Open-source News

NVIDIA Publishes Signed Ampere Firmware To Finally Allow Accelerated Open-Source Support

Phoronix - Mon, 04/11/2022 - 19:35
Days after new open-source kernel driver code appeared in a Tegra code drop, NVIDIA today published signed firmware images for its RTX 30 "Ampere" graphics processors, finally allowing open-source driver support to proceed for these latest-generation GPUs...

AMD P-State vs. ACPI CPUFreq Testing With Ryzen Laptops On Linux 5.17

Phoronix - Mon, 04/11/2022 - 18:19
One of the most prominent features of Linux 5.17 for end-users was the introduction of the AMD P-State driver that is designed to deliver better energy efficiency than the generic ACPI CPUFreq frequency scaling driver relied on by AMD Ryzen processors up to this point. For those wondering how the performance and efficiency currently compare for Ryzen laptops, here are some benchmarks recently carried out on Linux 5.17 for both drivers and testing both the Schedutil and Performance governors.

6 reasons this nonprofit chose Backdrop for its open source CMS

opensource.com - Mon, 04/11/2022 - 15:00
Laryn Kragt Bakker, Mon, 04/11/2022 - 03:00

As a nonprofit that builds websites for other nonprofits (among other things), the Stuart Center has used a variety of platforms over the years based on experience and feedback from nonprofit partners. In the early days, we did straight HTML websites, and as content management system (CMS) technology blossomed, used Mambo (and Joomla after it forked). We then moved on and have used WordPress and Drupal for years now. As things evolve and change, we always have to re-assess and adjust course as necessary based on the audience we are serving. Of course, it's not just the technology that is changing, but the focus and priorities and end-user experience of the various projects.

The Stuart Center serves primarily small to mid-sized nonprofits. Many of our partners don't have a full-time website person, and often people wear many hats. Funding is usually tight. They have website needs that can't always fit into a cookie-cutter solution, and they appreciate flexibility from a website so it can be a solid base that can grow and scale and adapt as their needs do. This is why we've often turned to Drupal over the last decade or so.

In the last several years, we've shifted and begun to suggest Backdrop to our partners as an alternative to Drupal. Backdrop not only maintains many of the strengths of Drupal: it also brings some strong new features and a particular focus on and attention to just the kind of groups that make up our audience. Here are some of the deciding factors we considered as we observed and began to participate in the Backdrop project. (And to be clear, this is not intended as a knock on the other projects as much as an endorsement of Backdrop – we've used WordPress and Drupal plenty and I expect we'll use them again when the project is right).

Power, flexibility, scalability

In Backdrop, the best parts of Drupal are kept, including many of the improvements that went into Drupal 8, such as configuration management, and key features like the ability to create dynamic, customizable views in the core software. This makes it much more flexible out of the box than WordPress. There are also new Backdrop-specific improvements, such as a user-friendly and powerful layout system that allows separate landing pages, sections with unique page structures, and blocks of various kinds of content placed differently on the page. We have the power to build a solid, flexible base that we can scaffold on top of as budget allows and ideas grow. Sometimes a group doesn't have the budget for a full project all at once. With Backdrop, we can find a way to do a project in multiple phases, building on what we started rather than having to start again or redo a lot of work.

Usability and empowerment

There has been a continuous stream of usability improvements in Backdrop as the team tries to clean up some of the inconsistencies and less than ideal user interface aspects of Drupal 7. Some of them are small and the kind of thing you don't even notice when they're fixed (which is what you want) and others bring new features into play (like the addition of an image library in the editor, and the fact that images uploaded through the editor are tracked elsewhere on the site as well). We had a partner email us the day after we upgraded and slide in a comment about how they loved the new image library, so we know that these improvements are being noticed by our end users. Attention to the little details like the full-featured editor experience (which works so nicely out of the box) and upgraded JavaScript libraries make it much more enjoyable to use as a content editor or site builder on a day-to-day basis.

Backdrop's principles fit hand-in-glove with the Stuart Center's values, especially the way we try to educate and empower our partners. Make sure it's usable. Include features that the majority need and want. Keep it simple but extendable. This is critical as we build a site and then try to empower our partners to take on as much of the editorial and administrative aspects as they are willing and able. We always tell our partners that, based on their needs, we will help train them to handle as much as they are able on the site. We'll be here for questions as needed, realizing some groups will need more support and others will need less (or none).

Affordability

As we at the Stuart Center evaluated Backdrop, we had to look at the total cost of ownership of the website for our partners. That building a Drupal site will cost more than building a Backdrop site is one thing, but the costs of ongoing maintenance and upgrades and the potential need for a more expensive hosting plan are others. We've found that we can develop Backdrop sites quickly, which means lower costs, and that the Backdrop principle of backwards compatibility has made updates and upgrades very smooth. (With core updates already possible via the admin interface, and potentially in an automated form in the future, it's another affordability win for our partners on the horizon). Some of our smaller partners have sites that are on shared hosting, and Backdrop's philosophy includes a principle of maintaining great performance so the system can run on lower cost hosting.

It's worth noting here that there is a smooth upgrade path from Drupal 7 to Backdrop, whereas the process of moving from Drupal 7 to Drupal 8 and above is a more intensive migration process. 

Security, maintenance, and a four year track record

At the Stuart Center, we've been evaluating Backdrop for several years, even as we've built sites with it and participated in the community by porting, maintaining, and developing modules. Backdrop is over seven years old now, with scheduled and on-time releases every 4 months. Security updates are generally managed in collaboration with the Drupal 7 security team on issues that affect both systems. The ability to update the core software via the administrative interface (in a similar way to how you can already update contributed modules) is a great feature for those partners that want to manage things more completely. The long term goal of providing an option for automated security updates is another step in the right direction (I've appreciated the thoughtful conversation around this and whether it will be possible to provide a "security updates only" release for minor versions to minimize the chance that an automated update could cause a breakage – a branch that does not force you to upgrade to the latest functionality but does allow the security patches to flow in as seamlessly as possible).

I expect that we'll see a spike in Backdrop adoption as we approach the end-of-life of Drupal 7.

Community and leadership

Most of the above considerations are from the end user perspective, but the developer's Backdrop experience is also one of empowerment. The community is still comparatively small but it's growing, and the attitude in general feels very welcoming and warm, "structured to promote participation and collaboration." Modern workflows and development tools like Github help make it simpler to get involved in one way or another.

The leadership structure is one of the hidden gems of the project. Rather than one person or an enterprise-focused company having outsized control of a community-powered project, the Backdrop Project Management Team is set up as a diverse group representing "all perspectives of the Backdrop community". This gives peace of mind that the project won't stray from the principles that focus on the needs of small and mid-size nonprofits, companies, and groups, and the big shops and enterprise developers that want to shift everything to headless systems or other expensive functionality can't use their size to steer the project away from its intended audience. They are still welcome to use Backdrop and participate in the contrib space, of course, just not to commandeer the project!

Integration with CiviCRM

Another important check mark for Backdrop CMS is its deep integration with CiviCRM, allowing nonprofits or companies to take advantage of all the benefits CiviCRM offers: centralized donor and contact management, memberships, donations, events with registration, case management, email blasts, and the privacy win of self-hosted data.

Conclusion

If you work in a small or medium-sized nonprofit, the points above will probably resonate in many ways. At the Stuart Center, we've been very pleased with Backdrop's direction and we're looking forward to the project's future as a tool to help us and our partners build a better world. I expect we'll use other systems from time to time, but Backdrop feels like a "Swiss Army knife" of sorts and should be part of the conversation.

If you have a web project coming up or are just interested in discussing Backdrop or asking us a question or two, join the live chat or feel free to get in touch with us at the Stuart Center. You can also follow the Nonprofit Backdrop Twitter feed.

Here are some of the deciding factors that the Stuart Center considered as they observed and began to participate in the Backdrop project.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

5 open source alternatives to Doodle polls

opensource.com - Mon, 04/11/2022 - 15:00
Don Watkins, Mon, 04/11/2022 - 03:00

Scheduling meetings can be a nearly insurmountable task. Finding a time that works for everyone in the same organization, let alone across different time zones, can feel like trying to solve a puzzle with a missing piece.

There are several web applications that can help you send around a poll to find out what times work for each participant, with several different options for dates and times provided. By taking the intersection of all the good times, you can uncover the ideal meeting schedule.

Should you want to host your own meeting poll software, there are several open source options available to you, and recently I had the occasion to try five of them.

Framadate

Framadate is produced by the French not-for-profit association Framasoft. Offered as a hosted web application, Framadate is ad-free, supports real-time collaboration, is multilingual, and can help with planning and documenting meetings. It's released under a CeCILL-B license. The source code is available on GitLab, if you want to review it, contribute to it, or download and self-host.


Dudle

Dudle is an open source poll and event scheduling application, released under the GPLv3 license. You can easily create scheduling and polling events in over twenty different languages, either anonymously or with a distinct URI. Dudle comes with different stylesheets to give your event scheduling or polling a distinct appearance. The source code is available, and you can run the software on your own server.


Nextcloud

There's not much Nextcloud can't do. It has an application called Nextcloud Polls that allows you to create and share polls from the familiar Nextcloud interface. It's written in PHP and Vue.js, and is released under an AGPL 3.0 license. It has many features, including easy poll creation, the ability to hide results from other users, and the option for an automatic expiration date. You can easily export to HTML and different spreadsheet formats. You can report bugs or request new features, and there's an active development community.


Croodle

Croodle doesn't have a demo server, so you're likely to use this only if you intend to self-host. It's released under an MIT license and is written in PHP. Croodle is encrypted end-to-end. All data (poll title, description, options, user names, and so on) are encrypted and decrypted in the browser using 256-bit AES encryption. If you're building a site and you want to include polling as a service, this is a great project to try.


Rallly

Rallly (yes, that's three L's) provides a simple and direct interface for quickly scheduling events and allowing participants to vote on the date and time of events. Released under an MIT license, Rallly's source code is available for you to contribute to or review. Its primary means of delivery is as a container, so there's essentially no configuration required to quickly launch an instance on your own server using Podman, Kubernetes, or Docker. Rallly has excellent documentation to aid you in setting it up in your own environment, including more complex setups.


Polls

Whether you run a temporary solution in a container, an occasional poll on Nextcloud, or build a full productivity suite around scheduling, there are plenty of open source solutions for getting input from your event's participants. The world is smaller due to the increase of video calls we make, and now it's effortless to coordinate your meetups across time zones and busy schedules.


This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

1 Comment

Laurent | April 11, 2022

And what about Dolibarr surveys?
https://www.dolibarr.org/presentation-surveys-polls.php

Automate checking for flaws in Python with Thoth

opensource.com - Mon, 04/11/2022 - 15:00
Fridolín Pokorný, Mon, 04/11/2022 - 03:00

Most cyberattacks take advantage of publicly known vulnerabilities. Many programmers can automate builds using Continuous Integration/Continuous Deployment (CI/CD) or DevOps techniques. But how can we automate the checks for security flaws that turn up hourly in different free and open source libraries? Many methods now exist to ferret out buggy versions of libraries when building an application.

This article will focus on Python because it boasts some sophisticated tools for checking the security of dependencies. In particular, the article explores Project Thoth because it pulls together many of these tools to automate Python program builds with security checks as part of the resolution process. One of the authors, Fridolín, is a key contributor to Thoth.

Inputs to automated security efforts

This section lists efforts to provide the public with information about vulnerabilities. It focuses on tools related to the article's subject: reports of vulnerabilities in open source Python libraries.

Common Vulnerabilities and Exposures (CVE) program

Any discussion of software security has to start with the comprehensive CVE database, which pulls together flaws discovered by thousands of scattered researchers. The other projects in this article depend heavily on this database. It's maintained by the U.S. National Institute of Standards and Technology (NIST), and additions to it are curated by MITRE, a non-profit corporation specializing in open source software and supported by the U.S. government. The CVE database feeds numerous related projects, such as the CVE Details statistics site.

A person or automated tool can find exact packages and versions associated with security vulnerabilities in a structured format, along with less structured text explaining the vulnerability, as seen below.

[Figure: a CVE entry as shown on the CVE database (Fridolín Pokorný and Andy Oram, CC BY-SA 4.0)]

Security efforts by the Python Packaging Authority

The Python Packaging Authority (PyPA) is the major organization creating best practices for open source packages in the Python language. Volunteers from many companies support PyPA. Security-related initiatives by PyPA are significant advances in making Python robust.

PyPA's Advisory Database curates known vulnerabilities in Python packages in a machine-readable form. Yet another project, pip-audit, supported by PyPA, audits application requirements and reports any known vulnerabilities in the packages used. Output from pip-audit can be in both human-readable and structured formats such as JSON. Thus, automated tools can consult the Advisory Database or pip-audit to warn developers about the risks in their dependencies.
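One way an automated build can consume the structured output just described, as an added example that is not code from pip-audit, PyPA or Thoth: it assumes the JSON layout that `pip-audit --format json` emits (a top-level "dependencies" list whose entries carry "name", "version" and "vulns"), and the report embedded below is constructed, with placeholder package names, versions and advisory ids rather than real advisories.

```python
"""Gate a build on pip-audit's JSON report.

Added example; not pip-audit's own code. The report layout is assumed to
match `pip-audit --format json`, and SAMPLE_REPORT is constructed data.
"""
import json

# Constructed report standing in for the output of:
#   pip-audit -r requirements.txt --format json
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.2.0",
         "vulns": [{"id": "PYSEC-0000-EXAMPLE",
                    "aliases": ["CVE-0000-00000"],
                    "fix_versions": ["1.2.1"],
                    "description": "placeholder advisory with a fix"}]},
        {"name": "otherlib", "version": "3.0.0", "vulns": []},
        {"name": "legacylib", "version": "0.9",
         "vulns": [{"id": "PYSEC-0000-LEGACY",
                    "aliases": [],
                    "fix_versions": [],
                    "description": "placeholder advisory without a fix"}]},
    ],
    "fixes": [],
})


def findings(report_text):
    """Flatten the report into one record per (package, advisory)."""
    report = json.loads(report_text)
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            out.append({
                "package": dep["name"],
                "version": dep["version"],
                "id": vuln["id"],
                "aliases": list(vuln.get("aliases", [])),
                # Versions that close the advisory; an empty list means no
                # fixed release is known yet.
                "fix_versions": list(vuln.get("fix_versions", [])),
            })
    return out


def gate(report_text, accepted_risks=()):
    """Decide whether a build may proceed.

    accepted_risks: advisory ids (or aliases such as CVE numbers) that a
    reviewer has consciously accepted, e.g. a flaw unreachable in this
    deployment. Every other finding blocks the build.

    Returns (ok, blocking, advice): advice maps a package to the list of
    fixed versions a pin could move to, or None when some advisory on that
    package has no fixed release and the package must be replaced or isolated.
    """
    accepted = set(accepted_risks)
    blocking = [f for f in findings(report_text)
                if f["id"] not in accepted and accepted.isdisjoint(f["aliases"])]
    advice = {}
    for f in blocking:
        if not f["fix_versions"] or advice.get(f["package"], ()) is None:
            advice[f["package"]] = None          # no fixed release known
        else:
            advice.setdefault(f["package"], []).extend(f["fix_versions"])
    return (not blocking, blocking, advice)


if __name__ == "__main__":
    import sys
    # Pass a path to a real report, otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    ok, blocking, advice = gate(text)
    for f in blocking:
        print(f"BLOCK {f['package']}=={f['version']}: {f['id']} "
              f"-> fix in {advice[f['package']] or 'no fixed release'}")
    sys.exit(0 if ok else 1)
```

In a CI pipeline the non-zero exit stops the build until the pin is raised or a reviewer records the advisory id in the accepted-risk list.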

A video by Dustin Ingram, a maintainer of PyPI, explains how these projects work.

Open Source Insights

An initiative called Open Source Insights tries to help open source developers by providing information in structured formats about dependencies in popular language ecosystems. Such information includes security advisories, license information, libraries' dependencies, etc.

To exercise Open Source Insights a bit, we looked up the popular TensorFlow data science library and discovered that (at the time of this writing) it has a security advisory on PyPI (see below). Clicking on the MORE DETAILS button shows links that can help research the advisory (second image).

[Figure 1: Open Source Insights entry for TensorFlow showing the PyPI security advisory (Fridolín Pokorný and Andy Oram, CC BY-SA 4.0)]

[Figure 2: links shown after clicking MORE DETAILS on the advisory (Fridolín Pokorný and Andy Oram, CC BY-SA 4.0)]

Interestingly, the version of TensorFlow provided by the Node.js package manager (npm) had no security advisories at that time. The programming languages used in this case may be the reason for the difference. However, the apparent inconsistency reminds us that provenance can make a big difference, and we'll show how an automated process for resolving dependencies can adapt to such issues.

Open Source Insights obtains dependency information on Python packages by installing them into a clean environment. Python packages are installed by the pip resolver—the most popular installation tool for Python libraries—from PyPI, the most popular index listing open source Python libraries. Vulnerability information for each package is retrieved from the Open Source Vulnerability database (OSV). OSV acts as a triage service, grouping vulnerabilities across multiple language ecosystems.

Open Source Insights would be a really valuable resource if it had an API; we expect that the developers will add one at some point. Even though the information is currently available only as web pages, the structured format allows automated tools to scrape the pages and look for critical information such as security advisories.

Security Scorecards by the Open Source Security Foundation

Software quality—which is intimately tied to security—calls for basic practices such as conducting regression tests before checking changes into a repository, attaching cryptographic signatures to releases, and running static analysis. Some of these practices can be detected automatically, allowing security experts to rate the security of projects on a large scale.

An effort called Security Scorecards, launched in 2020 and backed by the Open Source Security Foundation (OpenSSF), currently lists a couple of dozen such automated checks. Most of these checks depend on GitHub services and can be run only on projects stored in GitHub. The project is still very useful, given the dominance of GitHub for open source projects, and represents a model for more general rating systems.

Project Thoth

Project Thoth is a cloud-based tool that helps Python programmers build robust applications, a task that includes security checking along with many other considerations. Red Hat started Thoth, and it runs in the Red Hat OpenShift cloud service, but its code is entirely open source. The project has built up a community among Python developers. Developers can copy the project's innovations in other programming languages.

A tool that helps programmers find libraries and build applications is called a resolver. The popular pip resolver generally picks the most recent version of each library, but is sophisticated enough to consider the dependencies of dependencies in a hierarchy called a dependency graph. pip can even backtrack and choose a different version of a library to handle version range specifications found by traversing the dependency graph.

When it comes to choosing the best version of a dependency, Thoth can do much more than pip. Here is an overview of Thoth with a particular eye to how it helps with security.

Thoth overview

Thoth considers many elements of a program's environment when installing dependencies: the CPU and operating system on which the program will run, metadata about the application's container such as that extracted by Skopeo, and even information about the GPU that a machine learning application will use. Thoth can take into account several other variables, but you can probably guess from the preceding list that Thoth was developed first to support machine learning in containers. The developer provides Thoth with information about the application's environment in a configuration file.

What advantages does the environment information give? It lets Thoth exclude versions of libraries with known vulnerabilities in the specified environment. A developer who notices that a build fails or has problems during a run can store information about what versions of dependencies to use or avoid in a specification called a prescription, consulted by Thoth for future users.

Thoth can even run tests on programs and their environments. Currently, it uses Clair to run static testing over the content of container images and stores information about the vulnerabilities found. In the future, Thoth's developers plan to run actual applications with various combinations of library versions, using a project from the Python Code Quality Authority (PyCQA) named Bandit. Thoth will run Bandit on each package source code separately and combine results during the resolution process.

The different versions of the various libraries can cause a combinatorial explosion (too many possible combinations to test them all). Thoth, therefore, models dependency resolution as a Markov Decision Process (MDP) to decide on the most productive subset to run.

Sometimes security is not the primary concern. For instance, perhaps you plan to run a program in a private network isolated from the Internet. In that case, you can tell Thoth to prioritize some other benefit, such as performance or stability, over security.

Thoth stores its dependency choices in a lock file. Lock files "lock in" particular versions of particular dependencies. Without the lock files, subtle security vulnerabilities and other bugs can creep into the production application. In the worst case, without locking, users can be confronted with so-called "dependency confusion attacks".

For instance, a resolver might choose to get a library from an index with a buggy version because the index from which the resolver usually gets the dependency is temporarily unavailable.

Another risk is that an attacker might bump up a library's version number in an index, causing a resolver to pick that version because it is the most recent one. The desired version exists in a different index but is overlooked in favor of the one that seems more up-to-date.

Wrap-up

Thoth is a complicated and growing collection of open source tools. The basic principles behind its dependency resolutions can be an inspiration for other projects. Those principles are:

  1. A resolver should routinely check for vulnerabilities by scraping sites such as the CVE database, running static checks, and drawing on any other sources of information. The results must be stored in a database.
  2. The resolver has to look through the dependencies of dependencies and backtrack when it finds that some bug or security flaw calls for changing a decision that the resolver made earlier.
  3. The resolver's findings and information passed back by the developers using the resolver should be stored and used in future decisions.
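The three principles in working form, as an added illustration that is not Thoth's or pip's code: a toy resolver that queries an advisory store, backtracks through dependencies of dependencies when a choice leads to a blocked version, and carries forward prescriptions recorded from earlier builds, writing the result as a lock file. The package index, advisory table and prescription are constructed sample data; versions are plain integers and ranges are inclusive, where a real resolver would handle PEP 440 specifiers.

```python
"""Toy backtracking resolver that avoids known-vulnerable versions.

Added example, not Thoth's code. INDEX, ADVISORIES and the prescription in
__main__ are constructed sample data.
"""

# Constructed index: package -> {version: {dependency: (lowest, highest)}}
INDEX = {
    "app": {1: {"web": (1, 3), "json": (1, 3)}},
    "web": {
        3: {"json": (3, 3)},   # newest web works only with json 3
        2: {"json": (2, 3)},
        1: {"json": (1, 3)},
    },
    "json": {3: {}, 2: {}, 1: {}},
}

# Principle 1: vulnerability findings live in a store the resolver queries.
# Constructed entry: pretend json 3 has a known flaw.
ADVISORIES = {"json": {3}}


def blocked(pkg, version, prescriptions):
    """A version is unusable if an advisory or a prescription names it."""
    return (version in ADVISORIES.get(pkg, set())
            or version in prescriptions.get(pkg, set()))


def candidates(pkg, lo, hi, prescriptions):
    """Usable versions of pkg in [lo, hi], newest first (pip's preference)."""
    return [v for v in sorted(INDEX[pkg], reverse=True)
            if lo <= v <= hi and not blocked(pkg, v, prescriptions)]


def resolve(pkg, lo, hi, chosen, prescriptions):
    """Principle 2: depth-first resolution with backtracking.

    chosen maps packages already pinned on this path to their version.
    Returns a complete pin map, or None when no combination satisfies every
    range without touching a blocked version.
    """
    if pkg in chosen:                       # already pinned: must fit the range
        return chosen if lo <= chosen[pkg] <= hi else None
    for version in candidates(pkg, lo, hi, prescriptions):
        trial = dict(chosen, **{pkg: version})
        for dep, (dlo, dhi) in INDEX[pkg][version].items():
            trial = resolve(dep, dlo, dhi, trial, prescriptions)
            if trial is None:
                break                       # conflict below: try an older pkg
        else:
            return trial                    # every dependency satisfied
    return None


def lock(root, prescriptions=None):
    """Resolve root and return its pins, or None if resolution fails.

    Principle 3: prescriptions are versions developers reported as broken in
    their environment; they are carried into every future resolution.
    """
    versions = INDEX[root]
    return resolve(root, min(versions), max(versions), {}, prescriptions or {})


def lock_file(pins):
    """Render pins as requirement lines so the choice is reproducible."""
    return "\n".join(f"{pkg}=={ver}" for pkg, ver in sorted(pins.items()))


if __name__ == "__main__":
    # web 3 is skipped: it needs json 3, which the advisory store blocks.
    print(lock_file(lock("app")))
    # Constructed prescription: a developer found web 2 broken on their image.
    print(lock_file(lock("app", {"web": {2}})))
```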

In short, with the wealth of information about security vulnerabilities available these days, we can automate dependency resolution and produce safer applications.

Project Thoth pulls together many open source tools to automate program builds with security checks as part of the resolution process.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

Andy Oram, Arlington, Massachusetts, USA

Andy is a writer and editor in the computer field. His editorial projects at O'Reilly Media ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. Andy also writes often on health IT, on policy issues related to the Internet, and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM (Brussels), DebConf, and LibrePlanet. Andy participates in the Association for Computing Machinery's policy organization, named USTPC, and is on the editorial board of the Linux Professional Institute.


Red Hat named to Fortune’s 100 Best Companies to Work For list for the fourth year in a row

Red Hat News - Mon, 04/11/2022 - 12:00

We’re proud to share that Red Hat has been included on Fortune 100 Best Companies to Work For 2022, produced by Great Places to Work and published by Fortune, for the fourth consecutive year. Red Hat is ranked No. 34. 

Installation and Review of Qubes Linux [Lightweight Distro]

Tecmint - Mon, 04/11/2022 - 11:44
The post Installation and Review of Qubes Linux [Lightweight Distro] first appeared on Tecmint: Linux Howtos, Tutorials & Guides.

This article will talk about the installation and setup process of Qubes Linux. It will also talk about how to test and evaluate the security features of Qubes Linux. Finally, it will offer a


Linux 5.18-rc2 Released With The Kernel So Far Looking "Fairly Normal"

Phoronix - Mon, 04/11/2022 - 08:58
Following last week's first release candidate of Linux 5.18 that capped off the two week merge window, Linux 5.18-rc2 was just issued as the newest weekly release candidate...

Reiser5 Issues New Development Release, Performance Numbers For Scaling Out

Phoronix - Mon, 04/11/2022 - 00:28
While Reiser4 never made it to mainline and has lacked any major corporate backing, and Linux 5.18 is deprecating the older ReiserFS driver for removal later on, former Namesys developer Edward Shishkin continues progressing development on "Reiser5" as the evolution of Reiser4. Out today is the newest Reiser5 snapshot and some performance numbers from Shishkin...
