Weekly roundup 2017 – week 16

Cauldron

Not too much to report on the RC ISO testing this week, but that’s a good thing – the classical ISOs are nearly ready and the remaining trivial issues in the Live ISOs should be fixed in the next rebuild. The Mageia 6 release is starting to look very good.

Cauldron has had lots of updates as well; here are some highlights:

  • dovecot 2.2.29.1
  • dnfdragora 1.0.1
  • koji 1.12.0
  • tomcat 8.0.43 – Fixes CVE-2017-5647 and CVE-2017-5648
  • caja 1.18.2
  • kernel 4.9.23
  • plasma 5.8.6
  • vlc 3.0.0 – git nightly 20170405, fixes persistent performance on AMD with OpenGL driver, among others

Note that the plasma update was not a new version, but a sync with the 5.8 branch.

Mageia 5

  • wireshark 2.0.12 – CVE fixes, the full list is available here
  • flash-player-plugin 25.0.0.148 – numerous CVE fixes, the full list is here
  • chromium-browser 57.0.2987.133 – numerous CVE fixes, full list available here
  • gimp 2.8.14 – bug and CVE fixes (mga20663 and mga18804)

These will arrive as soon as they have been validated by the QA team. While this has been a quiet week for Mageia 5 updates, it’s a slight calm before the storm as there are a new kernel and firefox coming that will keep the QA team busy.

Infrastructure

The infrastructure updates are nearly complete. The mailing list administration and forums are still down; while this is far from ideal, the sysadmins are working hard to bring the forums up as quickly as possible.

Weekly roundup 2017 – week 15

Infrastructure

The sysadmins have done some amazing work to get the remaining servers upgraded to Mageia 5, and some of the major packages we use upgraded as well. The remaining large issue is with the encoding of the upgraded PostgreSQL database that is used by all of our services; however, this was hopefully fixed today. That allowed Bugzilla to come back online fully upgraded, which will be a large help in tracking the bugs in the latest Mageia 6 ISOs and QA in general.

Our blog has also had some upgrades to its WordPress. We are now running the latest version, 4.7.3, with HTTPS set by default. Sadly we have had to drop some of our inactive blogs as they were not being translated. If that’s something you would be interested in helping with, the translation teams are always more than welcoming towards new people.

Cauldron

As always, some updates on how the ISO testing is going. The wider QA tests on the upcoming RC ISOs have found some problems, but they are trivial and the builds are looking good. Hopefully, the remaining issues can be fixed in the next round of new builds and we can release Mageia 6 RC for everyone to test. The QA team has also started to test upgrades from Mageia 5 to 6, the main focus being to ensure that the switch from KDE4 to Plasma 5 works well and that there are no other issues.

Update-wise, there has been a lot of activity, both bugfixes and new versions; here are some highlights:

  • gnome 3.24.1
  • gtk+3.0 3.22.12
  • qtdeclarative5 5.6.2 – added a patch to fix kwin crashes
  • dnf 2.3.0
  • packagekit 1.1.5 – backported fixes for offline updates
  • mercurial and tortoisehg 4.1.2
  • amarok 2.8.90 – more appstream fixes
  • godot 2.1.3 – mainly bugfixes
  • mediawiki 1.27.2 – lots of CVE fixes, see here for details

Mageia 5

It’s been a relatively quiet week for Mageia 5. MediaWiki was updated to 1.23.16 with lots of CVE fixes; a full announcement is available here. There was also a backport of simgear-2016.4.4; it’s currently in backports_testing if you are interested in trying it.

Weekly roundup 2017 – week 14

Infrastructure

So sadly the big news this week is the outage of two of our servers for needed upgrades. The status of the services that are down can be read here. Our sysadmins have been hard at work, already pushing 30 patches to our infrastructure and working on porting the PostgreSQL database used by most services to a new server.

The first priority is to get the mirrorlist service running again quickly as it has the largest impact on users. Our Bugzilla, which will not only be moved to a machine running Mageia 5 but will also be upgraded to Bugzilla 5, will be the next step. The homepage has already been moved to a server that is fully up to date and had no downtime.

Note that the mirrorlist and Bugzilla were restored shortly after publishing, thanks to the sysadmins for finishing the upgrades so quickly.

While the updates on the two servers we preventively took down were severely needed for security reasons, they have been in planning for a significant time, and require non-trivial development work to port scripts, templates and configurations to the updated Mageia 5 ecosystem.

The outage only affected two of our many servers. All of our other servers, including the build nodes for i586, x86_64 and arm (which I struggled to count from memory: 6 arm and 3 x86 at last count – I swear the arm nodes are multiplying), the ISO builder and the repository server, have remained active and fully up to date on Mageia 5, busily building for Cauldron and Mageia 5; you can see the queue here. Nevertheless, it must be noted that the two servers which had to be taken down were the most exposed as they hosted most web-facing services (and since they ran outdated software, also the most vulnerable).

We can only apologise that these upgrades have not happened sooner. Even if the impact on the development has been minimal, we will have to continue to make changes in our sysadmin procedures to ensure that upgrades are simpler and timelier in the future.

Once the services migration is complete, we will publish a blog post to give a better overview of what the components of our infrastructure are, what software they run, how the sysadmin team maintains it and the evolution in our sysadmin team that has been happening for some time now.

Cauldron

ISO building and testing for Mageia 6 RC has been making good progress. The release blockers are being fixed nicely, a new drakxtools included on the latest ISOs fixed a number of partitioning bugs so the ISOs are starting to become satisfactory. The Live ISOs are now ready for wider QA testing, and an EFI issue that was holding up the 64-bit Classical ISOs has hopefully been fixed. 

There were updates to many packages, the highlights of which were:

  • drakconf 13.15 aka Mageia Control Center – fixes 3 bugs, improved message for missing packages (mga#20614), dropped legacy loaders (mga#18572) and improved Gtk+ animations (mga#19827)
  • webkit2 2.16.1 fixes several crashes and rendering issues, numerous CVEs
  • darktable 2.2.4 adds a few new features, more supported cameras and lots of bugfixes
  • mate 1.18.1 fixes multiple memory leaks as well as improving support for status-notifier
  • dnf 2.2.0 
  • enlightenment 0.21.
  • kernel 4.9.20 added firmware for Intel 6030 wifi cards and added more Polaris 12 PCI IDs.

Mageia 5

There were updates to a number of packages for Mageia 5 this week, including:

  • webkit2 2.16.1 fixes several crashes and rendering issues, numerous CVEs
  • python-django 1.18.16 with numerous CVE fixes
  • nvidia-current 375.39 with CVE fixes and new GPU support
  • phpmyadmin 4.4.15.10 with numerous CVE fixes
  • wget 1.15 fixes various CVEs

These updates are going through validation, so will be pushed to a mirror once that process is completed. The Bugzilla downtime makes the QA team’s work slightly harder, but they are keeping testing via their mailing list, so updates should keep coming as usual 🙂

Web services shut down preventively

Our sysadmins decided to preventively shut down most of our web services which were still running on end-of-life Mageia versions, as their potential vulnerability to remote attacks was publicised in third party communities.

The migration of those services to Mageia 5 servers was planned but delayed due to a lack of sysadmin time to work on it. The unexpected publicity that it received obviously made this topic a high priority one, our infrastructure being exposed as an easy target. The sysadmins therefore decided to shut down the services to be able to work on the migration without further risks.

Please note that our buildsystems for packages and ISO images are running the latest stable release, and therefore Mageia users need (as far as we know at this stage) not be concerned. The potential risks should be confined to web services of the mageia.org domain – we are nevertheless auditing all servers for traces of intrusion which could have been facilitated by the outdated infrastructure.

We are sorry for the inconvenience and this security negligence, and will keep you posted with our progress on this issue and the verification of the services.

Current status:

  • Homepage (www): online
  • Blog: online
  • Identity: online
  • Bugzilla (bugs): online
  • Mailing list (ml): offline
  • Wiki: online
  • Forums: offline
  • Mirrors index and MIRRORLIST (mirrors): online
  • Git / Svn: online
  • Gitweb / Svnweb: online
  • Buildsystem (pkgsubmit): online
  • Mageia App DB (madb): online

Edit Apr 5, 2017 @ 17:45: Added more details about services being down and the security risks.

Edit Apr 5, 2017 @ 20:45: Instructions to add a specific mirror manually for MIRRORLIST users.

Edit Apr 6, 2017 @ 8:00: Web services had been mistakenly put back online automatically during the night, they are now back offline as necessary.

Edit Apr 8, 2017 @ 1:00: Bugzilla and MIRRORLIST are functional again. Bugzilla was also updated to the latest 5.0.3+ upstream version.

Edit Apr 9, 2017 @ 0:15: Identity is back online.

Edit Apr 20, 2017 @ 15:00: Wiki is back online. Gitweb and Svnweb were also restored in the past week, and the mailing list software will be back soon.

Weekly roundup 2017 – week 13

Cauldron

The big Cauldron news is that ISO testing for Mageia 6 RC is well under way; new images were generated that will hopefully fix the EFI implementation and some grub config issues. Gnome 3.24 will be available on the upcoming ISOs as pre-testing has not shown any issues. We’re also hoping to have most blocker bugs fixed before the RC release; the list is getting nice and short, so hopefully that won’t take long. If you want to get involved with pre-release ISO testing, the QA team always has room for more hardware and hands.

Big updates include:

  • libbluray 1.0.0 – there might be some broken deps with this while the needed packages are rebuilt
  • kernel 4.9.19
  • webkit2 2.16.0
  • firefox 52.0.2
  • urpmi 8.106-2 – this increases the transaction size from 8 to 50, it will help with upgrades from Mageia 5 to 6
  • chrome-gnome-shell – this should add some nice functionality to Gnome

The other big talking point aside from the RC release in the Council Meeting was the inclusion of the new Manatools for system configuration on the ISOs. The ncurses versions will be added, along with dnfdragora, but the integration of the graphical front ends was pushed until after Mageia 6 to give proper testing time.

Mageia 5

R-base was patched against CVE-2016-8714. The other big update is to the kernel, 4.4.59, which will fix a vulnerability found in the Pwn2Own contest.

Community

We will be at the Libre Software Days in Lyon this weekend, so if you are in the area drop by and meet some of our contributors or catch up on the other projects on show.

We have been using MyPads from Framasoft a lot for blog posts and announcements; this is being written on one in fact. To that end, we have made a €250 donation; the full blog post about how we use MyPads and Framasoft can be read here.

Donation to Framasoft

When we at Mageia write blog posts and other announcements, we use a collaborative editing tool called Etherpad to draft the text. In the past, the links to these draft documents were accessible from our mailing list archives and wide open for anyone to access. Fortunately, we found a better way to do this thanks to Framasoft. Framasoft provides the excellent MyPads platform, which provides a folder to store multiple Etherpads with access control, title editing, and sorting by date and name. Having a single point of access for our draft documents has been a huge help to getting blog posts written and proofread, and has provided a way to keep track of what we have coming. In addition to this excellent service, Framasoft provides other services such as spreadsheets, mindmapping, drawing, and undoubtedly some other tools that we will find useful in the future. A full list can be seen here. While Framasoft does host and offers free usage of these services, it should be noted that their main aim is to develop this platform for self-hosting, not to offer a hosted service.

It is to this end that we would like to announce a donation of €250 to Framasoft. It has always been one of the goals of Mageia to not only develop an excellent high-quality operating system and community surrounding the project, but also to help with the general development and support of Free and Open Source software in the wider community. It is excellent to be able to use and support an association like Framasoft. They offer fantastic services, and supporting them fits with the goals that Mageia has laid out since the beginning. You can read more about the Framasoft association here.

As a further note to this, we would like to look into hosting the Framasoft software on our own infrastructure in the future. Unfortunately, with the infrastructure administration resources we currently have available, our current priorities are the release of Mageia 6 and general upkeep. Further development of our infrastructure will have to take place in the future as time and resources allow. So, in the meantime, we hope that this donation will help to cover our usage of Framasoft’s services.

Mageia at JDLL 2017 in Lyon on the 1st and 2nd of April

A quick late notice that a few contributors will have a stand at the yearly Libre Software Days in Lyon (“Journées du Logiciel Libre”, in French), as they do every year, next weekend (1st and 2nd of April).

As always, it’s a nice occasion to discuss and get to know others in the Mageia community (which includes every user, of course) as well as see what other communities are working on, so if you happen to be able to come, you are welcome!

The event’s program (in French): http://www.jdll.org/programme/

Weekly Roundup – 2017, week 12

Another week has passed and there have been many changes with Cauldron as well as continued testing on RC ISOs for Mageia 6. Mageia 5 has also received some important updates.

Cauldron

As we are hoping to release the release candidate for Mageia 6 soon, the focus on development in Cauldron is switching more and more away from new releases and features to focus on bug fixes and getting the packaged software into the best state for release. That being said, there was a major update to Gnome 3.24. This is currently in updates_testing to check for major issues and regressions before being pushed to release if everything is OK.

Another big update was to move to ICU 58.2, which is a requirement for packaging Firefox 52 ESR. The rebuilds went relatively well in core/updates_testing, but after the rebuilt packages were moved to core/release, some issues appeared with Cauldron. Ironically, all Mozilla software (Firefox, Thunderbird, Seamonkey/Iceape) crashed with this new version, forcing us to rebuild them against their bundled ICU code base. We could finally fix the crashes with the system library by adding Mozilla patches to ICU 58.2, which should hopefully allow us to package all Mozilla software against the system ICU.

There were updates to LibreOffice (5.3.2 RC1) which will be updated to final before Mageia 6 is released. The libinput RC update from last week was also updated to final. Samba was updated to 4.5.7, fixing this Mageia bug and a security issue where a symlink race could be used to gain access to parts of the filesystem not shared, see this CVE for further details. DNF was updated to 2.1.1, Mesa to 17.0.2 and flash player plugin was also updated to 25.0.0.127. Firefox/Thunderbird are currently on versions 45.8.0 ESR, with the intention to update them to the 52 ESR branch for the final release.

ISO testing for Mageia 6 RC started last week, and a new round of ISOs was built yesterday. Testing so far is looking good.

Mageia 5

There have been lots of updates submitted for validation, here is the full list, the highlights of which are:

  • Flash – 25.0.0.127 – multiple CVE fixes
  • Kernel 4.4.55
  • qbittorrent 3.3.11
  • Firefox/Thunderbird 45.8.0, this closes MGASA 2017-0081 and 0082 respectively.

Community

The introduction of packager groups for various programming languages was discussed last week, and acted upon yesterday. As a first step, groups were created for the Perl, Python, Java and PHP stacks. If you’d like to help with the debugging and packaging of those stacks, don’t hesitate to join them. More information is available here.

Review: Back from CLT 2017

It’s almost a week since the Chemnitzer Linux days: time for a brief review (link in German):

To make a long story short: This meeting was a big success.

Alfred and I arrived on Friday evening and went to check out the location. The slogan “Barrieren einreißen” (engl: “tear down barriers”) couldn’t have been chosen better. To get there by the shortest route you had to tear down many barriers, since it seems that Chemnitz is a single big construction site. So it took us a while to find the best alternative route. 

When we arrived, we were warmly welcomed by the organisation team and had our first discussion, about the relation between the number of free projects and the number of companies, and the danger of sponsoring of this kind of event by big companies. On the other hand the free projects benefit from the lower costs, the preparation of the booth (incl free printing of a poster) and two days of free catering.

On Saturday morning, after Jürgen and Frank’s arrival to complete our booth attendance, we were a little bit afraid that our booth wouldn’t get enough attention, because it was located in a corner. It turned out to be not the case: we were getting in contact with a lot of different people and there was enough time for various discussions about our project. Also our presentation of the upcoming Mageia 6 raised a lot of interest. We had a lot of giveaways, too, like pens, stickers, cups, t-shirts and USB sticks (which we exchanged for a small donation) and also the Swiss cookies attracted visitors and booth attendants the same way. Because there were 4 of us, there was also some time for visiting talks and getting in contact with other projects around us.

On Saturday evening there was (as every year) the big dinner for staff and booth attendants with plenty of food and drink. And even there we had some very interesting and informative discussions with people from other projects or associations (special regards to Christoph from LUG Frankfurt (Link in German), if he’s reading this).

It felt like the Sunday was not as busy (many of the visitors already visited the booth on Saturday), but anyway the booth of Mageia still attracted many other visitors. There were some who complimented Mageia as the only distribution to get their WIFI to work or others who are using this distribution and the ancestors since Mandrake times. However there are still some people around who had never heard about Mageia, even though it has already existed for around 7 years and released 5 great versions. So this should lead us to increase our marketing as we did with this presence at the CLT.

Finally we want to say a big “Thank you” to the organisation team of CLT 2017 for giving us the opportunity to present Mageia there. In exchange for the printing of a second poster we donated 20€ to the penguins of the animal park in Limbach-Oberfrohna, who are adopted by the CLT (link in German / Video in German).

We are looking forward to presenting at CLT 2018 as well.

Weekly roundup – 2017, week 11

It has been another busy week with lots of changes, upgrades, tests and news.

Cauldron

All of the Mageia-developed tools have been updated to include the latest translations, as well as updates to the DrakX installer that will hopefully fix some of the remaining bugs, more on that later. libinput was updated to 1.7 RC2, so if there are any regressions with input devices following this, please submit bugs to the bugzilla, so that we can help upstream fix them in time for Mageia 6. The kernel was updated to 4.9.15 final yesterday, with the required rebuilds following, so that update should be available soon, if not already. KDE applications 16.12.3 and MATE 1.18 also landed. The FFmpeg update and required rebuilds were finalised, so hopefully all the issues have been straightened out there; v4l-utils 1.12.3 also landed. Builds for an updated VLC 3.0-git snapshot are also ongoing. There were also updates to Calibre 2.81 and LibreOffice 5.3.1.rc2. As this was written, there was extensive activity on the build system, so plenty of updates should be coming.

Sta2 testing feedback roundup:

While the majority of the feedback has been positive, to the extent that we are moving forwards towards a release candidate build, there are still ongoing issues with NVIDIA proprietary drivers, specifically the 340 driver for slightly older cards. Testing for fixes is ongoing; a new round of internal ISOs was generated to test this and to check the status on installer bugs, such as some buttons appearing off screen at the partitioning stage in some languages. The next round of ISO testing will be in preparation for the RC release.

Mageia 5

Kernel updates to 4.4.54 are in testing, so expect these soon once the updates have been validated.

Security updates to MariaDB, Pidgin, libquicktime and others are currently going through validation, as well as a few others that will be available soon.

Community

Maintainer groups for the main programming languages are in the process of being set up, to nominally share the workload of the huge Perl or Python stacks among groups of packagers. Similar groups for other large stacks or components proved successful for the kernel, the Mageia tools and some desktop environments, so this will allow for similar work sharing on the language stacks.

The Chemnitz Linux Day was a successful event: Mageia had a booth there showing our system, with contributors on hand to answer questions. A full write-up is coming soon, but in the meantime, some pictures are up on the German Forum.