Purism Launches Librem One, a Suite of Privacy-Protecting, No-Track, No-Ad Apps and Services

Some time back, the folks from Purism sent me a question: "Would you like to record some voice-over for a little commercial we're making?"

"Sure," I say. "Why not?"

They give me a script, show me a rough cut of the footage, and I record a few lines. Easy peasy.

The only problem? The commercial was for something that I think is a really great idea. And, the finished commercial gave me a serious case of the giggles. Yet I couldn't tell anyone about it. I was sworn to secrecy.

For a person who runs his mouth for a living, secrecy isn't always so easy. Keeping my big, dumb mouth shut was downright painful. Painful, I say!

Luckily, I can now, as of today, spill the beans without getting into trouble.

Purism has just launched an online service it has dubbed "Librem One", which is, as Purism calls it, a "suite of apps and services designed to provide users with convenient alternatives to Big Tech products".

There are two components of Librem One that are offered free of cost (or, at least, choose your own price): Chat and Social Media.

The chat component—the aptly named "Librem Chat"—is built on Matrix (which I am also a big fan of) and includes end-to-end encrypted text chat plus audio and video chatting. And, since it's built on Matrix, it has access to all the other users on Matrix out there. Which may not be as big of a user pool as, say, Hangouts or something, but the user base is growing. Quickly.

The Social Media component is built using Activity Pub and Mastodon (a federated, free software social network system).

I want to pause right there a moment, because this is really interesting to me.

That means we now have a social media server that is supported via a subscription model.  Not advertisements. Not data collection. Subscription. Which, in my opinion, is just a much better way to build a social network that respects user data and privacy.

Plus, this solves one of the biggest problems with picking and utilizing a Mastodon server up until this point—that they've mostly been run by hobbyists in their spare time. Thus, servers could go up or down or lose data at any time (which happened to me more than once). A professionally administered Mastodon social-media server supported as part of a subscription online service? Heck yes.

Then there are the services that aren't part of the free (in cost) tier, the ones you'll need to pay to gain access to: Librem Mail (encrypted email), Librem Tunnel (a VPN service), and, according to the Purism folks, they have plans to add a few additional services to Librem One in the future:

Fedora 30 Is Here, Raspberry Pi Foundation Announces the Gender Balance in Computing Project, Open ZFS/ZFS On Linux Working on a Code of Conduct, Docker Hub Breach and Help Promote the Coming openSUSE Leap 15.1 Release

News briefs for April 30, 2019.

Fedora 30 was released today. TechRepublic reports that this version brings some "quality-of-life improvements", such as the flicker-free boot process. It includes GNOME 3.32 with all new app icons, but it also includes Fedora spins for KDE, XFCE, LXQT, MATE-Compiz, Cinnamon, and LXDE. In addition, "New to Fedora 30 include packages for DeepinDE and Pantheon, the desktop environments used in Deepin Linux, called "the single most beautiful desktop on the market" by TechRepublic's Jack Wallen, as well as elementaryOS, which Wallen lauded as "spectacularly subtle." While these are only packages—requiring simple, though manual, installation—packaging these desktops is the first step to building a full independent spin." Go here to download, and see the full changelog here.

Raspberry Pi Foundation announces a consortium has been awarded £2.4 million for a new research project to investigate how to engage more girls in computing, as part of its work with the National Centre of Computing Education. The project is called Gender Balance in Computing and "is a collaboration between the consortium of the Raspberry Pi Foundation, STEM Learning, BCS, The Chartered Institute for IT, and the Behavioural Insights Team". Here's how it will work: "Gender Balance in Computing will develop and roll out several projects that aim to increase the number of girls choosing to study a computing subject at GCSE and A level. The consortium has already identified some of the possible reasons why a large percentage of girls don't consider computing as the right choice for further study and potential careers. These include: feeling that they don't belong in the subject; not being sufficiently encouraged; and feeling that computing is not relevant to them. We will go on to research and pilot a series of new interventions, with each focusing on addressing a different barrier to girls' participation."

OpenZFS/ZFS On Linux is working on a code of conduct to help encourage new contributors. According to Phoronix, "The OpenZFS Code of Conduct would apply to OpenZFS, ZFS On Linux, ZFS On OSX, and ZFS On Windows projects. They are working on this CoC to ensure 'The OpenZFS community values respectful, welcoming behavior towards everyone. This enables our members to thrive and contribute, and encourages new participants to join our community.'" You can read the draft here.

There was a Docker Hub breach recently that impacted 190,000 accounts. eWeek reports that the breach was first reported on April 26, and was discovered the day before. From Director of Docker Support Kent Lamb's email to Docker Hub users: "During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds." Docker recommends that impacted users "change their Docker Hub account passwords, review GitHub activity, and unlink and then relink GitHub access."

You can help promote the openSUSE Leap 15.1 release, which is about 3 weeks away. Go here for a counter, or you can get artwork here.

A Conversation with Kernel Developers from Intel, Red Hat and SUSE

Three kernel developers describe what it's really like to work on the kernel, how they interact with developers from other companies, some pet peeves and how to get started.

Like most Linux users, I rarely touch the actual code for the Linux kernel. Sure, I've looked at it. I've even compiled the kernel myself on a handful of occasions—sometimes to try out something new or simply to say I could do it ("Linux From Scratch" is a bit of a right of passage).

But, unless you're one of the Linux kernel developers, odds are you just don't get many opportunities to truly look "under the hood".

Likewise, I think for many Linux users (even the pro users, sysadmins and developers), the wild world of kernel development is a bit of a mystery. Sure, we have the publicly available Linux Kernel Mailing List (LKML.org) that anyone is free to peruse for the latest features, discussions and (sometimes) shenanigans, but that gives only a glimpse at one aspect of being a kernel developer.

And, let's be honest, most of us simply don't have time to sift through the countless pull requests (and resulting discussions of said pull requests) that flood the LKML on a daily basis.

With that in mind, I reached out to three kernel developers—each working at some of the most prominent Linux contributing companies today—to ask them some basic questions that might provide a better idea of what being a Linux kernel developer is truly like: what their days look like and how they work with kernel developers at other companies.

Those three developers (in no particular order):

  • Dave Hansen, Principal Engineer, System Software Products at Intel.
  • Josh Poimboeuf, Principal Software Engineer on Red Hat Enterprise Linux.
  • Jeff Mahoney, Team Lead of Kernel Engineering at SUSE Labs.

Intel, Red Hat and SUSE—three of the top contributors of code to the Linux kernel. If anyone knows what it's like being a kernel developer, it's them.

I asked all three the exact same questions. Their answers are here, completely unmodified.

Bryan Lunduke: How long have you been working with the Linux kernel? What got you into it?

Dave Hansen (Intel): My first experience for the Linux kernel was a tiny little device driver to drive the eight-character display on an IBM PS/2, probably around 20 years ago. I mentioned the project on my college resume, which eventually led to a job with IBM's Linux Technology Center in 2001. IBM is where I started doing the Linux kernel professionally.

Apache Software Foundation Migrates to GitHub, Linux Kernel 5.1-rc7 Is Out, deepin 15.10 Released, Debian 9.9 Update and KaOS 2019.04 Now Available

News briefs for April 29, 2019.

The Apache Software Foundation today announced it has migrated its Git service to GitHub. From the announcement: "As the world's largest Open Source foundation, the ASF's 200M+ lines of code are overseen by an all-volunteer community of 730 individual ASF Members and 7,000 Apache code committers. Over its 20 year history, 1,058,321,099 lines of code have been committed across 3,022,836 code commits." Of the migration, the ASF writes, "GitHub makes it easier for developers to work together, to solve challenging problems, and to create the world's most important technologies. The platform enables teams to host and review code, manage projects, and build software alongside 31M+ developers, 2M+ businesses and organizations, and across 100M+ repositories."

Linux kernel 5.1-rc7 is out. Linus Torvalds writes, "If rc6 was bigger than I wished, it really does seem to have been just due to timing of pull requests. Because rc7 is tiny. Just under half of the patch is various kinds of networking changes: a mix of core networking, network drivers and some netfilter selftests....But it's all pretty tiny. Plus about 30% of the patches are marked for stable, so on the whole it really does feel like 5.1 is on target for a regular release next weekend."

deepin 15.10 was released yesterday. This new version of the distro "devoted to providing beautiful, easy to use, safe and reliable system for global users" includes new features such as "files on desktop auto merge, wallpaper slideshow, separate switches for system sound effects, and supports dragging the tray icon out in fashion mode. In addition, many bugs are fixed and the existing functions are optimized." The announcement also notes that "deepin 15.10 is newly built and released using Debian stable repository, in this way, system stability and security is greatly improved, bringing users more stable and efficient experiences." Go here to download.

Debian 9.9 was released over the weekend. This update mainly adds security fixes; it's not a new version of Debian 9, so it just updates some included packages. To update: "Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at https://www.debian.org/mirror/list. As a special case for this point release, those using the apt-get tool to perform the upgrade will need to ensure that the dist-upgrade command is used, in order to update to the latest kernel packages. Users of other tools such as apt and aptitude should use the upgrade command."

KaOS 2019.04 was released yesterday. This version marks the distro's sixth anniversary and includes a "fully updated Midna theme, a new toolchain and Qt 5.12.3". As a rolling distro, it also has the "latest packages for the Plasma Desktop, this includes Frameworks 5.57.0, Plasma 5.14.4 and KDE Applications 19.04.0. All built on Qt 5.12.3." There are many other new features, so see the announcement for details, and go here to download.

Data in a Flash, Part I: the Evolution of Disk Storage and an Introduction to NVMe

NVMe drives have paved the way for computing at stellar speeds, but the technology didn't suddenly appear overnight. It was through an evolutionary process that we now rely on the very performant SSD for our primary storage tier.

Solid State Drives (SSDs) have taken the computer industry by storm in recent years. The technology is impressive with its high-speed capabilities. It promises low-latency access to sometimes critical data while increasing overall performance, at least when compared to what is now becoming the legacy Hard Disk Drive (HDD). With each passing year, SSD market shares continue to climb, replacing the HDD in many sectors. The effects of this are seen in personal, mobile and server computing.

IBM first unleashed the HDD into the computing world in 1956. By the 1960s, the HDD became the dominant secondary storage device for general-purpose computers (emphasis on secondary storage device, memory being the first). Capacity and performance were the primary characteristics defining the HDD. In many ways, those characteristics continue to define the technology—although, not in the most positive ways (more details on that shortly).

The first IBM-manufactured hard drive, the 350 RAMAC, was as large as two medium-sized refrigerators with a total capacity of 3.75MB on a stack of 50 disks. Modern HDD technology has produced disk drives with volumes as high as 16TB, specifically with the more recent Shingled Magnetic Recording (SMR) technology coupled with helium—yes, that's the same chemical element abbreviated as He in the periodic table. The sealed helium gas increases the potential speed of the drive while creating less drag and turbulence. Being less dense than air, it also allows more platters to be stacked in the same space used by 2.5" and 3.5" conventional disk drives.

Figure 1. A lineup of Standard HDDs throughout Their History and across All Form Factors (by Paul R. Potts—Provided by Author, CC BY-SA 3.0 us, https://commons.wikimedia.org/w/index.php?curid=4676174)

A disk drive's performance typically is calculated by the time required to move the drive's heads to a specific track or cylinder and the time it takes for the requested sector to move under the head—that is, the latency. Performance is also measured at the rate by which the data is transmitted.

Being a mechanical device, an HDD does not perform nearly as fast as memory. A lot of moving components add to latency times and decrease the overall speed by which you can access data (for both read and write operations).

The EFF Asks You to Help End the Call Detail Records Program, FreedomBox Foundation Launches the Pioneer Edition FreedomBox Home Server, Polyverse Announces CVE API Support, IBM Developers Working on System Call Isolation and Scientific Linux Discontinued

News briefs for April 26, 2019.

The EFF asks you to tell Congress to end the Call Detail Records (CDR) program: "For nearly two decades, the NSA has searched millions of Americans' telephone call records—all without a warrant or, for the vast majority of these calls, any suspicion of wrongdoing. But there's a bill in Congress that would finally put an end to the Call Detail Records (CDR) program. Please tell your members of Congress to cosponsor the Ending Mass Collection of Americans' Phone Records Act (S. 936, H.R. 1942)."

The FreedomBox Foundation recently announced the launch of its Pioneer Edition FreedomBox Home Servers. From the announcement: "the product includes pocket-sized server hardware, an SD card with the operating system pre-installed, and a backup battery which can power the hardware for 4-5 hours in case of outages. It sells for 82 euros and ships globally. The FreedomBox community will be offering free technical support for owners of the Pioneer Edition FreedomBox servers on our support forum. The only thing users pay for is hardware." In addition, "FreedomBox is designed around the principle that the exploitation of user data and attention should be technologically impossible. To that end, it is a user-controlled device that enables almost anyone to decentralize the web by hosting their own corner of the internet at home. Its simple user interface empowers individuals to host their own Internet services without any expertise, like an encrypted chat server that can replace Whatsapp, a VoIP server, a personal website, file sharing, a metasearch engine, and much more. The FreedomBox software is fully free and open source, and it is supported by the non-profit FreedomBox Foundation." You can order one via Olimex.

The Polyverse Corporation announces it "is supporting and promoting cveapi.com, an online resource that makes the Common Vulnerabilities and Exposures (CVEs) database more accessible to the open source community." Archis Gore, Polyverse CTO, says "Polyverse is thrilled to support cveapi.com in our shared mission to democratize the cybersecurity industry and foster an environment that encourages collaboration. By encouraging open APIs such as the CVE API, we hope to do our small part in helping ideas flourish and creating usable data."

IBM developers are working on a "system call isolation" concept for the Linux kernel to help increase security. Phoronix reports that the concept was just announced, and some preliminary patches are in the works. The post quotes developer Mike Rapoport: "The idea here is to allow an untrusted user access to a potentially vulnerable kernel in such a way that any kernel vulnerability they find to exploit is either prevented or the consequences confined to their isolated address space such that the compromise attempt has minimal impact on other tenants or the protected structures of the monolithic kernel. Although we hope to prevent many classes of attack, the first target we're looking at is ROP gadget protection."

Scientific Linux is being discontinued. According to BetaNews, the RHEL-based distro maintained by the scientific community at The Fermi National Laboratory and CERN will no longer be developed, and the organizations will switch to CentOS. James Amundson, Head of Scientific Computing Division, Fermi National Accelerator Laboratory, says the change is driven by the need to unify their computing platform with collaborating labs and institutions: "Toward that end, we will deploy CentOS 8 in our scientific computing environments rather than develop Scientific Linux 8. We will collaborate with CERN and other labs to help make CentOS an even better platform for high-energy physics computing. Fermilab will continue to support Scientific Linux 6 and 7 through the remainder of their respective lifecycles. Thank you to all who have contributed to Scientific Linux and who continue to do so."

Plotting on Linux with KmPlot


This issue of Linux Journal marks the magazine's 25th anniversary. So, I thought I'd look back to see when I wrote my first article, and I was horrified to see that it was in 2000. I'm too young to have been writing articles for more than 18 years! Here's to another 25 years for Linux Journal and all of the authors who have made it what it is.

For this article, let's take a look at the KmPlot plotting program. KmPlot is part of the EDU suite of programs from the KDE project, and it was designed to plot functions and interact with them to learn about their behavior. Since it is a part of the KDE project, it should exist in most package management systems. For example, in Debian-based systems, you can install it with the command:

sudo apt-get install kmplot

When you first start KmPlot, you'll see a blank workspace where you can start to play with mathematical functions. On the right-hand side, there's a main plot window where all of the graphical display will happen. On the left-hand side, there's a function list window where you can find all of the functions you've defined and are planning on working with.

Figure 1. Upon start up, you can begin entering functions and learning about their behavior.

The first thing to do is create some functions to use from within KmPlot. Click the Create button at the bottom of the function window to bring up a drop-down menu. Here you can select from a number of plot types, such as Cartesian, polar or differential. As an example, clicking the Cartesian option opens a new window where you can create your function.

Figure 2. You can use the built-in palettes to select functions and constants to build up the functions that you are interested in.

You can use pre-defined constants and simpler functions to build up the specific function you want to study. Once you're finished, KmPlot will update the main window, and you'll see your plot generated.

Several defaults exist that you can assign in terms of its appearance. Click the Advanced button at the bottom of the left-hand pane to open a new dialog window where you can change some of the defaults.

Figure 3. Click the Advanced button to set several options in the plot window.

Nextcloud 16 Is Now Available, Facebook Open-Sources the C++ F14 Hash Table, the Prophet & The Warlock DLC for Total War: WARHAMMER II Is Here, Nintendo Announces Closed Beta of Mario Kart Tour for Android and Google Earth Timelapse Updates

News briefs for April 25, 2019

Nextcloud 16 was released today. From the press release: "Nextcloud 16 is smarter than ever, with machine learning to detect suspicious logins and offering clever recommendations. Group Folders now sport access control lists so system administrators can easily manage who has access to what in organization-wide shares. We also introduce Projects, a way to easily relate and find related information like files, chats or tasks." You can download it from here.

Facebook has open-sourced the C++ F14 hash table. According to ZDNet, "The F14 resolves collisions (multiple keys that map to the same array index) by double hashing. Up to 14 keys are stored in a chunk at a single hash table position. High-speed vector instruction sets -- x86_64 SSE2 and aarch64 NEON -- are used to filter within a chunk. By filtering on up to 14 keys at a time, the hash table can be operated at a high maximum load factor while still keeping probe chains very short."

The Prophet & The Warlock DLC, for the epic fantasy strategy game Total War: WARHAMMER II, is out today on and Linux and macOS. You can get it at the Feral Interactive store for $8.99. See the Total War Blog for more information.

Nintendo announced that a closed beta of Mario Kart Tour will be available as a sneak-preview for Android users between May 22nd and June 4th. Engadget reports that you can sign up via a QR code at the Mario Kart Tour site.

Google announces updates to its Google Earth Timelapse. Google Earth Timelapse is "a global, zoomable time-lapse video that lets anyone explore the last 35 years of our changing planet's surface—from the global scale to the local scale". The update adds two more years of imagery to the visualization, so it now spans from 1984–2018. In addition, Google Earth Timelapse has received mobile support and visual upgrades, making it more accessible and intuitive. Read more about it here.

Linux and the Multiverse

A look at the rich diversity of Linux distributions.

What do Linux distributions and the Nobel Prize-winning work by Saul Perlmutter, Brian P. Schmidt and Adam G. Riess have in common? Well, Linux was originally the hobby project of one Linus Torvalds back in 1991 when he lived in Helsinki, Finland. Perlmutter, on the other hand, worked on the Supernova Cosmology Project at the Lawrence Berkeley National Laboratory and the University of California in Berkeley. Schmidt was part of the High-z Supernova Search Team at Australian National University, and Riess was also on the High-z Supernova Search Team but worked out of Johns Hopkins University and Space Telescope Science Institute in Baltimore.

You see where I'm going with this? The supernova team won the 2011 Nobel Prize for physics for "the discovery of the accelerating expansion of the Universe through observations of distant supernovae". In short, they discovered that the universe is not only expanding, as Edwin Hubble observed back in 1929 when he noticed that everything seemed to be moving away from us, but that the expansion was accelerating. This is a big deal, because everyone assumed that gravity would eventually do its dirty work and slow the whole expanding mess down. That turns out not to be the case.

So what's causing this anti-gravity force? Dark energy, for which the team actually came up with a number, a number which, as it turns out, is super tiny and its source, unknown. Later work, based on these observations, suggests that string theory might hold the answer, while others point to the Higgs Field, long theorized but only recently confirmed. Spoiler alert: nobody knows for sure, but if you follow this whole thing down the proverbial rabbit hole, you wind up concluding that there are countless universes in addition to our own—what we now refer to as the multiverse.

Just as the possibility exists for countless universes, so does the possibility exist for countless Linux distributions, When Linus chose to open the code for his new kernel, he unknowingly set in motion a kind of "distribution Big Bang", where the original code, combined with other open-source projects, began stretching out into the furthest reaches of the internet, where those combinations could spawn other versions of what eventually would form what we now think of as distributions. Just as matter from the early universe coalesced into dust clouds and then into stars that through their eventual cataclysmic destruction in supernovae would spawn the heavier elements that would, in time, create our own solar system with our planetary home, the Earth, so too did this early code evolve to create the rich diversity of Linux distributions.

Mozilla Publishes Its 2019 Internet Health Report, Pop!_OS 19.04 Is Now Availalbe, the Free Software Dictionary Needs Your Help, GNOME Builder 3.331 Is Out and Rancher Labs Launches k3OS

News briefs for April 24, 2019.

Mozilla has released its 2019 Internet Health Report. This year's report focuses on three main issues: the need for better machine decision making, rethinking digital ads and the rise of smart cities. See the Mozilla blog for a summary.

Pop!_OS 19.04 is now available from System76. This release is updated to use version 5.0 of the Linux kernel and version 3.32 of GNOME. In addition, this version brings a new Dark Mode, Slim Mode and refreshed icon designs. Go here to download, or see the instructions on the System76 blog to upgrade from 18.04.

The Free Software Dictionary needs your help. The dictionary is "maintained by countless volunteers dedicated to the promotion of software that respects your personal liberty. As with any group composed of volunteers, the informal Directory team has people who come and go, and right now, it could really use some fresh new members to kick our efforts into high gear." See the FSF post for information on how you can contribute.

GNOME Builder 3.33.1 is out. Highlights include a DBus Inspector inspired by D-feet, some initial Podman support and Git integration has been moved out of process. Click here to download.

Rancher Labs today announced k3OS, the first Kubernetes operating system. k3OS is "an operating system completely managed by Kubernetes. It launches in seconds and runs almost anywhere. As a combined Linux and Kubernetes distribution it has the smallest attack surface and simplest upgrade process of any Kubernetes installation." Go here to download.

Exporting Kernel Headers

Joel Fernandes submitted a module to export kernel headers through the /proc directory to make it easier for users to extend the kernel without necessarily having the source tree available. He said:

On Android and embedded systems, it is common to switch kernels but not have kernel headers available on the filesystem. Raw kernel headers also cannot be copied into the filesystem like they can be on other distros, due to licensing and other issues. There's no linux-headers package on Android. Further, once a different kernel is booted, any headers stored on the filesystem will no longer be useful. By storing the headers as a compressed archive within the kernel, we can avoid these issues that have been a hindrance for a long time.

Christoph Hellwig was unequivocal, saying, "This seems like a pretty horrible idea and waste of kernel memory. Just add support to kbuild to store a compressed archive in initramfs and unpack it in the right place."

But Greg Kroah-Hartman replied, "It's only a waste if you want it to be a waste—i.e., if you load the kernel module." And he pointed out that there was precedent for doing something like Joel's idea in the /proc/config.gz availability of the kernel configuration.

Meanwhile, Daniel Colascione was doing a little jig, saying that Joel's feature would make it much easier for him to play around with Berkeley Packet Filter. He suggested exporting the entire source tree, instead of just the kernel headers. But Joel said this would be too large to store in memory.

H. Peter Anvin, while affirming the value of exporting the kernel headers, had some issues about the right way to go about it. In particular, he said, "I see literally *no* problem, social or technical, you are solving by actually making it a kernel ELF object."

Instead, H. Peter though the whole project could be simplified into a simple mountable filesystem containing the header files.

There was a bit of a technical back and forth before the discussion petered out. It's clear that something along the lines of Joel's idea would be useful to various people, although the exact scope and implementation seem to be completely up in the air.

Note: if you're mentioned above and want to post a response above the comment section, send a message with your response text to ljeditor@linuxjournal.com.

Kodi 18.2 Released, SuperTuxKart 1.0 Is Here, New Strawberry Music Player for Sparky Linux, Fedora 30 Upgrade Test Day on Friday and Netcraft’s April Web Server Survey

News briefs for April 23, 2019.

Kodi 18.2 was released yesterday. This release brings several bug fixes and implements a new issue template and an automated verification system in the GitHub issue tracker. In addition, the Kodi team has optimized database access speed and made many improvements for the Android platform. You can see the full Changelog here.

After 12 years in the making, SuperTuxKart 1.0 is here. This release adds support for networking races, so you can now play with others online instead of split-screen. It also has various new game modes, such as "normal race, time trial, soccer mode, battle mode and the new Capture-The-Flag mode". You can download the new release here.

A new music player and music collection organizer called Strawberry is now available for Sparky Linux users. Strawberry is a fork of Clementine, aimed at music collectors, audio enthusiasts and audiophiles. Jonas Kvinge is the project developer, and it's licensed under the GNU Public License v3.0. The Strawberry GitHub page is here.

Fedora 30 Upgrade Test Day is Friday, April 26, 2019. Fedora is asking for your help to make sure upgrades to Fedora 30 work perfectly. The testing will cover both a GNOME graphical upgrade and an upgrade using DNF. See the Wiki for more information on how to participate.

Netcraft's April 2019 Web Server Survey is now available. From the announcement: "nginx's market share of web-facing computers is now nearly 30%, and this is continuing to grow steadily closer to Apache's leading share of 37.3%. Microsoft and Apache lost shares in every headline metric this month, with both vendors contributing significantly to this month's overall loss of sites. Microsoft lost 18.9 million sites, while Apache lost 17.2 million, causing their shares to decrease by 1.01 and 0.87 percentage points. These changes have pushed nginx into the lead, giving it a 27.5% share of all sites in Netcraft's April 2019 Web Server Survey. Significantly, this is the first time since 1996 that a vendor other than Microsoft or Apache has served the largest number of websites."

The Purism Librem Key

Librem Key

The Librem Key is a new hardware token for improving Linux security by adding a physical authentication factor to booting, login and disk decryption on supported systems. It also has some features that make it a good general-purpose OpenPGP smart card. This article looks at how the Librem Key stacks up against other multi-factor tokens like the YubiKey 5 and also considers what makes the Librem Key a unique trusted-computing tool.

Purism is a new player in the security key and multi-factor authentication markets. With the introduction of the Librem Key, Purism joins the ranks of other players—such as Yubico, Google, RSA and so on—in providing hardware tokens for multi-factor authentication.

In addition, like the YubiKey 5 series, the Librem Key also provides OpenPGP support with cryptographic functions that take place securely on-key. This allows users to generate and use GnuPG public and private keys without exposing any secret key material to the host computer where the USB device is attached.

The Librem Key is based on the German-manufactured Nitrokey Pro 2, but it has been modified to focus on "trusted boot" when used with Purism's Linux laptops. (I take a closer look at what the trusted boot process is and how the Librem Key fits into that process, later in this article.)

Comparing the Librem Key to the YubiKey 5

There is certainly overlap between the features of the Librem Key and the YubiKey 5 series. Let's look at what they have in common before I go into what makes the Librem Key unique.

Table 1. Librem Key and YubiKey Feature Comparison

Feature Librem Key YubiKey 5
OpenPGP support yes yes
PAM support yes yes
PIV smart card no yes
HOTP support yes yes
TOTP support yes yes
Password management yes yes
PKCS#11 support yes yes
S/MIME support yes yes
X.509 support yes yes
FIDO U2F no yes
FIDO2 no yes
Hardware TRNG yes no
USB-A yes yes
USB-C no yes

As you can see from Table 1, the two devices are more alike than they are different. Both devices can be used for the following:

Sam Hartman Is the New Debian Project Leader, Google Cuts Pixel 3 Prices for Project Fi’s Birthday, Linux Kernel v5.1-rc6 Is Out, Kdenlive 19.04 Released and KMyMoney 5.0.4 Now Available

News briefs for April 22, 2019.

Congrats to Sam Hartman, new Debian Project Leader! You can read more details about the election here, and read Sam's DPL 2019 Platform here.

Google cuts Pixel 3 prices for Project Fi's birthday. Engadget reports that the Pixel 3 and Pixel 3XL will be 50% for today only, and the offer is available only to new and existing Google Fi customers, and the savings applies when you connect to the network.

Linux kernel v5.1-rc6 was released yesterday. Linus Torvalds writes: "It's Easter Sunday here, but I don't let little things like random major religious holidays interrupt my kernel development workflow. The occasional scuba trip? Sure. But everybody sitting around eating traditional foods? No. You have to have priorities. There's only so much memma you can eat even if your wife had to make it from scratch because nobody eats that stuff in the US. Anyway, rc6 is actually larger than I would have liked, which made me go back and look at history, and for some reason that's not all that unusual. We recently had similar rc6 bumps in both 4.18 and 5.0. So I'm not going to worry about it."

Kdenlive 19.04 was released today. From the release announcement: "more than 60% of the code base was changed with +144,000 lines of code added and +74,000 lines of code removed. This is our biggest release ever bringing new features, improved stability, greater speed and last but not least maintainability (making it easier to fix bugs and add new features)." Go here to download.

KMyMoney version 5.0.4 is now available. This release of the open-source personal finance manager brings updated documentation and some long-standing bug fixes. See the Changelog for all the details. Try the Appimage build for the latest and greatest version from the stable branch.

Kubernetes Identity Management: Authentication

You've deployed Kubernetes, but now how are you going to get it into the hands of your developers and admins securely?

Kubernetes has taken the world by storm. In just a few years, Kubernetes (aka k8s) has gone from an interesting project to a driver for technology and innovation. One of the easiest ways to illustrate this point is the difference in attendance in the two times KubeCon North America has been in Seattle. Two years ago, it was in a hotel with less than 20 vendor booths. This year, it was at the Seattle Convention Center with 8,000 attendees and more than 100 vendors!

Just as with any other complex system, k8s has its own security model and needs to interact with both users and other systems. In this article, I walk through the various authentication options and provide examples and implementation advice as to how you should manage access to your cluster.

What Does Identity Mean to Kubernetes?

The first thing to ask is "what is an identity?" in k8s. K8s is very different from most other systems and applications. It's a set of APIs. There's no "web interface" (I discuss the dashboard later in this article). There's no point to "log in". There is no "session" or "timeout". Every API request is unique and distinct, and it must contain everything k8s needs to authenticate and authorize the request.

That said, the main thing to remember about users in k8s is that they don't exist in any persistent state. You don't connect k8s to an LDAP directory or Active Directory. Every request must ASSERT an identity to k8s in one of multiple possible methods. I capitalize ASSERT because it will become important later. The key is to remember that k8s doesn't authenticate users; it validates assertions.

Service Accounts

Service accounts are where this rule bends a bit. It's true that k8s doesn't store information about users. It does store service accounts, which are not meant to represent people. They're meant to represent anything that isn't a person. Everything that interacts with something else in k8s runs as a service account. As an example, if you were to submit a very basic pod:

apiVersion: v1
kind: Pod
  name: myapp-pod
    app: myapp
  - name: myapp-container
    image: busybox
    command: ['sh', '-c', 'echo Hello Kubernetes!
     ↪&& sleep 3600']

And then look at it in k8s after deployment by running kubectl get pod myapp-pod -o yaml:

The Mozilla IoT Team Announces Mozilla WebThings, LibreOffice 6.2.3 Released, LabPlot 2.6 Now Available, OpenJDK 11 Is Now the Default in Ubuntu 18.04 LTS and 19.04, and Zend Framework Heads to The Linux Foundation as the Laminas Project

News briefs for April 19, 2019.

The Mozilla IoT team announces that its Project Things is moving on from its experimental phase and now will be known as Mozilla WebThings. The team's mission is to create a "Web of Things" implementation that helps "drive IoT standards for security, privacy and interoperability". Mozilla WebThings is "an open platform for monitoring and controlling devices over the web" and includes WebThings Gateway ("a software distribution for smart home gateways focused on privacy, security and interoperability") and WebThings Framework ("a collection of reusable software components to help developers build their own web things").

LibreOffice 6.2.3 was released yesterday. This version is the third bug- and regression-fix release of the 6.2 series, "targeted at tech-savvy individuals: early adopters, technology enthusiasts and power users". LibreOffice 6.2.3 includes more then 90 bug and regression fixes. See the changelog pages for RC1 and RC2 for all the details. You can download it from here.

LabPlot 2.6 was released today. This new version builds on the ability to create 2D Cartesian plots with other plot types and visualization techniques, such as the histogram. Another new feature is support for the MQTT protocol. See the Changelog for the full list of changes.

OpenJDK 11 is now the default Java package in Ubuntu 18.04 LTS and also will be the default for Ubuntu 19.04. This version is newest LTS version of the open-source implementation of the Java Platform, Standard Edition (Java SE), and "it incorporates key security improvements, including an update to the latest Transport Layer Security (TLS) version, TLS 1.3, and the implementation of ChaCha20-Poly1305 cryptographic algorithms, a new stream cipher that can replace the less secure RC4."

Zend Framework is heading to The Linux Foundation and will be called the Laminas Project. Enterprise Apps Today reports that the move is "to help grow the base of contributors and adopters. Zend Framework was led by Zend and it didn't easily allow others to easily contribute. It's a situation that led to multiple other PHP efforts to emerge, like Symphony among others, which have arguable eclipsed Zend Framework in usage and importance over the past decade". The article quotes the Laminas project page: "Laminas is the plural of lamina, meaning a thin layer. We feel it succinctly summarizes the goals of the project in many ways: Components you can compose or layer into any application; Middleware architectures are often termed layered."

FOSS Project Spotlight: Drupal


Drupal is a content management framework, and it's used to make many of the websites and applications you use every day. Drupal has great standard features, easy content authoring, reliable performance and excellent security. What sets Drupal apart is its flexibility; modularity is one of its core principles. Its tools help you build the versatile, structured content that ambitious web experiences need. With Drupal, you can build almost any integrated experience you can imagine.

Drupal Is for Ambitious Digital Experiences

Dries Buytaert, founder of the project, provides the vision for Drupal. Managing content for ambitious projects that aim to transform digital experiences for their organizations is what Drupal does best. Drupal goes beyond browser-based websites and reaches all digital platforms to provide a flexible, robust and innovative experience.

How to Get Started

Figure 1. Umami Magazine Demo in Drupal Core

What's in Drupal Core

The base Drupal download, known as Drupal Core, contains the PHP scripts needed to run the basic content management functionality, several optional modules and themes, and many JavaScript, CSS and image assets.

Drupal 8's core platform has more than 200 features built in. For an up-to-date list of features, see Drupal.com.

Drupal 8.6.0 was the most significant update to Drupal 8. Expect Drupal 9 to release in June 2020, and if you're already using Drupal, it is expected to be the easiest major version upgrade yet. For the most current information on Drupal's latest version, visit Drupal.org.

Ubuntu 19.04 «Disco Dingo» Released, Eclipse Foundation’s 2019 IoT Developer Survey Results, OpenSSH 8.0 Now Available, digiKam 6.1.0 Is Out and Three New openSUSE Tumbleweeds Released

News briefs for April 18, 2019.

Canonical this morning announced the release of Ubuntu 19.04 "Disco Dingo". According to the press release, Ubuntu 19.04 is "on open infrastructure deployments, the developer desktop, IoT, and cloud to edge software distribution". Of the release, Canonical CEO Mark Shuttleworth says, "The open-source-first on Ubuntu movement in telco, finance, and media has spread to other sectors. From the public cloud to the private data center to the edge appliance or cluster, open source has become the reference for efficiency and innovation. Ubuntu 19.04 includes the leading projects to underpin that transition, and the developer tooling to accelerate the applications for those domains". You can download Ubuntu 19.04 from here.

The Eclipse Foundation yesterday released its 2019 IoT Developer Survey. More than 1,700 developers participated in the survey about their IoT efforts. Some results: "IoT Cloud Platforms (34%), Home Automation (27%), and Industrial Automation / IIoT (26%) were the respondents' three most common industry focus areas", and "The top three CPU architectures for constrained devices used by respondents were ARM-based, with significant use of niche 8-bit, 16-bit and 32-bit MCUs." You can read the full survey results here.

OpenSSH 8.0 was released yesterday. You can get it from the mirrors here. The release has several new features and fixes a weakness with scp: "when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request."

digiKam 6.1.0 was released this week with several new features and fixes. It includes a new plugins interface called "DPlugins", and two new plugins: a plugin to copy items to local storage and a plugin to set an image as Linux desktop wallpaper. Go here for download links.

Three new openSUSE Tumbleweed snapshots were released recently with updated packages for Curl, Salt, FFmpeg and more. The 20190412 snapshot updated Ceph and added fixes for Azure. In addition, the 20190415 snapshot included Mozilla Firefox version 66.0.3, and the 20190411 snapshot brought the 5.0.7 Linux kernel.

Back in the Day: UNIX, Minix and Linux

Columnist Dave Taylor reminisces about the early days of UNIX and how Linux evolved and grew from that seed.

Twenty five years of Linux Journal. This also marks my 161st column with the magazine too, which means I've been a part of this publication for almost 14 years. Where does the time go?

In honor of the historical significance of this issue, I wanted to share some of my memories of the very early days of UNIX, Minix and Linux. If you're a regular reader of my column, you'll recall that I'm in the middle of developing a mail merge Bash utility, but that'll just have to wait until next time. I promise, the shell ain't going anywhere in the meantime!

Back in the Day

I first stepped foot on campus at UC San Diego in late 1980, a declared computer science major. At that point, a lot of our compsci program was based on USCD Pascal on Apple II systems. I still have fond memories of floppy drives and those dorky, pixelated—but oh so fun!—Apple II games we'd play during lab time.

For more serious classes, however, we had some big iron—a mainframe with accounts and remote computer lab terminals set up in designated rooms. The operating system on those systems? UNIX—an early version of BSD UNIX is my guess. It had networking using a modem-to-modem connection called UNIX-to-UNIX Copy Protocol, or UUCP. If you wanted to send email to someone, you used addresses where it was:

unique-hostname ! unique-hostname ! account

I don't remember my UCSD email address, but some years later, I was part of the admin team on the major UUCP hub hplabs, and my email address was simply hplabs!taylor.

Somewhere along the way, networking leaped forward with TCP/IP (we had TCP/IP "Bake Offs" to test interoperability). Once we had many-to-many connectivity, it was clear that the "bang" notation was unusable and unnecessarily complicated. We didn't want to worry about routing, just destination. Enter the "@" sign. I became taylor@hplabs.com.

Meanwhile, UNIX kept growing, and the X Window System from MIT gained popularity as a UI layer atop the UNIX command line. In fact, X is a public domain implementation of the windowing system my colleagues and I first saw at the Xerox Palo Alto Research Center. PARC had computers where multiple programs were on the screen simultaneously in "windows", and there was a pointer device used to control them—so cool. Doug Englebart was inspired too; he went back to Stanford Research Institute and invented the mouse to make control of those windows easier. At Apple, they also saw what was being created at PARC and were inspired to create the Macintosh with all its windowing goodness.