FLOSS Project Planets

Session notes/research for Linux Unplugged 63

Planet KDE - Wed, 2014-10-22 00:56

Interview today for Linux Unplugged 63 which was fun! However we never discussed Kubuntu, which I understood was the subject. I had gotten together facts and links in case they were needed, so I thought I would post them in case anybody needs the information.
* Created and supported by community: http://www.kubuntu.org/support
* Professional support for users: http://kubuntu.emerge-open.com/buy
* Support by Blue Systems to some developers & projects: http://www.blue-systems.com/ http://www.blue-systems.com/projects/
* Infrastructure support by Ubuntu, KDE, Blue Systems and Debian
* Governance: Kubuntu Council https://launchpad.net/~kubuntu-council
* How to contact us: kubuntu.org, freenode irc: #kubuntu (-devel), kubuntu-user list, kubuntu-devel list, kubuntuforum
  - http://kubuntu.org
  - http://webchat.freenode.net/
  - https://lists.ubuntu.com/mailman/listinfo/kubuntu-users
  - https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel
  - https://www.kubuntuforums.net
  - Documentation on KDE userbase: http://userbase.kde.org/Kubuntu
  - Kubuntu in the news: http://wire.kubuntu.org/
* our "upstream" KDE is also making big changes, starting by splitting kdelibs into the Frameworks, and basing them on Qt5
  - that work is largely done, although of course each library is being improved as time goes along. Releases monthly.
  - We're writing a KDE Frameworks book; more about that at books.kde.org
  - Developers: apidox at api.kde.org
* KDE has now released Plasma 5, based on those new frameworks
  - that is nearly done, and 5.1 was released 15 Oct. https://www.kde.org/announcements/plasma-5.1/
  - lots of excitement around that, because it looks and works really elegant, smooth and modern
  - Riddell: 14.12 release of KDE Applications will be in December with a mix of Qt 4 and Qt 5 apps, they should both work equally well on your Plasma 4 or 5 desktop and look the same with the classic Oxygen or lovely new Breeze themes
* so our upstream is up to lots of new wonderful stuff, including using CI too (CI: continuous integration with automated testing)
* meanwhile, bugfixes continue on KDE4: https://www.kde.org/announcements/announce-4.14.2.php
* Our base for 14.10 (codename Utopic Unicorn) is that stable KDE platform.
* At the same time, we are releasing weekly ISOs of Plasma 5, to make it easy for people to test
  - http://apachelog.wordpress.com/2014/10/17/plasma-5-weekly-iso-revisited/
  - Riddell: We're releasing a tech preview of Kubuntu Plasma 5 as part of 14.10 for people to test. I'm using it daily and it's working great but expect testers to be competent enough to check for and report beasties
* we're following along to KDE's CI effort, and doing that with our packages
  - see #kubuntu-ci IRC channel for the reports as they are generated
  - Riddell: gory details at http://kci.pangea.pub/
  - packages built constantly to check for any updates that need changed
* Our new packaging is now in Debian git, so we can share packaging work
  - as time goes on, all our packaging files will be there
  - tooling such as packaging scripts are being updated
  - Debian and Kubuntu packagers will both save time which they can use to improve quality
* moving from LightDM to SDDM (Simple Desktop Display Manager), KDE/Qt default graphical login program
* moving to systemd replacing upstart along with Debian and Ubuntu at some point in the future
* moving to Wayland when it is ready along with KDE (Kwin); now on xorg windowing system. We do not plan to use Ubuntu's Mir
* Testing until release (please!) on the 23rd:
  - http://iso.qa.ubuntu.com/qatracker/milestones/325/builds/82050/testcases
  - http://iso.qa.ubuntu.com/qatracker/milestones/325/builds/82052/testcases
* Testing Plasma 5:
  - http://apachelog.wordpress.com/2014/10/17/plasma-5-weekly-iso-revisited/ (fresh install)
  - https://community.kde.org/Plasma/Packages#Kubuntu (upgrading)
* Another way we stay close to KDE is that since Ubuntu stopped inviting community members to participate in face-to-face meetings, we have a Kubuntu Day with Akademy, KDE's annual meeting. Thanks to the Ubuntu Contributors who paid the travel costs for some of us to attend
Qt Free: http://qt-project.org/wiki/The_Qt_Governance_Model
--Thanks to Jonathan Riddell for his clarifications and corrections

Categories: FLOSS Project Planets

Russ Allbery: Another haul post

Planet Debian - Tue, 2014-10-21 22:44

I know I've been very quiet here lately. That's due to a variety of reasons, but mostly because settling in to a new job is taking nearly all of my attention and time. When that's combined with getting obsessed with watching the League of Legends world championships, it means no real time for writing things.

I've had lots of time for reading things, though, and have a lot of book reviews that I need to write. So, of course, I felt like buying more books.

Elizabeth Bear — One-Eyed Jack (sff)
Steven Brust — Hawk (sff)
Kenneth T. Jackson — Crabgrass Frontier (non-fiction)
Ann Leckie — Ancillary Sword (sff)
Scott Lynch — Republic of Thieves (sff)
Randall Munroe — What If? (non-fiction)
Sarah Tolmie — The Stone Boatmen (sff)
Jeffrey Toobin — The Oath (non-fiction)

I'm pretty excited about everything in this shipment, but particularly the new Vlad Taltos novel from Brust and the sequel to Ancillary Justice (probably the best novel that I've read so far this year). And of course there's What If?.


Bevan Rudge: Your Drupal website's backdoor

Planet Drupal - Tue, 2014-10-21 21:09

I estimate hundreds of thousands of Drupal websites now have backdoors; between ten and fifty percent of all Drupal websites. Automated Drupageddon exploits were in the wild within hours of the announcement. Updating or patching Drupal does not fix backdoors that attackers installed before updating or patching Drupal. Backdoors give attackers admin access and allow arbitrary PHP execution.


Junichi Uekawa: Migrating my diary system to some new server.

Planet Debian - Tue, 2014-10-21 19:31
Migrating my diary system to some new server. I took the chance to migrate my system from CVS-based system to Git-based system. It no longer relies on a chain of CVS commit hooks, and now I have a makefile to publish. I also took the chance to rewrite my 15 year old elisp so that I can use UTF-8 instead of a mix of ISO-2022-JP and EUC-JP. Dusting off some old code. No test exists, what could go wrong!


Justin Mason: Links for 2014-10-21

Planet Apache - Tue, 2014-10-21 18:58
  • BioBrick

    Holy shit we are living in the future.

    BioBrick parts are DNA sequences which conform to a restriction-enzyme assembly standard.[1][2] These Lego-like building blocks are used to design and assemble synthetic biological circuits, which would then be incorporated into living cells such as Escherichia coli cells to construct new biological systems.[3] Examples of BioBrick parts include promoters, ribosomal binding sites (RBS), coding sequences and terminators. (via Soren)

    (tags: via:sorenrags biobricks fabrication organisms artificial-life biology e-coli genetic-engineering)

  • Is Docker ready for production? Feedbacks of a 2 weeks hands on

    I have to agree with this assessment — there are a lot of loose ends still for production use of Docker in a SOA stack environment:

    From my point of view, Docker is probably the best thing I’ve seen in ages to automate a build. It allows to pre build and reuse shared dependencies, ensuring they’re up to date and reducing your build time. It avoids you to either pollute your Jenkins environment or boot a costly and slow Virtualbox virtual machine using Vagrant. But I don’t feel like it’s production ready in a complex environment, because it adds too much complexity. And I’m not even sure that’s what it was designed for.

    (tags: docker complexity devops ops production deployment soa web-services provisioning networking logging)


Mike Driscoll: Logging Currently Running Processes with Python

Planet Python - Tue, 2014-10-21 17:15

I was looking through some of my old code and noticed this old script where I was creating a log of all running processes every 5 minutes. I believe I originally wrote the code to help me diagnose rogue processes that were eating memory or pegging the CPU. I was using the psutil project to get the information I needed, so if you’d like to follow along you will need to download and install it as well.

Here’s the code:

import os
import time

import psutil


def create_process_logs(log_path):
    """
    Create a log of all the currently running processes
    """
    # Create the log directory if it does not exist yet
    if not os.path.exists(log_path):
        os.makedirs(log_path)

    separator = "-" * 80
    col_format = "%7s %7s %12s %12s %30s"
    data_format = "%7.4f %7.2f %12s %12s %30s"
    while True:
        rows = []
        # process_iter() replaces get_process_list(), removed in psutil 2.0
        for proc in psutil.process_iter():
            try:
                # interval=0.1 matches the default of the old get_cpu_percent()
                cpu_percent = proc.cpu_percent(interval=0.1)
                mem_percent = proc.memory_percent()
                mem = proc.memory_info()
                rows.append((cpu_percent, mem_percent,
                             str(mem.vms), str(mem.rss), proc.name()))
            except (psutil.NoSuchProcess, psutil.AccessDenied):
                # The process exited or is not readable by this user
                continue
        # Sort the collected rows by process name
        rows.sort(key=lambda row: row[4])

        log_file = os.path.join(log_path, "procLog%i.log" % int(time.time()))
        with open(log_file, "w") as f:
            f.write(separator + "\n")
            f.write(time.ctime() + "\n")
            f.write(col_format % ("%CPU", "%MEM", "VMS", "RSS", "NAME"))
            f.write("\n")
            for row in rows:
                f.write(data_format % row)
                f.write("\n\n")
        print("Finished log update!")
        time.sleep(300)
        print("writing new log data!")


if __name__ == "__main__":
    log_path = r"c:\users\USERNAME\documents"
    create_process_logs(log_path)

Let’s break this down a bit. Here we pass in a log path, check if it exists and create it if it does not. Next we set up a few variables that contain formatting for the log file. Then we start an infinite loop that uses psutil to get all the currently running processes. We also sort the processes by name. Next, we open up a uniquely named log file and we write out each process’s CPU and memory usage along with its VMS, RSS and name of the executable. Then we close the file and wait 5 minutes before doing it all over again.

In retrospect, it would probably have been better to write this information to a database like SQLite so that the data could be searched and graphed. In the meantime, hopefully you will find some useful tidbits in here that you can use for your own project.
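The SQLite variant suggested above, as an added example that is not part of the original post: each snapshot is stored as rows in one table, and a query then picks out processes whose RSS grew between their first and last sample. The table name `proc_sample`, the function names and the two sample snapshots are assumptions constructed for this illustration.

```python
import sqlite3
import time

# Constructed sample data: (timestamp, [(pid, name, cpu%, mem%, rss, vms), ...])
SAMPLE_SNAPSHOTS = [
    (1413900000, [(101, "httpd", 1.0, 0.5, 50000000, 200000000),
                  (202, "leaky", 3.0, 1.0, 100000000, 300000000)]),
    (1413900300, [(101, "httpd", 1.2, 0.5, 51000000, 200000000),
                  (202, "leaky", 3.5, 4.0, 400000000, 700000000)]),
]


def open_db(path=":memory:"):
    """Open (or create) the snapshot database. The schema is an assumption."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS proc_sample (
               ts          INTEGER NOT NULL,
               pid         INTEGER NOT NULL,
               name        TEXT    NOT NULL,
               cpu_percent REAL,
               mem_percent REAL,
               rss         INTEGER,
               vms         INTEGER,
               PRIMARY KEY (ts, pid))"""
    )
    return conn


def collect_rows():
    """Sample every readable process with psutil. The import is local so the
    storage and query functions below also work where psutil is missing."""
    import psutil

    rows = []
    for proc in psutil.process_iter():
        try:
            mem = proc.memory_info()
            rows.append((proc.pid, proc.name(), proc.cpu_percent(),
                         proc.memory_percent(), mem.rss, mem.vms))
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            continue
    return rows


def store_snapshot(conn, rows, ts=None):
    """Insert one snapshot; rows are (pid, name, cpu%, mem%, rss, vms)."""
    ts = int(time.time()) if ts is None else ts
    with conn:  # one transaction per snapshot
        conn.executemany(
            "INSERT INTO proc_sample VALUES (?, ?, ?, ?, ?, ?, ?)",
            [(ts,) + tuple(row) for row in rows],
        )
    return ts


def rss_growth(conn, min_growth_bytes):
    """Return (pid, name, first_rss, last_rss) for every process whose RSS
    grew by at least min_growth_bytes between its first and last sample.
    Matching on pid and name reduces false hits from PID reuse."""
    query = """
        SELECT f.pid, f.name, f.rss, l.rss
        FROM proc_sample AS f
        JOIN proc_sample AS l ON l.pid = f.pid AND l.name = f.name
        WHERE f.ts = (SELECT MIN(s.ts) FROM proc_sample AS s
                      WHERE s.pid = f.pid AND s.name = f.name)
          AND l.ts = (SELECT MAX(s.ts) FROM proc_sample AS s
                      WHERE s.pid = f.pid AND s.name = f.name)
          AND l.rss - f.rss >= ?
        ORDER BY l.rss - f.rss DESC
    """
    return conn.execute(query, (min_growth_bytes,)).fetchall()


def demo():
    """Load the constructed snapshots and report processes that grew >= 100 MiB."""
    conn = open_db()
    for ts, rows in SAMPLE_SNAPSHOTS:
        store_snapshot(conn, rows, ts)
    return rss_growth(conn, 100 * 1024 * 1024)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

In the logging loop, `store_snapshot(conn, collect_rows())` would take the place of writing a new text file every five minutes.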


Aten Design Group: Automating Drupal Configuration

Planet Drupal - Tue, 2014-10-21 16:42

Last month at the Central Denver Drupal meeting, Nick Switzer from Elevated Third showed how they are using a structured spreadsheet format for describing their Drupal configuration in a way that makes it easy to build. They based their spreadsheet format on a template Palantir published a while ago, and someone mentioned Lullabot has been using something similar. This looked to me a lot like what we were doing at Aten, even though we had missed the de facto standard that was developing. We are now using that de facto standard.

This was particularly interesting to me because I've been doing a lot of work lately around declarative interfaces and standardized Drupal configuration. Spreadsheets are declarative and CINC has a working YAML import, so when we got to the question and answer portion of the presentation, I knew exactly what I wanted to ask: "Why are we still building Drupal sites manually when these spreadsheets contain everything we would need to automate it?"

No one offered a reason not to automate this process, so I volunteered to present at this month's meeting and show an automated process that did not yet exist. I have since built that process. It still needs a lot more testing and bug fixes, but it's already a compelling alternative to the traditional Drupal site building process.

Sheet2Module

Sheet2Module takes a Google spreadsheet and produces a Drupal module that will create the configuration described therein. The exported modules use YAML files for configuration, which works natively in Drupal 8, and works in Drupal 7 with the CINC YAML submodule. With a standard spreadsheet format, Sheet2Module, and CINC YAML, you can build a reasonably complex Drupal site configuration in a few minutes. The process looks like this:

  1. Describe your Drupal configuration in a Google spreadsheet.
  2. Use Sheet2Module to auto-generate a module from that spreadsheet.
  3. Enable that module to auto-generate your Drupal configuration.
  4. (Optional) Spend the hours you would otherwise spend on Drupal configuration helping improve this process.

Both Sheet2Module and CINC YAML almost certainly have bugs, as they've had very limited testing. Both are open source (CINC on Drupal.org, Sheet2Module on GitHub), and patches and pull requests will be met with enthusiastic appreciation. Beyond my appreciation, I'm convinced custom-tailored interfaces like this are the future of Drupal configuration, and you have a lot to gain from helping shape that future.

Outside code contributions, simply trying out the process and giving feedback is very useful, and a good way to make sure this works for your own workflow. Even the incomplete current solution will likely save you hours on your next Drupal build, and you can still manually add any configuration that doesn't work automatically. So you have nothing to lose and hours to gain by trying it out.

Drupal Spreadsheet Standard

I suspect there are more than a few shops already using a similar spreadsheet format to describe Drupal configuration, so before we go too far down the path of building tools around this format, we should turn this into a real, documented community standard. To that end, I've started creating a Drupal Configuration Spreadsheet Standard on GitHub. If you're already using spreadsheets to describe your Drupal configuration, take a look at the documentation and contribute your own format improvements to the wider community. If you're just getting started using spreadsheets to describe your Drupal configuration, this is a good place to start.

Own Your Process

Even if you're not using spreadsheets to describe Drupal configuration, it's worth taking a look at this automation for ideas on how you can improve your own process. I've mentioned before that the declarative format for Drupal configuration adopted in Drupal 8 (and available in Drupal 7 with CINC) allows us all to customize our workflows. I'm going to keep mentioning it until this becomes common enough in the Drupal community that it's boring to mention. But for now, this is still a new and exciting space to be working in, and you should join the fun.


gnuzilla @ Savannah: GNU IceCat 31.2.0 released

GNU Planet! - Tue, 2014-10-21 15:06

GNUzilla is the GNU version of the Mozilla suite, and GNU IceCat is the
GNU version of the Firefox browser. Its main advantage is an ethical
one: it is entirely free software. While the Firefox source code from
the Mozilla project is free software, they distribute and recommend
non-free software as plug-ins and addons. Also their trademark license
restricts distribution in several ways incompatible with freedom 0.
https://www.gnu.org/software/gnuzilla/

Source tarballs, binaries for generic GNU/Linux systems and translations
are available at http://ftp.gnu.org/gnu/gnuzilla/31.2.0/
New gpg key ID:D7E04784 GNU IceCat releases
Fingerprint: A573 69A8 BABC 2542 B5A0 368C 3C76 EED7 D7E0 4784

This is a new iteration of the IceCat project, based on new build
scripts and with an extra focus on privacy.
The new maintainer is Ruben Rodriguez.

IceCat will continue to stick to the ESR (Extended Support Release)
cycle (https://www.mozilla.org/en-US/firefox/organizations/faq/) because
it provides security updates over a stable base. That will also allow
porting privacy features from TorBrowser, which is now following v31ESR.

== Changes since v24 ==

  • Javascript can be disabled through the configuration interface.
  • Third party cookies are disabled.
  • Referrers are spoofed (to the same server where the file lives).
  • The user is not asked to install plugins (such as flash or java).
  • Only free software gets offered by IceCat.
  • Installed plugins (flash, java) require per-site activation.
  • DuckDuckGo as default search engine, through https and without JS.
  • DoNotTrack header enabled.
  • Reporting features disabled (avoids sending data to Mozilla's partners about crashes or security related events).
  • Disabled "Social API" that brings integration with Facebook.
  • Disabled "Safe browsing", which asks Google if websites are safe before browsing them.

  • Disabled access to the clipboard from JS.
  • Don't recommend online services for IRC.

Preinstalled add-ons:

  • LibreJS 6.0.1 checks for the freedom of the javascript you run
  • HttpsEverywhere 4.0.2 redirects requests through https when possible.
  • Spyblock, custom made and based on AdblockPlus, provides:
    - A blacklist of trackers that is used in any browsing mode. Self-served, privacy-friendly advertising is preserved.
    - A filter for all third-party requests while in private browsing.
    - A filter for javascript data retrieval while in private browsing.
    - Autoupdate for filter lists is optional.
  • A custom homepage lists this and other features with links to documentation and the possibility to disable them quickly if needed.

Fingerprinting:

  • Spoofing the useragent to:
    - Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
  • Fonts can be listed with these methods:
    - Plugins like java or flash: these are disabled by default in IceCat, requiring the user to enable them on a per-site basis. Also Gnash doesn't work for fingerprinting.
    - JS probing: the custom homepage allows disabling custom fonts.
  • Plugins: IceCat no longer discloses the list of installed plugins.
  • Extra spoofing: appname, appversion, buildID, oscpu and platform.
  • Request pages in English by default.

To Do:

  • Add the needed documentation at libreplanet (volunteers welcome!):
    - http://libreplanet.org/wiki/Group:IceCat/
    - http://libreplanet.org/wiki/Group:IceCat/icecat-help
    - http://libreplanet.org/wiki/Group:IceCat/Tour
    - http://libreplanet.org/wiki/Group:IceCat/keyboard-shortcuts

  • Incorporate patches from TorBrowser 4.0
  • Build binaries for Windows and MacOS

PyPy Development: PyPy3 2.4.0 released

Planet Python - Tue, 2014-10-21 14:02
We're pleased to announce the availability of PyPy3 2.4.0!

This release contains several bugfixes and enhancements. Among the user-facing improvements specific to PyPy3:
  • Better Windows compatibility, e.g. the nt module functions _getfinalpathname & _getfileinformation are now supported (the former is required for the popular pathlib library for example)
  • Various fsencode PEP 383 related fixes to the posix module (readlink, uname, ttyname and ctermid) and improved locale handling
  • Switched the default binary name on POSIX distributions from 'pypy' to 'pypy3' (which symlinks to 'pypy3.2')
  • Fixed a couple different crashes related to parsing Python 3 source code

And improvements shared with the recent PyPy 2.4.0 release:
  • internal refactoring in string and GIL handling which led to significant speedups
  • improved handling of multiple objects (like sockets) in long-running programs. They are collected and released more efficiently, reducing memory use. In simpler terms - we closed what looked like a memory leak
  • Windows builds now link statically to zlib, expat, bzip, and openssl-1.0.1i
  • Many issues were resolved since the 2.3.1 release in June

You can download PyPy3 2.4.0 here http://pypy.org/download.html.

PyPy is a very compliant Python interpreter, almost a drop-in replacement for CPython 2.7 and 3.2.5. It's fast (pypy 2.4 and cpython 2.7.x performance comparison) due to its integrated tracing JIT compiler.

This release supports x86 machines running Linux 32/64, Mac OS X 64, Windows, and OpenBSD, as well as newer ARM hardware (ARMv6 or ARMv7, with VFPv3) running Linux. 
We would like to thank our donors for the continued support of the PyPy project.

The complete release notice is here.

Please try it out and let us know what you think. We especially welcome success stories, please tell us about how it has helped you!

Cheers, The PyPy Team


Creative Juices: 27 Questions (and Answers) from My First Drupal 8 Site Build

Planet Drupal - Tue, 2014-10-21 12:10

I recently built my first site with Drupal 8, off of the public beta. It was a great experience. I kept a list of questions as I worked, and wrote down the answers when I found them.

matt Tue, 10/21/2014 - 13:10

Code Karate: Drush Cheat Sheet

Planet Drupal - Tue, 2014-10-21 10:42

As developers we always are looking for ways to become more efficient. After all, time is money.


blog.studio.gd: Inline Entity Display

Planet Drupal - Tue, 2014-10-21 10:31

At Studio.gd we love the Drupal ecosystem and it became very important to us to give back and participate.
Today we're proud to announce a new module that we hope will help you!

Inline Entity Display module will help you handle the display of referenced entity fields directly in the parent entity.
For example, if you reference a "Tags" taxonomy from an Article node, you will be able to display the tags' fields directly in the article's manage display form. It can become very useful with more complex referenced entities such as field collections.

VIEW THE MODULE: https://www.drupal.org/project/inline_entity_display



Features

- You can control, for each compatible reference field instance, whether the fields from the referenced entities are available as extra fields. Disabled by default.

- You can manage the visibility of the referenced entities' fields on the manage display form. Hidden by default.

- View modes are added to represent this context and to manage custom display settings for the referenced entities' fields in this context: {entity_type}_{view_mode}. Example: "Node: Teaser" is used to render the referenced entities' fields when you reference an entity from a node and view that node as a teaser. If there are no custom settings for this view mode, fields are rendered using the default view mode settings.

- Extra data attributes are added on the default fields markup, so the field of the same entity can be identified.

Compatible with Field group on manage display form.

Compatible with Display Suite layouts on manage display form.


Requirements

- Entity API
- One of the compatible reference field modules.


Tutorials

simplytest.me/project/inline_entity_display/7.x-1.x
The simplytest.me install of this module will come automatically with these modules: entity_reference, field_collection, field_group, display suite.



We are currently developing a similar module for Drupal 8, but more powerful and more flexible. Stay tuned!


Blink Reaction: Blog and ebook Series; Responsive Content and Design

Planet Drupal - Tue, 2014-10-21 10:23

Blink Reaction's Director of IT, Kenny Silanskas takes a look at why content is crucial when it comes to creating responsive design. Here Kenny breaks it down with a few easy sports analogies.


Adrian Sutton: So you want to write a bash script…

Planet Apache - Tue, 2014-10-21 09:43

Before writing any even half serious bash script, stop and read:

Any other particularly good articles on writing reliable bash scripts that should be added to this list?


DebConf team: DebConf15 dates are set, come and join us! (Posted by DebConf15 team)

Planet Debian - Tue, 2014-10-21 09:30

At DebConf14 in Portland, Oregon, USA, next year’s DebConf team presented their conference plans and announced the conference dates: DebConf15 will take place from 15 to 22 August 2015 in Heidelberg, Germany. On the Open Weekend on 15/16 August, we invite members of the public to participate in our wide offering of content and events, before we dive into the more technical part of the conference during the following week. DebConf15 will also be preceded by DebCamp, a time and place for teams to gather for intensive collaboration.

A set of slides from a quick show-case during the DebConf14 closing ceremony provide a quick overview of what you can expect next year. For more in-depth information, we invite you to watch the video recording of the full session, in which the team provides detailed information on the preparations so far, location and transportation to the venue at Heidelberg, the different rooms and areas at the Youth Hostel (for accommodation, hacking, talks, and social activities), details about the infrastructure that are being worked on, and the plans around the conference schedule.

We invite everyone to join us in organising this conference. There are different areas where your help could be very valuable, and we are always looking forward to your ideas. Have a look at our wiki page, join our IRC channels and subscribe to our mailing lists.

We are also contacting potential sponsors from all around the globe. If you know any organisation that could be interested, please consider handing them our sponsorship brochure or contact the fundraising team with any leads.

Let’s work together, as every year, on making the best DebConf ever!


Colm O hEigeartaigh: Kerberos Credential Delegation support in Apache CXF

Planet Apache - Tue, 2014-10-21 08:25
Apache CXF provides full support for integrating Kerberos with JAX-WS and JAX-RS services. A previous tutorial (here and here) described how to set up Kerberos with WS-Security in CXF, where the client obtains a Kerberos service ticket and encodes it in the security header of the request, and where it is validated in turn by the service. In this post we will discuss support for kerberos credential delegation for JAX-WS clients and services in Apache CXF. For more information on using kerberos with JAX-RS please consult the CXF documentation.

1) Kerberos Client Configuration

CXF provides a number of JAX-WS properties that can be used to configure Kerberos on the client side (documented here under "Kerberos Configuration Tags"). Essentially there are two different ways of doing it. The client must explicitly allow kerberos credential delegation by setting a property.

1.1) Create and configure a KerberosClient Object directly

The KerberosClient in the CXF WS-Security runtime module is used to retrieve a kerberos ticket. It can be configured by setting various properties and then referenced via the JAX-WS property:
  • ws-security.kerberos.client - A reference to the KerberosClient class used to obtain a service ticket.
The "requestCredentialDelegation" property of the KerberosClient must be set to "true" to allow credential delegation. Here is an example in Spring:

<bean class="org.apache.cxf.ws.security.kerberos.KerberosClient" id="kerberosClient">
        <constructor-arg ref="cxf"/>
        <property name="contextName" value="bob"/>
        <property name="serviceName" value="bob@service.ws.apache.org"/>
        <property name="requestCredentialDelegation" value="true"/>
</bean>

<jaxws:client name="{service}port" createdFromAPI="true">
        <jaxws:properties>
            <entry key="ws-security.kerberos.client" value-ref="kerberosClient"/>
        </jaxws:properties>
</jaxws:client>

1.2) Use JAX-WS properties to configure Kerberos

Rather than use the KerberosClient above, it is possible to configure Kerberos via JAX-WS properties:
  • ws-security.kerberos.jaas.context - The JAAS Context name to use for Kerberos.
  • ws-security.kerberos.spn - The Kerberos Service Provider Name (spn) to use.
  • ws-security.kerberos.is.username.in.servicename.form - Whether the Kerberos username is in servicename form or not.
  • ws-security.kerberos.use.credential.delegation - Whether to use credential delegation or not in the KerberosClient.
  • ws-security.kerberos.request.credential.delegation - Whether to request credential delegation or not in the KerberosClient.
The latter property must be set to "true" on the client side to allow kerberos credential delegation.

2) Kerberos Service Configuration

A JAX-WS service validates a kerberos ticket received in the security header of a request via a KerberosTokenValidator. Here is an example:

<bean id="kerberosValidator"
           class="org.apache.wss4j.dom.validate.KerberosTokenValidator">
        <property name="contextName" value="bob"/>
        <property name="serviceName" value="bob@service.ws.apache.org"/>
</bean>
<jaxws:endpoint ...>
        <jaxws:properties>
            <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
        </jaxws:properties>
</jaxws:endpoint>
   
3) Using Kerberos Credential Delegation

After a service has validated a kerberos token sent by the client, it can obtain another kerberos token "on behalf of" the client, assuming the client enabled credential delegation in the first place. To use the client credential for delegation the "useDelegatedCredential" property of the KerberosClient must be set to "true" (see here), or else the JAX-WS property "ws-security.kerberos.use.credential.delegation" must be set to "true" if not configuring Kerberos via the KerberosClient Object.

To see a concrete use-case for this functionality, take a look at the KerberosDelegationTokenTest in the CXF STS advanced systests. Here we have a backend service which requires a SAML Token issued by an STS. However, the clients only know how to obtain a Kerberos token. So we have an intermediary service which requires a Kerberos token. The clients enable credential delegation and send a ticket to the Intermediary. The Intermediary validates the ticket, then uses it to obtain a Kerberos token "OnBehalfOf" the client, which in turn is used to authenticate to the STS and retrieve a SAML Token, which is then forwarded on to the backend service.

Drupalize.Me: Including Image Styles With Your Drupal 8 Theme

Planet Drupal - Tue, 2014-10-21 08:21

One of many new features in Drupal 8, made possible by the configuration management system, is the ability to add a default image style to your theme, instead of needing to use a module in tandem with your theme, or creating the image style by hand. Here's a look at working with this new feature in Drupal 8.


Lucas Nussbaum: Tentative summary of the amendments of the init system coupling GR

Planet Debian - Tue, 2014-10-21 08:07

This is an update of my previous attempt at summarizing this discussion. As I proposed one of the amendments, you should not blindly trust me, of course. :-)

First, let’s address two FAQ:

What is the impact on jessie?
On the technical level, none. The current state of jessie already matches what is expected by all proposals. It’s a different story on the social level.

Why are we voting now, then?
Ian Jackson, who submitted the original proposal, explained his motivation in this mail.

We now have four different proposals: (summaries are mine)

  • [iwj] Original proposal (Ian Jackson): Packages may not (in general) require one specific init system (Choice 1 on this page)
  • [lucas] Amendment A (Lucas Nussbaum): support for alternative init systems is desirable but not mandatory (Choice 2 on this page)
  • [dktrkranz] Amendment B (Luca Falavigna): Packages may require a specific init system (Choice 3 on this page)
  • [plessy] Amendment C (Charles Plessy): No GR, please; already resolved (Choice 4 on this page)

[plessy] is the simplest, and does not discuss the questions that the other proposals are answering, given it considers that they already have been resolved (even though I disagree with this analysis).

In order to understand the three other proposals, it’s useful to break them down into several questions.

Q1: support for the default init system on Linux
A1.1: packages MUST work with the default init system on Linux as PID 1.
(That is the case in both [iwj] and [lucas])

A1.2: packages SHOULD work with the default init system on Linux as PID 1.
With [dktrkranz], it would no longer be required to support the default init system, as maintainers could choose to require another init system than the default, if they consider this a prerequisite for its proper operation; and no patches or other derived works exist in order to support other init systems. That would not be a policy violation. (see this mail and its reply for details). Theoretically, it could also create fragmentation among Debian packages requiring different init systems: you would not be able to run pkgA and pkgB at the same time, because they would require different init systems.

Q2: support for alternative init systems as PID 1
A2.1: packages MUST work with one alternative init system (in [iwj])
(if you are confused with “one” here, it’s basically fine to read it as “sysvinit” instead. See this subthread for a discussion about this)
To the user, that brings the freedom to switch init systems (assuming that the package will not just support two init systems with specific interfaces, but rather a generic interface common to many init systems).
However, it might require the maintainer to do the required work to support additional init systems, possibly without upstream cooperation.
Lack of support is a policy violation (severity >= serious, RC).
Bugs about degraded operation on some init systems follow the normal bug severity rules.

A2.2: packages SHOULD work with alternative init systems as PID 1. (in [lucas])
This is a recommendation. Lack of support is not a policy violation (bug severity < serious, not RC).

A2.3: nothing is said about alternative init systems (in [dktrkranz]).
Lack of support would likely be a wishlist bug.

Q3: special rule for sysvinit to ease wheezy->jessie upgrades
(this question is implicitly dealt with in [iwj], assuming that one of the supported init systems is sysvinit)

A3.1: continue support for sysvinit (in [lucas])
For the jessie release, all software available in Debian ‘wheezy’ that supports being run under sysvinit should continue to support sysvinit unless there is no technically feasible way to do so.

A3.2: no requirement to support sysvinit (in [dktrkranz])
Theoretically, this could require two-step upgrades: first reboot with systemd, then upgrade other packages

Q4: non-binding recommendation to maintainers
A4.1: recommend that maintainers accept patches that add or improve support for alternative init systems. (in both [iwj] and [lucas], with a different wording)

A4.2: say nothing (in [dktrkranz])

Q5: support for init systems which are the default on non-Linux ports
A5.1: non-binding recommendation to add/improve support with a high priority (in [lucas])

A5.2: say nothing (in [iwj] and [dktrkranz])

 

Comments are closed: please discuss by replying to that mail.


Erich Schubert: Avoiding systemd isn't hard

Planet Debian - Tue, 2014-10-21 07:17

Don't listen to trolls. They lie. Debian was and continues to be about choice. Previously, you could configure Debian to use other init systems, and you can continue to do so in the future.

In fact, with wheezy, sysvinit was essential. In the words of trolls, Debian "forced" you to install SysV init!

With jessie, it will become easier to choose the init system, because neither init system is essential now. Instead, there is an essential meta-package "init", which requires you to install one of systemd-sysv | sysvinit-core | upstart. In other words, you have more choice than ever before.

Again: don't listen to trolls.

However, notice that there are some programs such as login managers (e.g. gdm3) which have an upstream dependency on systemd. gdm3 links against libsystemd0 and depends on libpam-systemd; and the latter depends on systemd-sysv | systemd-shim so it is in fact a software such as GNOME that is pulling systemd onto your computer.

IMHO you should give systemd a try. There are some broken (SysV-) init scripts that cause problems with systemd; but many of these cases have now been fixed - not in systemd, but in the broken init script.

However, here is a clean way to prevent systemd from being installed when you upgrade to jessie. (No need to "fork" Debian for this, which just demonstrates how uninformed some trolls are ... - apart from Debian being very open to custom Debian distributions, which can easily be made without "forking".)

As you should know, apt allows version pinning. This is the proper way to prevent a package from being installed. All you need to do is create a file named e.g. /etc/apt/preferences.d/no-systemd with the contents:

    Package: systemd-sysv
    Pin: release o=Debian
    Pin-Priority: -1

From the documentation, a priority less than 0 disallows the package from being installed. systemd-sysv is the package that would enable systemd as your default init (/sbin/init).

This change will make it much harder for aptitude to solve dependencies. A good way to help it to solve the dependencies is to install the systemd-shim package explicitly first:

    aptitude install systemd-shim

After this, I could upgrade a Debian system from wheezy to jessie without being "forced" to use systemd...

In fact, I could also do an aptitude remove systemd systemd-shim. But that would have required the uninstallation of GNOME, gdm3 and network-manager - you may or may not be willing to do this. On a server, there shouldn't be any component actually depending on systemd at all. systemd is mostly a GNOME-desktop thing as of now.

As you can see, the trolls are totally blaming the wrong people, for the wrong reasons... and in fact, the trolls make up false claims (as a fact, systemd-shim was updated on Oct 14). Stop listening to trolls, please.

If you find a bug - a package that needlessly depends on systemd, or a good way to remove some dependency e.g. via dynamic linking, please contribute a patch upstream and file a bug. Solve problems at the package/bug level, instead of wasting time doing hate speeches.
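
A way to audit that a preferences file really carries the negative pin described in the post above. This is an added example, not part of the original post; the function names and everything in the sample beyond the post's three-line stanza are constructed for illustration, and /regex/ package patterns are not handled.

```python
import fnmatch
import re

# Constructed sample: the stanza from the post, plus an unrelated pin.
SAMPLE_PREFERENCES = """\
Explanation: keep systemd from becoming /sbin/init
Package: systemd-sysv
Pin: release o=Debian
Pin-Priority: -1

# unrelated pin, constructed for this example
Package: libfoo* bar
Pin: release a=testing
Pin-Priority: 100
"""


def parse_preferences(text):
    """Split an APT preferences file into stanzas (field name -> value)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # comment or continuation line
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key != "explanation":  # Explanation: lines are comments
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def blocked_patterns(text):
    """Package patterns pinned below 0, i.e. never installed."""
    blocked = []
    for stanza in parse_preferences(text):
        try:
            priority = int(stanza.get("pin-priority", ""))
        except ValueError:
            continue  # missing or malformed priority: not a usable pin
        if priority < 0 and "pin" in stanza:
            blocked.extend(stanza.get("package", "").split())
    return blocked


def is_blocked(text, package):
    """True if a negative pin matches the package name (glob patterns only)."""
    return any(fnmatch.fnmatchcase(package, p) for p in blocked_patterns(text))
```

On a live system, apt-cache policy systemd-sysv shows the priority APT actually applies.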

Joining Kolab Systems

Planet KDE - Tue, 2014-10-21 06:45

I've been a long time fan of Kolab, the free software collaboration and groupware system. I have recommended it, and even helped deploy it a few times, since it launched some ten years ago. I used it back then with KDE's Kontact, and still do to this day.

Kolab interested me because it had the opportunity to join such key free software products as LibreOffice (then Open Office) and Firefox in terms of importance and usage. Think about it: in a professional setting (business, government or educational) what key software tools are universally required? Certainly among them are tools to read and edit office documents; a world-class web browser; and collaboration software (email, calendaring, contacts, resource booking, notes, task lists, file sharing ...). The first two were increasingly well covered, but that last one? Not so much.

And then Kolab walked on to the stage and held out the promise of completing the trifecta.
However, there were years in between then and now when it was less obvious to me that Kolab had a glowing future. It was an amazing early-stage product that filled a huge gap in the free software stack, but development seemed to slow up and promotion was extremely limited. This felt like a small tragedy.

So when I heard that Kolab Systems was launching back in 2010 as a company centered around Kolab, I was excited: Could this be a vehicle which tows Kolab forward towards success? Could this new company propel Kolab effectively into the market which is currently the domain of proprietary products? Only time would tell ... I knew the founders personally, and figured that if anyone could pull this off it would be them. I also knew that they would work with freedom and upstream communities as priorities.

Four years later and Kolab Systems has indeed been successful in bringing Kolab significantly forward technologically and in adoption. Today Kolab is more reliable and has a spectacular set of features, thanks to the solid engineering team that has come together with the help and support of Kolab Systems.

Their efforts have also resulted in Kolab being used more: Fortune 100 companies are using Kolab, the city of Munich is currently migrating to it, there are educational systems using it and, of course, there is My Kolab which is a hosted instance of Kolab that is being used by an ever growing number of people.

Kolab Systems has also helped the free software it promotes and relies on flourish by investing in it: developers are paid to work on upstream free software such as Roundcube and Kontact in addition to the Kolab server; community facilitation and public promotion are in focus ... there's a rather nice balance between company and community at play.

There is still a lot to do, however. This is not the end of a success story, perhaps only the end of the beginning. So when the opportunity arose to join Kolab Systems I didn't have to think twice. Starting this month I am joining the Kolab Systems team where I will be engaged in technical efforts (more so in the near term) as well as business and community development. I'm really excited to be joining what is a pretty stellar team of people working on technology I believe in.

Before wrapping up, I'd like to share something that helped convince me about Kolab Systems. I've known Georg Greve, Kolab Systems' CEO and Free Software Foundation Europe founder, for a good number of years. One afternoon during a friendly walk-and-chat in the countryside near his house, he noted that we should not be satisfied with just making software that is free-as-in-freedom; it should also be awesome software, presented as something worth wanting. It is unrealistic to expect everyone to use free software solely because it is ethically the right thing to do (which it is), but we might expect people to choose free software because it is the most desirable option they know of. To phrase it as an aspiration:

Through excellence we can spread freedom.
I'll probably write more about this philosophy another time, as there are a number of interesting facets to it. I'll also write from time to time about the interesting things going on in the Kolab world .. but that's all for another time. Right now I need to get back to making notes-on-emails-sync'd-with-a-kolab-server work well. :)
