main
travel USB power supply is a smaller and older version of this battery pack, but
I have no doubt this one is also a great option. This battery is 26800mAh,
which is about 99Wh, so just barely under the FAA 100 Wh limit for lithium ion
batteries – in other words, this is the largest possible battery bank you can
bring on an airplane in the US. It’s about 7 full charges of a cell phone, or a
complete recharge of your USB-C powered laptop.
Travel Router
It’s amazing how useful a travel router is on the road. My current favorite is
the AR-750S (Slate) from GL.iNet. The stock firmware
is based on OpenWRT, which means you can do a wide
variety of things by installing a stock OpenWRT build and then using the wide
OpenWRT ecosystem of packages to enhance your router. Alternatively, you can
build your own custom OpenWRT build with whatever features and configuration
you’d like, using OpenWRT’s buildroot system. The router has a lot of hardware
features, including both a core NOR flash and an expanded NAND flash.
Some of the reasons for using a travel router include:
Single connection for multiple devices when you’re limited to a single
connection (e.g., hotels)
VPN connection for all connected devices.
Drop device for penetration testing engagements.
Local network for client-to-client comms (e.g.,
Chromecast)
There are also cheaper options like the GL-MT300N or
the GL-AR300M if you don’t need all the power of the
Slate.
Keyport Pivot
More than just travel, the Keyport Pivot is part of
my every day carry. I have a tendency to carry too much, and that includes
keys. My keys feel so much more compact and so much more organized when in the
Keyport Pivot, which keeps them all together at once. I also carry the MOCA
Multi-tool in my Pivot, which is a nice multi-tool
that meets TSA guidelines, so is great for those that travel regularly. In
fact, the MOCA is also available in a standalone
format with a handle and paracord pull.
Tools/Maker
Raspberry Pi 4
The Raspberry Pi 4 is the latest generation of the
venerable Raspberry Pi single board computer. This generation has entered the
realm of being a full desktop for web surfing, etc., as well as an option for a
home theater PC or emulating older console game titles. It even has enough
processing power to pair with the Analog Discovery 2
to be a PC-based oscilloscope/logic analyzer. They’ve finally upgraded to
Gigabit ethernet, so much better on the network (though it retains built-in WiFi
support as well).
Circuit Playground Express
Adafruit’s Circuit Playground Express
is the ultimate introduction to embedded devices. Programmable in either the
popular Arduino IDE or CircuitPython, this takes the concept of an Arduino one
step further. Instead of having to hook up lights, buttons, or sensors, they
are all integrated into the one board. It includes two push buttons, an
accelerometer, 10 RGB LEDs, temperature, light and sound sensors, and much more.
It’s powered by an ARM microcontoller at 48 MHz to allow you to make use of all
these inputs and outputs, and can be extended via the connections around the
outside (which are large enough to use with alligator clips). If you or someone
you know wants to learn embedded development without needing to do wiring or
circuits themselves, this is a great way to get started.
iFixit Tool Kit
This iFixit Tool Kit is my go-to toolkit for opening
and working with electronics. It has all the bits I’ve found on devices,
including the “security Torx” bits, precision Phillips and slotted bits, and hex
bits. The handle is a great size to both get a grip but also fit into tight
spaces, and the flex shaft helps in even tighter spaces. The plastic spudgers
and pry tool are great for getting into devices held together with clips instead
of (or in addition to) screws. (Like the base plate on my Lenovo laptop, and so
many electronic devices.) I’ve used some of the cheaper clones of these kits,
and the pieces just don’t hold up as well as these do, or are made with
materials that don’t perform as well.
Pocket Flashlight
This USB-rechargable pocket flashlight is a very
useful tool to have on hand. Flashlights are obviously useful, but being
rechargable is both eco-friendly and convenient, and being pocket-sized ensures
you can always have it with you. (Or carry it in your bag instead of your
pocket, which is my approach so I don’t lose it.) Streamlight is a well known
brand with strong ratings and a history of quality, so this will keep going
reliably.
Sugru
Sugru is a “Mouldable Glue”, which is basically an
adhesive putty that holds fast when it cures. They are useful for making custom
hooks, adding protection or strain relief to cables, waterproofing around
openings, or repairing small breaks. As it’s silicone based, it remains
slightly flexible and holds up well against water. I’ve used it before to seal
around cables going through openings in enclosures and to make custom cable
organizers.
Skeletool CX
Like the pocket flashlight, I like to carry a multitool with me daily. I’ve
carried the Skeletool for a few years now, including
a replacement after I accidentally got to the TSA checkpoint with one. (Oops.)
This has a knife blade, pliers, and the ability to hold interchangable bits in
the handle for a screwdriver. I’ve run into many occassions where this was
useful, ranging from quick repairs to taking something apart on a whim, to
opening packages. There’s even a bottle opener at the base of the handle, which
is perfect for those adult beverages. (No corkscrew for you wine drinkers. Try
screwtop bottles.)
The purpose of this communication is to provide a status update and highlights for any interesting subjects from the Ubuntu Server Team. If you would like to reach the server team, you can find us at the #ubuntu-server channel on Freenode. Alternatively, you can sign up and use the Ubuntu Server Team mailing list or visit the Ubuntu Server discourse hub for more discussion.
Spotlight: Cloud-Init upstream has moved to to GitHub!
For new contributors, please see the HACKING documentation.
For existing contributors who’ve already signed the Canonical Contributors License Agreement, we can verify the link between your Launchpad account and your GitHub account by creating a branch with both your Launchpad and GitHub usernames into both Launchpad and GitHub cloud-init repositories.
Below is a summary of uploads to the development and supported releases. Current status of the Debian to Ubuntu merges is tracked on the Merge-o-Matic page. For a full list of recent merges with change logs please see the Ubuntu Server report. The authorization page: (https://launchpad.net/+authorize-token?oauth_token=w4SjjfNlQhNTNppZZkMV&allow_permission=DESKTOP_INTEGRATION) should be opening in your browser. Use your browser to authorize this program to access Launchpad on your behalf. Waiting to hear from Launchpad about your decision…
Proposed Uploads to the Supported Releases
Please consider testing the following by enabling proposed, checking packages for update regressions, and making sure to mark affected bugs verified as fixed.
On Thursday 5th December AWS and Canonical are hosting an interactive roundtable from 11:00 AM to 1:00 PM at re-Invent, Las Vegas. This will be the opportunity to:
Hear the latest news and announcements by AWS and Canonical
Learn about best practices in running Ubuntu at scale in public cloud and cloud-native environments
Discuss the roadmap of Ubuntu 20.04, the next Long Term Support release with 10-year support
Exchange with other Ubuntu on AWS users
A number of AWS, Canonical and Ubuntu users will be joining the roundtable, for a mix of presentations, whiteboarding and mostly exchanges:
Mikhail Prudnikov – Principal Business Development – AWS
Christian Reis – VP Public Cloud – Canonical
Calvin Hartwell – Director Field Engineering – Canonical
Kapil T – Principal Opensource Technologist – AWS
Rok Zlender – Senior Director, Cloud Engineering – Acquia
This event is invite-only. To register for the event and talk Ubuntu at AWS re:Invent!, use the following form.
There are a ton of updates to go over for this release, but the most in your face item that everyone is going to notice first are the changes to the desktop environment and theme. So let’s cover that first.
An update to the desktop environment has been a long time coming. We have been talking about how to address this, what we wanted to do, experimenting on different approaches, and so on for months now. As a summary we had a few issues we wanted to address head-on:
Performance issues – Gnome is a fully-featured desktop environment with a ton of awesome things it can do. But all these features comes with overhead, often overhead that is not useful for a distribution like Kali. We wanted to speed things up, and have a desktop environment that does only what it’s needed for, and nothing else. Gnome has been overkill for most Kali users, as many just want a window manager that allows you to run multiple terminal windows at once, and a web browser.
Fractured user experience – We support a range of hardware, from the very high end to the very low. Because of this, traditionally our lower-end ARM builds have had a completely different UI than our standard. That’s not optimal, and we wanted to unify this experience so it did not matter if you were running on a bare metal install on a high end laptop or using a Raspberry Pi, the UI should be the same.
Modern look – We have been using the same UI for quite a while now, and our old theme maintainer had moved on due to lack of time. So we wanted to go with something fresh, new, and modern.
To help us address these items, we tracked down Daniel Ruiz de Alegría and started the development of a new theme running on Xfce. Why Xfce? After reviewing the above issues, we felt that Xfce addressed them best while still being accessible to the majority of users.
The solution we’ve committed to is lightweight and can run on all levels of Kali installs. It is functional in that it handles the various needs of the average user with no changes. It is approachable where it uses standard UI concepts we are all familiar with to ensure there is no learning curve. And it looks great with modern UI elements that make efficient use of screen space.
We are really excited about this UI update, and we think you are going to love it. However, as UI can be a bit like religion, if you don’t want to leave Gnome don’t worry. We still have a Gnome build for you, with a few changes already in place. As time goes by, we will be making changes to all of the desktop environments we release installs to get them “close” to a similar user experience no matter what DE you run. There will be limits to this, as we don’t have the resources to heavily invest in tweaking all these different environments. So if there is something you would like to see, feel free to submit a feature request!
We have also released a FAQ about the new theme that you can find on our docs page. This includes some common items like how to switch to the theme on your existing install, how to change off of it if you don’t like it, and so on.
Kali Undercover
With the change to the environment, we thought we would take a side step and do something fun. Thanks to Robert, who leads our penetration testing team, for suggesting a Kali theme that looks like Windows to the casual view, we have created the Kali Undercover theme.
Say you are working in a public place, hacking away, and you might not want the distinctive Kali dragon for everyone to see and wonder what it is you are doing. So, we made a little script that will change your Kali theme to look like a default Windows installation. That way, you can work a bit more incognito. After you are done and in a more private place, run the script again and you switch back to your Kali theme. Like magic!
Kali-Docs is now on Markdown and new home (/docs/)
This may not be as flashy as the new theme, but the changes to the docs we have done is just as significant.
One of our go-forward goals with Kali is to move more of the development into the public and make it as easy as possible for anyone (that means you!) to get involved and contribute to Kali. That’s what our move to GitLab earlier in the year was all about. Another part of this is changing how we deal with docs.
We have since moved all of our documentation into Markdown in a public Git repository. From here on out anyone, not just Kali staff, can contribute to better documentation through merge requests. We will still approve any content changes, but once merged, changes will be automatically available on the docs section of our website.
We encourage everyone to get involved! If you see something wrong in the existing docs, change it! If you have an idea for new docs, write it! These sorts of contributions make Kali better for everyone.
This is just the first step. With this change in place, coming soon watch for a kali-docs package in Kali that gives you full offline access to the documentation on every install of Kali. Perfect for those situations where you are working in a closed-off environment with no Internet access.
One of the most common bug reports is requests for us to add new tools or update existing ones. Oftentimes, by the tool developers themselves as they recognize that having their tool in the Kali repo is the easiest distribution channel for security assessment tools there is. The volume of this has always been difficult to keep up with, and we have to make some hard decisions on where to commit our limited resources.
Now with this work-flow in place and documented, you don’t have to wait on us. Go ahead and package up your tool and submit it off to us for approval. This is an awesome way to get involved with improving Kali.
BTRFS during setup
Another significant new addition to the documentation is the use of BTRFS as your root file system. This is an amazing approach documented by Re4son, that when done gives you the ability to do file system rollbacks after upgrades.
When you are in a VM and about to try something new, you will often take a snapshot in case things go wrong you can easily go back to a known-good state. However, when you run Kali bare metal that’s not so easy. So you end up being extra careful, or if things go wrong have a lot of manual clean up to do. With BTRFS, you have this same snapshot capability on a bare metal install!
As this is new, it’s not integrated into our installer yet. Once we get some feedback on how it’s working for everyone, the next step is to streamline this and make it an easier option in our installer. So if you try it out, be sure to let us know how it works for you!
PowerShell
On to other features, in case you missed it PowerShell is now in Kali. This has been really great to bring the ability to execute PowerShell scripts directly on Kali.
NetHunter Kex – Full Kali Desktop on Android phones
Another feature we are super excited about is the introduction of NetHunter Kex. In a nutshell, this allows you to attach your Android device to an HDMI output along with Bluetooth keyboard and mouse and get a full, no compromise, Kali desktop. Yes. From your phone.
We had a live Penetration Testing with Kali course we were teaching, and NetHunter Kex was just in a beta stage. So we wanted to really push the limits. So, in the live course, what we did was attach a USB-C hub to our OnePlus7. This gave us HDMI and Ethernet access. We attached the HDMI to the projector and used a bluetooth keyboard/mouse. With this, we were able to do an entire PWK module from the phone.
This is a feature you have to see to believe. Until you experience it, you won’t fully understand what this provides. With a strong enough phone, this is very similar to using a nice full-featured portable ARM desktop that happens to fit in your pocket. The possible ways you can leverage this in assessments is huge.
To get a full breakdown on how to use NetHunter Kex, check out our docs at.
ARM
2019.4 is the last release that will support 8GB sdcards on ARM. Starting in 2020.1, a 16GB sdcard will be the minimum we support. You will always be able to create your own image that supports smaller cards if you desire.
RaspberryPi kernel was updated to 4.19.81, and the firmware package was updated to include the eeprom updates for the RaspberryPi 4.
During the release testing, a limited number of devices were not showing the Kali menu properly. This was not critical enough to delay the release, so instead as a work-around you can run the following command to display the menu correctly:
apt update && apt dist-upgrade
Once this completes, log out, so you’re back at the login manager. Then switch to a console via CTRL+ALT+F11 (on the Chromebooks this is the key pointing left next to the ESC key).
Login and then run:
rm -rf .cache/ .config/ .local/ && sync && reboot
After reboot, the menu will have the correct entries. We’re still looking into why it occurs on only some of the images.
Download Kali Linux 2019.4
So what are you waiting for? Start the download now!
Also, just to mention we do also produce weekly builds that you can use as well. If it’s been some time since our last release and you want the latest packages you don’t have to go off our latest release and update. You can just use the weekly image instead, and have fewer updates to do. Just know these are automated builds that we don’t QA like we do our standard release images.
If you already have an existing Kali installation, remember you can always do a quick update:
This iteration we built two webinars with engage pages.
Lessons learned from 100+ private cloud builds webinar
Linux security with Ubuntu webinar
Server guide
The server team have ported the server guide content from help.ubuntu.com to the Ubuntu discourse. This gave us the ability to render the guides on ubuntu.com. And, this is what we have done.
We pull the content from discourse and render the post as HTML for easy reading. The server guide is now live at ubuntu.com/server/docs.
Base
Base is the team that underpins our toolsets and architure of our projects. The team maintains the CI and deployment of all websites we maintain.
We also made sure every project’s README has a CodeCov badge, alongside the CircleCI one.
Investigate GitHub actions
As GitHub Actions have now reached a certain level of maturity, we’ve been looking into whether we could make more use of Actions in our projects. More info soon.
Templates for deployment configs
Our Kubernetes config repository is currently very repetitive, as most services deliberately require very similar configuration.
We’ve been looking into whether we can use templating systems to reduce this duplication and make it clearer what the specific settings are for individual domains, and hope to merge our changes soon.
JAAS
The JAAS squad develops the UI for the JAAS store and Juju GUI projects.
Sprint in Vancouver
During the sprint in Vancouver the team presented the work on the new JAAS dashboard to the company and kept moving forward the implementation on the JAAS dashboard project.
The team also continued working on Juju project website, and presented the work to align the consumption and publishing CLI commands of Juju, Snap, Charm and Snapcraft. CharmHub wise, the team explored new solutions and messages for the home page.
Vanilla
The Vanilla squad design and maintain the design system and Vanilla framework library. They ensure a consistent style throughout web assets.
Tables component
Fixed raised issues against this component:
Update chevron icon inside sortable tables
Fixed JS in sortable table
Allow for table cell truncation
Updated layout of our mobile table card
Contextual menu component
Fixed raised issues against this component:
Updated to now allow items inside to grow to desired width
Update accessibility outline to use Vanilla default
Maintenance
Continued code maintenance to the framework, some key bug fixes have been highlighted below and will come with our imminent v2.5.0 release:
The Snapcraft team work closely with the snap store team to develop and maintain the snap store website.
Sprint in Vancouver
As previously mentioned by the JAAS squad, a planning sprint took place in Vancouver – the main outcomes for Snapcraft is the push towards Charmhub. While the JAAS squad have been focusing on the UX and design of Charmhub, Snapcraft will be repurposing and refactoring the Snap store codebase to make it more modular and reusable.
Release UI: Progressive releases
We’re still working on updates to the release UI’s progressive releases feature, ironing out bugs and preparing it for an internal release.
Progressive releases allow publishers to release a new revision of their snap to a specific % of devices. This is the first part of a series of features that will assist publishers in catching errors.
Build.snapcraft.io
This iteration we’ve also worked on listing the automated builds of build.snapcraft.io in snapcraft.io’s publisher area. Again this is early work and will be released internally first but will be an important addition to snapcraft.io. To implement the table we’ve used our internal react-components library which is a set of components based on Vanilla framework.
Maintenance
We fixed a couple of small issues on Snap details pages (both reported by our very own popey).
When it comes to IoT edge, EdgeX Foundry is a feature-rich platform for accelerated development. Not only is EdgeX Foundry open source, but it also put a strong accent on interoperability. These factors combine to catalyse an ecosystem of components federating the IoT space. The platform thereby accelerates the development of IoT solutions across various industrial and enterprise use cases.
This blog showcases an entry-level stack for IoT edge hacking. Prerequisite for this tutorial is a Raspberry Pi 4, with Ubuntu installed. We will see how to make an IoT edge gateway with EdgeX Foundry.
Quick install of EdgeX Foundry with Snap
With Ubuntu 19.10 installed on the Raspberry Pi 4, the EdgeX Foundry snap can be installed in a single command:
$ sudo snap install edgexfoundry
This simple command, installs all services required to runEdgeX. The services are also launched in the background. Services that come bundled with the edgexfoundry snap can be listed by issuing the snap services command.
$ sudo snap services edgexfoundry
The snap services command also shows if existing services are enabled and active.
Enabling Services
Upon installation, the following services are automatically enabled:
cassandra (persistent storage for Kong)
consul (aka ‘the registry’)
core-command
core-config-seed
core-data
core-metadata
edgexproxy
kong-daemon
mongod
mongo-worker
pkisetup
sys-mgmt-agent
vault
vault-worker
The following services are disabled by default:
support-notifications
support-logging
support-scheduler
export-client
export-distro
device-virtual
device-random
Any disabled service can be enabled and started as follows:
$ sudo snap set edgexfoundry support-notifications=on
Installing the Management Client
EdgeX instances can be conveniently managed in a web browser from a desktop. Management tasks like pairing devices to a gateway, creating device profiles, or visualising data can be carried out through the web UI. The edgex-ui-go snap delivers this interface. To install, run the following:
The web UI for gateway and device management will become available in the browser at http://localhost:4000. The default user credentials are username: admin /password:admin.
Provisioning the Edge Gateway
After login, the user will be redirected to the gateway management page. To provision the Raspberry Pi 4 device as a gateway, a user will add it through the web UI. A name, a description and the network IP address of the board (obtained via command: hostname -I) will be required.
We have just published Qubes Security Bulletin (QSB) #054:
Xen fix for XSA-302 found ineffective in Qubes configuration (XSA-306).
The text of this QSB is reproduced below. This QSB and its accompanying
signatures will always be available in the Qubes Security Pack (qubes-secpack).
---===[ Qubes Security Bulletin #54 ]===---
2019-11-26
Xen fix for XSA-302 found ineffective in Qubes configuration (XSA-306)
Summary
========
In the course of re-verifying the fixes for QSB #52 (XSA-299, XSA-302)
[1], the Qubes Security Team discovered that the fix released by the
Xen Project for XSA-302 [2] is not effective for the configuration used
in Qubes OS.
On 2019-11-26, the Xen Security Team published the following Xen
Security Advisory (XSA):
XSA-306 [3] "Device quarantine for alternate pci assignment methods":
| XSA-302 relies on the use of libxl's "assignable-add" feature to
| prepare devices to be assigned to untrusted guests.
|
| Unfortunately, this is not considered a strictly required step for
| device assignment. The PCI passthrough documentation on the wiki
| describes alternate ways of preparing devices for assignment, and
| libvirt uses its own ways as well. Hosts where these "alternate"
| methods are used will still leave the system in a vulnerable state
| after the device comes back from a guest.
|
| An untrusted domain with access to a physical device can DMA into host
| memory, leading to privilege escalation.
Impact
=======
The original XSA-302 fix provided by the Xen Project is ineffective for
the configuration used in Qubes OS. Therefore, the impact is the same as
as the XSA-302 impact originally reported in QSB #52 (XSA-299, XSA-302).
Discussion
===========
The Qubes Security Team discovered this issue while re-verifying the Xen
Project's fixes for XSA-302. At that time, both XSA-302 and QSB #52 had
already been made public. Whether a disclosure has been made public is
significant to the Xen Security Policy [4]. Therefore, after discussion
with the Xen Security Team, we have decided to treat this as a separate
security issue, with a separate XSA, QSB, and embargo period.
From a security perspective, the new proposed fix for PCI device
isolation is much less fragile, since it no longer depends on toolstack
(libxl) behavior anymore.
Patching
=========
The specific packages that resolve the problems discussed in this
bulletin are as follows:
For Qubes OS 4.0:
- Xen packages version 4.8.5-13
The packages are to be installed in dom0 via the Qubes VM Manager or via
the qubes-dom0-update command as follows:
For updates from the stable repository (not immediately available):
$ sudo qubes-dom0-update
For updates from the security-testing repository:
$ sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing
These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community.
If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.
Credits
========
See the original Xen Security Advisories.
References
===========
[1] https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-052-2019.txt
[2] https://xenbits.xen.org/xsa/advisory-302.html
[3] https://xenbits.xen.org/xsa/advisory-306.html
[4] https://xenproject.org/developers/security-policy/
--
The Qubes Security Team
https://www.qubes-os.org/security/
Don’t try this at home, use our servers instead
Designers can now point their maas-ui at a remote MAAS.
Before (Single repo – UI in AngularJS & Django) ⟶ After (Multiple Repos maas-ui, maas-core – UI in Angularjs & React) 
Marc André Audet, Security Expert at 
Librem 5 PCBA
Rescatux 0.72-beta6
Source: 
![[RSS 1.0 Feed]](common/rss10.png){kind=small}
![[RSS 2.0 Feed]](common/rss20.png){kind=small}
![[Atom Feed]](common/atom.png){kind=small}
![[FOAF Subscriptions]](common/foaf.png){kind=small}
![[OPML Subscriptions]](common/opml.png){kind=small}
![[Hacker]](common/hacker.png){kind=small}
![[Planet]](common/planet.png){kind=small}