Planet GNU https://planet.gnu.org/ en Planet GNU - https://planet.gnu.org/ FSF Blogs: Help us meet our goal of thirty-three new associate members by July 26 http://www.fsf.org/blogs/community/help-us-meet-our-goal-of-thirty-three-new-associate-members-by-july-26 http://www.fsf.org/blogs/community/help-us-meet-our-goal-of-thirty-three-new-associate-members-by-july-26 Tue, 23 Jul 2024 22:15:00 +0000 GNU Guix: The European Union must keep funding free software https://guix.gnu.org/blog/2024/the-european-union-must-keep-funding-free-software// https://guix.gnu.org/blog/2024/the-european-union-must-keep-funding-free-software// <p>Guix is the fruit of a combination of volunteer work by an amazing number of people, work paid for by employers, but also work sponsored by public institutions. The European Commission’s <a href="https://www.ngi.eu">Next Generation Internet</a> (NGI) calls have been instrumental in that regard. News that NGI funding could vanish came to us as a warning signal.</p><p>Since 2020, NGI has supported many free software projects, allowing for significant strides on important topics that would otherwise be hard to fund. 
As an example, here are some of the NGI grants that directly benefited Guix and related projects:</p><ul><li>the <a href="https://nlnet.nl/project/GNUMes-fullsource">full-source bootstrap</a>, which includes groundwork not just in Guix but crucially in <a href="https://www.gnu.org/software/mes">Mes</a> and sister projects (<a href="https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/">blog post</a>);</li><li><a href="https://nlnet.nl/project/Guix-Riscv64/">porting Guix to the RISC-V architecture</a>;</li><li><a href="https://nlnet.nl/project/GNUMes-RISCV/">porting GNU Mes and associated projects to RISC-V</a> and <a href="https://nlnet.nl/project/GNUMes-ARM_RISC-V">AArch64</a>;</li><li><a href="https://nlnet.nl/project/GNUMes-RISCV-bootstrap/">porting the full-source bootstrap to the RISC-V architecture</a>;</li><li>the <a href="https://nlnet.nl/project/Cuirass">Cuirass continuous integration tool</a> (<a href="https://guix.gnu.org/en/blog/2021/cuirass-10-released/">blog post</a>);</li><li>the <a href="https://nlnet.nl/project/GuixDaemon-Guile/">Guile implementation of the Guix build daemon</a> (<a href="https://guix.gnu.org/en/blog/2023/a-build-daemon-in-guile/">blog post</a>);</li><li><a href="https://nlnet.nl/project/DistributedShepherd/">distributed system daemon management with the Shepherd and Goblins</a>, under the aegis of the Spritely Institute (<a href="https://spritely.institute/news/spritely-nlnet-grants-december-2023.html">blog post</a>).</li><li>a <a href="https://nlnet.nl/project/Whippet/">new garbage collector for Guile</a>, the Scheme implementation that Guix builds upon.</li></ul><p>Over the years, NGI has more than demonstrated that public financial support for free software development makes a difference. 
We strongly believe that this support must continue, that it must strengthen the development of innovative software where user autonomy and freedom is a central aspect.</p><p>For these reasons, the Guix project joins a growing number of projects and organizations in signing the following open letter to the European Commission.</p><blockquote><p>The open letter below was initially published by <a href="https://ps.zoethical.org/pub/lettre-publique-aux-ncp-au-sujet-de-ngi/">petites singularités</a>. English translation provided by <a href="https://www.ow2.org/view/Events/The_European_Union_must_keep_funding_free_software_open_letter">OW2</a>.</p></blockquote><h2>Open Letter to the European Commission</h2><p>Since 2020, Next Generation Internet (<a href="https://www.ngi.eu">NGI</a>) programmes, part of European Commission's Horizon programme, fund free software in Europe using a cascade funding mechanism (see for example NLnet's <a href="https://www.nlnet.nl/commonsfund">calls</a>). This year, according to the Horizon Europe working draft detailing funding programmes for 2025, we notice that Next Generation Internet is not mentioned any more as part of Cluster 4.</p><p>NGI programmes have shown their strength and importance to supporting the European software infrastructure, as a generic funding instrument to fund digital commons and ensure their long-term sustainability. We find this transformation incomprehensible, moreover when NGI has proven efficient and economical to support free software as a whole, from the smallest to the most established initiatives. 
This ecosystem diversity backs the strength of European technological innovation, and maintaining the NGI initiative to provide structural support to software projects at the heart of worldwide innovation is key to enforce the sovereignty of a European infrastructure. Contrary to common perception, technical innovations often originate from European rather than North American programming communities, and are mostly initiated by small-scaled organisations.</p><p>Previous Cluster 4 allocated 27 million euros to:</p><ul><li>"Human centric Internet aligned with values and principles commonly shared in Europe" ;</li><li>"A flourishing internet, based on common building blocks created within NGI, that enables better control of our digital life" ;</li><li>"A structured ecosystem of talented contributors driving the creation of new internet commons and the evolution of existing internet commons".</li></ul><p>In the name of these challenges, more than 500 projects received NGI funding in the first 5 years, backed by 18 organisations managing these European funding consortia.</p><p>NGI contributes to a vast ecosystem, as most of its budget is allocated to fund third parties by the means of open calls, to structure commons that cover the whole Internet scope - from hardware to application, operating systems, digital identities or data traffic supervision. This third-party funding is not renewed in the current program, leaving many projects short on resources for research and innovation in Europe.</p><p>Moreover, NGI allows exchanges and collaborations across all the Euro zone countries as well as "widening countries"¹, currently both a success and an ongoing progress, likewise the Erasmus programme before us. NGI also contributes to opening and supporting longer relationships than strict project funding does. 
It encourages implementing projects funded as pilots, backing collaboration, identification and reuse of common elements across projects, interoperability in identification systems and beyond, and setting up development models that mix diverse scales and types of European funding schemes.</p><p>While the USA, China or Russia deploy huge public and private resources to develop software and infrastructure that massively capture private consumer data, the EU can't afford this renunciation. Free and open source software, as supported by NGI since 2020, is by design the opposite of potential vectors for foreign interference. It lets us keep our data local and favors a community-wide economy and know-how, while allowing an international collaboration.</p><p>This is all the more essential in the current geopolitical context: the challenge of technological sovereignty is central, and free software allows to address it while acting for peace and sovereignty in the digital world as a whole.</p><p>In this perspective, we urge you to claim for preserving the NGI programme as part of the 2025 funding programme.</p><p>¹ As defined by Horizon Europe, widening Member States are Bulgaria, Croatia, Cyprus, Czechia, Estonia, Greece, Hungary, Latvia, Lithuania, Malta, Poland, Portugal, Romania, Slovakia, and Slovenia. Widening associated countries (under condition of an association agreement) include Albania, Armenia, Bosnia, Faroe Islands, Georgia, Kosovo, Moldavia, Montenegro, Morocco, North Macedonia, Serbia, Tunisia, Türkiye, and Ukraine. 
Widening overseas regions are Guadeloupe, French Guyana, Martinique, Reunion Island, Mayotte, Saint-Martin, The Azores, Madeira, the Canary Islands.</p> Tue, 23 Jul 2024 15:46:49 +0000 libc @ Savannah: The GNU C Library version 2.40 is now available https://savannah.gnu.org/news/?id=10658 https://savannah.gnu.org/news/?id=10658 <p>The GNU C Library<br />=================<br /><br />The GNU C Library version 2.40 is now available.<br /><br />The GNU C Library is used as <b>the</b> C library in the GNU system and<br />in GNU/Linux systems, as well as many other systems that use Linux<br />as the kernel.<br /><br />The GNU C Library is primarily designed to be a portable<br />and high performance C library.  It follows all relevant<br />standards including ISO C11 and POSIX.1-2017.  It is also<br />internationalized and has one of the most complete<br />internationalization interfaces known.<br /><br />The GNU C Library webpage is at <a href="http://www.gnu.org/software/libc/">http://www.gnu.org/software/libc/</a><br /><br />Packages for the 2.40 release may be downloaded from:<br />        <a href="http://ftpmirror.gnu.org/libc/">http://ftpmirror.gnu.org/libc/</a><br />        <a href="http://ftp.gnu.org/gnu/libc/">http://ftp.gnu.org/gnu/libc/</a><br /><br />The mirror list is at <a href="http://www.gnu.org/order/ftp.html">http://www.gnu.org/order/ftp.html</a><br /><br />Distributions are encouraged to track the release/* branches<br />corresponding to the releases they are using.  The release<br />branches will be updated with conservative bug fixes and new<br />features while retaining backwards compatibility.<br /><br />NEWS for version 2.40<br />=====================<br /><br />Major new features:<br /><br /></p><ul><li>The &lt;stdbit.h&gt; header type-generic macros have been changed when using</li></ul><p>  GCC 14.1 or later to use __builtin_stdc_bit_ceil etc. 
built-in functions<br />  in order to support unsigned __int128 and/or unsigned _BitInt(N) operands<br />  with arbitrary precisions when supported by the target.<br /><br /></p><ul><li>The GNU C Library now supports a feature test macro _ISOC23_SOURCE to</li></ul><p>  enable features from the ISO C23 standard.  Only some features from<br />  this standard are supported by the GNU C Library.  The older name<br />  _ISOC2X_SOURCE is still supported.  Features from C23 are also enabled<br />  by _GNU_SOURCE, or by compiling with the GCC options -std=c23,<br />  -std=gnu23, -std=c2x or -std=gnu2x.<br /><br /></p><ul><li>The following ISO C23 function families (introduced in TS</li></ul><p>  18661-4:2015) are now supported in &lt;math.h&gt;.  Each family includes<br />  functions for float, double, long double, _FloatN and _FloatNx, and a<br />  type-generic macro in &lt;tgmath.h&gt;.<br /><br />  - Exponential functions: exp2m1, exp10m1.<br /><br />  - Logarithmic functions: log2p1, log10p1, logp1.<br /><br /></p><ul><li>A new tunable, glibc.rtld.enable_secure, can be used to run a program</li></ul><p>  as if it were a setuid process. This is currently a testing tool to allow<br />  more extensive verification tests for AT_SECURE programs and not meant to<br />  be a security feature.<br /><br /></p><ul><li>On Linux, the epoll header was updated to include epoll ioctl definitions</li></ul><p>  and the related structure added in Linux kernel 6.9.<br /><br /></p><ul><li>The fortify functionality has been significantly enhanced for building</li></ul><p>  programs with clang against the GNU C Library.<br /><br /></p><ul><li>Many functions have been added to the vector library for aarch64:</li></ul><p>    acosh, asinh, atanh, cbrt, cosh, erf, erfc, hypot, pow, sinh, tanh<br /><br /></p><ul><li>On x86, memset can now use non-temporal stores to improve the performance</li></ul><p>  of large writes. 
This behaviour is controlled by a new tunable<br />  x86_memset_non_temporal_threshold.<br /><br />Deprecated and removed features, and other changes affecting compatibility:<br /><br /></p><ul><li>Architectures which use a 32-bit seconds-since-epoch field in struct</li></ul><p>  lastlog, struct utmp, struct utmpx (such as i386, powerpc64le, rv32,<br />  rv64, x86-64) switched from a signed to an unsigned type for that<br />  field.  This allows these fields to store timestamps beyond the year<br />  2038, until the year 2106.  Please note that applications are still<br />  expected to migrate off the interfaces declared in &lt;utmp.h&gt; and<br />  &lt;utmpx.h&gt; (except for login_tty) due to locking and session management<br />  problems.<br /><br /></p><ul><li>__rseq_size now denotes the size of the active rseq area (20 bytes</li></ul><p>  initially), not the size of struct rseq (32 bytes initially).<br /><br />Security related changes:<br /><br />The following CVEs were fixed in this release, details of which can be<br />found in the advisories directory of the release tarball:<br /><br />  GLIBC-SA-2024-0004:<br />    ISO-2022-CN-EXT: fix out-of-bound writes when writing escape<br />    sequence (CVE-2024-2961)<br /><br />  GLIBC-SA-2024-0005:<br />    nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599)<br /><br />  GLIBC-SA-2024-0006:<br />    nscd: Null pointer crash after notfound response (CVE-2024-33600)<br /><br />  GLIBC-SA-2024-0007:<br />    nscd: netgroup cache may terminate daemon on memory allocation<br />    failure (CVE-2024-33601)<br /><br />  GLIBC-SA-2024-0008:<br />    nscd: netgroup cache assumes NSS callback uses in-buffer strings<br />    (CVE-2024-33602)<br /><br />The following bugs were resolved with this release:<br /><br />  [19622] network: Support aliasing with struct sockaddr<br />  [21271] localedata: cv_RU: update translations<br />  [23774] localedata: lv_LV collates Y/y incorrectly<br />  [23865] string: 
wcsstr is quadratic-time<br />  [25119] localedata: Change Czech weekday names to lowercase<br />  [27777] stdio: fclose does a linear search, takes ages when many FILE*<br />    are opened<br />  [29770] libc: prctl does not match manual page ABI on powerpc64le-<br />    linux-gnu<br />  [29845] localedata: Update hr_HR locale currency to €<br />  [30701] time: getutxent misbehaves on 32-bit x86 when _TIME_BITS=64<br />  [31316] build: Fails test misc/tst-dirname "Didn't expect signal from<br />    child: got `Illegal instruction'" on non SSE CPUs<br />  [31317] dynamic-link: [RISCV] static PIE crashes during self<br />    relocation<br />  [31325] libc: mips: clone3 is wrong for o32<br />  [31335] math: Compile glibc with -march=x86-64-v3 should disable FMA4<br />    multi-arch version<br />  [31339] libc: arm32 loader crash after cleanup in 2.36<br />  [31340] manual: A bad sentence in section 22.3.5 (resource.texi)<br />  [31357] dynamic-link: $(objpfx)tst-rtld-list-diagnostics.out rule<br />    doesn't work with test wrapper<br />  [31370] localedata: wcwidth() does not treat<br />    DEFAULT_IGNORABLE_CODE_POINTs as zero-width<br />  [31371] dynamic-link: x86-64: APX and Tile registers aren't preserved<br />    in ld.so trampoline<br />  [31372] dynamic-link: _dl_tlsdesc_dynamic doesn't preserve all caller-<br />    saved registers<br />  [31383] libc: _FORTIFY_SOURCE=3 and __fortified_attr_access vs size of<br />    0 and zero size types<br />  [31385] build: sort-makefile-lines.py doesn't check variable with _<br />    nor with "^# variable"<br />  [31402] libc: clone (NULL, NULL, ...) 
clobbers %r7 register on<br />    s390{,x}<br />  [31405] libc: Improve dl_iterate_phdr using _dl_find_object<br />  [31411] localedata: Add Latgalian locale<br />  [31412] build: GCC 6 failed to build i386 glibc on Fedora 39<br />  [31429] build: Glibc failed to build with -march=x86-64-v3<br />  [31468] libc: sigisemptyset returns true when the set contains signals<br />    larger than 34<br />  [31476] network: Automatic activation of single-request options break<br />    resolv.conf reloading<br />  [31479] libc: Missing #include &lt;sys/rseq.h&gt; in sched_getcpu.c may<br />    result in a loss of rseq acceleration<br />  [31501] dynamic-link: _dl_tlsdesc_dynamic_xsavec may clobber %rbx<br />  [31518] manual: documentation: FLT_MAX_10_EXP questionable text, evtl.<br />    wrong,<br />  [31530] localedata: Locale file for Moksha - mdf_RU<br />  [31553] malloc: elf/tst-decorate-maps fails on ppc64el<br />  [31596] libc: On the llvm-arm32 platform, dlopen("not_exist.so", -1)<br />    triggers segmentation fault<br />  [31600] math: math: x86 ceill traps when FE_INEXACT is enabled<br />  [31601] math: math: x86 floor traps when FE_INEXACT is enabled<br />  [31603] math: math: x86 trunc traps when FE_INEXACT is enabled<br />  [31612] libc: arc4random fails to fallback to /dev/urandom if<br />    getrandom is not present<br />  [31629] build: powerpc64: Configuring with "--with-cpu=power10" and<br />    'CFLAGS=-O2 -mcpu=power9' fails to build glibc<br />  [31640] dynamic-link: POWER10 ld.so crashes in<br />    elf_machine_load_address with GCC 14<br />  [31661] libc: NPROCESSORS_CONF and NPROCESSORS_ONLN not available in<br />    getconf<br />  [31676] dynamic-link: Configuring with CC="gcc -march=x86-64-v3"<br />    --with-rtld-early-cflags=-march=x86-64 results in linker failure<br />  [31677] nscd: nscd: netgroup cache: invalid memcpy under low<br />    memory/storage conditions<br />  [31678] nscd: nscd: Null pointer dereferences after failed netgroup<br />    
cache insertion<br />  [31679] nscd: nscd: netgroup cache may terminate daemon on memory<br />    allocation failure<br />  [31680] nscd: nscd: netgroup cache assumes NSS callback uses in-buffer<br />    strings<br />  [31682] math: [PowerPC] Floating point exception error for math test<br />    test-ceil-except-2 test-floor-except-2 test-trunc-except-2<br />  [31686] dynamic-link: Stack-based buffer overflow in<br />    parse_tunables_string<br />  [31695] libc: pidfd_spawn/pidfd_spawnp leak an fd if clone3 succeeds<br />    but execve fails<br />  [31719] dynamic-link: --enable-hardcoded-path-in-tests doesn't work<br />    with -Wl,--enable-new-dtags<br />  [31730] libc: backtrace_symbols_fd prints different strings than<br />    backtrace_symbols returns<br />  [31753] build: FAIL: link-static-libc with GCC 6/7/8<br />  [31755] libc: procutils_read_file doesn't start with a leading<br />    underscore<br />  [31756] libc: write_profiling is only in libc.a<br />  [31757] build: Should XXXf128_do_not_use functions be excluded?<br />  [31759] math: Extra nearbyint symbols in libm.a<br />  [31760] math: Missing math functions<br />  [31764] build: _res_opcodes should be a compat symbol only<br />  [31765] dynamic-link: _dl_mcount_wrapper is exported without prototype<br />  [31766] stdio: <i>IO_stderr</i> _IO_stdin_ _IO_stdout should be compat<br />    symbols<br />  [31768] string: Extra stpncpy symbol in libc.a<br />  [31770] libc: clone3 is in libc.a<br />  [31774] libc: Missing __isnanf128 in libc.a<br />  [31775] math: Missing exp10 exp10f32x exp10f64 fmod fmodf fmodf32<br />    fmodf32x fmodf64 in libm.a<br />  [31777] string: Extra memchr strlen symbols in libc.a<br />  [31781] math: Missing math functions in libm.a<br />  [31782] build: Test build failure with recent GCC trunk (x86/tst-cpu-<br />    features-supports.c:69:3: error: parameter to builtin not valid:<br />    avx5124fmaps)<br />  [31785] string: loongarch: Extra strnlen symbols in libc.a<br />  
[31786] string: powerpc: Extra strchrnul and strncasecmp_l symbols in<br />    libc.a<br />  [31787] math: powerpc: Extra llrintf, llrintf, llrintf32, and<br />    llrintf32 symbols in libc.a<br />  [31788] libc: microblaze: Extra cacheflush symbol in libc.a<br />  [31789] libc: powerpc: Extra versionsort symbol in libc.a<br />  [31790] libc: s390: Extra getutent32, getutent32_r, getutid32,<br />    getutid32_r, getutline32, getutline32_r, getutmp32, getutmpx32,<br />    getutxent32, getutxid32, getutxline32, pututline32, pututxline32,<br />    updwtmp32, updwtmpx32 in libc.a<br />  [31797] build: g++ -static requirement should be able to opt-out<br />  [31798] libc: pidfd_getpid.c is miscompiled by GCC 6.4<br />  [31802] time: difftime is pure not const<br />  [31808] time: The supported time_t range is not documented.<br />  [31840] stdio: Memory leak in _IO_new_fdopen (fdopen) on seek failure<br />  [31867] build: "CPU ISA level is lower than required" on SSE2-free<br />    CPUs<br />  [31876] time: "Date and time" documentation fixes for POSIX.1-2024 etc<br />  [31883] build: ISA level support configure check relies on bashism /<br />    is otherwise broken for arithmetic<br />  [31892] build: Always install mtrace.<br />  [31917] libc: clang mq_open fortify wrapper does not handle 4 argument<br />    correctly<br />  [31927] libc: clang open fortify wrapper does not handle argument<br />    correctly<br />  [31931] time: tzset may fault on very short TZ string<br />  [31934] string: wcsncmp crash on s390x on vlbb instruction<br />  [31963] stdio: Crash in _IO_link_in within __gcov_exit<br />  [31965] dynamic-link: rseq extension mechanism does not work as<br />    intended<br />  [31980] build: elf/tst-tunables-enable_secure-env fails on ppc<br /><br />Release Notes<br />=============<br /><br /><a href="https://sourceware.org/glibc/wiki/Release/2.40">https://sourceware.org/glibc/wiki/Release/2.40</a><br /><br />Contributors<br />============<br /><br />This 
release was made possible by the contributions of many people.<br />The maintainers are grateful to everyone who has contributed<br />changes or bug reports.  These include:<br /><br />Adam Sampson<br />Adhemerval Zanella<br />Alejandro Colomar<br />Alexandre Ferrieux<br />Amrita H S<br />Andreas K. Hüttel<br />Andreas Schwab<br />Andrew Pinski<br />Askar Safin<br />Aurelien Jarno<br />Avinal Kumar<br />Carlos Llamas<br />Carlos O'Donell<br />Charles Fol<br />Christoph Müllner<br />DJ Delorie<br />Daniel Cederman<br />Darius Rad<br />David Paleino<br />Dragan Stanojević (Nevidljivi)<br />Evan Green<br />Fangrui Song<br />Flavio Cruz<br />Florian Weimer<br />Gabi Falk<br />H.J. Lu<br />Jakub Jelinek<br />Jan Kurik<br />Joe Damato<br />Joe Ramsay<br />Joe Simmons-Talbott<br />Joe Talbott<br />John David Anglin<br />Joseph Myers<br />Jules Bertholet<br />Julian Zhu<br />Junxian Zhu<br />Konstantin Kharlamov<br />Luca Boccassi<br />Maciej W. Rozycki<br />Manjunath Matti<br />Mark Wielaard<br />MayShao-oc<br />Meng Qinggang<br />Michael Jeanson<br />Michel Lind<br />Mike FABIAN<br />Mohamed Akram<br />Noah Goldstein<br />Palmer Dabbelt<br />Paul Eggert<br />Philip Kaludercic<br />Samuel Dobron<br />Samuel Thibault<br />Sayan Paul<br />Sergey Bugaev<br />Sergey Kolosov<br />Siddhesh Poyarekar<br />Simon Chopin<br />Stafford Horne<br />Stefan Liebler<br />Sunil K Pandey<br />Szabolcs Nagy<br />Wilco Dijkstra<br />Xi Ruoyao<br />Xin Wang<br />Yinyu Cai<br />YunQiang Su<br /><br />We would like to call out the following and thank them for their<br />tireless patch review:<br /><br />Adhemerval Zanella<br />Alejandro Colomar<br />Andreas K. Hüttel<br />Arjun Shankar<br />Aurelien Jarno<br />Bruno Haible<br />Carlos O'Donell<br />DJ Delorie<br />Dmitry V. Levin<br />Evan Green<br />Fangrui Song<br />Florian Weimer<br />H.J. 
Lu<br />Jonathan Wakely<br />Joseph Myers<br />Mathieu Desnoyers<br />Maxim Kuvyrkov<br />Michael Jeanson<br />Noah Goldstein<br />Palmer Dabbelt<br />Paul Eggert<br />Paul E. Murphy<br />Peter Bergner<br />Philippe Mathieu-Daudé<br />Sam James<br />Siddhesh Poyarekar<br />Simon Chopin<br />Stefan Liebler<br />Sunil K Pandey<br />Szabolcs Nagy<br />Xi Ruoyao<br />Zack Weinberg<br /><br />--<br />Andreas K. Hüttel<br /><a href="mailto:dilfridge@gentoo.org">dilfridge@gentoo.org</a><br />Gentoo Linux developer<br />(council, toolchain, base-system, perl, releng)<br /><a href="https://wiki.gentoo.org/wiki/User:Dilfridge">https://wiki.gentoo.org/wiki/User:Dilfridge</a><br /><a href="https://www.akhuettel.de/">https://www.akhuettel.de/</a><br /></p> Mon, 22 Jul 2024 14:29:11 +0000 parallel @ Savannah: GNU Parallel 20240722 ('Assange') released [stable] https://savannah.gnu.org/news/?id=10657 https://savannah.gnu.org/news/?id=10657 <p>GNU Parallel 20240722 ('Assange') has been released. It is available for download at: lbry://@GnuParallel:4<br /><br />Quote of the month:<br /><br />  parallel is frickin great for launching jobs on multiple<br />  machines. Ansible and Jenkins and others may be good too but I was<br />  able to jump right in with parallel.<br />    -- dwhite21787@reddit<br />  <br />New in this release:<br /></p><ul><li>No new features. 
This is a candidate for a stable release.</li><li>Bug fixes and man page updates.</li></ul><p><br />News about GNU Parallel:<br /></p><ul><li>Scientific Workflows at Scale using GNU Parallel <a href="https://web.cvent.com/event/f318e73c-2230-432a-a044-b75625020543/websitePage:afd80266-008e-414b-9f94-2fd9b4dd1924?session=fe79a785-ec60-414c-8d2b-c29208f53d4c&amp;shareLink=true">https://web.cvent.com/event/f318e73c-2230-432a-a044-b75625020543/websitePage:afd80266-008e-414b-9f94-2fd9b4dd1924?session=fe79a785-ec60-414c-8d2b-c29208f53d4c&amp;shareLink=true</a></li><li>Use GNU Parallel to render blender movies distributed by a bunch of nodes <a href="https://github.com/tfmoraes/blender_gnu_parallel_render">https://github.com/tfmoraes/blender_gnu_parallel_render</a></li><li>Lessons Learned from Scaling to Multi-Terabyte Datasets <a href="https://v2thegreat.com/2024/06/19/lessons-learned-from-scaling-to-multi-terabyte-datasets/">https://v2thegreat.com/2024/06/19/lessons-learned-from-scaling-to-multi-terabyte-datasets/</a></li><li>Efisiensi Maksimal: Cara Paralelisasi Perintah di CLI Linux <a href="https://medium.com/@nfrozi/efisiensi-maksimal-cara-paralelisasi-perintah-di-cli-linux-f4fda3afe2a0">https://medium.com/@nfrozi/efisiensi-maksimal-cara-paralelisasi-perintah-di-cli-linux-f4fda3afe2a0</a></li><li>Introduction to GNU parallel <a href="https://datascience.101workbook.org/06-hpc/06-parallel/01-intro-to-gnu-parallel/#gsc.tab=0">https://datascience.101workbook.org/06-hpc/06-parallel/01-intro-to-gnu-parallel/#gsc.tab=0</a></li></ul><p><br />GNU Parallel - For people who live life in the parallel lane.<br /><br />If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.<br /><br /><br /></p><h2>About GNU Parallel</h2><p><br />GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. 
A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.<br /><br />If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.<br /><br />GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.<br /><br />For example you can run this to convert all jpeg files into png and gif files and have a progress bar:<br /><br />  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif<br /><br />Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:<br /><br />  find . 
-name '*.jpg' |<br />    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200<br /><br />You can find more about GNU Parallel at: <a href="http://www.gnu.org/s/parallel/">http://www.gnu.org/s/parallel/</a><br /><br />You can install GNU Parallel in just 10 seconds with:<br /><br />    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \<br />       fetch -o - <a href="http://pi.dk/3">http://pi.dk/3</a> ) &gt; install.sh<br />    $ sha1sum install.sh | grep 883c667e01eed62f975ad28b6d50e22a<br />    12345678 883c667e 01eed62f 975ad28b 6d50e22a<br />    $ md5sum install.sh | grep cc21b4c943fd03e93ae1ae49e28573c0<br />    cc21b4c9 43fd03e9 3ae1ae49 e28573c0<br />    $ sha512sum install.sh | grep ec113b49a54e705f86d51e784ebced224fdff3f52<br />    79945d9d 250b42a4 2067bb00 99da012e c113b49a 54e705f8 6d51e784 ebced224<br />    fdff3f52 ca588d64 e75f6033 61bd543f d631f592 2f87ceb2 ab034149 6df84a35<br />    $ bash install.sh<br /><br />Watch the intro video on <a href="http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1">http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1</a><br /><br />Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.<br /><br />When using programs that use GNU Parallel to process data for publication please cite:<br /><br />O. 
Tange (2018): GNU Parallel 2018, March 2018, <a href="https://doi.org/10.5281/zenodo.1146014">https://doi.org/10.5281/zenodo.1146014</a>.<br /><br />If you like GNU Parallel:<br /><br /></p><ul><li>Give a demo at your local user group/team/colleagues</li><li>Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists</li><li>Get the merchandise <a href="https://gnuparallel.threadless.com/designs/gnu-parallel">https://gnuparallel.threadless.com/designs/gnu-parallel</a></li><li>Request or write a review for your favourite blog or magazine</li><li>Request or build a package for your favourite distribution (if it is not already there)</li><li>Invite me for your next conference</li></ul><p><br />If you use programs that use GNU Parallel for research:<br /><br /></p><ul><li>Please cite GNU Parallel in your publications (use --citation)</li></ul><p><br />If GNU Parallel saves you money:<br /><br /></p><ul><li>(Have your company) donate to FSF <a href="https://my.fsf.org/donate/">https://my.fsf.org/donate/</a></li></ul><p><br /><br /></p><h2>About GNU SQL</h2><p><br />GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.<br /><br />The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.<br /><br />When using GNU SQL for a publication please cite:<br /><br />O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.<br /><br /><br /></p><h2>About GNU Niceload</h2><p><br />GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. 
When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.<br /></p> Sun, 21 Jul 2024 03:01:50 +0000 GNUnet News: DHT Technical Specification Milestone 5 https://gnunet.org/en/news/2024-07-DHTSpec2.html https://gnunet.org/en/news/2024-07-DHTSpec2.html <article id="newspost-content"><h1>DHT Technical Specification Milestone 5</h1><p>We are happy to announce the completion of milestone 5 for the DHT specification. The general objective is to provide a detailed and comprehensive guide for implementors of the GNUnet DHT "R<sup>5</sup>N". As part of this milestone, the specification was updated and interoperability testing conducted. We submitted the draft to the Independent Stream Editor (ISE) who is going to decide if it will be adopted and shepherded through the RFC process.</p><p>The current protocol is implemented as part of GNUnet and gnunet-go as <a href="https://lists.gnu.org/archive/html/gnunet-developers/2022-06/msg00019.html">announced on the mailing list when the previous implementation milestones were finished</a>.</p><p><b>We again invite any interested party to read the document and provide critical review and feedback. This greatly helps us to improve the protocol and help future implementations. 
Contact us at <a href="mailto:gnunet-developers@gnunet.org">the gnunet-developers mailing list</a></b>.</p><ul><li><a href="https://lsd.gnunet.org/lsd0004/draft-schanzen-r5n.txt">Plain text version</a></li><li><a href="https://lsd.gnunet.org/lsd0004/draft-schanzen-r5n.html">HTML version</a></li><li><a href="https://git.gnunet.org/lsd0004.git">Git sources</a></li></ul><p>This work is generously funded by <a href="https://nlnet.nl">NLnet</a> as part of their <a href="https://nlnet.nl/assure">NGI Assure fund</a>.</p></article> Sat, 20 Jul 2024 22:00:00 +0000 GNU Taler news: Video interview with Mikolai Gütschow on payments for the Internet of Things https://taler.net/en/news/2024-19.html https://taler.net/en/news/2024-19.html <article>On the occasion of the Point Zero Forum's Innovation Tour, Evgeny Grin has interviewed Mikolai Gütschow who designed and implemented solutions for the payments in the Internet of Things (IoT). </article> Fri, 19 Jul 2024 08:52:21 +0000 GNU Taler news: Video interview with Isidor Wallimann, creator of the Netzbon regional currency in Basel https://taler.net/en/news/2024-17.html https://taler.net/en/news/2024-17.html <article>On the occasion of the Point Zero Forum's Innovation Tour, Evgeny Grin has interviewed Isidor Wallimann who is introducing GNU Taler for the local currency Netzbon in Basel. </article> Thu, 18 Jul 2024 22:00:00 +0000 GNUnet News: The European Union must keep funding free software https://gnunet.org/en/news/2024-07-EU-continuing-NGI.html https://gnunet.org/en/news/2024-07-EU-continuing-NGI.html <article id="newspost-content"><h1>The European Union must keep funding free software</h1><p></p><p>The GNUnet project was granted NGI funding via <a href="https://nlnet.nl/">NLnet</a>. <a href="https://nlnet.nl/project/">Other</a> FOSS related projects also benefit from NGI funding. 
This funding is now at risk for future projects.</p><p><em>The following is an open letter initially published in French by the <a href="https://ps.zoethical.org/pub/lettre-publique-aux-ncp-au-sujet-de-ngi/">Petites Singularités</a> association. To co-sign it, please publish it on your website in your preferred language, then add yourself to <a href="https://pad.public.cat/lettre-NCP-NGI">this table</a>.</em></p><p>Open Letter to the European Commission.</p><p>Since 2020, Next Generation Internet (<a href="https://www.ngi.eu">NGI</a>) programmes, part of European Commission’s Horizon programme, fund free software in Europe using a cascade funding mechanism (see for example NLnet’s <a href="https://www.nlnet.nl/commonsfund">calls</a>). This year, according to the Horizon Europe working draft detailing funding programmes for 2025, we notice that Next Generation Internet is not mentioned any more as part of Cluster 4.</p><p>NGI programmes have shown their strength and importance to supporting the European software infrastructure, as a generic funding instrument to fund digital commons and ensure their long-term sustainability. We find this transformation incomprehensible, moreover when NGI has proven efficient and economical to support free software as a whole, from the smallest to the most established initiatives. 
This ecosystem diversity backs the strength of European technological innovation, and maintaining the NGI initiative to provide structural support to software projects at the heart of worldwide innovation is key to enforce the sovereignty of a European infrastructure. Contrary to common perception, technical innovations often originate from European rather than North American programming communities, and are mostly initiated by small-scaled organizations.</p><p>Previous Cluster 4 allocated 27 million euros to:</p><ul><li>“Human centric Internet aligned with values and principles commonly shared in Europe” ;</li><li>“A flourishing internet, based on common building blocks created within NGI, that enables better control of our digital life” ;</li><li>“A structured ecosystem of talented contributors driving the creation of new internet commons and the evolution of existing internet commons”.</li></ul><p>In the name of these challenges, more than 500 projects received NGI funding in the first 5 years, backed by 18 organisations managing these European funding consortia.</p><p>NGI contributes to a vast ecosystem, as most of its budget is allocated to fund third parties by the means of open calls, to structure commons that cover the whole Internet scope - from hardware to application, operating systems, digital identities or data traffic supervision. This third-party funding is not renewed in the current program, leaving many projects short on resources for research and innovation in Europe.</p><p>Moreover, NGI allows exchanges and collaborations across all the Euro zone countries as well as “widening countries”<sup id="fnref:1"><a class="footnote-ref" href="https://www.gnunet.org/en/rss.xml#fn:1">1</a></sup>, currently both a success and an ongoing progress, likewise the Erasmus programme before us. NGI also contributes to opening and supporting longer relationships than strict project funding does. 
It encourages implementing projects funded as pilots, backing collaboration, identification and reuse of common elements across projects, interoperability in identification systems and beyond, and setting up development models that mix diverse scales and types of European funding schemes.</p><p>While the USA, China or Russia deploy huge public and private resources to develop software and infrastructure that massively capture private consumer data, the EU can’t afford this renunciation. Free and open source software, as supported by NGI since 2020, is by design the opposite of potential vectors for foreign interference. It lets us keep our data local and favors a community-wide economy and know-how, while allowing an international collaboration. This is all the more essential in the current geopolitical context: the challenge of technological sovereignty is central, and free software allows addressing it while acting for peace and sovereignty in the digital world as a whole.</p><div class="footnotes"><hr /><ol><li id="fn:1"><p>As defined by Horizon Europe, widening Member States are Bulgaria, Croatia, Cyprus, Czechia, Estonia, Greece, Hungary, Latvia, Lithuania, Malta, Poland, Portugal, Romania, Slovakia, and Slovenia. Widening associated countries (under condition of an association agreement) include Albania, Armenia, Bosnia, Faroe Islands, Georgia, Kosovo, Moldavia, Montenegro, Morocco, North Macedonia, Serbia, Tunisia, Türkiye, and Ukraine. 
Widening overseas regions are Guadeloupe, French Guyana, Martinique, Reunion Island, Mayotte, Saint-Martin, The Azores, Madeira, the Canary Islands.<a class="footnote-backref" href="https://www.gnunet.org/en/rss.xml#fnref:1"></a></p></li></ol></div></article> Thu, 18 Jul 2024 22:00:00 +0000 GNU Taler news: Video interview with Christian Blättler on his work on tokens for unlinkable discounts and subscriptions https://taler.net/en/news/2024-16.html https://taler.net/en/news/2024-16.html <article>On the occasion of the Point Zero Forum's Innovation Tour, Berna Alp has interviewed Christian Blättler who implemented a system for using GNU Taler for unlinkable discounts and subscriptions. </article> Wed, 17 Jul 2024 22:00:00 +0000 health @ Savannah: MyGNUHealth 2.2.1 released https://savannah.gnu.org/news/?id=10656 https://savannah.gnu.org/news/?id=10656 <p>Dear community<br /><br />I am happy to announce patchset 2.2.1 for MYGNUHealth, the GNU Health Personal Health Record.<br /><br />This patchset fixes the following issues:<br /><br /></p><ul><li>MyGH crashes when clicking 'Network':  <a href="https://codeberg.org/gnuhealth/mygnuhealth/issues/34">https://codeberg.org/gnuhealth/mygnuhealth/issues/34</a></li><li>Include icons of type gif on MANIFEST.in : <a href="https://codeberg.org/gnuhealth/mygnuhealth/issues/36">https://codeberg.org/gnuhealth/mygnuhealth/issues/36</a></li></ul><p><br />You can download MyGNUHealth source code from the official GNU Savannah (<a href="https://ftp.gnu.org/gnu/health/mygnuhealth/">https://ftp.gnu.org/gnu/health/mygnuhealth/</a>). 
You can also install MyGH from the Python Package Index (PyPI) or from your operating system distribution.<br /><br />Happy hacking<br />Luis<br /></p> Wed, 17 Jul 2024 10:10:50 +0000 GNU Taler news: Video interview with Nic Eigel, co-author of the GNU Taler real-time auditor https://taler.net/en/news/2024-15.html https://taler.net/en/news/2024-15.html <article>On the occasion of the Point Zero Forum's Innovation Tour, Berna Alp has interviewed Nicola Eigel who implemented a real-time auditor for the GNU Taler exchange with his colleague Cédric Zwahlen. </article> Tue, 16 Jul 2024 22:00:00 +0000 FSF Blogs: Make a pledge to share free software with a friend http://www.fsf.org/blogs/community/make-a-pledge-to-share-free-software-with-a-friend http://www.fsf.org/blogs/community/make-a-pledge-to-share-free-software-with-a-friend Tue, 16 Jul 2024 20:56:58 +0000 GNU Taler news: Video interview with Özgur Kesim on age-restricted digital cash https://taler.net/en/news/2024-18.html https://taler.net/en/news/2024-18.html <article>On the occasion of the Point Zero Forum's Innovation Tour, Evgeny Grin has interviewed Özgur Kesim who designed and implemented an age restriction mechanism inside the GNU Taler coins. </article> Tue, 16 Jul 2024 18:30:11 +0000 tasklist @ Savannah: Cleaning out old jobs https://savannah.gnu.org/news/?id=10655 https://savannah.gnu.org/news/?id=10655 <p>When I opened this Savannah project I imported items from the old GNU tasklist document. 20 years later all of the context has been lost (if there ever was any) so now if anyone asks about these tasks it just leads to frustration on everyone's part.<br /><br />I therefore deleted the original help wanted entries that date back to 2003. 
If anyone wants to help the GNU project, the best way to do that is to pick one of the FSF's High-Priority projects:<br /><br /><a href="https://www.fsf.org/campaigns/priority-projects">https://www.fsf.org/campaigns/priority-projects</a><br /></p> Tue, 16 Jul 2024 14:35:07 +0000 FSF Events: Free Software Directory meeting on IRC: Friday, July 19, starting at 12:00 EDT (16:00 UTC) http://www.fsf.org/events/fsd-20240719-irc http://www.fsf.org/events/fsd-20240719-irc Join the FSF and friends on Friday, July 19 from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory. Mon, 15 Jul 2024 04:00:00 +0000 automake @ Savannah: automake 1.17 released [stable] https://savannah.gnu.org/news/?id=10653 https://savannah.gnu.org/news/?id=10653 <p>Automake 1.17 released. Announcement:<br /><a href="https://lists.gnu.org/archive/html/autotools-announce/2024-07/msg00000.html">https://lists.gnu.org/archive/html/autotools-announce/2024-07/msg00000.html</a><br /></p> Sun, 14 Jul 2024 15:58:32 +0000 gnuastro @ Savannah: Gnuastro 0.23 released https://savannah.gnu.org/news/?id=10652 https://savannah.gnu.org/news/?id=10652 <p>The 23rd release of GNU Astronomy Utilities (Gnuastro) is now available. See the full announcement for all the new features in this release and the many bugs that have been found and fixed: <a href="https://lists.gnu.org/archive/html/info-gnuastro/2024-07/msg00001.html">https://lists.gnu.org/archive/html/info-gnuastro/2024-07/msg00001.html</a><br /></p> Sat, 13 Jul 2024 23:01:56 +0000 FSF Blogs: Spring Bulletin Issue 44 now online! Read and share it with your community http://www.fsf.org/blogs/community/spring-bulletin-issue-44-now-online-read-and-share-it-with-your-community http://www.fsf.org/blogs/community/spring-bulletin-issue-44-now-online-read-and-share-it-with-your-community Wed, 10 Jul 2024 20:05:00 +0000 Simon Josefsson: Towards Idempotent Rebuilds? 
https://blog.josefsson.org/?p=2018 https://blog.josefsson.org/2024/07/10/towards-idempotent-rebuilds/ <p>After <a href="https://blog.josefsson.org/2023/04/10/trisquel-is-42-reproducible/">rebuilding all added/modified packages in Trisquel</a>, I have been circling around the elephant in the room: 99% of the binary packages in Trisquel come from Ubuntu, which to a large extent are built from Debian source packages. Is it possible to rebuild the official binary packages identically? Does anyone make an effort to do so? Does anyone care about going through the differences between the official package and a rebuilt version? <a href="https://reproducible-builds.org/">Reproducible-build.org</a>’s effort to track <a href="https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/mpich.html">reproducibility bugs in Debian</a> (and other systems) is amazing. However as far as I know, they do not confirm or deny that their rebuilds match the official packages. In fact, typically their rebuilds do not match the official packages, even when they say the package is reproducible, which had me surprised at first. To understand why that happens, compare the <a href="https://buildinfo.debian.net/0ddf8ee352df8a2f74aa86efaebdf3e032f7320e/coreutils_9.1-1_amd64">buildinfo file for the official coreutils 9.1-1</a> from Debian bookworm with the <a href="https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/coreutils.html">buildinfo file for reproducible-build.org’s build</a> and you will see that the SHA256 checksum does not match, but still they declare it as a reproducible package. 
As far as I can tell of the situation, the purpose of their rebuilds is not to say anything about the official binary build, instead the purpose is to offer a QA service to maintainers by performing two builds of a package and declaring success if both builds match.</p><p>I have felt that something is lacking, and months have passed and I haven’t found any project that addresses the problem I am interested in. During my earlier work I created a project called <a href="https://blog.josefsson.org/2023/04/17/more-on-differential-reproducible-builds-devuan-is-46-reproducible/">debdistreproduce</a> which performs rebuilds of the difference between two distributions in a GitLab pipeline, and displays <a href="https://diffoscope.org/">diffoscope</a> output for further analysis. A couple of days ago I had the idea of rewriting it to perform rebuilds of a single distribution. A new project <a href="https://gitlab.com/debdistutils/debdistrebuild">debdistrebuild</a> was born and today I’m happy to bless it as <a href="https://gitlab.com/debdistutils/debdistrebuild/-/tree/v1.0">version 1.0</a> and to announce the project! Debdistrebuild has <strong>rebuilt the top-50 popcon packages from Debian bullseye, bookworm and trixie, on amd64 and arm64, as well as Ubuntu jammy and noble on amd64</strong>, see the <a href="https://gitlab.com/debdistutils/debdistrebuild/-/tree/v1.0#show-me-results">summary status page</a> for links. This is intended as a proof of concept, to allow people to experiment with the concept of doing GitLab-based package rebuilds and analysis. Compare how <a href="https://guix.gnu.org/">Guix</a> has the <code><a href="https://guix.gnu.org/manual/en/html_node/On-Trusting-Binaries.html">guix challenge</a></code> command.</p><p>Or I should say <code>debdistrebuild</code> has <em>attempted</em> to rebuild those distributions. 
The number of identically built packages is fairly low, so I didn’t want to waste resources building the rest of the archive until I understand if the differences are due to consequences of my build environment (plain <code>apt-get build-dep</code> followed by <code>dpkg-buildpackage</code> in a fresh container), or due to some real difference. Summarizing the results, <code><strong>debdistrebuild</strong></code><strong> is able to rebuild 34% of Debian bullseye on amd64, 36% of bookworm on amd64, 32% of bookworm on arm64</strong>. The results for trixie and Ubuntu are disappointing, below 10%.</p><p>So what causes my rebuilds to be different from the official rebuilds? Some are trivial like the classical problem of <a href="https://debdistutils.gitlab.io/-/reproduce/debian-bullseye-amd64/-/jobs/7291684506/artifacts/diffoscope/index.html">varying build paths</a>, resulting in a different <code>NT_GNU_BUILD_ID</code> causing a mismatch. Some are a bit strange, like a <a href="https://debdistutils.gitlab.io/-/reproduce/debian-bullseye-amd64/-/jobs/7291769934/artifacts/diffoscope/index.html">subtle difference in one of perl’s headers</a> file. Some are due to <a href="https://debdistutils.gitlab.io/-/reproduce/debian-bullseye-amd64/-/jobs/7291759732/artifacts/diffoscope/index.html">embedded version numbers</a> from a build dependency. Several of the build logs and diffoscope outputs don’t make sense, likely due to bugs in my build scripts, especially for Ubuntu which appears to strip translations and do other build variations that I don’t do. In general, the classes of reproducibility problems are the expected ones. Some are <a href="https://debdistutils.gitlab.io/-/reproduce/debian-bullseye-amd64/-/jobs/7291703958/artifacts/diffoscope/index.html">assembler differences</a> for GnuPG’s gpgv-static, likely triggered by upload of a new version of gcc after the original package was built. 
There are at least two ways to resolve that problem: either use the same version of build dependencies that were used to produce the original build, or demand that all packages that are affected by a change in another package are rebuilt centrally until there are no more differences.</p><p>The current design of <code>debdistrebuild</code> uses the latest version of a build dependency that is available in the distribution. We call this an “<strong>idempotent rebuild</strong>”. This is usually not how the binary packages were built originally, they are often built against earlier versions of their build dependency. That is the situation for most binary distributions.</p><p>Instead of using the latest build dependency version, higher reproducibility may be achieved by rebuilding using the same version of the build dependencies that were used during the original build. This requires parsing <a href="https://buildinfo.debian.net/">buildinfo</a> files to find the right version of the build dependency to install. We believe doing so will lead to a higher number of reproducibly built packages. However it begs the question: can we rebuild that earlier version of the build dependency? This circles back to really old versions and <a href="https://bootstrappable.org/">bootstrappable builds</a> eventually.</p><p>While rebuilding old versions would be interesting on its own, we believe that is less helpful for trusting the latest version and improving a binary distribution: it is challenging to publish a new version of some old package that would fix a reproducibility bug in another package when used as a build dependency, and then rebuild the later packages with the modified earlier version. Those earlier packages were already published, and are part of history. 
It may be that ultimately it will no longer be possible to rebuild some package, because proper source code is missing (for packages using build dependencies that were never part of a release); hardware to build a package could be missing; or that the source code is no longer publicly distributable.</p><p>I argue that getting to 100% idempotent rebuilds is an interesting goal on its own, and to reach it we need to start measuring idempotent rebuild status.</p><p>One could conceivably imagine a way to rebuild modified versions of earlier packages, and then rebuild later packages using the modified earlier packages as build dependencies, for the purpose of achieving higher level of reproducible rebuilds of the last version, and to reach for bootstrappability. However, it may still be that this is insufficient to achieve idempotent rebuilds of the last versions. Idempotent rebuilds are different from a reproducible build (where we try to reproduce the build using the same inputs), and also to bootstrappable builds (in which all binaries are ultimately built from source code). Consider a cycle where package X influences the content of package Y, which in turn influences the content of package X. These cycles may involve several packages, and it is conceivable that a cycle could be circular and infinite. It may be difficult to identify these chains, and even more difficult to break them up, but this effort helps identify where to start looking for them. Rebuilding packages using the same build dependency versions as were used during the original build, or rebuilding packages using a bootstrappable build process, both seem orthogonal to the idempotent rebuild problem.</p><p>Our notion of rebuildability appears thus to be complementary to <a href="https://reproducible-builds.org/docs/definition/">reproducible-builds.org’s definition</a> and <a href="https://bootstrappable.org/">bootstrappable.org’s definition</a>. 
Each to their own devices, and Happy Hacking!</p><p><strong>Addendum about terminology:</strong> With “idempotent rebuild” I am talking about a rebuild of the entire operating system, applied to itself. Compare how you build the latest version of the <a href="https://gcc.gnu.org/">GNU C Compiler</a>: it first builds itself using whatever system compiler is available (often an earlier version of gcc) which we call step 1. Then step 2 is to build a copy of itself using the compiler built in step 1. The final step 3 is to build another copy of itself using the compiler from step 2. Debian, Ubuntu etc are at step 1 in this process right now. The output of step 2 and step 3 ought to be bit-by-bit identical, or something is wrong. The comparison between step 2 and 3 is what I refer to with an idempotent rebuild. Of course, most packages aren’t a compiler that can compile itself. However entire operating systems such as Trisquel, PureOS, Ubuntu or Debian are (hopefully) a self-contained system that ought to be able to rebuild itself to an identical copy. Or something is amiss. The reproducible build and bootstrappable build projects are about improving the quality of step 1. The property I am interested in is the identical rebuild and comparison in step 2 and 3. I feel the word “idempotent” describes the property I’m interested in well, but I realize there may be better ways to describe this. Ideas welcome!</p> Tue, 09 Jul 2024 22:16:16 +0000 FSF Blogs: Share free software with your friends and colleagues http://www.fsf.org/blogs/community/share-free-software-with-your-friends-and-colleagues http://www.fsf.org/blogs/community/share-free-software-with-your-friends-and-colleagues Fri, 05 Jul 2024 20:55:00 +0000 Greg Casamento: What Apple has forgotten... 
tag:blogger.com,1999:blog-13189460.post-2145421725565112647 https://heronsperch.blogspot.com/2024/07/what-apple-has-forgotten.html <p> When NeXT still existed and the black hardware was a thing, Steve Jobs made the announcement that OPENSTEP would be created and that the object model, not the operating system and not the hardware, was the important thing.</p><p>This is a concept that Apple has forgotten.  With its push towards Apple Silicon and a walled-garden, Apple has committed itself to the same pitfall that NeXT fell into.  NeXT lacked the infrastructure to handle OPENSTEP running on multiple kinds of hardware, but the object model on different OSes was successful... this is evident in OPENSTEP1.1 for Solaris and OPENSTEP for NT.</p><p>GNUstep attempts to reach the same goal, but provides the APIs that are available with Cocoa.   The object model IS the important thing and this is why GNUstep is so important.  It breaks the walled garden and makes it possible for users to run their apps and tools on other operating systems.  GNUstep HASN'T forgotten and we believe this is a core concept that Apple has left behind.</p> Wed, 03 Jul 2024 23:03:55 +0000 noreply@blogger.com (Unknown) FSF Blogs: The Licensing & Compliance Team, running at full steam for your freedom http://www.fsf.org/blogs/community/the-licensing-compliance-team-running-at-full-steam-for-your-freedom http://www.fsf.org/blogs/community/the-licensing-compliance-team-running-at-full-steam-for-your-freedom Tue, 02 Jul 2024 21:02:41 +0000 direvent @ Savannah: GNU Direvent Version 5.4 https://savannah.gnu.org/news/?id=10651 https://savannah.gnu.org/news/?id=10651 <p>GNU direvent version 5.4 is <a href="https://ftp.gnu.org/gnu/direvent/direvent-5.4.tar.gz">available for download</a>.<br /><br />New in this version:<br /><br /></p><h3>Simultaneous execution limits</h3><p><br />It is possible to limit the number of command instances that are allowed to run simultaneously for a particular watcher.  
This is done using<br />the <i>max-instances</i> statement in <i>watcher</i> section.<br /><br /></p><h3>Restore the "nowait" default</h3><p><br />In the previous version, watchers waited for the handler to terminate, unless given the <i>nowait</i> option explicitly.  It is now fixed and <i>nowait</i> is the default, as described in the documentation.<br /><br /></p><h3>Fix bug in generic to system event translation</h3><p><br /></p><h3>Fix sentinel code</h3><p><br />In some cases setting the sentinel effectively removed the original watcher.  That happened if the full file name of the original watcher <br />and its directory part produced the same hash code.<br /></p> Tue, 02 Jul 2024 16:00:14 +0000 gdbm @ Savannah: GNU dbm version 1.24 https://savannah.gnu.org/news/?id=10650 https://savannah.gnu.org/news/?id=10650 <p>GNU dbm version 1.24 is <a href="https://ftp.gnu.org/gnu/gdbm/gdbm-1.24.tar.gz">available for download</a>. New in this version:<br /><br /></p><h3>New gdbm_load option: --update</h3><p><br />The <b>--update</b> (<b>-U</b>) option instructs <i>gdbm_load</i> to update an existing database.<br /><br /></p><h3>Fix semantics of gdbm_load -r</h3><p><br />The <b>--replace</b> (<b>-r</b>) is valid only when used together with <b>--update</b>.<br /><br /></p><h3>Use getline in gdbmtool shell</h3><p><br /></p><h3>New function: gdbm_load_from_file_ext</h3><p><br />In contrast to <i>gdbm_load</i> and <i>gdbm_load_from_file</i>, which derive the value of the flag parameter for <i>gdbm_open</i> from the value of their <i>replace</i> argument, this function allows the caller to specify it explicitly.  
<br /><br /></p><h3>Bugfixes</h3><p><br /></p><ul><li>Fix binary dump format for key and/or data of zero size (see <a href="https://puszcza.gnu.org.ua/bugs/?565">bug 656</a>)</li><li>Fix location tracking and recover command in gdbtool (see <a href="https://puszcza.gnu.org.ua/bugs/?566">bug 566</a>)</li><li>Fix possible buffer underflow in gdbmload.</li><li>Ensure any padding bytes in <i>avail_elem</i> structure are filled with 0. This fixes <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031276">debian bug 1031276</a>.</li><li>Improve the documentation.</li></ul> Tue, 02 Jul 2024 14:28:09 +0000 Parabola GNU/Linux-libre: restart sshd immediately after upgrade tag:parabolagnulinux.org,2024-07-01:/news/restart-sshd-immediately-after-upgrade/ https://parabolagnulinux.org/news/restart-sshd-immediately-after-upgrade/ <p>from arch:</p><p>After upgrading to <code>openssh-9.8p1</code>, the existing SSH daemon will be unable to accept new connections. When upgrading remote hosts, please make sure to restart the sshd service using <code>systemctl try-restart sshd</code> right after upgrading.</p><p>We are evaluating the possibility to automatically apply a restart of the sshd service on upgrade in a future release of the openssh-9.8p1 package.</p> Mon, 01 Jul 2024 18:52:51 +0000 poke @ Savannah: GNU poke 4.2 released https://savannah.gnu.org/news/?id=10648 https://savannah.gnu.org/news/?id=10648 <p>I am happy to announce a new release of GNU poke, version 4.2.<br /><br />This is a bugfix release in the 4.x series.<br /><br />See the file NEWS in the distribution tarball for a list of issues<br />fixed in this release.<br /><br />The tarball poke-4.2.tar.gz is now available at<br /><a href="https://ftp.gnu.org/gnu/poke/poke-4.2.tar.gz">https://ftp.gnu.org/gnu/poke/poke-4.2.tar.gz</a>.<br /><br />    &gt; GNU poke (<a href="http://www.jemarch.net/poke">http://www.jemarch.net/poke</a>) is an interactive, extensible<br />    &gt; editor for binary data.  
Not limited to editing basic entities such<br />    &gt; as bits and bytes, it provides a full-fledged procedural,<br />    &gt; interactive programming language designed to describe data<br />    &gt; structures and to operate on them.<br /><br /><br />Thanks to the people who contributed with code and/or documentation to<br />this release.<br /><br />Happy poking!<br /><br />Mohammad-Reza Nabipoor<br /></p> Sun, 30 Jun 2024 21:03:02 +0000 GNU Health: Migrar, migrant, migràrem https://my.gnusolidario.org/?p=1984 https://my.gnusolidario.org/2024/06/27/migrar-migrant-migrarem/ <p class="has-text-align-left">The title of this article, “<em>Migrar, migrant, migràrem</em>”, comes from a beautiful poem written by Laia Porcar[1], that inspired the strikingly profound painting by Sara Belles [2] “<em>Jo per tu, fill meu</em>”. The artists reflect the migrants’ ordeal to provide a better life to their children and families, even at the cost of losing their own lives.</p><p>GNU Health[3] is a Social project with some technology behind and the mission at Sea-Eye is one of the best examples. After all, GNU Solidario[4] is an NGO that focuses on the advancement of Social Medicine.</p><p>We live in a world of injustice. Concentration of power, social gradient and poverty rates keep on the rise. Artificial intelligence is in the hands of mega private corporations, targeting our privacy and feeding the macabre business of war. The fight for scarce natural resources such as lithium or coltan creates coups in impoverished countries. Nature and non-human animals are used and abused as mere commodities. Our world turns a blind eye to the systematic crushing and eradication of civilian population by powerful armies. As a result, we live in a world where migration is not a choice, but the only way out for millions of human beings, even at the risk of becoming anonymous victims in the Atlantic ocean or Mediterranean sea mass graveyards. 
</p><div class="wp-block-image"><figure class="aligncenter size-full"><img alt="" class="wp-image-1994" height="795" src="https://my.gnusolidario.org/wp-content/uploads/2024/06/aurora_suport.png" width="592" /><figcaption class="wp-element-caption">“Jo per tu, fill meu”, by Sara Belles</figcaption></figure></div><p>But there is hope. The Sea-Eye mission is the end result of a network of solidarity, cooperation and empathy. The Free Software movement started by Richard Stallman[5]; Julian Sassenscheidt message in Mastodon and his presentation at GNU Health Con 2023[6] ; The work of our representative in Germany, Gerald Wiese; the Chaos Computer Club[7]; the team from L’Aurora[8] providing logistic support to the Search and Rescue vessels; the phenomenal Sea-Eye family who made me feel at home: The cook, crew on deck, the logistics and medical team who stood stoically intensive hours of GNU Health training. Of course, Selene, the heart of GNU Solidario and the one that looks after the human and non-human family members while I’m away.</p><p>You will hardly see these people in the news, because most corporate-backed media neglect them and their organizations. Unlike some billionaire “philanthropists” that take the media spotlight, these anonymous heroes stand on the right side of history, making a difference on the present and future of those who need it most, with very limited resources. </p><div class="wp-block-image"><figure class="aligncenter size-full"><img alt="" class="wp-image-1995" height="735" src="https://my.gnusolidario.org/wp-content/uploads/2024/06/sea-eye-gnuhealth-collage.png" width="741" /><figcaption class="wp-element-caption">Collage of several pictures during my stay at the Sea-eye</figcaption></figure></div><p>We’re very happy and proud to see that GNU Health can be of help to Sea-Eye in tasks such as guests registration, health evaluations, reporting, statistics and stock management. 
This is just the beginning and we will be optimizing and adding functionality on successive missions. That said, GNU Health will always play a secondary role compared to picking up somebody from the water and giving them a welcoming hug. Again, we’re a social project with a bit of technology behind.</p><div class="wp-block-image"><figure class="aligncenter size-large is-resized"><img alt="" class="wp-image-1997" height="162" src="https://my.gnusolidario.org/wp-content/uploads/2024/06/image-1024x265.png" width="625" /><figcaption class="wp-element-caption">Drawings made by the children rescued at the Sea-eye</figcaption></figure></div><p>I’d like to finish with a reflection on the picture I took of some of the drawings done by children during their stay at the Sea-Eye. The drawings exist because the Sea-eye crew rescued those kids. Otherwise, their corpses would be at the bottom of the Mediterranean sea, along with thousands who tragically perished trying to find dignity in this world. Thank you, Sea-eye. You are priceless.</p><p>A final note: shame on those countries and governments that detain and punish Search and Rescue vessels. Saving lives is not a crime.</p><p>Love, freedom and happy hacking</p><p>You can obtain Sara Belles' painting and Laia Porcar's poem from L’Aurora solidarity shop[8]</p><div class="wp-block-group is-layout-constrained"><div class="wp-block-group__inner-container"><ol><li>Laia Porcar. <a href="https://laravalerateatre.com/qui-som/" rel="noreferrer noopener" target="_blank">https://laravalerateatre.com/qui-som/</a></li><li>Sara Belles. <a href="https://sarabelles.es/" rel="noreferrer noopener" target="_blank">https://sarabelles.es/</a></li><li>The GNU Health project. <a href="https://www.gnuhealth.org" rel="noreferrer noopener" target="_blank">https://www.gnuhealth.org</a></li><li>GNU Solidario. 
Advancing Social Medicine <a href="https://www.gnusolidario.org" rel="noreferrer noopener" target="_blank">https://www.gnusolidario.org</a></li><li>The GNU Operating System.<a href="https://www.gnu.org" rel="noreferrer noopener" target="_blank"> https://www.gnu.org</a></li><li>Search and rescue on the central Mediterranean migratory route . <a href="https://https://www.gnuhealthcon.org/2023/presentations/GHCon2023-Friday-07-Julian_Sassenscheidt-Search_and_rescue_on_the_central_Mediterranean_migratory_route.pdf" rel="noreferrer noopener" target="_blank">https://https://www.gnuhealthcon.org/2023/presentations/GHCon2023-Friday-07-Julian_Sassenscheidt-Search_and_rescue_on_the_central_Mediterranean_migratory_route.pdf</a></li><li>The Chaos Computer Club (CCC) . <a href="https://www.ccc.de/en/" rel="noreferrer noopener" target="_blank">https://www.ccc.de/en/</a></li><li>L’Aurora suport. <a href="https://aurorasuport.org/" rel="noreferrer noopener" target="_blank">https://aurorasuport.org/</a> </li></ol></div></div> Thu, 27 Jun 2024 19:48:18 +0000 Greg Casamento: Free as in Freedom, not as in beer... tag:blogger.com,1999:blog-13189460.post-4846609092401621794 https://heronsperch.blogspot.com/2024/06/free-as-in-freedom-not-as-in-beer.html <p> So... recently I was working for a bit (sweat equity or so I thought) for a company by the name of <a href="https://www.immortaldata.net/" target="_blank">ImmortalData</a>.  The company is headed by a man by the name of <a href="https://www.linkedin.com/in/dale-amon-3a6162/" target="_blank">Dale Amon</a>.  I have worked, on and off, for them for about 2-3 years.   They are developing a piece of software that is used to extract data from their proprietary black box systems.  This piece of software uses GNUstep.   They were born from a previous company known as <a href="https://en.wikipedia.org/wiki/XCOR_Aerospace" target="_blank">XCOR</a> which was developing a space plane at the Mojave space port.   
That company is now defunct.</p><p>Okay, so with that bit of history, I worked for a while for XCOR and then, because ImmortalData inherited the software, for them as well.  When I worked for XCOR it was as a contractor.  There have been issues with the software (some GNUstep bugs and some bugs due to problems introduced by Dale) that I have been asked to address.</p><p>At the end of a meeting a few weeks ago Dale made a comment like "Well, this issue seems like a GNUstep bug, so there is no reason we should have to pay for any of this" which hit an EXTREMELY sour note with me.</p><p>Later on that week I tried to clarify it with Dale, and it seems as though he was under the impression that since I was working on Free Software any changes or fixes TO that software should not be billable.   This is NOT true.  Additionally, the issue that they are experiencing is because of something THEY did, and it is not a GNUstep bug. </p><p>I mentioned this in the previous post, but I feel strongly that this needs to be called out explicitly.   Free Software is free as in FREEDOM.  This means you are free to look at, examine, and modify the software as you see fit.   It does NOT mean services performed on that software on your behalf by someone other than you are free.</p><p>This development was VERY upsetting to me and I feel the need to make the above VERY clear.</p> Thu, 27 Jun 2024 10:16:08 +0000 noreply@blogger.com (Unknown) FSF News: FSF adds three highly qualified board members http://www.fsf.org/news/fsf-adds-3-highly-qualified-board-members http://www.fsf.org/news/fsf-adds-3-highly-qualified-board-members Wed, 26 Jun 2024 17:00:09 +0000 parallel @ Savannah: GNU Parallel 20240622 ('34 counts') released https://savannah.gnu.org/news/?id=10646 https://savannah.gnu.org/news/?id=10646 <p>GNU Parallel 20240622 ('34 counts') has been released. 
It is available for download at: lbry://@GnuParallel:4<br /><br />Quote of the month:<br /><br />  The most glorious 15,000 lines of Perl ever written.<br />    -- @nibblrrr7124@YouTube<br /> <br />New in this release:<br /></p><ul><li>Bug fixes and man page updates.</li></ul><p><br />News about GNU Parallel:<br /></p><ul><li>Howto - Parallel: lanciare comandi in simultanea <a href="https://github.com/linuxhubit/linuxhub.it/blob/main/_posts/2024-06-14-howto-parallel-per-lanciare-comandi-in-simultanea.md">https://github.com/linuxhubit/linuxhub.it/blob/main/_posts/2024-06-14-howto-parallel-per-lanciare-comandi-in-simultanea.md</a></li><li>Implementing Concurrency in Shell Scripts <a href="https://dev.to/siddhantkcode/implementing-concurrency-in-shell-scripts-521o">https://dev.to/siddhantkcode/implementing-concurrency-in-shell-scripts-521o</a></li></ul><p><br />GNU Parallel - For people who live life in the parallel lane.<br /><br />If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.<br /><br /><br /></p><h2>About GNU Parallel</h2><p><br />GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.<br /><br />If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. 
GNU Parallel can even replace nested loops.<br /><br />GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.<br /><br />For example you can run this to convert all jpeg files into png and gif files and have a progress bar:<br /><br />  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif<br /><br />Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:<br /><br />  find . -name '*.jpg' |<br />    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200<br /><br />You can find more about GNU Parallel at: <a href="http://www.gnu.org/s/parallel/">http://www.gnu.org/s/parallel/</a><br /><br />You can install GNU Parallel in just 10 seconds with:<br /><br />    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \<br />       fetch -o - <a href="http://pi.dk/3">http://pi.dk/3</a> ) &gt; install.sh<br />    $ sha1sum install.sh | grep 883c667e01eed62f975ad28b6d50e22a<br />    12345678 883c667e 01eed62f 975ad28b 6d50e22a<br />    $ md5sum install.sh | grep cc21b4c943fd03e93ae1ae49e28573c0<br />    cc21b4c9 43fd03e9 3ae1ae49 e28573c0<br />    $ sha512sum install.sh | grep ec113b49a54e705f86d51e784ebced224fdff3f52<br />    79945d9d 250b42a4 2067bb00 99da012e c113b49a 54e705f8 6d51e784 ebced224<br />    fdff3f52 ca588d64 e75f6033 61bd543f d631f592 2f87ceb2 ab034149 6df84a35<br />    $ bash install.sh<br /><br />Watch the intro video on <a href="http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1">http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1</a><br /><br />Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.<br /><br />When using programs that use GNU Parallel to process data for publication please cite:<br /><br />O. 
Tange (2018): GNU Parallel 2018, March 2018, <a href="https://doi.org/10.5281/zenodo.1146014">https://doi.org/10.5281/zenodo.1146014</a>.<br /><br />If you like GNU Parallel:<br /><br /></p><ul><li>Give a demo at your local user group/team/colleagues</li><li>Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists</li><li>Get the merchandise <a href="https://gnuparallel.threadless.com/designs/gnu-parallel">https://gnuparallel.threadless.com/designs/gnu-parallel</a></li><li>Request or write a review for your favourite blog or magazine</li><li>Request or build a package for your favourite distribution (if it is not already there)</li><li>Invite me for your next conference</li></ul><p><br />If you use programs that use GNU Parallel for research:<br /><br /></p><ul><li>Please cite GNU Parallel in your publications (use --citation)</li></ul><p><br />If GNU Parallel saves you money:<br /><br /></p><ul><li>(Have your company) donate to FSF <a href="https://my.fsf.org/donate/">https://my.fsf.org/donate/</a></li></ul><p><br /><br /></p><h2>About GNU SQL</h2><p><br />GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.<br /><br />The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.<br /><br />When using GNU SQL for a publication please cite:<br /><br />O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.<br /><br /><br /></p><h2>About GNU Niceload</h2><p><br />GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. 
When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.<br /></p> Mon, 24 Jun 2024 19:00:25 +0000 GNU Guile: GNU Guile 3.0.10 released https://www.gnu.org/software/guile/news/gnu-guile-3010-released.html https://www.gnu.org/software/guile/news/gnu-guile-3010-released.html <p>We are pleased to finally announce the release of GNU Guile 3.0.10! This release is mainly a bug-fix release, though it does include a number of new features:</p><ul><li>Better ability to define new port types in Scheme (<a href="https://www.gnu.org/software/guile/manual/html_node/Custom-Ports.html">R6RS custom textual ports</a>, <a href="https://www.gnu.org/software/guile/manual/html_node/Soft-Ports.html">a new soft port interface</a>, <a href="https://www.gnu.org/software/guile/manual/html_node/Low_002dLevel-Custom-Ports.html">low-level custom ports</a>).</li><li>Support for local <code>define</code> definitions in all forms with bodies: <code>when</code> and <code>unless</code>, <code>cond</code> and <code>case</code> clauses, and so on.</li><li>An experimental opt-in surface syntax, <a href="https://www.gnu.org/software/guile/manual/html_node/SRFI_002d119.html#index-wisp">WISP</a>.</li></ul><p>For full details, see the <a href="https://lists.gnu.org/archive/html/guile-devel/2024-06/msg00039.html">release announcement</a>, and check out the <a href="https://www.gnu.org/software/guile/download">download page</a>.</p><p>Happy Guile hacking!</p> Mon, 24 Jun 2024 08:25:12 +0000 guile-devel@gnu.org (Andy Wingo) automake @ Savannah: automake 1.16.92 pretest release candidate https://savannah.gnu.org/news/?id=10645 https://savannah.gnu.org/news/?id=10645 <p>automake 1.16.92 pretest release candidate released. 
Please test if you can, so 1.17 will be as reliable as we can make it. Announcement:<br /><a href="https://lists.gnu.org/archive/html/autotools-announce/2024-06/msg00001.html">https://lists.gnu.org/archive/html/autotools-announce/2024-06/msg00001.html</a><br /></p> Fri, 21 Jun 2024 22:01:30 +0000 health @ Savannah: MyGNUHealth 2.2 series released! https://savannah.gnu.org/news/?id=10644 https://savannah.gnu.org/news/?id=10644 <p>Dear all<br /><br />I am happy to announce the release of MyGNUHealth 2.2.0!<br /><br />The new series of the GNU Health Personal Health record comes with many improvements and bug fixes. Some highlights of this new version:<br /><br /></p><ul><li>Support for Kivy 2.3.0</li><li>Localization. MyGNUHealth now has support for different languages. English, Spanish and Chinese are available to use, and French, German, Italian are ready to be translated. There will be a translation component for MyGNUHealth at Codeberg's Weblate instance. </li><li>Bluetooth functionality: Starting with MyGH series 2.2 we provide Bluetooth integration for open compatible devices and health trackers. We include the link with the Pinetime Smartwatch (experimental) and the possibility to link to any open hardware device (glucometer, scales, blood pressure monitors, ...). We need to get a list of available medical devices that respect our privacy and freedom, so let us know of any!</li><li>Charts now allow selecting date ranges with calendar widgets</li><li>The Book of Life has a revised format for the pages.</li><li>The charts have been improved in the format and include x axis labels.</li></ul><p><br />Thanks to Kivy, the MyGNUHealth codebase can be ported to other architectures and operating systems such as Android AOSP (Pierre Michel is working on this) and GNU/Linux phones.<br /><br />In addition to Savannah, we have incorporated Codeberg to the GNU Health development environment. 
Mailing lists, news and file downloads are at GNU, while the development repositories are at Codeberg (<a href="https://codeberg.org/gnuhealth">https://codeberg.org/gnuhealth</a>)<br /><br />You can download the latest MyGNUHealth source code from the GNU ftp site, PyPI (using pip) or from your operating system package (like openSUSE).<br /><br />Upgrading should be straightforward, and all the health history will remain in the MyGH database. In any case, please make sure you make a backup before upgrading (and daily ;) ).<br /><br />Thank you to all the contributors that have made this milestone possible!<br /><br />Happy hacking<br />Luis<br /></p> Fri, 21 Jun 2024 09:44:00 +0000 Greg Casamento: Keysight laid me off in January! tag:blogger.com,1999:blog-13189460.post-968465091965715593 https://heronsperch.blogspot.com/2024/06/keysight-laid-me-off-in-january.html A little history first. Keysight is a large company that, primarily, makes testing equipment such as oscilloscopes and other electronics. They bought a company a few years back named TestPlant. Prior to that, TestPlant bought a company by the name of Redstone that produced a product known as Eggplant. Recently, I was laid off for economic reasons (at least that's what they said). It occurs to me that nothing in this world lasts forever. I was so depressed when I was let go because Keysight was the perfect home for me... they used GNUstep deeply. So, as you can imagine, I was deeply upset when things ended... but all things do. <div><br /></div><div> I think it happened for several reasons: <div><ul style="text-align: left;"><li><b>Economic</b> - This is what was explained to me, but I am not sure I believe it </li><li><b>Politics</b> - I think this part is because I expressed my opinions HONESTLY about the direction of the company given that they wanted to make the application into a VSCode plugin.</li><li><b>Perception</b> - I am 54 years old... 
so I think that they believed that Objective-C was my one and only talent, it's not... I know many other languages and have many other skills. </li></ul>Unfortunately, in the US, any employer can let go of any employee or contractor for ANY reason. This is known as at-will employment, making it very hard to take any action against any employer (not that this is something I considered).</div></div><div><br /></div><div>Keysight is and will remain a major contributor to GNUstep.</div><div><br /></div><div>That being said, I recently ran into something rather disturbing at another company.   I have been working with a company based out of New Mexico that is interested in space applications.  They have been using GNUstep and have been awaiting funding.</div><div><br /></div><div>The lead of this effort expressed something during a meeting saying "We will work on the GNUstep side of this because there is no reason we should have to pay for any of this."   This hit a sour note with me to say the very least.   As it turns out he was under the mistaken impression that, because the work was on GNUstep, it was for free... which is WRONG.</div><div><br /></div><div>I wonder if the same impression was present at Keysight or if other companies believe this.  The saying, according to RMS, is "Free as in freedom, not as in beer."   If you are a manager at a company who is under the mistaken impression that work on any Free Software or Open Source project is free when your product depends on it, please correct your thinking.   
Just because it is someone's passion project does NOT mean that they are going to do that work for free and prioritize the things that need to be done for your organization.</div><div><br /></div><div>All of that being said the positive sides are this:</div><div><ol style="text-align: left;"><li>More time to code on GNUstep without interruption</li><li>More time to work on my own projects</li><li>Time to rest and relax</li></ol><div>So, as much as I hate being unemployed there ARE some upsides to it.  Here's to hoping something works out soon.   I literally loved my job at Keysight and, honestly, hope to return.   I have my eye on their changes as well as those of others just like any other member of the community.  Yours, GC</div></div> Mon, 17 Jun 2024 05:24:34 +0000 noreply@blogger.com (Unknown) GNUnet News: GNUnet 0.21.2 https://gnunet.org/en/news/2024-06-0.21.2.html https://gnunet.org/en/news/2024-06-0.21.2.html <article id="newspost-content"><h1>GNUnet 0.21.2</h1><p>This is a bugfix release for gnunet 0.21.1. It primarily addresses some connectivity issues introduced with our new transport subsystem.</p><p></p><h4>Links</h4><ul><li>Source: <a href="https://ftpmirror.gnu.org/gnunet/gnunet-0.21.2.tar.gz">https://ftpmirror.gnu.org/gnunet/gnunet-0.21.2.tar.gz</a> (<a href="https://ftpmirror.gnu.org/gnunet/gnunet-0.21.2.tar.gz.sig">https://ftpmirror.gnu.org/gnunet/gnunet-0.21.2.tar.gz.sig</a>)</li><li>Source (meson): <a href="https://buildbot.gnunet.org/releases/gnunet-0.21.2-meson.tar.gz">https://buildbot.gnunet.org/gnunet-0.21.2-meson.tar.gz</a> (<a href="https://buildbot.gnunet.org/gnunet-0.21.2-meson.tar.gz.sig">https://buildbot.gnunet.org/gnunet-0.21.2-meson.tar.gz.sig</a>)</li><li>Detailed list of changes: <a href="https://git.gnunet.org/gnunet.git/log/?h=v0.21.2">https://git.gnunet.org/gnunet.git/log/?h=v0.21.2</a></li><li>NEWS: <a href="https://git.gnunet.org/gnunet.git/tree/NEWS?h=v0.21.2">https://git.gnunet.org/gnunet.git/tree/NEWS?h=v0.21.2</a></li><li>The 
list of closed issues in the bug tracker: <a href="https://bugs.gnunet.org/changelog_page.php?version_id=440">https://bugs.gnunet.org/changelog_page.php?version_id=440</a></li></ul><p>The GPG key used to sign is: <a href="https://gnunet.org/~schanzen/3D11063C10F98D14BD24D1470B0998EF86F59B6A">3D11063C10F98D14BD24D1470B0998EF86F59B6A</a></p><p>Note that due to mirror synchronization, not all links may be functional early after the release. For direct access try <a href="https://ftp.gnu.org/gnu/gnunet/">https://ftp.gnu.org/gnu/gnunet/</a></p><h2>libgnunetchat 0.5.0 released</h2><p>We are also pleased to announce the release of libgnunetchat 0.5.0.<br />This is a major new release bringing compatibility with the major changes in the Messenger service from latest GNUnet release 0.21.2 adding new message kinds and functionality. This release will also require your GNUnet to be at least 0.21.2 because of that.</p><h4>Download links</h4><ul><li><a href="http://ftpmirror.gnu.org/gnunet/libgnunetchat-0.5.0.tar.gz">libgnunetchat-0.5.0.tar.gz</a></li><li><a href="http://ftpmirror.gnu.org/gnunet/libgnunetchat-0.5.0.tar.gz.sig">libgnunetchat-0.5.0.tar.gz.sig</a></li></ul><h4>Noteworthy changes in 0.5.0</h4><ul><li>This release requires the GNUnet Messenger Service 0.5!</li><li>Implements tickets to share attributes with contacts.</li><li>Implement functionality to get recipient of sent private messages.</li><li>Allow file sharing without additional encryption key.</li><li>Implements discourses to send data in live channels.</li><li>Fix memory violations and duplicate storage entries.</li><li>Adjust callbacks regarding account states.</li><li>Fix deletions of accounts and lobbies.</li><li>Fix multiple synchronization bugs.</li><li>Add test cases for discourses and tickets.</li></ul><p>A detailed list of changes can be found in the <a href="https://git.gnunet.org/libgnunetchat.git/tree/ChangeLog">ChangeLog</a>.</p><h2>Messenger-GTK 0.10.0</h2><p>Since libgnunetchat made some changes 
there are also new releases of the messenger applications addressing changes for compatibility and providing some new functionality.</p><h4>Download links</h4><ul><li><a href="http://ftpmirror.gnu.org/gnunet/messenger-gtk-0.10.0.tar.gz">messenger-gtk-0.10.0.tar.gz</a></li><li><a href="http://ftpmirror.gnu.org/gnunet/messenger-gtk-0.10.0.tar.gz.sig">messenger-gtk-0.10.0.tar.gz.sig</a></li></ul><h4>Noteworthy changes in 0.10.0</h4><ul><li>Implement tagging and filtering messages</li><li>Adjust media previews and optimize memory footprint</li><li>Implement sharing profile attribute and profile picture with contacts</li><li>Fix several UI issues and memory leaks</li><li>Improve UI to waste less vertical space for smaller screens</li><li>Add localization for English, German and Spanish</li></ul><h4>Known Issues</h4><ul><li>Chats still require a reliable connection between GNUnet peers. So this still depends on the upcoming NAT traversal to be used outside of local networks for most users (see <a href="https://bugs.gnunet.org/view.php?id=5710">#5710</a>).</li><li>File sharing via the FS service should work in a GNUnet single-user setup but a multi-user setup breaks it (see <a href="https://bugs.gnunet.org/view.php?id=7355">#7355</a>)</li></ul><p>In addition to this list, you may also want to consult our bug tracker at <a href="https://bugs.gnunet.org/">bugs.gnunet.org</a>.</p><h2>messenger-cli 0.3.0</h2><p>This is mostly a compatibility release for messenger-cli 0.3.0 to address changes in libgnunetchat 0.5.0.</p><h4>Download links</h4><ul><li><a href="http://ftpmirror.gnu.org/gnunet/messenger-cli-0.3.0.tar.gz">messenger-cli-0.3.0.tar.gz</a></li><li><a href="http://ftpmirror.gnu.org/gnunet/messenger-cli-0.3.0.tar.gz.sig">messenger-cli-0.3.0.tar.gz.sig</a></li></ul></article> Fri, 07 Jun 2024 22:00:00 +0000 www-zh-cn @ Savannah: copyright notices in www.gnu.org translations https://savannah.gnu.org/news/?id=10641 https://savannah.gnu.org/news/?id=10641 <p>Dear 
Translators:<br /><br />Recently, the Licensing and Compliance Lab provided guidelines<br />for writing copyright notices in <a href="https://www.gnu.org">www.gnu.org</a> translations:<br /><br /><a href="https://www.gnu.org/s/trans-coord/w/Copyright-Notices.html">https://www.gnu.org/s/trans-coord/w/Copyright-Notices.html</a><br /><br />Please take them into account.<br /><br />After receiving feedback from 2 translators, plus my own thoughts, I would offer the following as advice for new translations:<br /><br />1. add your name in the copyright notices in the translation if you think your contribution is enough for an article, like<br /><br />Copyright &amp;copy; 2024 Free Software Foundation, Inc.&lt;br&gt;&lt;/br&gt;<br />Copyright &amp;copy; 2024 XIE Wensheng (translation)&lt;<br /><br />2. or optionally add your name in the TRANSLATOR'S CREDITS part as we always do.<br /><br />&lt;b&gt;翻译&lt;/李凡希,2010。lt;br&gt;&lt;/br&gt;<br />&lt;b&gt;审查学校&lt;/b&gt;:&lt;a href="mailto:1945649519@qq.com"&gt;&amp;lt;Nios34&amp;gt;&lt;/a&gt;,2020。&lt;br&gt;&lt;/br&gt;<br />&lt;b&gt;翻译团&lt;/b&gt;:&lt;a rel="team" href="<a href="https://savannah.gnu.org/projects/www-zh-cn/">https://savannah.gnu.org/projects/www-zh-cn/</a>"&gt;&amp;lt;CTT&amp;gt;&lt;/a&gt;,2017-2024。&lt;<br /><br />best regards,<br />wxie<br /></p> Fri, 07 Jun 2024 10:15:59 +0000 gsl @ Savannah: GNU Scientific Library 2.8 released https://savannah.gnu.org/news/?id=10640 https://savannah.gnu.org/news/?id=10640 <p>Version 2.8 of the GNU Scientific Library (GSL) has been released.<br />Thank you to all who helped test the library prior to the release, and<br />thank you to everyone for using the library and giving feedback and<br />reports. The following changes have been added to the library:<br /><br /></p><ul><li>What is new in gsl-2.8:</li></ul><p><br />** apply patch for <i><a href="https://savannah.gnu.org/bugs/?63679">bug #63679</a></i> (F. 
Weimer)<br /><br />** updated multilarge TSQR method to store ||z_2|| and<br />   provide it to the user<br /><br />** add routines for Hermite B-spline interpolation<br /><br />** fix for <i><a href="https://savannah.gnu.org/bugs/?59624">bug #59624</a></i><br /><br />** fix for <i><a href="https://savannah.gnu.org/bugs/?59781">bug #59781</a></i> (M. Dunlap)<br /><br />** bug fix #61094 (reported by A. Cheylus)<br /><br />** add functions:<br />   - gsl_matrix_complex_conjugate<br />   - gsl_vector_complex_conj_memcpy<br />   - gsl_vector_complex_div_real<br />   - gsl_linalg_QR_lssolvem_r<br />   - gsl_linalg_complex_QR_lssolvem_r<br />   - gsl_linalg_complex_QR_QHmat_r<br />   - gsl_linalg_QR_UR_lssolve<br />   - gsl_linalg_QR_UR_lssvx<br />   - gsl_linalg_QR_UR_QTvec<br />   - gsl_linalg_QR_UU_lssvx<br />   - gsl_linalg_QR_UD_lssvx<br />   - gsl_linalg_QR_UD_QTvec<br />   - gsl_linalg_complex_cholesky_{decomp2,svx2,solve2,scale,scale_apply}<br />   - gsl_linalg_SV_{solve2,lssolve}<br />   - gsl_rstat_norm<br /><br />** add Lebedev quadrature (gsl_integration_lebedev)<br /><br />** major overhaul to the B-spline module to add<br />   new functionality<br /></p> Fri, 07 Jun 2024 01:10:31 +0000 enscript @ Savannah: GNU Enscript 1.7rc released https://savannah.gnu.org/news/?id=10639 https://savannah.gnu.org/news/?id=10639 <p>Version 1.7rc is available for download from:<br /><br />  git clone <a href="https://git.savannah.gnu.org/git/enscript.git">https://git.savannah.gnu.org/git/enscript.git</a><br /><br />We are looking forward for your feedback.<br /></p> Wed, 05 Jun 2024 12:21:25 +0000 FSF Events: Free Software Directory meeting on IRC: Friday, June 07, starting at 12:00 EDT (16:00 UTC) http://www.fsf.org/events/fsd-20240607-irc http://www.fsf.org/events/fsd-20240607-irc Join the FSF and friends on Friday, June 07, from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory. 
Tue, 04 Jun 2024 20:28:29 +0000 FSF News: FSF adds three provisional board members http://www.fsf.org/news/fsf-adds-three-provisional-board-members http://www.fsf.org/news/fsf-adds-three-provisional-board-members Mon, 03 Jun 2024 15:16:40 +0000 findutils @ Savannah: GNU findutils 4.10.0 released https://savannah.gnu.org/news/?id=10638 https://savannah.gnu.org/news/?id=10638 <p>This is to announce findutils-4.10.0, a stable release.<br />See the NEWS below for more details.<br /><br />GNU findutils is a set of software tools for finding files that match<br />certain criteria and for performing various operations on them.<br />Findutils includes the programs "find", "xargs" and "locate".<br />More information about findutils is available at:<br />  <a href="https://www.gnu.org/software/findutils/">https://www.gnu.org/software/findutils/</a><br /><br />Please report bugs and problems with this release via the<br />GNU Savannah bug tracker:<br />  <a href="https://savannah.gnu.org/bugs/?group=findutils">https://savannah.gnu.org/bugs/?group=findutils</a><br /><br />Please send general comments and feedback about the GNU findutils<br />package to the mailing list (&lt;mailto:bug-findutils@gnu.org&gt;):<br />  <a href="https://lists.gnu.org/mailman/listinfo/bug-findutils">https://lists.gnu.org/mailman/listinfo/bug-findutils</a><br /><br />There have been 88 commits by 8 people in the - sigh - 121 weeks since 4.9.0:<br />  Antonio Diaz Diaz (2)       James Youngman (24)<br />  Bernhard Voelker (57)       John A. 
Leuenhagen (1)<br />  Bjarni Ingi Gislason (1)    Shuiqing Zhou (1)<br />  Helmut Grohne (1)           ribbon (1)<br /><br />This release was bootstrapped with the following tools:<br />   Autoconf 2.72<br />   Automake 1.16.5<br />   M4 1.4.18<br />   Gnulib v1.0-187-g623bcc22f4<br /><br />Please consider supporting the Free Software Foundation in its fund<br />raising appeal; see &lt;<a href="https://www.fsf.org/appeal/">https://www.fsf.org/appeal/</a>&gt;.<br /><br />Thanks to everyone who has contributed!<br /><br />Have a nice day,<br />Bernhard Voelker [on behalf of the GNU findutils maintainers]<br /><br />================================================================================<br /><br />Here are the compressed sources:<br />  <a href="https://ftp.gnu.org/pub/gnu/findutils/findutils-4.10.0.tar.xz">https://ftp.gnu.org/pub/gnu/findutils/findutils-4.10.0.tar.xz</a><br />    <br />Here are the GPG detached signatures[*]:<br />  <a href="https://ftp.gnu.org/pub/gnu/findutils/findutils-4.10.0.tar.xz.sig">https://ftp.gnu.org/pub/gnu/findutils/findutils-4.10.0.tar.xz.sig</a><br /><br />Use a mirror for higher download bandwidth:<br />  <a href="http://www.gnu.org/order/ftp.html">http://www.gnu.org/order/ftp.html</a><br /><br />Here is the SHA256 checksum:<br /> <br />  1387e0b67ff247d2abde998f90dfbf70c1491391a59ddfecb8ae698789f0a4f5  findutils-4.10.0.tar.xz<br /><br />[*] Use a .sig file to verify that the corresponding file (without the<br />.sig suffix) is intact.  First, be sure to download both the .sig file<br />and the corresponding tarball.  
Then, run a command like this:<br /><br />gpg --verify findutils-4.10.0.tar.xz.sig<br /><br />If that command fails because you don't have the required public key,<br />then run this command to import it:<br /><br />gpg --keyserver keys.gnupg.net --recv-keys A5189DB69C1164D33002936646502EF796917195<br /><br />and rerun the 'gpg --verify' command.<br /><br />================================================================================<br /><br />NEWS<br /><br /></p><ul><li>Noteworthy changes in release 4.10.0 (2024-06-01) [stable]</li></ul><p><br />** Bug Fixes<br /><br />  Find now defaults to optimization level 1 rather than 2 and the<br />  cost-based optimizer will only run at level 2 and above.  This<br />  should prevent changes of operation order which result in<br />  user-visible differences in behaviour. [#58427]<br /><br />  If the -P option to xargs is not used, xargs will not change the way<br />  in which the SIGUSR1 and SIGUSR2 signals are handled.  This means<br />  that they will cause the program to terminate if the signals were<br />  not ignored in the process which started xargs.  This also means that<br />  xargs does not use parallel execution at all.<br />  If you start xargs with '-P 1', then xargs will not be killed by these<br />  signals, and they instead change the degree of parallelism.<br />  This change improves xargs' POSIX compliance.<br /><br />  'xargs -P' now waits for all its child processes to complete before<br />  exiting, even if one of them exits with status 255. [#64451]<br /><br />  If the -P option of xargs is in use, reads on standard input which are<br />  interrupted by a signal are re-started. [#64442]<br /><br />  'find -name /' no longer outputs a warning, because that is a valid pattern<br />  to match the root directory "/".  Previously, a diagnostic falsely claimed<br />  that this pattern would not match anything. 
[#62227]<br /><br />  'find -gid' (without the mandatory argument) now outputs a correct error<br />  diagnostic.  Previously it output: "find: invalid argument `-gid' to `-gid'".<br />  The error diagnostic for non-numeric arguments has been improved as well.<br />  Likewise for -inum, -links and -uid.<br /><br />  'find -user' and 'find -group' now allow to specify larger UIDs/GIDs.<br />  Previously, that was limited to INT_MAX, although the types uid_t and gid_t<br />  are larger on many systems, including x86_64 GNU/Linux. [#64900]<br /><br />  'find -xtype l' no longer fails on symbolic links that point to<br />  themselves.  These are treated similarly to broken links. [#51926]<br /><br />** Improvements<br /><br />  The find predicates -used, -amin, -cmin, -mmin, -atime, -ctime, and -mtime<br />  now properly diagnose a not-a-number argument.  Previously, find dumped<br />  core via an assertion.  [#64717]<br /><br />** Changes to the build process<br /><br />  findutils now builds again on systems with musl-libc.<br />  This requires gettext-0.19.8.<br /><br />  findutils programs no longer fail for timestamps past the year 2038<br />  on obsolete configurations with 32-bit signed time_t, because the<br />  build procedure now rejects these configurations.<br />  On systems without any year2038 support configure with --disable-year2038.<br /><br />** Documentation Changes<br /><br />  When generating the Texinfo manual, `makeinfo` is invoked with the --no-split<br />  option for all output formats now; this avoids files like find.info-[12].<br /><br />  The xargs documentation now describes the double dash "--" option delimiter.<br /><br />  The xargs examples in the Texinfo manual now use the -L and --replace options<br />  instead of the deprecated -l and -i options.  [#64480]<br /><br />  The TexInfo manual now uses upper-case 'B' as birthtime for the -newerXY<br />  comparison consistently.  
[#65378]<br /><br />** Translations<br /><br />Updated the following translations: Belarusian, Brazilian Portuguese,<br />Bulgarian, Catalan, Chinese (simplified), Chinese (traditional),<br />Croatian, Czech, Danish, Dutch, Esperanto, Estonian, Finnish, French,<br />Galician, Georgian, German, Greek, Hungarian, Indonesian, Irish,<br />Italian, Japanese, Korean, Lithuanian, Luganda, Malay, Norwegian<br />Bokmaal, Polish, Portuguese, Romanian, Russian, Serbian, Slovak,<br />Slovenian, Spanish, Swedish, Turkish, Ukrainian, Vietnamese.<br /></p> Sat, 01 Jun 2024 18:30:40 +0000 poke @ Savannah: GNU poke 4.1 released https://savannah.gnu.org/news/?id=10637 https://savannah.gnu.org/news/?id=10637 <p>I am happy to announce a new release of GNU poke, version 4.1.<br /><br />This is a bugfix release in the 4.x series.<br /><br />See the file NEWS in the distribution tarball for a list of issues<br />fixed in this release.<br /><br />The tarball poke-4.1.tar.gz is now available at<br /><a href="https://ftp.gnu.org/gnu/poke/poke-4.1.tar.gz">https://ftp.gnu.org/gnu/poke/poke-4.1.tar.gz</a>.<br /><br /></p><blockquote class="quote"><p>&gt; GNU poke (<a href="http://www.jemarch.net/poke">http://www.jemarch.net/poke</a>) is an interactive, extensible<br />&gt; editor for binary data.  
Not limited to editing basic entities such<br />&gt; as bits and bytes, it provides a full-fledged procedural,<br />&gt; interactive programming language designed to describe data<br />&gt; structures and to operate on them.<br /></p></blockquote><p><br />Thanks to the people who contributed with code and/or documentation to<br />this release.<br /><br />Happy poking!<br /><br />Mohammad-Reza Nabipoor<br /></p> Fri, 31 May 2024 14:32:50 +0000 GNU Guix: Source code archiving in Guix: new publication https://guix.gnu.org/blog/2024/source-code-archiving-in-guix-new-publication// https://guix.gnu.org/blog/2024/source-code-archiving-in-guix-new-publication// <p>We are glad to announce the publication of a new research paper entitled <a href="https://hal.science/hal-04586520v1"><em>Source Code Archiving to the Rescue of Reproducible Deployment</em></a> for the <a href="https://acm-rep.github.io/2024/">ACM Conference on Reproducibility and Replicability</a>. The paper presents work that has been done since we started <a href="https://guix.gnu.org/en/blog/2019/connecting-reproducible-deployment-to-a-long-term-source-code-archive/">connecting Guix with the Software Heritage (SWH) archive</a> five years ago:</p><blockquote><p>The ability to <em>verify</em> research results and to <em>experiment</em> with methodologies are core tenets of science. As research results are increasingly the outcome of computational processes, software plays a central role. GNU Guix is a software deployment tool that supports <em>reproducible</em> software deployment, making it a foundation for computational research workflows. To achieve reproducibility, we must first ensure the source code of software packages Guix deploys remains available.</p><p>We describe our work connecting Guix with Software Heritage, the universal source code archive, making Guix the first free software distribution and tool backed by a stable archive. 
Our contribution is twofold: we explain the rationale and present the design and implementation we came up with; second, we report on the archival coverage for package source code with data collected over five years and discuss remaining challenges.</p></blockquote><p>The ability to retrieve package source code is important for researchers who need to be able to <a href="https://guix.gnu.org/en/blog/2024/adventures-on-the-quest-for-long-term-reproducible-deployment/">replay</a> scientific workflows, but it’s just as important for engineers and developers alike, who may also have <a href="https://guix.gnu.org/en/blog/2024/identifying-software/">good reasons to redeploy or to audit</a> past package sets.</p><p>Support for source code archiving and recovery in Guix has improved a lot over the past five years, in particular with:</p><ul><li>Support for recovering source code tarballs (<code>tar.gz</code> and similar files): this is made possible by <a href="https://ngyro.com/software/disarchive.html">Disarchive</a>, written by Timothy Sample.</li></ul><p><img alt="Diagram taken from the paper showing Disarchive tarball “disassembly” and “assembly”." src="https://guix.gnu.org/static/blog/img/swh-paper-disarchive.png" /></p><ul><li>The ability to look up data <a href="https://archive.softwareheritage.org/api/1/extid/doc/">by nar hash</a> in the SWH archive (“nar” is the <em>normalized archive</em> format used by Nix and Guix), thanks to fellow SWH hackers. This, in turn, allows Guix to look up <em>any</em> version control checkout <a href="https://issues.guix.gnu.org/68741">by content hash</a>—Git, Subversion, Mercurial, you name it!</li><li>The monitoring of archival coverage with Timothy’s <a href="https://ngyro.com/pog-reports/latest/"><em>Preservation of Guix</em> reports</a> has allowed us to identify discrepancies in Guix, Disarchive, and/or SWH and to increase archival coverage.</li></ul><p><img alt="Graph taken from the paper showing package source code archival coverage over time." 
src="https://guix.gnu.org/static/blog/img/swh-paper-coverage.png" /></p><p>94% of the packages in a January 2024 snapshot of Guix are known to have their source code archived!</p><p>Check out <a href="https://hal.science/hal-04586520v1">the paper</a> to learn more about the machinery at play and the current status.</p> Fri, 31 May 2024 12:00:00 +0000 FSF Events: Workshop: Free software & legislation: How we win http://www.fsf.org/events/workshop-free-software-legislation-how-we-win http://www.fsf.org/events/workshop-free-software-legislation-how-we-win Tue, 28 May 2024 12:15:00 +0000 Parabola GNU/Linux-libre: pacman.conf and makepkg.conf changes tag:parabolagnulinux.org,2024-05-24:/news/makepkgconf-change/ https://parabolagnulinux.org/news/makepkgconf-change/ <p>NOTICE FOR EVERYONE:</p><p>You may see the following error message from pacman:</p><p><code>error: config file /etc/pacman.d/*.conf could not be read: No such file or directory</code></p><p>If you do, that is because you have modified your pacman.conf file in the past, but you forgot to reconcile the latest .pacnew replacement. Remember that it is up to each user to notice any new .pacnew replacement files for any configuration files that you have modified, each time pacman does an upgrade, and to merge the changes into your existing config files. Pacman will not do that automatically, to avoid clobbering your customizations. To correct this, compare /etc/pacman.conf and /etc/pacman.conf.pacnew to remind yourself which changes you had made. Then move /etc/pacman.conf.pacnew to /etc/pacman.conf, and redo your customizations (e.g., enable the [nonsystemd] repo, enable ParallelDownloads, add ILoveCandy, etc.).</p><p>NOTICE FOR THOSE WHO BUILD THEIR OWN PACKAGES:</p><p>Parabola's default <code>makepkg.conf</code> has long loaded <code>/etc/makepkg.d/*.conf</code>. As of makepkg 6.1.0, the program itself now loads <code>/etc/makepkg.conf.d/*.conf</code>, so this part of our <code>makepkg.conf</code> has been removed. 
Users who have <code>/etc/makepkg.d/*.conf</code> files need to move them to <code>/etc/makepkg.conf.d/</code>.</p> Fri, 24 May 2024 01:06:30 +0000 FSF Events: Free Software Directory meeting on IRC: Friday, May 24, starting at 12:00 EDT (16:00 UTC) http://www.fsf.org/events/fsd-20240524-irc http://www.fsf.org/events/fsd-20240524-irc Join the FSF and friends on Friday, May 24, from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory. Wed, 22 May 2024 22:32:38 +0000 parallel @ Savannah: GNU Parallel 20240522 ('Tbilisi') released https://savannah.gnu.org/news/?id=10635 https://savannah.gnu.org/news/?id=10635 <p>GNU Parallel 20240522 ('Tbilisi') has been released. It is available for download at: lbry://@GnuParallel:4<br /><br />Quote of the month:<br /><br />  GNU Parallel is one more of those "how did I live without this?!"<br />  -- Ivan Augusto @ivanaugustobd@twitter<br /> <br />New in this release:<br /></p><ul><li>--onall now supports sshpass - user:pass@host.</li><li>--memfree kills do not count as --retries.</li><li>Bug fixes and man page updates.</li></ul><p><br />GNU Parallel - For people who live life in the parallel lane.<br /><br />If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.<br /><br /><br /></p><h2>About GNU Parallel</h2><p><br />GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. 
GNU Parallel can then split the input and pipe it into commands in parallel.<br /><br />If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.<br /><br />GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.<br /><br />For example you can run this to convert all jpeg files into png and gif files and have a progress bar:<br /><br />  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif<br /><br />Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:<br /><br />  find . -name '*.jpg' |<br />    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200<br /><br />You can find more about GNU Parallel at: <a href="http://www.gnu.org/s/parallel/">http://www.gnu.org/s/parallel/</a><br /><br />You can install GNU Parallel in just 10 seconds with:<br /><br />    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \<br />       fetch -o - <a href="http://pi.dk/3">http://pi.dk/3</a> ) &gt; install.sh<br />    $ sha1sum install.sh | grep 883c667e01eed62f975ad28b6d50e22a<br />    12345678 883c667e 01eed62f 975ad28b 6d50e22a<br />    $ md5sum install.sh | grep cc21b4c943fd03e93ae1ae49e28573c0<br />    cc21b4c9 43fd03e9 3ae1ae49 e28573c0<br />    $ sha512sum install.sh | grep ec113b49a54e705f86d51e784ebced224fdff3f52<br />    79945d9d 250b42a4 2067bb00 99da012e c113b49a 54e705f8 6d51e784 ebced224<br />    fdff3f52 ca588d64 e75f6033 61bd543f d631f592 2f87ceb2 ab034149 6df84a35<br />    $ bash install.sh<br /><br />Watch the intro video on <a 
href="http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1">http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1</a><br /><br />Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.<br /><br />When using programs that use GNU Parallel to process data for publication please cite:<br /><br />O. Tange (2018): GNU Parallel 2018, March 2018, <a href="https://doi.org/10.5281/zenodo.1146014">https://doi.org/10.5281/zenodo.1146014</a>.<br /><br />If you like GNU Parallel:<br /><br /></p><ul><li>Give a demo at your local user group/team/colleagues</li><li>Post the intro videos on Reddit/Diaspora*/forums/blogs/Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists</li><li>Get the merchandise <a href="https://gnuparallel.threadless.com/designs/gnu-parallel">https://gnuparallel.threadless.com/designs/gnu-parallel</a></li><li>Request or write a review for your favourite blog or magazine</li><li>Request or build a package for your favourite distribution (if it is not already there)</li><li>Invite me for your next conference</li></ul><p><br />If you use programs that use GNU Parallel for research:<br /><br /></p><ul><li>Please cite GNU Parallel in your publications (use --citation)</li></ul><p><br />If GNU Parallel saves you money:<br /><br /></p><ul><li>(Have your company) donate to FSF <a href="https://my.fsf.org/donate/">https://my.fsf.org/donate/</a></li></ul><p><br /><br /></p><h2>About GNU SQL</h2><p><br />GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.<br /><br />The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.<br /><br />When using GNU SQL for a publication please cite:<br /><br />O. 
Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.<br /><br /><br /></p><h2>About GNU Niceload</h2><p><br />GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.<br /></p> Wed, 22 May 2024 20:43:15 +0000 education @ Savannah: Schools in Italy Migrated to Free Software https://savannah.gnu.org/news/?id=10632 https://savannah.gnu.org/news/?id=10632 <h2>New Addition to Education Case Studies - Italy</h2><p><br /><a href="https://www.gnu.org/education/edu-cases-italy-south-tyrol.html">All Italian-Language Schools in South Tyrol Migrated to Free Software</a><br /></p> Sat, 18 May 2024 17:15:18 +0000 libtool @ Savannah: libtool-2.5.0 released [alpha] https://savannah.gnu.org/news/?id=10631 https://savannah.gnu.org/news/?id=10631 <p>Libtoolers!<br /><br />The Libtool Team is pleased to announce the release of libtool 2.5.0, an alpha release.<br /><br />GNU Libtool hides the complexity of using shared libraries behind a<br />consistent, portable interface. 
GNU Libtool ships with GNU libltdl, which<br />hides the complexity of loading dynamic runtime libraries (modules)<br />behind a consistent, portable interface.<br /><br />There have been 91 commits by 29 people in the 113 weeks since 2.4.7.<br /><br />See the NEWS below for a brief summary.<br /><br />Thanks to everyone who has contributed!<br />The following people contributed changes to this release:<br /><br />  Albert Chu (1)<br />  Alex Ameen (3)<br />  Antonin Décimo (3)<br />  Brad Smith (2)<br />  Bruno Haible (2)<br />  Dmitry Antipov (1)<br />  Florian Weimer (1)<br />  Gilles Gouaillardet (1)<br />  Ileana Dumitrescu (24)<br />  Jakub Wilk (1)<br />  Jonathan Wakely (2)<br />  Manoj Gupta (1)<br />  Mike Frysinger (23)<br />  Mingli Yu (2)<br />  Oliver Kiddle (1)<br />  Olly Betts (1)<br />  Ozkan Sezer (2)<br />  Paul Eggert (2)<br />  Paul Green (1)<br />  Raul E Rangel (1)<br />  Richard Purdie (5)<br />  Sam James (4)<br />  Samuel Thibault (1)<br />  Stephen Webb (1)<br />  Tijl Coosemans (1)<br />  Tim Rice (1)<br />  Uwe Kleine-König (1)<br />  Vadim Zeitlin (1)<br />  Xiang.Lin (1)<br /><br />Ileana<br /> [on behalf of the libtool maintainers]<br />==================================================================<br /><br />Here is the GNU libtool home page:<br />    <a href="https://gnu.org/s/libtool/">https://gnu.org/s/libtool/</a><br /><br />For a summary of changes and contributors, see:<br />  <a href="https://git.sv.gnu.org/gitweb/?p=libtool.git;a=shortlog;h=v2.5.0">https://git.sv.gnu.org/gitweb/?p=libtool.git;a=shortlog;h=v2.5.0</a><br />or run this command from a git-cloned libtool directory:<br />  git shortlog v2.4.7..v2.5.0<br /><br />Here are the compressed sources:<br />  <a href="https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.gz">https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.gz</a>   (1.9MB)<br />  <a 
href="https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.xz">https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.xz</a>   (1008KB)<br /><br />Here are the GPG detached signatures:<br />  <a href="https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.gz.sig">https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.gz.sig</a><br />  <a href="https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.xz.sig">https://alpha.gnu.org/gnu/libtool/libtool-2.5.0.tar.xz.sig</a><br /><br />Use a mirror for higher download bandwidth:<br />  <a href="https://www.gnu.org/order/ftp.html">https://www.gnu.org/order/ftp.html</a><br /><br />Here are the SHA1 and SHA256 checksums:<br /><br />  fb3ab5907115b16bf12a0d3d424c79cb0003d02e  libtool-2.5.0.tar.gz<br />  1DjDF0VdhVVM4vmYvkiGb9QM/L+DTWCzAm9PwO1YPSM=  libtool-2.5.0.tar.gz<br />  70e2dd113a9460c279df01b2eee319adb99ee998  libtool-2.5.0.tar.xz<br />  fhDMhjgj1AjsX/6kHUPDckqgiBZldXljydsL77LIecw=  libtool-2.5.0.tar.xz<br /><br />Verify the base64 SHA256 checksum with cksum -a sha256 --check<br />from coreutils-9.2 or OpenBSD's cksum since 2007.<br /><br />Use a .sig file to verify that the corresponding file (without the<br />.sig suffix) is intact.  First, be sure to download both the .sig file<br />and the corresponding tarball.  
Then, run a command like this:<br /><br />  gpg --verify libtool-2.5.0.tar.gz.sig<br /><br />The signature should match the fingerprint of the following key:<br /><br />  pub   rsa4096 2021-09-23 [SC]<br />        FA26 CA78 4BE1 8892 7F22  B99F 6570 EA01 146F 7354<br />  uid   Ileana Dumitrescu &lt;ileanadumi95@protonmail.com&gt;<br />  uid   Ileana Dumitrescu &lt;ileanadumitrescu95@gmail.com&gt;<br /><br />If that command fails because you don't have the required public key,<br />or that public key has expired, try the following commands to retrieve<br />or refresh it, and then rerun the 'gpg --verify' command.<br /><br />  gpg --locate-external-key <a href="mailto:ileanadumi95@protonmail.com">ileanadumi95@protonmail.com</a><br /><br />  gpg --recv-keys 6570EA01146F7354<br /><br />  wget -q -O- '<a href="https://savannah.gnu.org/project/release-gpgkeys.php?group=libtool&amp;download=1">https://savannah.gnu.org/project/release-gpgkeys.php?group=libtool&amp;download=1</a>' | gpg --import -<br /><br />As a last resort to find the key, you can try the official GNU<br />keyring:<br /><br />  wget -q <a href="https://ftp.gnu.org/gnu/gnu-keyring.gpg">https://ftp.gnu.org/gnu/gnu-keyring.gpg</a><br />  gpg --keyring gnu-keyring.gpg --verify libtool-2.5.0.tar.gz.sig<br /><br />This release was bootstrapped with the following tools:<br />  Autoconf 2.72e<br />  Automake 1.16.5<br />  Gnulib v0.1-6995-g29d705ead1<br /><br />NEWS<br /><br /></p><ul><li>Noteworthy changes in release 2.5.0 (2024-05-13) [alpha]</li></ul><p><br />** New features:<br /><br />  - Pass '-fdiagnostics-color', '-frecord-gcc-switches',<br />    '-fno-sanitize*', '-Werror', and 'prefix-map' flags.<br /><br />  - Pass the '-no-canonical-prefixes' linker flag.<br /><br />  - Pass '-fopenmp=*' for Clang to allow choosing between libgomp and<br />    libomp.<br /><br />  - Pass '-shared-libsan', '-static-libsan', 'rtlib=*', and<br />    'unwindlib=*' for Clang.<br /><br />  - Expanded process.h inclusion on 
Windows for more than the<br />    proprietary MSVC compiler. Other alternative Windows compilers<br />    also require process.h.<br /><br />  - Pass 'elf32_x86_64' and 'elf64_x86_64' to the linker on hurd-amd64.<br /><br />  - Recognize <b>-</b>-windows* config triplets.<br /><br />** Important incompatible changes:<br /><br />  - Removed test_compile from command line options.<br /><br />  - By default executables are created with the RUNPATH property for<br />    the Android linker. RUNPATH works for libraries which are not<br />    installed in system locations.<br /><br />  - Removed AC_PROG_SED fallback, as the macro has been supported<br />    in Autoconf since the 90's.<br /><br />** Bug fixes:<br /><br />  - Check for space after -l, -L, and -R linker flags.<br /><br />  - Updated documentation for tests, the demo directory, and<br />    elsewhere.<br /><br />  - Fixed Solaris 11 builds.<br /><br />  - Clean trailing "/" from sysroot path.<br /><br />  - Fixed shared library builds for System V.<br /><br />  - Added mingw to the list of systems not requiring libm.<br /><br />  - Fixed support for nios2 systems.<br /><br />  - Fixed linker check for '--whole-archive' support for linkers other<br />    than ld.<br /><br />  - Use -Fe instead of -o with MSVC to avoid deprecation warnings.<br /><br />  - Improved reproducibility of libtool scripts.<br /><br />  - Avoided MinGW warning by adding CRTIMP.<br /><br />  - Improved grep portability.<br /><br />  - Fixed cross-building warnings when checking for file.<br /><br /><br />** Changes in supported systems or compilers:<br /><br />  - Removed support for bitrig (<b>-</b>-bitrig*).<br /><br />  - Added support for flang (Fortran LLVM-based) compilers.<br /><br /><br />Enjoy!<br /></p> Mon, 13 May 2024 19:06:37 +0000 GNU Guix: Authenticate your Git checkouts! 
https://guix.gnu.org/blog/2024/authenticate-your-git-checkouts// https://guix.gnu.org/blog/2024/authenticate-your-git-checkouts// <p>You clone a Git repository, then pull from it. How can you tell its contents are “authentic”—i.e., coming from the “genuine” project you think you’re pulling from, written by the fine human beings you’ve been working with? With commit signatures and “verified” badges flourishing, you’d think this has long been solved—but nope!</p><p>Four years after Guix <a href="https://guix.gnu.org/en/blog/2020/securing-updates/">deployed its own tool</a> to allow users to authenticate updates fetched with <code>guix pull</code> (which uses Git under the hood), the situation hasn’t changed all that much: the vast majority of developers using Git simply do not authenticate the code they pull. That’s pretty bad. It’s the modern-day equivalent of sharing unsigned tarballs and packages like we’d blissfully do in the past century.</p><p>The authentication mechanism Guix uses for <a href="https://guix.gnu.org/manual/devel/en/html_node/Channels.html">channels</a> is available to any Git user through the <a href="https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix-git-authenticate.html"><code>guix git authenticate</code></a> command. This post is a guide for Git users who are not necessarily Guix users but are interested in using this command for their own repositories. Before looking into the command-line interface and how we improved it to make it more convenient, let’s dispel any misunderstandings or misconceptions.</p><h1>Why you should care</h1><p>When you run <code>git pull</code>, you’re fetching a bunch of commits from a server. If it’s over HTTPS, you’re authenticating <em>the server</em> itself, which is nice, but that does not tell you who the code actually comes from—the server might be compromised and an attacker pushed code to the repository. Not helpful. 
At all.</p><p>But hey, maybe you think you’re good because everyone on your project is signing commits and tags, and because you’re disciplined, you routinely run <code>git log --show-signature</code> and check those “Good signature” GPG messages. Maybe you even have those fancy “verified” badges as found <a href="https://docs.gitlab.com/ee/user/project/repository/signed_commits/gpg.html">on GitLab</a> and <a href="https://docs.github.com/en/authentication/managing-commit-signature-verification">on GitHub</a>.</p><p>Signing commits is part of the solution, but it’s not enough to <em>authenticate</em> a set of commits that you pull; all it shows is that, well, those commits are signed. Badges aren’t much better: the presence of a “verified” badge only shows that the commit is signed by the OpenPGP key <em>currently registered</em> for the corresponding GitLab/GitHub account. It’s another source of lock-in and makes the hosting platform a trusted third-party. Worse, there’s no notion of authorization (which keys are authorized), let alone tracking of the history of authorization changes (which keys were authorized at the time a given commit was made). Not helpful either.</p><p>Being able to ensure that when you run <code>git pull</code>, you’re getting code that <em>genuinely</em> comes from authorized developers of the project is basic security hygiene. 
Obviously it cannot protect against efforts to infiltrate a project to eventually get commit access and insert malicious code—the kind of multi-year plot that led to the <a href="https://tukaani.org/xz-backdoor/">xz backdoor</a>—but if you don’t even protect against unauthorized commits, then all bets are off.</p><p>Authentication is something we naturally expect from <code>apt update</code>, <code>pip</code>, <code>guix pull</code>, and similar tools; why not treat <code>git pull</code> to the same standard?</p><h1>Initial setup</h1><p>The <a href="https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix-git-authenticate.html"><code>guix git authenticate</code></a> command authenticates Git checkouts, unsurprisingly. It’s currently part of Guix because that’s where it was brought to life, but it can be used on any Git repository. This section focuses on how to use it; you can learn about the motivation, its design, and its implementation in <a href="https://guix.gnu.org/en/blog/2020/securing-updates/">the 2020 blog post</a>, in the 2022 peer-reviewed academic paper entitled <a href="https://doi.org/10.22152/programming-journal.org/2023/7/1"><em>Building a Secure Software Supply Chain with GNU Guix</em></a>, or in this 20mn <a href="https://archive.fosdem.org/2023/schedule/event/security_where_does_that_code_come_from/">presentation</a>.</p><p>To support authentication of your repository with <code>guix git authenticate</code>, you need to follow these steps:</p><ol><li><p>Enable commit signing on your repo: <code>git config commit.gpgSign true</code>. 
(Git now supports other signing methods but here we need OpenPGP signatures.)</p></li><li><p>Create a <code>keyring</code> branch containing all the OpenPGP keys of all the committers, along these lines:</p><pre><code>git checkout --orphan keyring
git reset --hard
gpg --export alice@example.org &gt; alice.key
gpg --export bob@example.org &gt; bob.key
git add *.key
git commit -m "Add committer keys."</code></pre><p>All the files must end in <code>.key</code>. You must never remove keys from that branch: keys of users who left the project are necessary to authenticate past commits.</p></li><li><p>Back to the main branch, add a <code>.guix-authorizations</code> file, listing the OpenPGP keys of authorized committers—we’ll get back to its format below.</p></li><li><p>Commit! This becomes the <em>introductory commit</em> from which authentication can proceed. The <em>introduction</em> of your repository is the ID of this commit and the OpenPGP fingerprint of the key used to sign it.</p></li></ol><p>That’s it. From now on, anyone who clones the repository can authenticate it. The first time, run:</p><pre><code>guix git authenticate COMMIT SIGNER</code></pre><p>… where <code>COMMIT</code> is the commit ID of the introductory commit, and <code>SIGNER</code> is the OpenPGP fingerprint of the key used to sign that commit (make sure to enclose it in double quotes if there are spaces!). 
As a repo maintainer, you must advertise this introductory commit ID and fingerprint on a web page or in a <code>README</code> file so others know what to pass to <code>guix git authenticate</code>.</p><p>The commit and signer are now recorded on the first run in <code>.git/config</code>; next time, you can run it without any arguments:</p><pre><code>guix git authenticate</code></pre><p>The other new feature is that the first time you run it, the command installs <em>pre-push and pre-merge hooks</em> (unless preexisting hooks are found) such that your repository is automatically authenticated from there on every time you run <code>git pull</code> or <code>git push</code>.</p><p><code>guix git authenticate</code> exits with a non-zero code and an error message when it stumbles upon a commit that lacks a signature, that is signed by a key not in the <code>keyring</code> branch, or that is signed by a key not listed in <code>.guix-authorizations</code>.</p><h1>Maintaining the list of authorized committers</h1><p>The <code>.guix-authorizations</code> file in the repository is central: it lists the OpenPGP fingerprints of authorized committers. 
Any commit that is <em>not</em> signed by a key listed in the <code>.guix-authorizations</code> file of its parent commit(s) is considered inauthentic—and an error is reported. The <a href="https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html#channel_002dauthorizations">format of <code>.guix-authorizations</code></a> is based on <a href="https://en.wikipedia.org/wiki/S-expression">S-expressions</a> and looks like this:</p><pre><code class="language-scheme">;; Example ‘.guix-authorizations’ file.
(authorizations
 (version 0)               ;current file format version

 (("AD17 A21E F8AE D8F1 CC02 DBD9 F8AE D8F1 765C 61E3"
   (name "alice"))
  ("2A39 3FFF 68F4 EF7A 3D29 12AF 68F4 EF7A 22FB B2D5"
   (name "bob"))
  ("CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"
   (name "charlie"))))</code></pre><p>The <code>name</code> bits are hints and do not have any effect; what matters is the fingerprints that are listed. You can obtain them with GnuPG by running commands like:</p><pre><code>gpg --fingerprint charlie@example.org</code></pre><p>At any time you can add or remove keys from <code>.guix-authorizations</code> and commit the changes; those changes take effect for child commits. For example, if we add Billie’s fingerprint to the file in commit <em>A</em>, then Billie becomes an authorized committer in <em>descendants</em> of commit <em>A</em> (we must make sure to add Billie’s key as a file in the <code>keyring</code> branch, too, as we saw above); Billie is still unauthorized in branches that lack <em>A</em>. If we remove Charlie’s key from the file in commit <em>B</em>, then Charlie is no longer an authorized committer, except in branches that start before <em>B</em>. This should feel rather natural.</p><p>That’s pretty much all you need to know to get started! 
<a href="https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix-git-authenticate.html">Check the manual</a> for more info.</p><p>All the information needed to authenticate the repository is contained in the repository itself—it does not depend on a forge or key server. That’s a good property to allow anyone to authenticate it, to ensure determinism and transparency, and to avoid lock-in.</p><h1>Interested? You can help!</h1><p><code>guix git authenticate</code> is a great tool that you can start using today so you and fellow co-workers can be sure you’re getting the right code! It solves an important problem that, to my knowledge, hasn’t really been addressed by any other tool.</p><p>Maybe you’re interested but don’t feel like installing Guix “just” for this tool. Maybe you’re not into Scheme and Lisp and would rather use a tool written in your favorite language. Or maybe you think—and rightfully so—that such a tool ought to be part of Git proper.</p><p>That’s OK, we can talk! We’re open to discussing with folks who’d like to come up with alternative implementations—check out the articles mentioned above if you’d like to take that route. And we’re open to contributing to a standardization effort. Let’s <a href="https://guix.gnu.org/contact/">get in touch</a>!</p><h1>Acknowledgments</h1><p>Thanks to Florian Pelz and Simon Tournier for their insightful comments on an earlier draft of this post.</p> Tue, 07 May 2024 14:14:00 +0000 FSF News: Free Software Awards winners announced: Bruno Haible, code.gouv.fr, Nick Logozzo http://www.fsf.org/news/free-software-awards-winners-announced-bruno-haible-french-free-software-unit-nick-logozzo http://www.fsf.org/news/free-software-awards-winners-announced-bruno-haible-french-free-software-unit-nick-logozzo Sun, 05 May 2024 22:55:00 +0000 Gary Benson: git submodule forgetting https://gbenson.net/?p=958 https://gbenson.net/git-submodules/ <p>Did you forget the <code>-r</code> when cloning a git repo with submodules? 
The command you’re looking for is <code>git submodule update --init</code></p> Thu, 02 May 2024 15:11:16 +0000 FSF News: FSF to be deposed in SFC v Vizio, updates relevant FAQ entry http://www.fsf.org/news/fsf-to-be-deposed-in-sfc-v-vizio-updates-relevant-faq-entry http://www.fsf.org/news/fsf-to-be-deposed-in-sfc-v-vizio-updates-relevant-faq-entry Mon, 29 Apr 2024 18:23:26 +0000 gnulib @ Savannah: GNU gnulib: gnulib-tool has become much faster https://savannah.gnu.org/news/?id=10629 https://savannah.gnu.org/news/?id=10629 <p>If you are developer on a package that uses GNU gnulib as part of its build system:<br /><br />gnulib-tool has been known for being slow for many years. We have listened to your complaints. We have rewritten gnulib-tool in another programming language (Python). It is between 8 times and 100 times faster than the previous implementation.<br /><br />Both implementations behave identically, that is, produce the same generated files and the same output. Nothing changes in your way to use Gnulib; it's only faster.<br /><br />In order to reap the new speed:<br /><br />1. Make sure you have Python (version 3.7 or newer) installed on your machine.<br /><br />2. Update your gnulib checkout. (For some packages, it comes as a git submodule named 'gnulib'.) Like this:<br /><br /></p><blockquote class="verbatim"><p>   $ git checkout master<br />  $ git pull<br /></p></blockquote><p>  Set the environment variable GNULIB_SRCDIR, pointing to this checkout.<br /><br />  If the package is using a git submodule named 'gnulib', it is also advisable to do<br /><br /></p><blockquote class="verbatim"><p>   $ git commit -m 'build: Update gnulib submodule to latest.' gnulib<br /></p></blockquote><p>  (as a preparation for step 4, because the --no-git option does not work as expected in all variants of 'bootstrap').<br /><br />3. Clean the built files of your package:<br /><br /></p><blockquote class="verbatim"><p>   $ make -k distclean<br /></p></blockquote><p><br />4. 
Regenerate the fetched and generated files of your package. Depending on the package, this may be a command such as<br /><br /></p><blockquote class="verbatim"><p>   $ ./bootstrap --no-git --gnulib-srcdir=$GNULIB_SRCDIR<br /></p></blockquote><p>  or<br /><br /></p><blockquote class="verbatim"><p>   $ export GNULIB_SRCDIR; ./autopull.sh; ./autogen.sh<br /></p></blockquote><p>  or, if no such script is available:<br /><br /></p><blockquote class="verbatim"><p>   $ $GNULIB_SRCDIR/gnulib-tool --update<br /></p></blockquote><p><br />5. Continue with<br /><br /></p><blockquote class="verbatim"><p>   $ ./configure<br />  $ make<br /></p></blockquote><p>  as usual.<br /><br />Enjoy! The rewritten gnulib-tool was implemented by Dmitry Selyutin, Collin Funk, and me.<br /></p> Fri, 26 Apr 2024 10:12:40 +0000 parallel @ Savannah: GNU Parallel 20240422 ('Børsen') [stable] https://savannah.gnu.org/news/?id=10627 https://savannah.gnu.org/news/?id=10627 <p>GNU Parallel 20240422 ('Børsen') has been released. It is available for download at: lbry://@GnuParallel:4<br /><br />Quote of the month:<br /><br />  I’m a big fan of GNU parallel!<br />    -- Scott Cain @scottjcain@twitter<br /> <br />New in this release:<br /></p><ul><li>Bug fixes and man page updates.</li></ul><p><br />GNU Parallel - For people who live life in the parallel lane.<br /><br />If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.<br /><br /><br /></p><h2>About GNU Parallel</h2><p><br />GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. 
GNU Parallel can then split the input and pipe it into commands in parallel.<br /><br />If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.<br /><br />GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.<br /><br />For example you can run this to convert all jpeg files into png and gif files and have a progress bar:<br /><br />  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif<br /><br />Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:<br /><br />  find . -name '*.jpg' |<br />    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200<br /><br />You can find more about GNU Parallel at: <a href="http://www.gnu.org/s/parallel/">http://www.gnu.org/s/parallel/</a><br /><br />You can install GNU Parallel in just 10 seconds with:<br /><br />    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \<br />       fetch -o - <a href="http://pi.dk/3">http://pi.dk/3</a> ) &gt; install.sh<br />    $ sha1sum install.sh | grep 883c667e01eed62f975ad28b6d50e22a<br />    12345678 883c667e 01eed62f 975ad28b 6d50e22a<br />    $ md5sum install.sh | grep cc21b4c943fd03e93ae1ae49e28573c0<br />    cc21b4c9 43fd03e9 3ae1ae49 e28573c0<br />    $ sha512sum install.sh | grep ec113b49a54e705f86d51e784ebced224fdff3f52<br />    79945d9d 250b42a4 2067bb00 99da012e c113b49a 54e705f8 6d51e784 ebced224<br />    fdff3f52 ca588d64 e75f6033 61bd543f d631f592 2f87ceb2 ab034149 6df84a35<br />    $ bash install.sh<br /><br />Watch the intro video on <a 
href="http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1">http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1</a><br /><br />Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.<br /><br />When using programs that use GNU Parallel to process data for publication please cite:<br /><br />O. Tange (2018): GNU Parallel 2018, March 2018, <a href="https://doi.org/10.5281/zenodo.1146014">https://doi.org/10.5281/zenodo.1146014</a>.<br /><br />If you like GNU Parallel:<br /><br /></p><ul><li>Give a demo at your local user group/team/colleagues</li><li>Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists</li><li>Get the merchandise <a href="https://gnuparallel.threadless.com/designs/gnu-parallel">https://gnuparallel.threadless.com/designs/gnu-parallel</a></li><li>Request or write a review for your favourite blog or magazine</li><li>Request or build a package for your favourite distribution (if it is not already there)</li><li>Invite me for your next conference</li></ul><p><br />If you use programs that use GNU Parallel for research:<br /><br /></p><ul><li>Please cite GNU Parallel in you publications (use --citation)</li></ul><p><br />If GNU Parallel saves you money:<br /><br /></p><ul><li>(Have your company) donate to FSF <a href="https://my.fsf.org/donate/">https://my.fsf.org/donate/</a></li></ul><p><br /><br /></p><h2>About GNU SQL</h2><p><br />GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.<br /><br />The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.<br /><br />When using GNU SQL for a publication please cite:<br /><br />O. 
Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.<br /><br /><br /></p><h2>About GNU Niceload</h2><p><br />GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.<br /></p> Mon, 22 Apr 2024 21:12:49 +0000 www-zh-cn @ Savannah: Welcome our new member - integral https://savannah.gnu.org/news/?id=10626 https://savannah.gnu.org/news/?id=10626 <p>Hi, All:<br /><br />Please join me in welcoming our new member:<br /><br /> User Details:<br />-------------<br />Name:<br />Login:   integral<br />Email:   <a href="mailto:integral@member.fsf.org">integral@member.fsf.org</a><br /><br />I wish integral a wonderful journey in GNU CTT.<br /><br />Happy Hacking<br />wxie<br /></p> Mon, 22 Apr 2024 00:56:18 +0000 gnulib @ Savannah: GNU gnulib: calling for beta-testers https://savannah.gnu.org/news/?id=10625 https://savannah.gnu.org/news/?id=10625 <p>If you are developer on a package that uses GNU gnulib as part of its build system:<br /><br />gnulib-tool has been known for being slow for many years. We have listened to your complaints. A rewrite of gnulib-tool in another programming language (Python) is ready for beta-testing. It is between 8 times and 100 times faster than the original gnulib-tool.<br /><br />Both implementations should behave identically, that is, produce the same generated files and the same output. You can help us ensure this, through the following steps:<br /><br />1. Make sure you have Python (version 3.7 or newer) installed on your machine.<br /><br />2. Update your gnulib checkout. 
(For some packages, it comes as a git submodule named 'gnulib'.) Like this:<br /><br /></p><blockquote class="verbatim"><p>   $ git checkout master<br />  $ git pull<br /></p></blockquote><p>     Set the environment variable GNULIB_SRCDIR, pointing to this checkout.<br /><br />     If the package is using a git submodule named 'gnulib', it is also advisable to do<br /><br /></p><blockquote class="verbatim"><p>   $ git commit -m 'build: Update gnulib submodule to latest.' gnulib<br /></p></blockquote><p>     (as a preparation for step 5, because the --no-git option does not work as expected in all variants of 'bootstrap').<br /><br />3. Set an environment variable that enables checking that the two implementations behave the same:<br /><br /></p><blockquote class="verbatim"><p>   $ export GNULIB_TOOL_IMPL=sh+py<br /></p></blockquote><p><br />4. Clean the built files of your package:<br /><br /></p><blockquote class="verbatim"><p>   $ make -k distclean<br /></p></blockquote><p><br />5. Regenerate the fetched and generated files of your package. Depending on the package, this may be a command such as<br /><br /></p><blockquote class="verbatim"><p>   $ ./bootstrap --no-git --gnulib-srcdir=$GNULIB_SRCDIR<br /></p></blockquote><p>     or<br /><br /></p><blockquote class="verbatim"><p>   $ export GNULIB_SRCDIR; ./autopull.sh; ./autogen.sh<br /></p></blockquote><p>     or, if no such script is available:<br /><br /></p><blockquote class="verbatim"><p>   $ $GNULIB_SRCDIR/gnulib-tool --update<br /></p></blockquote><p>     If there is a failure, due to differences between the 'sh' and 'py' results, please report it to &lt;bug-gnulib@gnu.org&gt;.<br /><br />6. If this invocation was successful, you can trust the rewritten gnulib-tool and use it from now on, by setting the environment variable<br /><br /></p><blockquote class="verbatim"><p>   $ export GNULIB_TOOL_IMPL=py<br /></p></blockquote><p><br />7. 
Continue with<br /><br /></p><blockquote class="verbatim"><p>   $ ./configure<br />  $ make<br /></p></blockquote><p>     as usual.<br /><br />And enjoy the speed! The rewritten gnulib-tool was implemented by Dmitry Selyutin, Collin Funk, and me.<br /></p> Sun, 21 Apr 2024 10:47:35 +0000 www-zh-cn @ Savannah: It is easy to contribute to GNU https://savannah.gnu.org/news/?id=10624 https://savannah.gnu.org/news/?id=10624 <p><b>I will be delivering my talk, "It is easy to contribute to GNU," Saturday, May 4, 2024, 12:15--13:00 EDT (16:00 UTC), at the LibrePlanet 2024 conference, and I hope you’ll check it out!</b><br /><br /><b>LibrePlanet is a conference about software freedom, happening on May 4 &amp; 5, 2024. The event is hosted by the Free Software Foundation (FSF), and brings together software developers, law and policy experts, activists, students, and computer users to learn skills, celebrate free software accomplishments, and face upcoming challenges. Newcomers are always welcome, and LibrePlanet 2024 will feature programming for all ages and experience levels.</b><br /><br /><b>*Please register in advance at &lt;<a href="https://libreplanet.org/2024/">https://libreplanet.org/2024/</a>&gt;.</b>*<br /><br />wxie<br /></p> Wed, 17 Apr 2024 23:30:51 +0000 Simon Josefsson: Reproducible and minimal source-only tarballs https://blog.josefsson.org/?p=1973 https://blog.josefsson.org/2024/04/13/reproducible-and-minimal-source-only-tarballs/ <p>With the <a href="https://lists.nongnu.org/archive/html/libntlm/2024-04/msg00000.html">release of Libntlm version 1.8</a> the release tarball can be reproduced on several distributions. 
We also publish a signed minimal source-only tarball, produced by <a href="https://git-scm.com/docs/git-archive">git-archive</a> which is the same format used by <a href="https://savannah.gnu.org/">Savannah</a>, <a href="https://codeberg.org/">Codeberg</a>, <a href="https://about.gitlab.com/">GitLab</a>, <a href="https://github.com/">GitHub</a> and others. Reproducibility of both tarballs is tested <a href="https://gitlab.com/gsasl/libntlm/-/pipelines">continuously for regressions</a> on GitLab through a CI/CD pipeline. If that wasn’t enough to excite you, the <a href="https://tracker.debian.org/pkg/libntlm">Debian packages of Libntlm</a> are now built from the reproducible minimal source-only tarball. The resulting binaries are <a href="https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/libntlm.html">reproducible</a> on several architectures.</p><p>What does that even mean? Why should you care? How can you do the same for your project? What are the open issues? Read on, dear reader…</p><p>This article describes my practical experiments with reproducible release artifacts, following up on <a href="https://blog.josefsson.org/2024/04/01/towards-reproducible-minimal-source-code-tarballs-please-welcome-src-tar-gz/">my earlier thoughts</a> that led to <a href="https://fosstodon.org/@janneke@todon.nl/112229121637671457">discussion on Fosstodon</a> and a <a href="https://issues.guix.gnu.org/70169/#21">patch by Janneke Nieuwenhuizen to make Guix tarballs reproducible</a> that inspired me to some practical work.</p><p>Let’s look at how a maintainer releases some software, and how a user can reproduce the released artifacts from the source code. 
Libntlm provides a shared library written in C and uses <a href="https://www.gnu.org/software/make/">GNU Make</a>, <a href="https://www.gnu.org/software/autoconf/">GNU Autoconf</a>, <a href="https://www.gnu.org/software/automake/">GNU Automake</a>, <a href="https://www.gnu.org/software/libtool/">GNU Libtool</a> and <a href="https://www.gnu.org/software/gnulib/">gnulib</a> for build management, but these ideas should apply to most projects and build systems. The following illustrates the steps a maintainer would take to prepare a release:</p><pre class="wp-block-code"><code>git clone https://gitlab.com/gsasl/libntlm.git
cd libntlm
git checkout v1.8
./bootstrap
./configure
make distcheck
gpg -b libntlm-1.8.tar.gz</code></pre><p>The generated files <code>libntlm-1.8.tar.gz</code> and <code>libntlm-1.8.tar.gz.sig</code> are published, and users download and use them. This is how <a href="https://www.gnu.org/">the GNU project</a> has been doing releases since the late 1980s. That is a testament to how successful this pattern has been! These tarballs contain source code and some generated files, typically shell scripts generated by autoconf, makefile templates generated by automake, documentation in formats like <a href="https://www.gnu.org/software/texinfo/">Info</a>, HTML, or PDF. Rarely do they contain binary object code, but historically that happened.</p><p>The <a href="https://en.wikipedia.org/wiki/XZ_Utils_backdoor">XZUtils incident</a> illustrates that tarballs with files that are not included in the git archive offer an opportunity to disguise malicious backdoors. I <a href="https://blog.josefsson.org/2024/04/01/towards-reproducible-minimal-source-code-tarballs-please-welcome-src-tar-gz/">blogged earlier</a> how to mitigate this risk by using signed minimal source-only tarballs.</p><p>The risk of hiding malware is not the only motivation to publish signed minimal source-only tarballs. 
With pre-generated content in tarballs, there is a risk that <a href="https://www.gnu.org/distros/free-distros.en.html">GNU/Linux distributions</a> such as <a href="https://trisquel.info/">Trisquel</a>, <a href="https://guix.gnu.org/">Guix</a>, <a href="https://www.debian.org/">Debian</a>/<a href="https://ubuntu.com/">Ubuntu</a> or <a href="https://fedoraproject.org/">Fedora</a> ship generated files coming from the tarball into the binary <code>*.deb</code> or <code>*.rpm</code> package file. Typically the person packaging the upstream project never realized that some installed artifacts were not re-built through a typical <code>autoconf -fi &amp;&amp; ./configure &amp;&amp; make install</code> sequence, and never wrote the code to rebuild everything. This can also happen if the build rules are written but are buggy, shipping the old artifact. When a security problem is found, this can lead to time-consuming situations, as it may be that patching the relevant source code and rebuilding the package is not sufficient: the vulnerable generated object from the tarball would be shipped into the binary package instead of a rebuilt artifact. For architecture-specific binaries this rarely happens, since object code is usually not included in tarballs — although for 10+ years I shipped the binary Java JAR file in the <a href="https://www.gnu.org/software/libidn/">GNU Libidn</a> release tarball, until I <a href="https://gitlab.com/libidn/libidn/-/commit/fdc31300ab23b52b97e8b09d56df826d84fc081b">stopped shipping</a> it. For interpreted languages and especially for generated content such as HTML, PDF, shell scripts this happens more than you would like.</p><p>Publishing minimal source-only tarballs enables easier auditing of a project’s code, to avoid the need to read through all generated files looking for malicious content. I have taken care to generate the source-only minimal tarball using <code><a href="https://git-scm.com/docs/git-archive">git-archive</a></code>. 
This is the same format that GitLab, GitHub etc. offer for the automated download links on git tags. The minimal source-only tarballs can thus serve as a way to audit GitLab and GitHub download material! Consider if/when hosting sites like GitLab or GitHub have a security incident that causes generated tarballs to include a backdoor that is not present in the git repository. If people rely on the tag download artifact without verifying the maintainer PGP signature using <a href="https://gnupg.org/">GnuPG</a>, this can lead to similar backdoor scenarios that we had for XZUtils but originated with the hosting provider instead of the release manager. This is even more concerning, since this attack can be mounted for some selected IP address that you want to target and not on everyone, thereby making it harder to discover.</p><p>With all that discussion and rationale out of the way, let’s return to the release process. I have added another step here:</p><pre class="wp-block-code"><code>make srcdist
gpg -b libntlm-1.8-src.tar.gz</code></pre><p>Now the release is ready. I publish these four files in the <a href="https://download.savannah.nongnu.org/releases/libntlm/">Libntlm’s Savannah Download area</a>, but they can be uploaded to a GitLab/GitHub release area as well. These are the SHA256 checksums I got after building the tarballs on my <a href="https://blog.josefsson.org/2022/12/10/trisquel-11-on-nv41pz-first-impressions/">Trisquel 11 aramo laptop</a>:</p><pre class="wp-block-code"><code>91de864224913b9493c7a6cec2890e6eded3610d34c3d983132823de348ec2ca libntlm-1.8-src.tar.gz
ce6569a47a21173ba69c990965f73eb82d9a093eb871f935ab64ee13df47fda1 libntlm-1.8.tar.gz</code></pre><p>So how can you reproduce my artifacts? 
Here is how to reproduce them in an Ubuntu 22.04 container:</p><pre class="wp-block-code"><code>podman run -it --rm ubuntu:22.04
apt-get update
apt-get install -y --no-install-recommends autoconf automake libtool make git ca-certificates
git clone https://gitlab.com/gsasl/libntlm.git
cd libntlm
git checkout v1.8
./bootstrap
./configure
make dist srcdist
sha256sum libntlm-*.tar.gz</code></pre><p>You should see the exact same SHA256 checksum values. Hooray!</p><p>This works because Trisquel 11 and Ubuntu 22.04 use the same version of git, autoconf, automake, and libtool. These tools do not guarantee the same output content for all versions, similar to how <a href="https://www.gnu.org/software/gcc/">GNU GCC</a> does not generate the same binary output for all versions. So there is still some delicate version pairing needed.</p><p>Ideally, the artifacts should be possible to reproduce from the release artifacts themselves, and not only directly from git. It is possible to reproduce the full tarball in an <a href="https://almalinux.org/">AlmaLinux</a> 8 container – replace <code>almalinux:8</code> with <code>rockylinux:8</code> if you prefer <a href="https://rockylinux.org/">RockyLinux</a>:</p><pre class="wp-block-code"><code>podman run -it --rm almalinux:8
dnf update -y
dnf install -y make wget gcc
wget https://download.savannah.nongnu.org/releases/libntlm/libntlm-1.8.tar.gz
tar xfa libntlm-1.8.tar.gz
cd libntlm-1.8
./configure
make dist
sha256sum libntlm-1.8.tar.gz</code></pre><p>The source-only minimal tarball can be regenerated on <a href="https://www.debian.org/releases/bullseye/">Debian 11</a>:</p><pre class="wp-block-code"><code>podman run -it --rm debian:11
apt-get update
apt-get install -y --no-install-recommends make git ca-certificates
git clone https://gitlab.com/gsasl/libntlm.git
cd libntlm
git checkout v1.8
make -f cfg.mk srcdist
sha256sum libntlm-1.8-src.tar.gz</code></pre><p>As the Magnum Opus or chef-d’œuvre, let’s recreate the full tarball directly from the minimal 
source-only tarball on Trisquel 11 – replace <code>docker.io/kpengboy/trisquel:11.0</code> with <code>ubuntu:22.04</code> if you prefer.</p><pre class="wp-block-code"><code>podman run -it --rm docker.io/kpengboy/trisquel:11.0
apt-get update
apt-get install -y --no-install-recommends autoconf automake libtool make wget git ca-certificates
wget https://download.savannah.nongnu.org/releases/libntlm/libntlm-1.8-src.tar.gz
tar xfa libntlm-1.8-src.tar.gz
cd libntlm-v1.8
./bootstrap
./configure
make dist
sha256sum libntlm-1.8.tar.gz</code></pre><p>Yay! You should now have great confidence that the release artifacts correspond to what’s in version control and also to what the maintainer intended to release. Your remaining job is to audit the source code for vulnerabilities, including the source code of the dependencies used in the build. You no longer have to worry about auditing the release artifacts.</p><p>I find it somewhat amusing that the build infrastructure for Libntlm is now in a significantly better place than the code itself. Libntlm is written in old C style with plenty of string manipulation and uses broken cryptographic algorithms such as <a href="https://en.wikipedia.org/wiki/MD4">MD4</a> and <a href="https://en.wikipedia.org/wiki/Data_Encryption_Standard">single-DES</a>. Remember folks: solving supply chain security issues has no bearing on what kind of code you eventually run. A clean gun can still shoot you in the foot.</p><p>Side note on naming: GitLab exports tarballs with pathnames <code>libntlm-v1.8/</code> (i.e., <code>PROJECT-TAG/</code>) and I’ve adopted the same pathnames, which means my <code>libntlm-1.8-src.tar.gz</code> tarballs are bit-by-bit identical to GitLab’s exports and you can verify this with tools like <a href="https://diffoscope.org/">diffoscope</a>. GitLab names the tarball <code>libntlm-v1.8.tar.gz</code> (i.e., <code>PROJECT-TAG.ARCHIVE</code>) which I find too similar to the <code>libntlm-1.8.tar.gz</code> that we also publish. 
GitHub uses the same git archive style, but unfortunately they have logic that removes the ‘v’ in the pathname so you will get a tarball with pathname <code>libntlm-1.8/</code> instead of <code>libntlm-v1.8/</code> that GitLab and I use. The content of the tarball is bit-by-bit identical, but the pathname and archive differ. Codeberg (running <a href="https://forgejo.org/">Forgejo</a>) uses another approach: the tarball is called <code>libntlm-v1.8.tar.gz</code> (after the tag) just like GitLab, but the pathname inside the archive is <code>libntlm/</code>, otherwise the produced archive is bit-by-bit identical including timestamps. <a href="https://git.savannah.gnu.org/">Savannah’s CGIT</a> interface uses archive name <code>libntlm-1.8.tar.gz</code> with pathname <code>libntlm-1.8/</code>, but otherwise file content is identical. Savannah’s <a href="https://git-scm.com/docs/gitweb">GitWeb</a> interface provides snapshot links that are named after the git commit (e.g., <code>libntlm-a812c2ca.tar.gz</code> with <code>libntlm-a812c2ca/</code>) and I cannot find any tag-based download links at all. Overall, we are so close to getting the SHA256 checksums to match, but fail on pathname within the archive. I’ve chosen to be compatible with GitLab regarding the content of tarballs but not on archive naming. From a simplicity point of view, it would be nice if everyone used <code>PROJECT-TAG.ARCHIVE</code> for the archive filename and <code>PROJECT-TAG/</code> for the pathname within the archive. This aspect will probably need more discussion.</p><p>Side note on git archive output: It seems different versions of <a href="https://git-scm.com/docs/git-archive">git archive</a> produce different results for the same repository. The version of git in Debian 11, Trisquel 11 and Ubuntu 22.04 behave the same. The version of git in Debian 12, AlmaLinux/RockyLinux 8/9, Alpine, ArchLinux, macOS homebrew, and upcoming Ubuntu 24.04 behave in another way. 
Hopefully this will not change that often, but this would invalidate reproducibility of these tarballs in the future, forcing you to use an old git release to reproduce the source-only tarball. Alas, GitLab and most other sites appear to be using modern git so the download tarballs from them would not match my tarballs – even though the content would.</p><p>Side note on ChangeLog: <a href="https://www.gnu.org/prep/standards/html_node/Change-Logs.html">ChangeLog files</a> were traditionally manually curated files with version history for a package. In recent years, several projects moved to dynamically generate them from git history (using tools like <a href="https://git.savannah.nongnu.org/cgit/git2cl.git/tree/README">git2cl</a> or <a href="https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=blob_plain;f=build-aux/gitlog-to-changelog">gitlog-to-changelog</a>). This has consequences for reproducibility of tarballs: you need to have the entire git history available! The <code>gitlog-to-changelog</code> tool also produces <a href="https://lists.gnu.org/archive/html/bug-gnulib/2024-04/msg00188.html">different outputs depending on the time zone</a> of the person using it, which arguably is a simple bug that can be fixed. However this entire approach is incompatible with rebuilding the full tarball from the minimal source-only tarball. It seems <a href="https://gitlab.com/gsasl/libntlm/-/blob/04e5c601ad921df70f659d92db72fcd01e835fa7/ChangeLog">Libntlm’s ChangeLog file</a> died on the <a href="https://gitlab.com/gsasl/libntlm/-/commit/04e5c601ad921df70f659d92db72fcd01e835fa7">surgery table</a> here.</p><p>So how would a distribution build these minimal source-only tarballs? I happen to help on the <a href="https://tracker.debian.org/pkg/libntlm">libntlm package in Debian</a>. It has historically used the generated tarballs as the source code to build from. This means that code coming from gnulib is vendored in the tarball. 
When a security problem is discovered in gnulib code, the security team needs to patch all packages that include that vendored code and rebuild them, instead of merely patching the gnulib package and rebuilding all packages that rely on that particular code. To change this, the Debian libntlm package needs to Build-Depends on <a href="https://tracker.debian.org/pkg/gnulib">Debian’s gnulib package</a>. But there was one problem: similar to most projects that use gnulib, Libntlm depends on a particular git commit of gnulib, and Debian only ships one commit. There is no coordination about which commit to use. I <a href="https://tracker.debian.org/news/1518892/accepted-gnulib-20240412dfb7117stable20240120240408aa0aa87-1-source-into-experimental/">have adopted gnulib</a> in Debian, and added a <a href="https://git-scm.com/docs/git-bundle">git bundle</a> to the <code>*_all.deb</code> binary package so that projects that rely on gnulib can pick whatever commit they need. This allows a <a href="https://salsa.debian.org/auth-team/libntlm/-/commit/f2e88f211256df86561e444813707cafa4c7b541">no-network <code>GNULIB_URL</code> and <code>GNULIB_REVISION</code> approach when running Libntlm’s <code>./bootstrap</code></a> with the Debian gnulib package installed. Otherwise libntlm would pick up whatever latest version of gnulib that Debian happened to have in the gnulib package, which is not what the Libntlm maintainer intended to be used, and can lead to all sorts of version mismatches (and consequently security problems) over time. 
<a href="https://salsa.debian.org/auth-team/libntlm">Libntlm in Debian is developed and tested on Salsa</a> and there is <a href="https://salsa.debian.org/auth-team/libntlm/-/pipelines">continuous integration testing</a> of it as well, thanks to the <a href="https://salsa.debian.org/salsa-ci-team/pipeline/">Salsa CI team</a>.</p><p>Side note on git bundles: unfortunately there appears to be no reproducible way to export a git repository into one or more files. So one unfortunate consequence of all this work is that the gnulib <code>*.orig.tar.gz</code> tarball in Debian is not reproducible any more. I have <a href="https://baecher.dev/stdout/reproducible-git-bundles/">tried</a> to get Git bundles to be reproducible but I never got it to work — see my notes in <a href="https://salsa.debian.org/debian/gnulib/-/blob/debian/sid/debian/README.source">gnulib’s debian/README.source</a> on this aspect. Of course, source tarball reproducibility has nothing to do with binary <a href="https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/gnulib.html">reproducibility of gnulib in Debian</a> itself, fortunately.</p><p>One open question is how to deal with the increased build dependencies that are triggered by this approach. Some <a href="https://lists.debian.org/debian-devel/2024/03/msg00375.html">people are surprised</a> by this but I don’t see how to get around it: if you depend on source code for tools in another package to build your package, it is a bad idea to hide that dependency. We’ve done it for a long time through vendored code in non-minimal tarballs. Libntlm isn’t the most critical project from a bootstrapping perspective, so adding git and gnulib as <code>Build-Depends</code> to it will probably be fine. 
However, consider what happens if this pattern is used for other packages that use gnulib, such as <a href="https://tracker.debian.org/pkg/coreutils">coreutils</a>, <a href="https://tracker.debian.org/pkg/gzip">gzip</a>, <a href="https://tracker.debian.org/pkg/tar">tar</a>, <a href="https://tracker.debian.org/pkg/bison">bison</a> etc. (all are using gnulib): they would all <code>Build-Depends</code> on git and gnulib. Cross-building those packages for a new architecture will therefore require git on that architecture first, which gets circular quickly. The dependency on gnulib is real so I don’t see that going away, and gnulib is an <code>Architecture:all</code> package. However, the dependency on git is merely a consequence of how the Debian gnulib package chose to make all gnulib git commits available to projects: through a git bundle. There are other ways to do this that don’t require the git tool to extract the necessary files, but none that I found practical — ideas welcome!</p><p>Finally some brief notes on how this was implemented. Enabling bootstrappable source-only minimal tarballs via gnulib’s <code>./bootstrap</code> is achieved by using the <code>GNULIB_REVISION</code> mechanism, locking down the gnulib commit used. I have always disliked git submodules because they add extra steps and have complicated interactions with CI/CD. The reason why I <a href="https://gitlab.com/gsasl/libntlm/-/commit/8914bca33ae527ad86a43c6daf11d35bf0921193">gave up git submodules</a> now is because the particular commit to use is not recorded in the <code>git archive</code> output when git submodules are used. So the particular gnulib commit has to be mentioned explicitly in some source code that goes into the git archive tarball. 
<a href="https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=c083cd5af2655e6cd0240d02dccb28556bad8dbf">Colin Watson added the GNULIB_REVISION</a> approach to <code>./bootstrap</code> back in 2018, and now it no longer made sense to continue to use a gnulib git submodule. One alternative is to use <code>./bootstrap</code> with <code>--gnulib-srcdir</code> or <code>--gnulib-refdir</code> if there is some practical problem with the <code>GNULIB_URL</code> towards a git bundle and the <code>GNULIB_REVISION</code> in <code>bootstrap.conf</code>.</p><p>The <a href="https://gitlab.com/gsasl/libntlm/-/commit/a6727bdecc702f583bc5fcc0e08f12ea93332716">srcdist make rule</a> is simple:</p><pre class="wp-block-code"><code>git archive --prefix=libntlm-v1.8/ -o libntlm-1.8-src.tar.gz HEAD</code></pre><p>Making the <code>make dist</code> generated tarball reproducible can be more complicated; however, for Libntlm it was sufficient to make sure the <a href="https://gitlab.com/gsasl/libntlm/-/commit/2231ae304e29b3343f4d7a785fa4d58a7d0fde9e">modification times of all files were set deterministically</a> to the timestamp of the last commit in the git repository. Interestingly, there seem to be a couple of different ways to accomplish this: Guix doesn’t support minimal source-only tarballs but <a href="https://issues.guix.gnu.org/70169/#21">relies on a .tarball-timestamp</a> file inside the tarball. Paul Eggert <a href="https://lists.gnu.org/archive/html/bug-gnulib/2023-01/msg00124.html">explained what TZDB is using</a> some time ago. The <a href="https://gitlab.com/gsasl/libntlm/-/commit/2231ae304e29b3343f4d7a785fa4d58a7d0fde9e">approach I’m using now</a> is fairly similar to the <a href="https://lists.gnu.org/archive/html/bug-gnulib/2023-01/msg00121.html">one I suggested</a> over a year ago. 
If there are problems because all files in the tarball now use the same modification time, there is <a href="https://lists.gnu.org/archive/html/bug-gnulib/2023-01/msg00128.html">a solution by Bruno Haible</a> that could be implemented.</p><p>Side note on git tags: Some people may wonder why not verify a signed git tag instead of verifying a signed tarball of the git archive. Currently most git repositories use SHA-1 for git commit identities, but <a href="https://sha-mbles.github.io/">SHA-1 is not a secure hash function</a>. While current SHA-1 attacks can be detected and mitigated, there are fundamental doubts that a git SHA-1 commit identity uniquely refers to the same content that was intended. Verifying a git tag will never offer the same assurance, since a git tag can be moved or re-signed at any time. Verifying a git commit is better but then we need to trust SHA-1. Migrating <a href="https://git-scm.com/docs/hash-function-transition">git to SHA-256</a> would resolve this aspect, but most hosting sites such as GitLab and GitHub do not support this yet. There are other advantages to using signed tarballs instead of signed git commits or git tags as well, e.g., <code>tar.gz</code> can be a deterministically reproducible persistent stable offline storage format but <code>.git</code> sub-directory trees or <a href="https://git-scm.com/docs/git-bundle">git bundles</a> do not offer this property.</p><p>Doing continuous testing of all this is critical to make sure things don’t regress. <a href="https://gitlab.com/gsasl/libntlm/-/blob/master/.gitlab-ci.yml">Libntlm’s pipeline definition</a> now produces the generated <code>libntlm-*.tar.gz</code> tarballs and a checksum as a build artifact. Then I added the <code><a href="https://gitlab.com/gsasl/libntlm/-/blob/73cc1f220c7173ebb5437b3c23fda8194d742f07/.gitlab-ci.yml#L392">000-reproducability</a></code> job which compares the checksums and fails on mismatches. 
You can read its <a href="https://gitlab.com/gsasl/libntlm/-/jobs/6618064744">delicate output in the job for the v1.8</a> release. Right now we insist that builds on Trisquel 11 match Ubuntu 22.04, that PureOS 10 builds match Debian 11 builds, that AlmaLinux 8 builds match RockyLinux 8 builds, and AlmaLinux 9 builds match RockyLinux 9 builds. As you can see in the pipeline job output, not all platforms lead to the same tarballs, but hopefully this state can be improved over time. There is also partial reproducibility, where the full tarball is reproducible across two distributions but not the minimal tarball, or vice versa.</p><p>If this way of working plays out well, I hope to implement it in other projects too.</p><p>What do you think? Happy Hacking!</p> Sat, 13 Apr 2024 16:44:27 +0000 stow @ Savannah: GNU Stow 2.4.0 released https://savannah.gnu.org/news/?id=10620 <p>Stow 2.4.0 has been released. This release contains some much-wanted bug-fixes — specifically, fixing the --dotfiles option to work with dot-foo directories, and avoiding a spurious warning when unstowing. There were also very many clean-ups and improvements, mostly internal and not visible to users. See <a href="http://git.savannah.gnu.org/cgit/stow.git/tree/NEWS">http://git.savannah.gnu.org/cgit/stow.git/tree/NEWS</a> for more details.<br /></p> Sun, 07 Apr 2024 23:22:19 +0000