Planet Ubuntu
Planet Ubuntu - http://planet.ubuntu.com/

Ubuntu Podcast from the UK LoCo: S11E22 – Catch-22 - Ubuntu Podcast

Fri, 10/08/2018 - 10:56am

Alan and Mark shoot the breeze about stuff, you know? They miss Martin and hope he comes back soon.

It’s Season 11 Episode 22 of the Ubuntu Podcast! Alan Pope and Mark Johnson are connected and speaking to your brain.

In this week’s show:

That’s all for this week! You can listen to the Ubuntu Podcast back catalogue on YouTube. If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to show@ubuntupodcast.org or Tweet us or Comment on our Facebook page or comment on our Google+ page or comment on our sub-Reddit.

David Tomaschik: I'm the One Who Doesn't Knock: Unlocking Doors From the Network

Fri, 10/08/2018 - 9:00am

Today I’m giving a talk in the IoT Village at DEF CON 26. Though not a “main stage” talk, this is my first opportunity to speak at DEF CON. I’m really excited, especially with how much I enjoy IoT hacking. My talk was inspired by the research that led to CVE-2017-17704, but it’s not meant to be a vendor-shaming session. It’s meant to be a discussion of the difficulty of getting physical access control systems that have IP communications features right. It’s meant to show that the designs we use to build a secure system when you have a classic user interface don’t work the same way in the IoT world.

(If you’re at DEF CON, come check it out at 4:45PM on Friday, August 10 in the IoT Village.)

The TL;DR of it is that encryption (particularly with a key hardcoded in the device firmware) does not guarantee authenticity and that an attacker can forge messages triggering behavior on the door access controller. What’s more interesting is to discuss how to fix this problem in product designs going forward.

Getting encryption right is hard at the best of times. Doing it in a way that allows reasonable management of the devices, with proper authentication of connection, when you have devices that may not have hostnames (or if they do, may be internal only hostnames), that don’t have classic user interfaces, that may fail and need to be replaced, is very hard.

It’s also worth noting that the amount we should care about security really does depend on the product involved. While I don’t deny that an RCE in a light bulb could become part of a botnet, authentication bypass in an access control system is pretty scary. It literally has one job: to deny unauthorized access. Having the ability to bypass it over the network is clearly impactful.

I hope my talk will inspire conversations about how to do network trust among networks of embedded & IoT devices. As security professionals, we haven’t offered the device developers the tools to bootstrap the trust relationships in the real world. Here’s to hoping that next year, I can be discussing a different type of bug.

Slides

PDF: I’m the One Who Doesn’t Knock: Unlocking Doors From the Network

The Fridge: Ubuntu Weekly Newsletter Issue 539

Fri, 10/08/2018 - 4:55am

Welcome to the Ubuntu Weekly Newsletter, Issue 539 for the week of July 29 – August 4, 2018. The full version of this issue is available here.

In this issue we cover:

The Ubuntu Weekly Newsletter is brought to you by:

  • Krytarik Raido
  • Bashing-om
  • Chris Guiver
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

Sergio Schvezov: Reporting Metrics Back to Ubuntu

Thu, 09/08/2018 - 1:22am

A short lived ride

After some time on Kubuntu on this new laptop, I just re-discovered that I did not want to live in the Plasma world anymore. While I do value all the work the team behind it does, the user interface is just not for me as it feels rather busy to my liking. In that aforementioned post I wrote about running the Ubuntu Report Tool on this system; it is not part of the Kubuntu install or first boot experience but you can install it by running apt install ubuntu-report followed by running ubuntu-report to actually create the report and if you want, send it too.

Stuart Langridge: If you can do it with CSS do it with CSS

Thu, 09/08/2018 - 1:19am

I read Twitter with Tweetdeck. And I use the excellent Better Tweetdeck to improve my Tweetdeck experience. And I had an idea.

You see, emoji, much as they’re the way we communicate now, they’re actually quite hard to read. And Slack does this rather neat thing where if …

Valorie Zimmerman: Ade visits, and the weather changes so we can walk about Deventer

Wed, 08/08/2018 - 6:00pm

A lovely lunch and a shared afternoon and evening with Ade was a pleasant interlude in our time together here in beautiful Deventer. We changed tables a few times to avoid the sun! Last night we were wakened at around 2am with wind blowing rain into the open windows, which was quite exciting. Thunder roared in the south. It was still quite cool and breezy this morning so we ate inside.




After lunch, Boud proposed a walk around the town while the temperatures were moderate. We walked over much of the old town of Deventer, and spent some time in the Roman Catholic church, the old church on the "hill" with twin spires, the old Brush Shop, and back past the Weighing House and a lovely cast bronze map of Deventer.

Our favorite tree:


The Roman Catholic church whose steeple we see from the terrace:
On the wall of the Weighing House:


Our little corner of Deventer:

Tomorrow we travel by fast train to Vienna! I hope there is time to drink a cup of coffee. :-)

Sean Davis: Mugshot 0.4.1 Released

Wed, 08/08/2018 - 12:04pm

Mugshot 0.4.1, the latest release of the lightweight user profile editor, is now available! This release includes a number of bug fixes and will now run in the most minimal of environments.

What’s New?

Code Quality Improvements
  • Replaced deprecated logger.warn with logger.warning (Python 2.x)
  • Replaced deprecated module optparse with argparse (Python 2.7)
  • Resolved Pylint and PEP8 errors and warnings
Bug Fixes
  • TypeError in _spawn(): The argument, args, must be a list (LP: #1443283)
  • User-specified initials are not correctly loaded (LP: #1574239)
  • Include Mugshot in Xfce Settings, Personal Settings (LP: #1698626)
  • Support -p and -w office phone flags in chfn. This flag varies between chfn releases. (LP: #1699285)
  • FileNotFoundError when comparing profile images (LP: #1771629)
Support for Minimal Chroot Environments
  • Fix crash when run without AccountsService
  • Handle OSError: out of pty devices
  • Specify utf-8 codec for desktop file processing when building
Translation Updates

Catalan, Chinese (Simplified), Danish, Lithuanian, Spanish

Downloads

Source tarball (md5sig)

Benjamin Mako Hill: Lookalikes

Tue, 07/08/2018 - 11:00pm

Am I leading a double life as an actor in several critically acclaimed television series?

I ask because I was recently accused of being Paul Sparks—the actor who played gangster Mickey Doyle on Boardwalk Empire and writer Thomas Yates in the Netflix version of House of Cards. My accuser reacted to my protestations with incredulity. Confronted with the evidence, I’m a little incredulous myself.

Previous lookalikes are here.

Lubuntu Blog: This Week in Lubuntu Development #8

Tue, 07/08/2018 - 12:09am
Here is the eighth issue of This Week in Lubuntu Development. You can read the last issue here. Translated into: español Changes General Lubuntu 18.04.1 has been released! Lubuntu 16.04.5 has been released! We’re taking a new direction. The past couple of weeks have been focused on more desktop polish and some heavy infrastructure and […]

Valorie Zimmerman: In my heart

Mon, 06/08/2018 - 11:57am

Last night we were living outside as usual. It had cooled a bit and a stiff cool breeze began blowing, so we moved inside for the first time in a week. We had a wonderful discussion about the state of the world (worrying) and what we might do about it beyond working for freedom in our KDE work. I think I'm not alone in being concerned about visiting Austria since politics there turned "populist". Since I'm living in a country where the same is true at least on the Federal level, that might seem hypocritical. Perhaps it is, but I'm not the only one working to expand the scope of people we welcome, rather than the reverse. I believe the most fortunate--including me--should pay the highest taxes, to provide public goods to all: excellent schools, medical and social care, fine public transport, free libraries, and free software.

We can only do that last bit well with a healthy KDE community. This means uniting around our goals, contributing to the community along with the software; by creating good documentation, helping promote news, contributing timely information for release announcements, joining a working group or the e.V. itself and most important: living up to our Code of Conduct. Our Code of Conduct is one of the best and most positive in free software, and is a key reason I came to KDE and stayed to contribute. It is of little value, however, unless we occasionally re-read it and resolve to personally hold ourselves to a high standard of conduct, and in addition, daring to step up to help resolve situations where it requires courage to do so. This is an important bit:
If you witness others being attacked, think first about how you can offer them personal support. If you feel that the situation is beyond your ability to help individually, go privately to the victim and ask if some form of official intervention is needed. Similarly you should support anyone who appears to be in danger of burning out, either through work-related stress or personal problems.

It is sometimes very difficult and discouraging to confront distressing situations, when those whom you respect and even love deeply disappoint. However if we are to grow and thrive as a family, and we are a huge family, this must be done.

I've recently stolen from Boud and Irina's huge library In Search of the Indo-Europeans: Language, Archaeology and Myth by J.P. Mallory. A bit old, but a lovely survey of Eurasia up to historical times. Just this morning with my breakfast I read:
In what did the Proto-Indo-Europeans believe, or, to use their own words, to what did they 'put in their hearts'? This archaic expression is still preserved in a roundabout way in English where the Latin verb credo 'I believe' has been borrowed to fashion our English creed.

After our talk last night, this passage prompted me to write today.


More photos from Deventer:
Flower cheese!
Sage, parsley
Sunset
IPA even in Deventer!

Sam Hewitt: Moving Beyond Themes

Sun, 05/08/2018 - 5:00pm

FreeDesktop platforms have come a long way in terms of usability and as we strive to make them better platforms for application developers, I think it’s time to shed one more shackle that slows that down: themes.

Now, coming from me that view may be a surprise (because of all those themes that I call personal projects) but I do feel it’s necessary mainly because the level of visual customisation that is being done at the distribution level has led to widespread visual fragmentation which impacts both user- and developer-friendliness.

Letting the Past Go

What themes used to be were sets of preset or configuration files that would only tweak the details of the user interface such as the window borders or how buttons and scrollbars looked but the overall layout and function stayed the same.

But user interfaces of the past were much simpler, there were fewer window states, fewer points of interaction, less visual feedback, and just plain fewer pixels. These limitations in old toolkits meant that they largely stayed the same from theme to theme and things were relatively stable.

Fast-forward to today, where we have modern toolkits like GTK+ 3 with more complex visuals and detailed interactions, which means that without the same level of quality control that you find at the toolkit level, maintaining a separate theme is a very fiddly and potentially buggy prospect. Not to mention getting all the details right matters for both usability and accessibility.

“Look and Feel” as a Toolkit Component

It’s unfortunate that “Adwaita” is thought of as a theme when in fact it is a core component of the toolkit, but this is mostly a holdover from how we’re used to thinking about look and feel as it relates to the user interface. Adwaita is as closely tied to GTK+ as Aqua is to the macOS user interface, and as a result it has broad implications for applications built with GTK+.

The reality is that GTK+ 3 has no theme framework (there is no API or documentation for “themes”) and “Adwaita” is simply the name of the stylesheet deeply integrated in GTK+. So when third-party developers build GNOME apps, they rely on this stylesheet when determining the look and feel of their apps and, if necessary, use it as a reference when writing their own custom stylesheets (since it is a core toolkit component).

Today’s themes aren’t themes

GTK+ 3 themes are not themes in the traditional sense. They are not packages of presets designed to work with the user interface toolkit, they are more like custom stylesheets which exist outside of the application-UI framework and only work by essentially overriding the toolkit-level stylesheet (and quite often only the toolkit-level stylesheet).

When GTK+ 3 applications are being used under third-party themes, what is being broken is the boundary an application developer has set up to control both the quality of their application and how it looks and feels and this becomes really problematic when applications have custom CSS.

In order for third party themes to work properly and not cause cascading visual bugs, they have to either become monolithic and start incorporating all the custom stylesheets for all the applications that have them, or work with application developers to include stylesheets in their applications that support their themes. Neither of these solutions is good for platform or application development since it will become a task of never-ending maintenance.

Visual Fragmentation

Across the GNOME desktop ecosystem exists “visual fragmentation” and it’s a very real problem for app developers. Since very few distributions ship GNOME as-is, it is hard to determine what the visual identity of GNOME is and therefore it’s difficult to know which visual system to build your application for.

Integrating the stylesheet with the user interface toolkit, in theory, should have solved many issues regarding visual inconsistency across the GNOME platform, but that’s an unsolvable problem so long as themes persist.

The biggest offenders continue to be downstream projects that theme GNOME extensively by overriding the default icons and stylesheet, and insist that that’s part of their own brand identity, but so long as that practice carries on then this fragmentation will continue.

Upstream vs. Downstream Identity

It is extremely rare for a Linux distribution to also be the platform vendor, so it can be said that nearly all distros that ship a desktop platform (like GNOME) are “downstream” vendors.

Platforms like GNOME and KDE exist irrespective of distributions and they have their own visual and brand identities, and own guidelines around the user interface. On the other hand, distribution vendors see a need to have unique identities and some decide to extend that to the look and feel of the desktop and apply themes.

But this practice raises questions about whether it is right or not for distributions to cut out or override the upstream platform vendor’s identity to favour their own. Should distributions that ship GNOME be asked to leave the default look and feel and experience intact? I think yes.

A similar situation exists on Android where Google is trying to control the look and feel of Android and hardware OEMs all over the place are skinning it for their phones, but the blame for issues gets conflated with issues in Android (unless you do some monumental branding effort and effectively erase Android, like Samsung).

Distributions owe a lot to the desktop platforms, as such I think that effort should be made to respect the platform’s intended experience. Not to mention, the same concerns for quality assurance regarding applications also apply to the platform; GNOME developers lose out when they are forced to dedicate time and resources to dealing with bugs related to issues created by downstream theming and deviations.

The Future

If ending the wild west of visual customisation (which would probably end all of those projects of mine) on GNOME is necessary to grow the ecosystem, so be it.

I would rather see GNOME evolve as a platform and become a little less developer-hostile by dropping support for third-party themes, than stagnate. Doing so would also bring us in line with how the major (successful) platforms maintain a consistent look and feel and consider app developers’ control over their apps and their rights to their brand identities.

That said, I doubt such a hardline position will be widely warmly received, but I would like to see a more closed approach to look and feel. Though, perhaps actually building some sort of framework that allows for custom stylesheets (so that downstreams can have their unique visual identities) that doesn’t involve totally overriding the one at the toolkit level would be the best solution.