Károly Négyesi: Drupal 8 progress from my / MongoDB perspective: update #28

Planet Drupal - Tue, 05/08/2014 - 00:13

The standard mechanism for backend-aware service overrides is in and these services are already tagged. We have agreed on how to transfer data from one backend to another and my sandbox contains the first getTransferIterator implementation for config with more to follow. There's a small amendment in the works that makes the old backend available too.

More field renames are in the works. That's why I am not focusing on the MongoDB drivers just yet. Let's wait for beta. The drivers in a state where we can do some meaningful testing (which lead to making sure tests are modifiable before) and so we can make sure everything will work for us but writing the entity drivers themselves at this point is a waste of time -- let's wait for a (more) stable API. The transfer work started because MongoDB needed to solve taking over config storage and while we had it solved, there is really nothing MongoDB specific so I am pushing for core inclusion.

I didn't mention config devel in this series -- although I did previously on this blog -- I firmly believe this will be used widely and lead to a more joyous CMI experience. Reminder: everyone using CMI is what makes the Drupal on MongoDB only feasible in the first place.

Categories: Elsewhere

Drupal core announcements: Drupal Core Updates for Aug 4, 2014

Planet Drupal - Mon, 04/08/2014 - 22:51
What's new with Drupal 8?

It's been an exciting two weeks as Twig Autoescaping was turned on by default, the menu links system was completely revamped, entity caching was finally added to core, and we switched Drupal 8 version numbers to Semantic Versioning!

The switch to semantic versioning means that if you have a clone of Drupal 8 core, you shouldn't patch the 8.x branch anymore: use 8.0.x instead. To switch branches, simply run git fetch origin && git checkout -t origin/8.0.x. See jhodgdon's announcement to the Core group for more information.

The valiant efforts of the 15-person team at the Drupal 8 Code Sprint at the Jersey Shore saw 30 issues move forward, 12 of which have already been committed. For more information, read this recap of the event by Kalpana Goel of Forum One.

Finally, thank you to all the contributors who helped us fix 378 Drupal 8 issues in July, 101 more than in June! The fast turnaround in the RTBC queue from our awesome core maintainers has been really motivating — as of right now the RTBC queue is totally empty, meaning that every RTBC issue has either received committer feedback or been committed. (Also noteworthy, Alex Pott of Chapter Three committed a remarkable 70% of July's many commits. Wow!)

Where's Drupal 8 at in terms of release?

In the past week, we've fixed 9 critical issues and 22 major issues, and opened 4 criticals and 35 majors. That puts us overall at 104 release-blocking critical issues and 656 major issues.

Only 3 of 173 beta blockers remain before we can release a Drupal 8 beta. Drupal 8will soon be in beta, so now is the time to take a close look at the remaining critical issues and beta deadline issues. In each issue, help clarify:

  1. If it's critical or major, why?
  2. What would be the implications of not fixing the issue?
  3. What would be the implications of fixing the issue between betas? (Code changed for modules, upgrade path, etc.)
  4. What would be the implications of fixing the issue after the first release candidate?
  5. What is the next step to make progress? What are the remaining tasks?
Where can I help? Top criticals to hit this week

Each week, we check with core maintainers and contributors for the "extra critical" criticals that are blocking other work. These issues are often tough problems with a long history. If you're familiar with the problem-space of one of these issues and have the time to dig in, help drive it forward by reviewing, improving, and testing its patch, and by making sure the issue's summary is up to date and any API changes are documented with a draft change record, we could use your help!

  • Issue #1934152: Figure out if we want global config overrides to stick (settings.php overrides don't work on all pages) aims to determine if it would be more secure/sane to apply global configuration overrides hard-coded into settings.php even when they wouldn't normally (for example, when editing/previewing a the configuration of a view in the Views UI, where request/URL don't apply because they're intended for the edit page, not the view itself), or whether it would be better to provide a 2-tiered override system (one for global overrides and one for "soft" request/URL overrides).
  • Issue #2313159: [meta] Make multilingual views work is a collection of problems related to making multi-lingual views in Drupal 8. A number of the sub-issues are "Major", meaning they have significant repercussions but do not render the whole system unusable.
More ways to help
  • Issue #2189661: Replace $form_state['redirect_route'] with setRedirect() aims to make the Form API more consistent with the rest of core, but the patch is out-of-date and needs to be re-rolled.
  • Pick a critical issue or beta deadline issue, take the time to thoroughly read the issue (including doing some background reading if necessary to understand the problem space), and then update the issue summary for the issue. Include a summary of the current status and remaining tasks for the issue, and identify any API changes the issue would introduce. Consider whether the change would require a change record or updates to existing change records. Consider what the implications of not resolving the issue would be, or of resolving it after the first beta or after release.
  • We also need help writing help text for core modules like Entity, Contextual Links, Field UI, Image, Taxonomy and Toolbar. This is an easy way to learn the Drupal Core contribution process and start contributing to Drupal Core.
  • Help brainstorm how to improve core's Contact module for Drupal 8.1 and beyond.

As always, if you're new to contributing to core, check out Core contribution mentoring hours. Twice per week, you can log into IRC and helpful Drupal core mentors will get you set up with answers to any of your questions, plus provide some useful issues to work on.

You can also help by sponsoring Drupal core development.

Notable Commits

The best of git log --since "2014-07-16" --pretty=oneline (180 commits in total):

  • Issue 1825952 by Fabianx, joelpittet, bdragon, heddn, chx, xjm, pwolanin, mikey_p, ti2m, bfr, dags, cilefen, scor, mgifford: Turn on twig autoescape by default
    Now, every string printed from a twig template (i.e.: between {{ and }}) is automatically run through String::checkPlain(). This makes it hard for themers and module developers to accidentally introduce XSS attack vectors in their code, which is a big win for security.
    If you notice a double-escaping issue, please update Issue #2297711: [meta] Fix double-escaping due to Twig autoescape.
    A follow-up issue was also committed: Issue #2289999 by dawehner, Cottser | Fabianx: Add an easy way to create HTML on the fly without having to create a theme function / template.. This makes it easier to generate tiny chunks of HTML where full Twig files would not be useful.
  • Issue 2256521 by pwolanin, dawehner, Wim Leers, effulgentsia, joelpittet, larowlan, xjm, YesCT, kgoel, victoru, berdir, likin, plach, alexpott: [META] New plan, Phase 2: Implement menu links as plugins, including static admin links and views, and custom links with menu_link_content entity, all managed via menu_ui module.
    This critical beta-blocker completely revamped the menu link system on the back-end (the UI for managing menus and menu links remains largely the same). It added a common interface for menu links, to hide implementation details and let different storage methods work together in the same menu tree, condensed the crufty, confusing code that loads and renders menu trees down to just three methods, decoupled breadcrumbs and menu links, and broke down the code into multiple services to allow different behavior to be customized with a minimal amount of code.
  • Issue 597236 by Berdir, catch, msonnabaum, Xano, Wim Leers, jhedstrom, amateescu, corvus_ch, swentel, moshe weitzman, Gábor Hojtsy, riccardoR, killes@www.drop.org, et al: Add entity caching to core.
    This issue, which has been around in various forms for about 10 years, increases overall peformance by caching entities so they don't have to be rebuilt every page request. Initial performance testing showed a performance increase of about 15%, although this varies based on the number of loaded entities.
  • Issue 1986418 by tompagabor, LewisNyman, idflood, jamesquinton, lauriii, emma.maria, danmuzyka, rteijeiro, scronide, frankbaele, Coornail, ekl1773, oresh, philipz | Bojhan: Update textfield & textarea style.
  • Issue 733054 by jhodgdon, mkalkbrenner, amitgoyal, ndewhurst: Fixed Watchdog logging of all searches is performance hit; need ability to turn it off.
  • Issue 1288442 by jhodgdon | Wolfflow: Added search index status to the Status Report page.
  • Issue 2062043 by eelkeblok, longwave, rhm50, InternetDevels, alvar0hurtad0, Xano: Replace user_access() calls with $account->hasPermission() in core files.
  • Issue 2293773 by Gábor Hojtsy, alexpott, effulgentsia, penyaskito, hussainweb: Fixed Field allowed values use dots in key names - not allowed in config.
  • Issue 2247049 by sqndr, herom, LewisNyman: Redesign password strength indicator so it's less fragile.
  • Issue 2225353 by tim.plunkett: Convert $form_state to an object and provide methods like setError().

You can also always check the Change records for Drupal core for the full list of Drupal 8 API changes from Drupal 7.

Drupal 8 Around the Interwebs

If you want to keep up with the changes in Drupal 8, but you'd rather absorb yourself in articles than dig through diffs, here are some notable blog posts to read:

Drupal 8 in "Real Life"

August will have many events for you to meet other Drupal contributors and collaborate on the issues you're passionate about! Some notable ones are:

Whew! That's a wrap!

Do you follow Drupal Planet with devotion, or keep a close eye on the Drupal event calendar, or git pull origin 8.0.x every morning without fail before your coffee? We're looking for more contributors to help compile these posts. You could either take a few hours once every six weeks or so to put together a whole post, or help with one section more regularly. Contact xjm if you'd like to help communicate all the interesting happenings in Drupal 8!

Categories: Elsewhere

Friendly Machine: Headless Drupal? It Just Might Be a Bigger Deal than Twig

Planet Drupal - Mon, 04/08/2014 - 22:21

If you're a frontend developer or designer that has grumbled about the challenges of Drupal theming, you no doubt applauded the announcement that the Twig template framework was being added to Drupal 8.

It's a big upgrade, no question. If you're like me, however, you may prefer a completely custom frontend crafted out of HTML, CSS and JavaScript. You may have looked at the cool stuff AngularJS or Backbone is capable of and wondered how you could bridge the gap with Drupal to enjoy that sort of freedom.

Fortunately, there are some folks that are already doing exactly that and sharing the results of their work. It's something called "headless Drupal" and it's an approach that uses Drupal as a backend content repository and REST server.

A REST server makes it possible for other applications to read and update data. The typical case is that Drupal is used to store and manage content and it then provides that data to your app built with Angular, Backbone, Ember, or whatever.  If that's not entirely clear, don't worry. The links below will help sort it out.

Headless Drupal Resources

Headless Drupal Manifesto - This is great place to start. It succinctly answers the question of why anyone would want to do this sort of thing.

Headless Drupal Group - A group on Drupal.org devoted to sharing ideas, discussion and experiments around the topic of headless Drupal.

Build a Drupal-free theme with 8's REST API and JavaScript - A presentation from DrupalCon Austin on building an AngularJS site that uses Drupal for the backend.

Headless Drupal, One form at a time - This is a great post from Amitai Burstein that demonstrates some of what this approach has to offer for the creation of frontend user interfaces.

Headless Drupal - Inline edit - Another good one from Amitai.

Here’s Drupal - Tonight on the Tonight Show with Jimmy Fallon - A case study of headless Drupal in action on a very high profile site.

If you know of some other resources, please share them in the comments below. I'd love to check them out.

Categories: Elsewhere

Ian Donnelly: New Release: Elektra 0.8.7

Planet Debian - Mon, 04/08/2014 - 17:42

Hi Everybody!

I am very proud to inform you all that Elektra has just shipped a new release, version 0.8.7, with many great features and fixes!

First of all, I want to let you all know that a lot of work from my Google Summer of Code Project has made its way into this release. Elektra now includes support for a three way merge of KeySets! A special and sincere thanks goes out to Felix Berlakovich for helping me test this new merge feature and adding some great features to allow for different merge strategies and dealing with meta keys. You can try out the new merge features using the kdb merge command or by using the Elektra API. There is still work to be done with Merging and improving documentation (also look for some posts on this blog soon about the feature).

Additionally, thanks to Felix, we have technical previews for some new plug-ins. The new plug-ins are keytometa and ini. In short the keytometa plugin allows to convert normal keys to meta keys during the get operation and reverting this conversion during the set operation. The ini plugin is basically a rewrite of the simpleini plugin and makes use of the inih library.

Also there have been many improvements made to the glob plug-in. He even found some time to add a new script for bash tab completion which is located under scripts/kdb-bash-completion. To use it on debian just copy it to /etc/bash_completion.d/ and make sure it is executable.

Moreover, we fixed a lot of things with this newest release. Pino Toscano has been working on fixing up the Debian packages for Elektra but he has also fixed many other things along the way including fixing a lot of spelling errors, simplifying the RPATH setting, improvements to respecting $HOME and $TMPDIR, and improvements to some test cases. The kdb tool now does a better job of checking for subfolders that aren’t allow and it now makes sure to output warnings before errors so errors can more easily be seen. We have also improved some tests for kdb tool and some plugins as well as fixed compiler warnings on clang and gcc 4.9. We also made some fixes to kdb import and export for some storage plugins and fixed some bugs so that kdb run_all now works flawlessly.

There have also been a few tweaks to the API for this release, specifically in the C++ bindings.

There is now a delMeta() function for C++. The reason for this is that contrary to the C API, calling

key.setMeta("metaname", NULL)

does not delete the metadata, but stores the value “0″.

Additionally, we changed the arguments for isBelow, isDirectBelow, and isBelowSame for the C++ binding to be easier to understand and be more natural to use. Before this change, the C++ binding closely mirrored the C API which lead to an unintuitive behaviour.

Before the change the API did the following:

Key (“user/config/key/below”).isBelow (Key (“user/config”)) == false
Key (“user/config/key/below”).isBelow (Key (“user/config/key/below/deeper”)) == true

That is because the first argument in the C API is the object itself in the C++ API.
The attribute “of being below” the key in question (the object) refers to the second key in the C API.
While this makes some sense for the C API, it definitely does not for the C++ API.

Now the API behaves as follows (as intuitively expected):

Key (“user/config/key/below”).isBelow (Key (“user/config”)) == true
Key (“user/config/key/below”).isBelow (Key (“user/config/key/below/deeper”)) == false

We even had time for a bunch of documentation changes. We now have a tutorial for contextual values to GitHub so developers can start using contextual values with Elektra. We also included a specification for metadata and a better specification for contracts.

There is even a little bit of extra news to share. We now use GitHub for active development of Elektra. We have adopted its issue tracker for issues. Also, now pull requests automatically get built by the server to see if the merge would brake the build and whether it passes all the tests. We are also in the process of updating a lot of our documentation and READMEs to use Markdown so they can be viewed easily on GitHub. Also, Raffael Pancheri has been making really great progress on a qt-gui for Elektra. There is still work to be done but it looks great and is coming along nicely.

You can download the release now from Markus’ site:


size: 1566800
md5sum: 4996df62942791373b192c793d912b4c
sha1: 00887cc8edb3dea1bc110f69ea64f6b700c29402
sha256: 698ebd41d540eb0c6427c17c13a6a0f03eef94655fbd40655c9b42d612ea1c9b

Also there are packages already ready for some distributions:

There is a lot of ongoing work to fix the Debian packages and I will post about it on this blog when they are good to go!

Enjoy the new release!
-Ian S. Donnelly

Categories: Elsewhere

Nikro: Moldcamp 2014 - a late review

Planet Drupal - Mon, 04/08/2014 - 17:00

I know, it's been a while since the event took place (17th-18th of May), I was pretty busy and had a lot of stuff to do meanwhile, so I finally found a couple of hours to make a small review.

Categories: Elsewhere

Konstantinos Margaritis: SIMD book, "Sponsored by ARM"!

Planet Debian - Mon, 04/08/2014 - 12:58

Ok, took a while but I got the final word about this and can announce that the sponsor who donated 500 EUR to the Indiegogo campaign was ARM itself! I have to thank my friends at ARM@Cambridge and especially Dr Monika Biddulph, General Manager, Partner Enablement Group at ARM. When the book goes to print you can be sure it will include "Sponsored by ARM" somewhere! :)

Also a friendly reminder that even if the campaign is over, I still welcome the support in the form of preorders/sponsorships.

Categories: Elsewhere

Microserve: Coding in the Cloud

Planet Drupal - Mon, 04/08/2014 - 11:39

An old timer like myself couldn't help but be filled with trepidation when it was revealed I'd be acting as the company guinea pig to give cloud based development a viability road test on my latest project.

No matter how cool I played it, the momentary panic at the thought of working without the tried and tested 'REAL' software apps installed on my macbook, must have been visible on my face.

You'll have to pry my favourite text editor out of my cold dead hands!

I've been used to the same comfy workflow for the last few years.

A local environment comprising of the same trusty text editor/IDE, a LAMP stack running on MAMP and code versioning using GIT. There was just something about 'cloud based coding' that didn't seem to ring true.

Pause For Thought

Then when i really thought about it, I began to examine just how much of my professional and personal life had already drifted into the cloud and in most cases for the better.

Thanks to Google, Dropbox and Apple amongst others, my email, calendars, notepads, files, photos, videos and documents have for the most part been in the cloud for ages. Do I miss opening up MS Word to write a letter? No.

Then I thought about how much easier life as a Drupal developer had become since adopting tools like Drush, Git and more recently, the Pantheon platform. (in essence 'cloud' based tools themselves.) So, thinking about it, cutting the last few remaining ties to local, machine specific workflow seemed less of an imposition and more like the next natural step in the evolution of web development.

Where to start?

After a bit of googling 'cloud based IDE', you'll see there's already quite a few choices. Most seem to follow a similar basic subscription paradigm (one or a number of free public projects and a paid for plan for private/production projects.)

In most cases they provide a fully functioning text/code editor with text highlighting support, basic options for uploading, renaming and deleting files, a cloud based LAMP stack, some kind of terminal or command line and a selection of optional 'plugin' tools.


I've been testing Codio: https://codio.com/

The site I've been working on is a Drupal 7 site that arrived with us, half built.

Codio handled the import of the existing database and files without much hassle and pulled in the code base via Git.

I was able to install drush as a Codio ‘part' (plugin) and was installing essential modules via Codio's command line terminal in no time.

There's a nice file tree in the left pane and the editor itself is a real pleasure to use.

I was impressed to find text highlighting support for SASS/LESS out of the box and it had decent poke at autocomplete of attributes.

There's a handy tab in the main menu which opens your project 'box' in a new tab or window and on a decent sized screen, it's pretty easy to get a nice comfortable layout with your code in one window and the running site in another.

One of the best things about Codio is that all changes to code are instant, with no saving or incremental Git commits needed. You only need to refresh your site to see it update.

Once you've done a tranche of work you're happy with, you can commit as you normally would, either using the in-built terminal or the GUI menus.


By the end of day one I had been totally sold. The feeling of freedom was, well.. liberating. The next day I had to set up a new mac to use at work, and usually this process eats up half a day of downloading latest versions of software, configuring, chasing licences etc. In this case I literally just turned on the new laptop, installed my browser of choice, logged into Codio and I was away!

Of course, with everything, there are some niggles. The most obvious downside to cloud based development is, that when your connection is spotty or you suffer an outage, you're immediately incapacitated. A few days in and the Codio servers themselves had a few hours of intermediate drop outs. You can imagine how frustrating this might be if you were riding up close to a deadline.

But on the whole the good far outweighed the bad and I'm sure that service and reliability is only going to improve as web based coding becomes the norm... Which i'm now convinced it will before too long.

Pros and Cons of Web Based Development Pros
  • Code anywhere that has a connection
  • Collaborate more easily with other developers
  • No local apps needed other than a browser
  • Platform agnostic (Makes things like Chromebooks slightly more viable as a stripped down development machine)
  • Less chance of incompatible files being shared between collaborators
  • Fewer problems for code team Sysadmins.
  • Reliant on reliable internet connection and host server
  • Basic file, folder housekeeping can be a bit laborious.

*I should point out that my experiences are with Codio IDE, but there are many other alternatives available. Cloud 9 seems to be proving very popular for instance.
You can find a rundown of some of the most popular here:

Categories: Elsewhere

Russ Allbery: Review: Parasite

Planet Debian - Mon, 04/08/2014 - 07:15

Review: Parasite, by Mira Grant

Series: Parasitology #1 Publisher: Orbit Copyright: October 2013 ISBN: 0-316-21893-6 Format: Kindle Pages: 504

It's 2027, and a company named Symbogen has revolutionized medicine and health. They manufacture a genetically-engineered parasite based on a tapeworm that can stabilize and protect the health of just about anyone. It can synthesize medication, fix chronic medical problems, and be adapted to different conditions. (Yes, I know biological systems don't work this way. That's not going to be the only suspension of disbelief problem.) This has made Symbogen one of the most powerful corporations in the country, aided by the skill at marketing and self-promotion shown by one of the founders.

Sal, the protagonist of the novel, is one of Symbogen's most famous success stories. Sally was the victim of a horrible car crash that put her into an apparently irreversible coma. But as her family was debating whether to turn off life support, she woke up. She had no memory of her previous life at all, and had to relearn fine motor control, reading, and many other skills. She was essentially a new person. But she was alive; her symbiont had saved her.

When the story proper starts, Sal is still a ward of her parents. She has generally adult skills despite still struggling with reading, but she still has occasional attacks and is under intensive monitoring by Symbogen. That means periodic mandatory appointments with Symbogen, which she hates, but she's otherwise started building a life for herself: a job in an animal shelter, an interest in exotic predatory plants, and, most notably, a boyfriend. There are things about her life she doesn't like, and she wants to be free of Symbogen, but she doesn't have a bad life. But then a mysterious illness begins sweeping through the population, causing people to go blank, apparently lose their minds, and then start attacking those near them.

Some of you have doubtless already figured out the key plot revelation. It's not hard; even if you didn't from the summary, you will probably figure it out shortly into the book. And therein lies a large problem with this novel: it's hopelessly predictable. Creepy evil corporation that supposedly has your best interests at heart, check. Plucky mad scientist opposition who understands exactly what's going on, check. Well-meaning but heavy-handed government agents who try to get involved but mostly make everything worse, check. (Although it's unusual to have those agents as part of the protagonist's family, and I thought that added some additional depth.) Mostly clueless protagonist sucked into the plot and becoming critical to its resolution, check. Very few readers are going to be surprised by this story.

This is not, by itself, a fatal flaw. Predictable story structures can carry satisfying variations, or introduce the reader to enjoyable characters. And I think Grant manages both here.

Seanan McGuire, both as herself and under her Mira Grant pseudonym, tends to write damaged and struggling characters. Both her Newsflesh and October Daye series feature protagonists that have been hurt badly, but are coping and muddling through in their own ways. In Parasite, I think she takes a more daring and intriguing approach: a protagonist that other people in the story perceive as damaged and struggling, but who actually isn't. Sal is not a badly injured Sally, and she's quite a bit healthier than those around her think she is. Her thought processes don't work quite the same as those around her, but that's not because she's hurt. That's because she's a different person. This makes Parasite partly a novel about identity, about Sal claiming ownership of her own life. Grant drags this out longer than I wish she had, but I liked the idea. In Sal, she strikes a good balance between gratitude and genuine affection for her family and the need to become her own person unconstrained by other people's expectations.

As with the Newsflesh series, Grant uses quotes and excerpts from interviews to fill in the world background: a few at the start of each chapter, and more around each part boundary. I like this technique, and Grant uses it well. By the end of the book, the Rolling Stone interview with the head of Symbogen has added a lot of insight into how Symbogen manages its public relations.

Grant also throws in a few of her trademark dangerously off-beat characters: hyper-competent, wise-cracking, but eerily skewed. I loved those in Blackout and I loved Tansy and Dr. Cale here. (Adam was much less successful.) A whole book from Tansy's perspective wouldn't work, since she needs Sal as a straight woman, but I thought she stole every scene she was in.

However, I agree wholeheartedly with Tansy on another point: Sal is remarkably, irritatingly dim about what is apparently intended to be the critical revelation of the book. I won't state it outright; given its significant presence in the final scene, apparently it is intended to be a spoiler. But I figured it out about 50 pages into the book. Grant telegraphs this revelation heavily, and Tansy considers it painfully obvious (with quite a bit of justification). But Sal doesn't figure it out for the entire book, ignores all the signs, and is apparently willfully blind. In a book written from the first-person perspective by an otherwise-reliable narrator, this is highly annoying. It significantly undermined my enjoyment of the book. I spent much of the novel ahead of the narrator in my understanding of the plot and waiting, in vain, for her to get on with it already.

That unfortunately makes Parasite a mixed bag. I really liked many of the characters, and I think Grant did some interesting things with family dynamics and with claiming one's own identity. But this is undermined by a very predictable plot, the protagonist deciding to be dumber than a sack of hammers about a critical plot point, and some rather dubious world logic. (For example, why is Sal terrified of bad driving? It makes sense as a post-traumatic stress reaction... except it's a critical point to her characterization that she never went through that stress.) Sometimes I wanted to like this book and sometimes I wanted to shake it, and sometimes I felt both reactions at the same time.

I like Grant's writing and characterization well enough that I will probably read the sequel, but this is more like the later books in the Newsflesh series than it is like the spectacular Feed. Worth reading, at least for me, but it could have been better.

Rating: 7 out of 10

Categories: Elsewhere

Dirk Eddelbuettel: Introducing sanitizers 0.1.0

Planet Debian - Sun, 03/08/2014 - 23:01
A new package sanitizers is now on CRAN. It provides test cases for Address Sanitizers, and Undefined Behaviour Sanitizers. These are two recent features of both g++ and clang++, and described in the Checking Memory Access section of the Writing R Extension manual.

I set up a new web page for the sanitizers package which illustrates their use case via pre-built Docker images, similar to what I presented at the end of my useR! 2014 keynote a few weeks ago.

So instead of repeating this over here, I invite you to read the detailed discussion on the sanitizers page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Categories: Elsewhere

Bits from Debian: DebConf14 - schedule available

Planet Debian - Sun, 03/08/2014 - 22:40

Debconf14 will be held in three weeks in Portland, OR, USA and we're happy to announce that the schedule is already available. Of course, it is still possible for some minor changes to happen!

DebConf will open on Saturday, August 23 with the Welcome talk followed by two highlighted talks:

  • Debian in the Dark Ages of Free Software by Stefano Zacchiroli, former Debian Project Leader. Stefano will speak about the achievement made by Free Software communities in the past years, and how now, despite the visible success, this freedom is being threatened by the current technologies trends, and how can Debian help to preserve the so well deserved freedom.

  • Weapons of the Geek by Biella Coleman, cultural anthropologist, who researches, writes, and teaches on computer hackers and digital activism will share with us part of her research, explaining how online communities can have higher incidence on today's world politics.

There will also be also a plethora of social events, such as our traditional cheese and wine party, our group photo and our day trip.

The complete schedule can be found at: https://summit.debconf.org/debconf14/

DebConf talks will be broadcast live on the Internet when possible, and videos of the talks will be published on the web along with the presentation slides.

Categories: Elsewhere

Steinar H. Gunderson: Visiting Assembly

Planet Debian - Sun, 03/08/2014 - 17:44

I've wanted to visit Assembly in Finland for at least the last ten years, but various things (the latter years mostly lack of initiative :-) ) have gotten in the way. This year, however, I had received an invitation to come and see how they're doing things and how it compares to The Gathering (where I've been a crew member for the last fifteen years), and the opportunity was just too good to pass up. It ended a few hours ago, so here I am on an airport with some time to kill :-)

I don't intend to write a full partyreport, but I think there are a few things that should be said nevertheless. Assembly and TG are fundamentally very similar kinds of parties; large (3000 vs. 5000), mixed (mostly gamers, but far from pure game events) and dominated by male youth (average age 16–17 versus 18–19). However, despite the similarities, I came away with the impression that the two parties are surprisingly different in the details.

The perhaps most immediately notable from my point of view is that Assembly has had a stronger demoscene following; this is partially because TG has a time slot that conflicts with another very popular demoparty (first Mekka & Symposium, then Breakpoint and now Revision) and partially for other reasons I won't go into here. Of course, this shows in the quality of the entries in the competitions; I'd be thrilled if we had this kind of turnout at TG. This is, naturally, among the easier things to notice as an outsider; everybody knows that Assembly is one of the big parties to watch every year if you want to know what's going on in the demoscene.

A bigger surprise was that there are very interesting differences in organizing. (One would think this shouldn't go unnoticed, but it seems that very few people from TG-crew go visit Assembly and the other way around.) In particular, where TG-crew is an organization that's formally rebuilt from scratch every year or every two years (the board of KANDU selects five organizers after application, those select chiefs after application, and the chiefs select crew members after application), ASM-crew seems to be based around continuity and personal relations—very few people seem to be picked by open application, and people stay around for a long time. (This is not to say that TG-crew is an organization in constant flux; like I said, I've been part of it for fifteen years!)

I think both models have their merits; someone from the social sciences would probably have a field day comparing them in much greater detail than I have. But I'm fairly certain that if I get the chance to go again, I'll try to dig a fair bit deeper.

I don't know if I'll be at Assembly next year, but it was definitely a party I enjoyed, even though I knew few people and got to knew even fewer new ones. Being in the compostudio for 1k and 4k was a new and interesting challenge, and seeing the compos live was great (although of course it destroys the traditional AsmTV watching on my own TV at home, which I've always enjoyed!). Seeing Boozembly was… well, OK, now I've seen Boozembly.

Thanks to Lauri Kangas of the livecrew for the invitation! If anybody from the Assembly organizing group happens to read this, please do come to TG or Solskogen next year. I'm sure we can learn a lot from each other. :-)

Categories: Elsewhere

Holger Levsen: 20140803-torbrowser-launcher

Planet Debian - Sun, 03/08/2014 - 14:52
About torbrowser-launcher in all current Debian distros plus some thoughts and scripts for running it more securely

So, torbrowser-launcher 0.1.2-1 is now in sid (only that version has the script examples discussed below), and 0.1.1-2(~bpo70+1) are in jessie and wheezy-backports.

Originally Jacob Appelbaum packaged torbrowser-launcher, then Ulrike Uhlig stepped in and fixed some major bugs, I sponsored her uploads and somehow the idea emerged to team maintain the package, so pkg-anonymity-tools was founded. So far it's only used for having a mailing list which is used for the Maintainer: field of the torbrowser-launcher package. But we invite all maintainers of anonymity related packages to join the team! Currently there ain't even a Debian teams wiki page about it (it would be great if YOU could fix that!), so that will probably be the next thing that will happen. As for version control we intend to use the collab-maint project on alioth. So joining the team is not done by joining the alioth project (technically you can do this, but it's rather pointless), but rather by putting the pkg-anonymity-tools mailing list into the Maintainer: field of your package (and you and other people into the Uploaders: field) and subscribing to that very mailing list. Once more packages are maintained that way we'll need to see whether we'll need more mailing lists (eg one specific for commit notifications) or if we rely on client side filtering only or what else should be done.

The example scripts (available in /usr/share/doc/torbrowser-launcher/examples in the package from sid or in git) show how to run torbrowser-launcher, confined with AppArmor, in Xephyr (a virtual Xserver running on another Xserver) as another user. This, using AppArmor and Xephyr, shall have two effects:

  • the browser process (and it's subprocesses) can - thanks to AppArmor confinement - only access a tiny part of the filesystem
  • the real Xserver is not exposed to the browser application, so hopefully that application cannot exploit bugs to grab keyboard input from other applications.

Does that really help? Feedback welcome.

Full quote of /usr/share/doc/torbrowser-launcher/examples/README:

torbrowser-launcher launcher scripts ==================================== These scripts are intended to run torbrowser-launcher (and thus torbrowser) as another user in an Xephyr window server running inside your normal Xorg session. They assume the following packages are installed: - torbrowser-launcher - apparmor - xserver-xephyr, awesome - sudo, slay, psmisc AppArmor should be enabled, but doesn't have to. I followed the HowTo from https://wiki.debian.org/AppArmor, which can be summed up as just adding one parameter to the kernel to enable it, followed by a reboot. Using Apparmor has the advantage that the browser process cannot most of the filesystem, eg saving downloads only works in ~/.torbrowser/tbb/x86_64/tor-browser_en-US/Desktop/ On wheezy, I'm using backports for torbrowser-launcher and apparmor. The scripts assume they have been copied to /usr/local/bin/ and that there is a user called "foo" (for running the actuall torbrowser(-launcher) process, and that the current user has sudo rights for the following commands: - sudo -i -u foo /usr/local/bin/tbb-l-wrapper - sudo slay foo There are two scripts, tbb-in-xephyr and tbb-l-wrapper. Only tbb-in-xephyr is to be called directly and will result in torbrowser running in Xephyr. Known problems: --------------- - dbus is not started, so some input methods won't work. (Personally I don't want/need dbus though, so I'm awaiting a solution to https://trac.torproject.org/projects/tor/ticket/10014) - not everybody likes awesome as the window manager being used ;) Ideas, questions and ToDo: -------------------------- - maybe all of this functionality could be integrated into. torbrowser-launcher itself, just writing this in shell was so easy. - or for the time being, merge these two scripts into one, doing both, depending on how its called. Also make them run from everywhere. - run this in an unprivileged LXC container, which is also apparmor confined. - (when) does this double confinement make sense? - use a more sensible named default user (instead of foo). - there should really be an option, so torbrowser-launcher doesn't detach itself, so that this "while;ps fax|grep" hack can go away. - ship an usable sudoers.d example too. - support for more users / instances Feedback welcome, especially accompanied by patches!
Categories: Elsewhere


Subscribe to jfhovinne aggregator - Elsewhere