Friday, December 2, 2016

Security Update: firefox, thunderbird

Few days ago, a new security vulnerability was posted in Tor's mailing list and it contains a PoC which affects Firefox and Thunderbird and it's currently being used to exploit TorBrowser users. Mozilla quickly being notified and they released an update to their products followed by others. After analyzing it, turns out it's a SVG Animation remote code execution. It targets for Windows users, but the underlying bug is also available on other platforms as well.

Slackware include the latest Firefox and Thunderbird products in their latest update. Stable release still receive an ESR version, which is still at 45.x branch. TorBrowser is also using ESR as their baseline. They also release a new version: 6.0.7.

Another update was a request by me to include a patch to fix a problem i found while testing MATE 1.17. During creating the tarball by using make distcheck, it failed to build properly. One of MATE's developer (monsta) pointed to a bug report in LP and there was a patch to fix this issue, but somehow upstream no longer update the repository and the development seems to be stalled. Last commit was in January 2016. I send a request to Patrick and he agreed to include it on stable and current.

Friday, November 25, 2016

Plans for MATE 1.18

Since Cinnamon 3.2 packages are done, now i can shift my focus towards future MATE 1.18. The goal of MATE 1.18 will be a complete transition to GTK+3 and so far, the upstream developers have done a great job on doing it. By moving to fully GTK+3, they can focus on introducing new features that are impossible to deliver while having to support the old GTK+2 and new GTK+3 toolkit.

The current plan is deliver MATE 1.18 on December 2016. It's an ambitious plan, but we hope it can be met and if the target is achieved, MATE 1.18 will be included in the next Debian 9.0 "Stretch". That's the optimistic plan. The fallback plan will be around January/February.

Since GTK+3 have many releases and different distribution ship different version of GTK+3, it's already agreed that the minimum GTK+3 supported is 3.14. GTK+3 will no longer be updated for major releases as they are now working towards GTK+4 and GTK+3 3.22 will be the last version for 3.x branch while minor and micro releases may still be around for the next 3 years. Read Matthias Clasen's blog post for more information about the versioning. Hopefully when all distribution already shipped the last GTK+3 3.22 for their distributions, MATE development can progress rapidly.

At this moment, these MATE components have been migrated to GTK+3: engrampa, mate-notification-daemon, mate-polkit, mate-session-manager, mate-terminal, mate-system-monitor, and mozo. In future 1.18, ALL MATE components will be migrated to GTK+3. In order to help the migration, upstream developers have switched to 1.17 numbering scheme to denote the development release. You can check the released tarballs here: http://pub.mate-desktop.org/releases/1.17/. They are no longer built against GTK+2, but GTK+3. Upstream also managed to get rid of libunique dependency and switch to GtkApplication.

I already built all those tarballs here locally on my desktop and so far, everything works just as before. There's no major differences between 1.16 and 1.17 in terms of functionality, but you will see some slight changes in the appearance due to toolkit changes. I have also prepared a local branch which contains all the changes to build MATE 1.17, but i haven't pushed it yet since i'm going to wait for upstream to upload all the tarballs for 1.17. Once they are released, i will push the branch to github and people can start testing it. As always, i will also publish binary packages for testing purposes.

Looking back in history, Slackware 14.0 got 1 MATE release (1.6) while Slackware 14.1 got 4 MATE releases (1.6, 1.8, 1.10, 1.12). Slackware 14.2 already got 2 MATE releases (1.12 and 1.14) and i guess it will have more MATE releases than Slackware 14.1.

Wednesday, November 23, 2016

Cinnamon 3.2 Packages for Slackware 14.2

After being stuck at fixing the desktop locking issues for days, Walesa came in with a simple change on PAM rules and voila... the desktop locking issue is now fixed. I can finally publish the latest work on Cinnamon 3.2 built on top of Slackware 14.2.

The changes are now pushed to master and 14.2 branch, which is different a little bit due to commits ordering due to addition of mint-y-* , but it will give the same output in general. 3.2-prep is now removed as well and the binary packages for x86 and x86_64 are now uploaded to http://slackware.uk/csb/14.2/ (Big thanks to Darren Austin for providing this service).

There are several new packages and one removal:

  • autoconf-archive: Added
  • cracklib: Added
  • mint-y-icons: Added
  • mint-y-theme: Added
  • pam_unix2: Removed
  • xapps: Added

It's always recommended to use upgradepkg --reinstall --install-new to install/upgrade all the packages since they are all built/rebuilt from scratch on a clean Slackware 14.2 VM. This will also avoid missing new packages added in 3.2 cycle.

Here's the highlight of Cinnamon 3.2 (Taken from Segfault):
Session Manager

  • QT 5.7+ support

Settings Daemon

  • iio-sensor-proxy rotation plugin
  • Fix cursor-size changes being ignored
  • Support for libinput touchpads as well as synaptics

Window Manager

  • Improvements to unredirect heuristic and borders/maximization
  • Cross-fade effect on background changes
  • Fixed special cases which could lead to cinnamon crashes

Nemo Extensions

  • EXIF rotation and fixes in nemo-preview
  • More sizes in image converter

Screensaver

  • Complete rewrite
  • Much faster, responsive
  • More customizable
  • Support for media keys, media art and and media controls
  • Support to show the number of notifications and battery status

Control Center

  • Fixed new network connections secrets
  • New keyboard layout options

Cinnamon

  • Vertical panels
  • Removal of box pointers
  • Ability to peek at desktop
  • Ability to upload system information
  • Ability to play a sound effect when showing notifications

Settings API

  • Revamped the xlet settings
  • Xlet settings now open in their own window/process, match new style of cinnamon settings, support pages and sections, are automatically highlighted, use  new JSON backend for easier maintenance and simplification of the code
  • Support for backendable widgets which were not previously available to the xlet settings api
  • New backendable date chooser widget

Applets

  • Keyboard: can now show flags based on short name of language in keyboard applet and distinguish between two layouts using the same flag or code
  • Sound: Add a menu that allows the user to switch between active players
  • Menu: Ability to run software with optirun if Bumblebee is installed
  • Menu: Improved keyboard navigation and performance

Nemo

  • file-operations: reduce the time for reliable transfer rate
  • Expand grid width to canvas
  • Trash-monitor: change trash monitoring process
  • Fix –geometry option when Nemo is already running
  • Option to double-click empty area to go to parent directory
  • nemo-file.c: Only append .desktop to desktop files when they actually need it.  Trusted desktop files (ones that typically get made and placed on the desktop) don’t show their extension, so when you try to rename them, the new name needs .desktop appended to it.
  • nemo-application.c: Look for already-existing desktop windows before attempting to manage the desktop.
  • desktop: Don’t rebuild the desktop any time _NET_WORKAREA changes – this can happen fairly frequently in some situations, causing crashes due to the asynchronous nature of nemo’s directory loading back-end.
Bug reports are welcome at github.

Enjoy Cinnamon 3.2 on Slackware 14.2

Saturday, November 19, 2016

Security Update: Firefox

New Firefox package has been released for Slackware 14.1, 14.2, and current and it's considered a security update. For Slackware 14.1, there's one package that is being rebuilt due to changed soname, which is libxcb.

In current, things are progressing again and this time, it *may* break your system, so proceed with cautions. Here are the changes in Slackware-Current:
  • Bash: Upgraded to 4.4.005
  • Kernel: Upgraded to 4.4.32
  • Ghostscript: Upgraded to 9.20
  • Nmap: Upgraded to 7.31
  • Samba: Upgraded to 4.5.1.
  • Freeglut: Upgraded to 3.0.0
  • libXfont2: Added
  • libdrm: Upgraded to 2.4.73
  • Mesa: Upgraded to 13.0.1
  • X,Org: Upgraded to 1.19
  • Xterm: Upgraded to 326
  • tigervnc: Upgraded to 1.7.0
One big change is the inclusion of X.Org 1.19 which has newer ABI thus it will break systems who uses proprietary drivers and the vendor haven't released an update to support the new ABI. NVidia already released a new driver 375.20 which is the only NVidia driver update at this moment, but they are working to provide an update for legacy drivers as well soon (see the discussion here).

X.Org 1.19 was developed for one year and it has so many new features and improvements, such as threaded input support, PRIME synchronization support, Wayland improvements, and many more. See this article for more coverage. Along with X.Org 1.19, many xorg drivers are updated as well as announced in the mailing list. Please note however that some of the drivers gets removed as well so you may need to remove them after upgrading to 1.19. They are:
  • xf86-video-chips
  • xf86-video-glint
  • xf86-video-i740
  • xf86-video-mga
  • xf86-video-nv
  • xf86-video-r128
  • xf86-video-savage
  • xf86-video-siliconmotion
  • xf86-video-sis
  • xf86-video-tdfx
  • xf86-video-trident
  • xf86-video-xgi
  • xf86-video-xgixp

Monday, November 14, 2016

Cinnamon Locking Issue

In the past few days, i have been spending some time to take a look on a known issue in Cinnamon which affected my packages for Slackware. It's a desktop locking problem and it's an important feature that i need to prioritize.

In Cinnamon 3.0, the desktop lock was not a problem at all and everything worked just fine. Somehow, upstream developer changed their code during the development for 3.2 and now it's "broken" in 3.2. I called it "broken" since it may only affect non-systemd and non-PAM systems like Slackware. I'm thinking of PAM-related issue since i'm relatively new to PAM, but strange thing is that everything worked well before 3.2 and it also use the same PAM package i used for 3.0. I tried many combinations in PAM settings, but the problem persists: It won't authenticate properly.

If you have knowledge on PAM, please test the new Cinnamon 3.2, mostly cinnamon-screensaver since that's where the issue is.

Tuesday, November 8, 2016

Cinnamon 3.2 Early Preview

Cinnamon 3.2.0 has just been tagged in the github repository and it will be polished in preparation for upcoming Linux Mint 18.1 which will be released around December.

Cinnamon 3.2.x will highlight a new interesting feature: Vertical Panels. This is the most interesting feature as it will add capability to add vertical panel in your desktop. GNOME 3 has been using it for a while, but Cinnamon developer decided to implement this in 3.2 with some considerations.

There's a noticeable performance improvement on this release as it's getting less lag in my desktop compared to previous 3.0 releases. I'm very pleased with the results and looking forward for more performance improvements made by the upstream developers.

I decided to build an early Cinnamon packages and test it first on my desktop for early preview. Since my desktop machine is tracking Slackware Current and contain other third party packages such as those coming from SBo or MSB projects, there's no guarantee that it will build cleanly under clean Slackware 14.2 installation. For that reason, i will try to test this under clean virtual machine on top of clean Slackware 14.2 installation.

For those who want to build this packages via source, i have pushed 3.2-prep branch in github which contains an updated scripts for building Cinnamon 3.2.x. This branch is based on 14.2 branch, so it's very suitable for building Cinnamon 3.2.x packages on Slackware 14.2. There's two packages that are not yet there since it's only available in master branch: mint-y-icons and mint-y-theme.

There's a new package added for this new Cinnamon: autoconf-archive. It is required to build some Cinnamon packages (i found it while building cinnamon-control-center) and it also triggers a change in gnome-common package to use --with-autoconf-archive configure parameter so that the resulting output do not overlap each other.

While i conduct more testing on a clean VM, i posted some screenshots for early Cinnamon 3.2.0 preview. Feedbacks, bug reports and suggestions can be sent via github issue tracker or via email.





Friday, November 4, 2016

Security Updates: bind, curl

Two more security updates were released today:
  • bind: Upgraded to 9.9.9_P4 for Slackware 13.0 until 14.1, 9.10.4_P4 for Slackware 14.2 and current
  • curl: Upgraded to 7.51.0 for Slackware 13.0 up until current
Other changes not concerning to security updates (some only apply to current):
  • glibc-zoneinfo: Upgraded to 2016i
  • nano: Upgraded to 2.7.1
  • vim/gvim: Upgraded to 8.0.0055
  • libcdio-paranoia: Rebuilt 
  • gnuchess: Upgraded to 6.2.4

Tuesday, November 1, 2016

Multiple Security Updates

After a long hiatus, finally stable and current branches are now updated with some security fixes, mainly the Dirty COW exploit and last month's multiple XOrg security issues. It has been a long wait, but i'm sure it's worthed and since the fast release of 4.4.x kernel lately, Patrick wanted to make sure that it really fix the issue and not bringing other issues (Linux Kernel 4.4.30 has just been released to revert some changes in 4.4.29 by the way).

Here are the summary of security updates released today:
  • kernels: Upgraded to 3.2.83 for Slackware 14.0, 3.10.104 for Slackware 14.1 and 4.4.29 for Slackware 14.2
  • php: Upgraded to 5.6.27 for Slackware 14.0, 14.1, 14.2, and current
  • mariadb: Upgraded to 5.5.53 for Slackware 14.1, 10.0.28 for Slackware 14.2 and current
  • XOrg: Multiple update for libX11, libXfixes, libXi, libXrandr, libXrender, libXtst, libXv, libXvMC. Some packages in older release of Slackware are bumped due to changes in other packages in XOrg.
 In current, there are some packages that are upgraded as well:
  • grep: Upgraded to 2.26
  • gdb: Upgraded to 7.12
  • guile: Upgraded to 2.0.13
  • libcdio: Upgraded to 0.94
  • nmap: Upgraded to 7.30
  • xscreensaver: Upgraded to 5.36
  • mozilla: Upgraded to 49.0.2

Tuesday, October 4, 2016

GNOME From Scratch Project

This morning i got an email from Rafael Tavares about his new project, GFS (GNOME From Scratch), a personal project that makes possible to use GNOME on Slackware GNU/Linux operating system without systemd or wayland programs. The GFS project will attempt to bring GNOME 3.22 to Slackware Linux. This is the latest version of GNOME available at this moment.

I'm very happy to see more and more Slackware users are contributing to the Slackware Linux community by providing better access to upstream projects. This enables other Slackware users to use their favorite apps/DE which are not provided in the main Slackware repository.

Before you attempt to try this project, please note that GNOME 3.22 REQUIRES new version of GTK-related libraries compared what we have in Slackware 14.2 or current. This project have provided a list of packages that will be upgraded during the process:
  • NetworkManager
  • adwaita-icon-themes
  • at-spi2-atk
  • at-spi2-core
  • atk
  • atkmm
  • dconf
  • dconf-editor
  • gcr
  • gdk-pixbuf2
  • glib-networking
  • glib2
  • gnome-keyring
  • gnome-themes-standard
  • gobject-introspection
  • gsettings-desktop-schemas
  • gst-plugins-base
  • gst-plugins-good
  • gstreamer
  • gtk+3
  • gtkmm3
  • gvfs
  • libsigc++
  • libsoup
  • pango
  • pangomm
  • upower
If you are ready, run this steps:
In console, type:
  1. git clone https://github.com/slackport/gfs
  2. cd gfs
  3. ./gfs.SlackMeta
  4. After compile and install, reboot your system.
  5. Use 'startx' to choose Gnome3 (or Flashback).
I'm building a new VM to test this project at this moment and will start to build and leave it while i go to work. Hopefully when i got home later, all is done :)

Big thanks to Rafael for his efforts

Wednesday, September 28, 2016

OpenSSL Security Advisories

OpenSSL has released two advisories in short period of time (4 days apart) and so does Slackware due to the same reason. The openssl package is now upgraded to 1.0.2j for 14.2 and current and 1.0.1u for 14.1.Another security advisory was about PHP which is now upgraded to 5.6.26.

Other changes happening in current is that the kernel stock is now raised to 4.4.22, the latest -stable LTS kernel for 4.4 branch. A new package is introduced in -current as well, which is sshfs. Michiel maintained that package in SBo repository and it will be removed in the next development cycle of SBo. pkgtools also got a little update to fix some issue when removing filenames containing "%" character.