Professional Documents
Culture Documents
Linux Magazine USA - Issue 269, April 2023 PDF
Linux Magazine USA - Issue 269, April 2023 PDF
Linux Magazine USA - Issue 269, April 2023 PDF
FR D
+
DV
EE
from YouTube’s tricky tracking
Easy!Appointments:
Manage your meetings SMath: Free MathCAD
and social engagements alternative
Explore the ImageMagick: Tweak graphic
Linux Boot Process images at the command line
Google Authenticator:
Protect your server with
multi-factor authentication 10 TREMENDOUS
FREE TOOLS!
W W W. L I N U X - M A G A Z I N E . C O M
EDITORIAL
Welcome
IDENTITY MATTERS
Dear Reader,
The company behind Facebook just announced a new pre- admit that Facebook has an impossible business model,
mium subscription model, where you pay for your Face- rather than letting them climb out of the mess by launching
book account and the payment includes some add-on ser- add-on services and claiming the problems are easily
vices that you don’t currently receive. I always wondered if solved through consumer choice?
a subscription service might be a better model for media But this is all sour grapes for me, because I’m still disap-
giants like Facebook. After all, they do provide a service to pointed that they would launch a for-pay service and not use
their subscribers – maybe asking people to pay directly is the occasion to address the real problem with Facebook,
better than selling user data and acting as a conduit for which is all the stalking. Rest assured there are alternatives,
targeted advertising. though. This month we explore the free social media tools of
After the encouraging headline, however, I was disappointed the Fediverse. The decentralized Fediverse environment will
to see that this new subscription-based service does not make help you with the stalking. As for the impersonation, there’s
your data more private or your online presence less ad- still no universal fix, but check out the article on Mastodon for
choked. The principal purpose of your for-pay Facebook page a workaround that will let you verify your identity to your fol-
is to make sure you are you and not somebody else. The ser- lowers – without paying extra.
vice will provide a “verification badge,” showing that you
have presented a government ID to ensure that you are who
you say you are. The goal is to offer some protection from
rogue users pretending to be you.
Corporate social media culture, like the Microsoft lala land
that preceded it, occupies a dreamy space where people tell
you things and you just nod your head like it is all perfectly Joe Casad,
reasonable, even when it isn’t. If you have to pay extra to Editor in Chief
ensure that no one is out there pretending to be you (basi-
cally, stealing your identity), the other side is that, if you
don’t pay extra, you can’t be sure others aren’t out there try-
ing to be you.
I want to be fair. It really does require resources to verify
someone’s identity and ensure that no one impersonates, so
in that sense, the company has a right to pass those costs on
to users. But it all sheds light on how faulty the basic service
model is in the first place. It is supposed to be against the
rules to use a fake name on Facebook, so what this new ser-
vice says is you have to pay extra for Facebook to enforce its
own rules, and if you don’t pay the money, Facebook is not re-
sponsible for enforcing its own rules.
It might seem like an impossible task to ensure that two bil-
lion active users are not impersonating each other. Actually,
I believe it is an impossible task, and paying $11.99 per
month won’t be enough to make it possible. Is it time to
ON THE COVER
58 Easy!Appointments 68 SMath 90 Tutorial –
Manage customer Tidy up your engineering ImageMagick
appointments from a handy equations and math notes.
Need to change the
web interface.
resolution for 100 vacation
81 Linux Boot Process
64 Google The Linux startup process
photos? You could click all
Authenticator is a series of incremental day with a GUI tool, or you
Thwart the password steps leading from the could write a single script
thieves with multi-factor power button to that with the powerful
authentication. familiar home desktop. ImageMagick toolkit.
REVIEW IN-DEPTH
45 Distro Walk – EuroLinux 48 Programming Snapshot – Go Filters
EuroLinux offers enterprise-class software with support When Mike Schilli is faced with the task of choosing a
from real engineers for a fair price. Bruce talks to the hiking tour from his collection of city trails, he turns to a
developers behind this RHEL-based distribution. DIY program trained to make useful suggestions.
dive down into the alternative universe for 80 Doghouse – Expanding the Base
social media users: the Fediverse. Linux can be a great new option for users from
Windows XP owners to students with a range of
interests.
MakerSpace
command line.
68 SMath
Present complex equations with
intermediate steps, graphics, plots,
and results in SMath.
72 Privacy Appliances
A Raspberry Pi with the right software
filters out annoying ads and nasty trackers TWO TERRIFIC DISTROS
for end devices on your local network. DOUBLE-SIDED DVD!
@linux_pro Linux Magazine SEE PAGE 6 FOR DETAILS
@linuxpromagazine @linuxmagazine
When you install and boot up elementary OS 7, there are no obvious and major
changes to greet you. In fact, the desktop UI looks very much in line with what the
team has released in the past, and that’s a good thing, because the elementary OS
UI is one of the finest on the market.
As for the changes, you’ll find more engaging app descriptions in the AppCenter,
an easier app update process, better support for sideloading and alternative app
stores, and a much more responsive AppCenter.
Version 7 also better supports web apps, making it easier to launch them from the
applications menu and even use their own settings (such as privacy controls).
Other new features include the ability to send feedback directly to the devel-
opers, a more streamlined installer, and an outstanding Onboarding app that
makes it easy for you to configure the UI theme. You can even configure auto-
matic updates for both free and paid apps.
The Mail app has a more modern UI as well as a unified inbox that also supports
Microsoft 365 accounts.
The Music app was also completely rewritten from scratch with a focus on more
quickly queuing and playing audio files from a local collection.
For more information on the latest release, check out the official release notes
(https://blog.elementary.io/os-7-available-now/) and then download an ISO
(https://elementary.io/) image for installation.
Netrunner OS 23 Available
Netrunner “Vaporware” version 23 has been made available by Blue Systems
(https://blue-systems.com/), arriving some two years after the previous milestone
release. Unlike Netrunner 21, version 23 migrates to Debian Bullseye, which
means it also includes the 5.10.19 Linux kernel.
Get the latest news In addition, Netrunner 23 includes KDE Plasma 5.20, Qt 5.15.2, Firefox 102
ESR, LibreOffice 7.0.4, VLC 3.0.18, Audacious 4.0.5, Thunderbird 102.6.0, GIMP
in your inbox every 2.10, and much more. But don’t think you’ll be getting a stock KDE desktop.
two weeks The developers have added a number of customizations to the desktop, such as
an overview-like main menu, a unique theme that helps it stand out, simplified Sys-
Subscribe FREE tem Settings with Plasma Tweaks, a unified look for both KDE and non-KDE applica-
to Linux Update tions, GTK apps with standard Kwin borders, Task Manager with expanding icons,
bit.ly/Linux-Update Show Desktop hotspot in the lower right corner, and more.
One nice addition is the inclusion of the VirtualBox guest additions, which
makes it easier to run the distribution as a virtual machine without having to
manually install the software. This means, out of the box, you can resize your
Netrunner virtual machine window, without having to first install the guest
additions.
Find our more about “Vaporware” on the official Netrunner overview page
(https://www.netrunner.com/netrunner-overview/) and download an ISO
(https://www.netrunner.com/download/) today.
their data operands, unless a ‘data inde- globally set a CPU to always use con- Dave also agreed, saying, “I’m in this
pendent timing’ flag […] is set.” stant-time execution. That way, for code camp as well. Let’s be safe and set it by
Here’s the thing about that. An at- that didn’t need the added security pro- default.”
tacker can sometimes gain useful infor- tection, it wouldn’t have to tolerate the At this point, a number of these peo-
mation about something like a pass- slowdown. ple started discussing implementation
word simply by observing how much Arnd Bergmann noticed that some details for both Intel and ARM, and the
time it takes your code to reject a given parts of the kernel were already using conversation got technical. The email
login attempt. If the rejection is quick, the flags, and he listed some of the thread ended fairly abruptly – presum-
it could mean the first characters of the ways it was handled currently. For ex- ably because people started trying out
password were wrong. If the rejection is ample, he pointed out some caveats patches.
microscopically slower, it could mean such as “the bit is context switched on
the first characters were correct. Then kernel entry, so setting the bit in user Removing Support for ICC
the attacker can keep the earlier charac- space does not change the behavior in- Masahiro Yamada posted a patch to re-
ters, make a new guess for the later side of a syscall.” He also remarked that move support for Intel’s C compiler from
characters, and try again until it guesses currently crypto code inside the kernel the Linux kernel. He pointed out that no-
the whole password correctly. did not use the flag, even when avail- body had complained when patches
The idea of constant-time execution able on the CPU. were accepted into the kernel build sys-
with respect to data means that the CPU Jeffrey Walton also remarked, “please tem that explicitly left Intel’s C compiler
will take the same amount of time to make setting/clearing the bit available in out. For example, “init/Kconfig defines
perform a given operation, regardless of userland. Libraries like Botan, CC_IS_GCC and CC_IS_CLANG but not
whether the data is long or short. This Crypto++ and OpenSSL could benefit CC_IS_ICC, and nobody has reported
has a direct effect on preventing those from it.” any issue.” He concluded, “I guess the
exact sort of attacks. Meanwhile Jason A. Donenfeld offered Intel Compiler support is broken, and
Regarding Intel and ARM’s recent the practical and security-conscious sug- nobody is caring about it.”
statements, Eric continued, “this is a gestion, “Maybe it should be set uncon- Linus Torvalds accepted the patch and
major problem for crypto code, which ditionally now, until we figure out how replied, “I don’t think anybody ever re-
needs to be constant-time, especially to make it more granular.” But he also ally used icc. I can’t recall having heard
with respect to keys. And since this is a mused, “I wonder, though, what’s the a single peep about icc problems, and I
CPU issue, it affects all code running on cost of enabling/disabling it? Would we don’t think it’s because it was *so* good
the CPU. While neither company is treat- in fact need a kind of lazy-deferred dis- at emulating gcc that nobody ever hit
ing this as a security disclosure, to me abling, like we have with any issues.”
this looks exactly like a CPU kernel_fpu_end()?” Harald Arnesen also pointed out that
vulnerability.” Eric replied, “I’d much prefer it being Intel’s compiler binary itself reported
He gave links to the documentation set unconditionally by default as well, that it was a deprecated tool. He ran icc
posted by ARM and Intel. That docu- as making everyone (both kernel and -v and got the message, “remark #10441:
mentation actually said that because the userspace) turn it on and off constantly The Intel(R) C++ Compiler Classic
CPUs didn’t guarantee constant-time ex- would be a nightmare. Note that Intel’s (ICC) is deprecated and will be removed
ecution by default, they implemented documentation says that CPUs before from product release in the second half
flags that could be set by the operating Ice Lake behave as if DOITM [Data Op- of 2023.”
system to force the CPU to perform con- erand Independent Timing Mode] is al- Arnd Bergmann affirmed that he also
stant-time execution. ways set.” had recently considered removing sup-
Eric credited Adam Langley with He concluded, “I think the logical ap- port for Intel’s C compiler. He remarked,
bringing the whole issue to his atten- proach is to unconditionally set DOITM “Intel have completely dropped their old
tion and asked, “I’m wondering if peo- by default, to fix this CPU bug in Ice codebase and moved to using LLVM, so
ple are aware of this issue, and Lake and later and just bring things back my guess is that with the current re-
whether anyone has any thoughts on to the way they were in CPUs before Ice leases it will behave the same as clang.”
whether/where the kernel should be Lake. With that as a baseline, we can Dave Hansen, from Intel, also re-
setting these new CPU flags.” then discuss whether it’s useful to pro- marked, “I honestly can’t remember see-
Peter Zijlstra heaved a deep sigh, vide ways to re-enable this CPU bug / ing anyone actually use icc during my
pointing out that these “CPU flags” are ‘feature’, for people who want to get the entire tenure at Intel. I’ll ask around to
actually registers that are specific to a performance boost (if one actually ex- see if there’s any plausible reason to fix
given model of CPU – in other words, ists) of data dependent timing after care- this up and keep it. But, I’m not holding
the kernel would have to deal with them fully assessing the risks.” my breath.”
differently and specifically for each sepa- Jason agreed with this, remarking, “It’s There was a bit more discussion, and
rate CPU model that implemented the actually kind of surprising that Intel Masahiro updated his patch to avoid re-
constant-time execution flag. didn’t already do this by default. Sure, moving certain things that related more
Peter did suggest that it would be bet- maybe the Intel manual never explicitly to GCC and Clang than ICC. But finally
ter to set and unset the flags as needed guaranteed constant time, but a heck of a it looks as though Intel’s compiler will
by specific processes, rather than lot of code relies on that being the case.” go away.
It was actually a fascinating project while kernel support was still in develop- implement existing functionality in glibc,
and originally represented a significant ment. This has lead to: some applications break. Mostly due to
alternative to GCC – at the time the only 1. Some existing binaries (node.js, PyPy, seccomp filters. They break even if there
such alternative that the kernel could ac- CRIU) that will break when glibc up- would be no observable differences for
tually use. And given that the kernel de- dates to use the kernel CET APIs. applictions in the way the new system
velopers and the GCC developers have 2. GCC C++ exception stack unwinding calls would be invoked if the seccomp fil-
not always seen eye to eye, it seemed code expecting old development ver- ter wouldn’t block them.
like a good idea at the time to have such sions of the kernel ABI.” “I proposed a new ENOSYS handshake
a fallback available. The days of such Rick pointed out that “once there is between userspace and kernel to reduce
conflicts between developer teams, how- kernel support, glibc plans to immedi- the amount of breakage (but not all of
ever, seems to have passed. These days ately update in such a way that some it). Senior kernel developers rejected it,
the kernel and the GCC developers seem existing distro binaries will break so we didn’t implement it in glibc.
pretty much in lockstep with each other. against it.” […]
He also said that meanwhile, “The gcc “Instead, we work with distributions
Putting the Cart Before CET support has preceded the kernel and upstreams to make sure the applica-
the Horse changes and the unwinding code as- tions are ready before the next distribu-
Rick P. Edgecombe asked Linus Tor- sumes things about the kernel shadow tion glibc update. Fortunately, there
valds for some advice about “ecosys- stack signal frame ABI that have seems to be a pretty broad overlap be-
tem compatibility.” In fact, Rick was changed over the course of CET kernel tween seccomp-using applications and
concerned about features that were be- development.” applications with frequent, more-or-less
coming very popular elsewhere, but Rick was trying to come up with a way mandatory updates, so the transition pe-
that were not yet included in the Linux to cushion these future incompatibilities riods are relatively short. You didn’t seem
kernel. Specifically, he was interested somewhat, and he asked Linus for to have noticed, so maybe we aren’t
in Intel’s hardware-based support for advice. doing such a bad job after all.”
Control-flow Enforcement Technology Linus, however, gave an elaborate There was no “official” conclusion
(CET). This creates a hidden memory shrug. He said: during the discussion, although the ker-
stack that prevents certain attacks that “I’m disgusted by glibc being willing to nel developers did get into some serious
might otherwise deduce the memory just upgrade and break existing binaries detail about exactly what breakage to ex-
location containing the next CPU op- and take the ‘you shouldn’t upgrade glibc pect, who would experience it, and
codes to execute. if you have old binaries’ approach. where any potential fixes might go.
It’s a real danger! The kernel’s pro- “But hey, I guess that’s part for the Ultimately, Linus probably does
gram is just a bunch of opcodes in mem- course for glibc, and there’s nothing I can mean business in terms of ensuring
ory, with a hardware register that contin- do about that. that user binaries don’t break, even if
ually points to the next one to be exe- “But yes, once people complain, I’ll the kernel must accomplish this at the
cuted. Function calls and goto state- just make sure that old binaries con- expense of inconveniencing other tools
ments are always updating where that tinue to work, and at that point the and other groups of developers. Break-
register points. If attackers can predict glibc and tooling people will presum- ing existing binaries and allowing
that, they might be able to replace those ably have to fix their broken situation known security holes to persist in the
opcodes with their own hostile code. to get CET at all. kernel are probably two of the least
However, Rick wasn’t concerned about “Because no, the kernel doesn’t en- tolerated things in all of kernel devel-
CET itself so much as the interactions able CET if it breaks binaries. That’s opment. Linus would rather accept a
between other tools and the kernel. Spe- how we roll.” huge loss of efficiency and prune off
cifically, he said: Florian Weimer replied: whole branches of kernel features
“The issues all have a root cause of “We’ve been in this position for years. rather than tolerate a security bug or
support for CET in tools spreading widely Every time we use a new system call to break an existing user binary. Q Q Q
QQQ
Back on Track
After two years online, crowds of FLOSS supporters returned to Brussels
in early February for FOSDEM 2023. Reminiscent of a class reunion, the
FOSDEM keynote program was jam packed with goodies. By Kristian Kißling
A
t FOSDEM 2023 [1] in Brussels, Mastodon instance, you will definitely example, analyzed the software of 180
FOMO (the fear of missing out) want to watch the video [3]. research projects that aim to deter-
was the buzz word, not only for Not only does a Mastodon instance mine, control, or optimize a building’s
people who did not make it to above a certain size need a reliable tech- energy requirements. Emissions from
the event, but also for the conference at- nical infrastructure, it also faces legal pit- buildings are some of the biggest driv-
tendees. Although the event in the Bel- falls. For example, instance operators ers of climate change. The results are
gian capital attracted a slightly smaller need to keep the massive amounts of pri- exciting.
audience than in years prior to the vate data secure, which means having While most of the 180 projects use at
COVID-19 pandemic, visitors repeatedly volunteers or paid staff moderate the least one open source component, only a
turned to live-streams because the con- posts. Operators also need to be careful few of the mostly publicly funded proj-
ference rooms hosting popular topics about which other Mastodon instances ects (about 3%) plan to release their
quickly filled up. from the Fediverse they integrate into software. The reasons range from ethical
their platform and which ones they don’t. to technical to cultural concerns. Often,
The First Instance In addition, they also need to consider projects simply expire after some time,
A particularly large number of comments how to handle corporate accounts [4]. and the software becomes orphaned.
and FOMO statements appeared on Mast- Last but not least, operating a project The focus on users is often missing, the
odon, where the #Fosdem topic was very like this can quickly consume finances. licensing situation remains unclear, or
popular for some time. Thanks to Elon According to Nóva, technical operations the developers are simply afraid of em-
Musk, Mastodon is currently experienc- of her instance alone incur monthly barrassing themselves. Some researchers
ing a flurry of activity. GitHub developer costs of around EUR1,000. also keep their software proprietary for
Kris Nóva, who was unexpectedly The solution, according to Nóva, is the commercial reasons. Despite all these
dragged into the Mastodon universe last newly established Nivenly Foundation problems, Rehmann is convinced that it
year, vividly described how lively things [5]. The instance’s operators will be would be better to use more open source
were. Her plan to build a separate Mast- looking to collect membership fees software in the field, such as CAD pro-
odon instance, Hachyderm [2], for friends through the foundation in the future to grams or simulation software for
took off with thousands of new users refinance operations. This seems to renovations.
gradually migrating to the instance. make sense: Where selling user data and
Upon reaching 30,000 accounts, the advertising cannot be the business Space, Road, and Data
quite powerful hardware in Nóva’s base- model, you need to find alternatives to Center
ment broke down. It was time to move the operate a volunteer project sustainably. Even NASA made it to FOSDEM (Fig-
service to a cloud, and Nóva chose Ger- ure 1). NASA is also looking to use its
man provider Hetzner. The data protec- New Energy data to help in the fight against climate
tion regulations (hashtag #GDPRforever) Sustainability also played a central role change, for example, in the scope of the
were probably also a decisive factor in the at FOSDEM in another context: the POWER project [6]. Astronomer Steve
move, along with Nóva and her support- avoidance of fossil fuels and the battle Crawford explained that the US space
ing developers needing to field some of against climate change. The organizers agency is currently opening up to open
the inevitable questions about the general assigned a separate energy track to this science, increasingly adopting open
handling of a privately managed Twitter pressing problem, along with space in APIs, and maintaining open datasets
alternative. Nóva pointed out in her key- the main stage program. and open access models. However, this
note that this is where the pitfalls lurk. If Felix Rehmann’s research project at is not entirely voluntary. According to a
you are thinking about setting up a the Technical University of Berlin, for US government decision, starting in
2026 all publicly funded research must automatically to other areas of the world in Fedora’s normal repositories, Curtin
also be immediately available to the based on their power consumption. Ide- emphasized.
general public. ally, CO2-neutral electricity will then be
Another topic at the conference dealt used there. The containers’ energy re- Same Procedure …
with electric cars. Vehicle-to-Grid (V2G) quirements are determined by eBPF pro- All told, the familiar FOSDEM feeling
pursues the idea of turning electric car grams, although obtaining the informa- quickly set in, with all its advantages
users into decentralized electricity pro- tion on the types of electricity is proba- and disadvantages. As usual, the speak-
ducers. The idea is for electric car users to bly not entirely trivial and sometimes ers in some rooms struggled with the PA
feed the electricity generated from wind also costs money. A software develop- (poor sound quality), and long queues
or solar energy for their electric vehicle ment kit for the Green Software Founda- formed in front of the coffee stands and
into the power grid in exchange for tion is also expected to emerge from the food trucks. But the conference scored
money. Products to help people do this project in the end. points with its sheer mass of open
are available from commercial providers, source topics, Belgian beer in the cafete-
but they usually look to sell a complete Classics ria, and great discussions. In other
solution. V2G Liberty [7] wants to offer As always, classic programming and words: I’ll be back … next year! Q Q Q
an alternative. Nicolas Höning presented admin topics abounded. Once again,
this project in his keynote, along with the people jostled for the best seats at the Info
setup that was developed. This includes front of the development rooms for pop- [1] FOSDEM: https://fosdem.org/2023/
Home Assistant [8], Nextcloud [9], and ular programming languages. There [2] Hachyderm.io: https://hachyderm.io
the LF Energy Foundation-funded Flex- were various admin-centric tracks (e.g.,
[3] FOSDEM videos:
Measures [10], among others. on continuous integration and contain- https://video.fosdem.org
Höning also explained the potential ers) as well as the obligatory kernel
[4] Account types at Hachyderm:
pitfalls and gave examples of best prac- track, where the developers of the free
https://community.hachyderm.io/
tices. One thing is clear: The less owners operating system kernel presented their docs/account-types/
move their cars, the more electricity they pet projects.
[5] Nivenly: https://nivenly.org/about/
can generate. In the ideal case, up to On the distributions track, Eric Curtin
[6] NASA’s POWER project:
EU10 per day can be earned with vehi- talked about Fedora Asahi Remix [12].
https://power.larc.nasa.gov/
cles converted in this way. The project is The Fedora-based distribution for Apple
[7] V2G Liberty: https://v2g-liberty.eu/
still in its infancy, but that has never de- hardware runs on ARM’s M1 and M2
terred open source enthusiasts. processors. Curtin cited a lack of good [8] Home Assistant:
https://www.home-assistant.io
Finally, Parul Singh and Kaiyi Liu pre- ARM devices supported by Linux as his
sented CO2-sensitive scheduling for Ku- motivation. Upstream, the Remix relies [9] Nextcloud: https://nextcloud.com
bernetes. Admins feed the rules for this on Asahi Linux and offers two kernels of [10] FlexMeasures: https://flexmeasures.io
to the container platform in the usual its own: a more stable one and an edge [11] Kepler: https://github.com/
declarative style. Kubernetes Efficient kernel with newer developments. Fedora sustainable-computing-io/kepler
Power Level Exporter (Kepler) [11] lets will be looking to store as many of the [12] Fedora Asahi Remix: https://
you move pods and their workloads software packages they used as possible fedoraproject.org/wiki/SIGs/Asahi
Figure 1: Even a NASA astronomer made it to FOSDEM and spoke about open source in space, among other things.
Social Time
Do you have to you give up your privacy to enjoy access to social media?
The makers of the Fediverse say no.
By Joe Casad
A
s this magazine goes to press, Twitter has just an- entrance onto the scene. Today a new group of tools threat-
nounced that it is closing its API – a radical move ens to upend the social media orthodoxy. Welcome to the
that will limit access from outside applications. Fediverse [2].
Some form of API access might be possible, if you
pay for it, but as of now, the terms are unclear, and anyway, Free Speech with Free Tools
the move is likely to cause still more restlessness from the The Fediverse is a collection of servers running social media
Linux community, who have never had much patience for tools that offer access in a decentralized format without the spy-
closed APIs and are likely to abandon the platform in even ing. There is no central authority wielding power over the whole
greater numbers. Where will they go? system. Servers operate independently, setting their own rules
Social networking and the new generation of users who live and managing the services as they see fit. The Fediverse is built
on it have changed the Internet. Your thoughts, your experi- on the philosophy that tools should work together, so if you
ences, your pictures, your politics – it all goes on the Internet have an account on one, you can view content from the others.
now through your platform of choice: Life events on Face- In other words, you have an account on one server but an iden-
book; links and short opinions on Twitter; videos on You- tity across the whole federated network. As you will learn in this
Tube; photos on Instagram. The whole world is connected, article, this goal of interoperability has been largely successful,
but many users, including many who have never heard of although a few links are still needed to complete the chain.
Linux or free software, have already begun to ask whether it This month you’ll learn about some leading tools of the
is all worth the price. Fediverse, including:
“What do you mean,” the companies tell us. “Our services • Mastodon – a microblogging platform that lets you send
are all free.” But it all depends on what you mean by free. links and short messages (like Twitter)
Commercial social media services earn billions selling knowl- • diaspora* – a macroblogging tool, like Facebook
edge of their users’ opinions and habits. To get on the site, • PixelFed – a photosharing tool, similar to Instagram
you need to click a box that signs away your privacy and, in • PeerTube – a YouTube-like tool for sharing videos
some cases, even signs away your ownership of your own Tools such as Mastodon and diaspora* are receiving a majority
words and images. of the attention now, perhaps because they fit so neatly into
The whole concept of commercial social media as it is prac- the niches of the conventional platforms they replace, but, as is
ticed today is decidedly at odds with the values of the Free often the case with Free Software, users have an abundance of
Software community. Former Free Software Foundation attor- choice. Other tools of the Fediverse [3] include:
ney Eben Moglen once referred to social media giant Facebook • Misskey – a microblogging tool with some extra features,
as a “man-in-the-middle attack,” adding. “The point is that by such as a calendar, a chat service, and animated text
sharing with our actual friends through a web intermediary • Hubzilla – a multi-purpose macroblogging platform that calls
who can store and mine everything, we harm people by de- itself a “home for nomads and power users”
stroying their privacy for them. It’s not the sharing that’s bad, • Pleroma – a microblogging service tailored for low-resource
it’s the technological design of giving it all to someone in the systems like Raspberry Pi
middle. That is at once outstandingly stupid and overwhelm- • Friendica – an early social media platform that supports mul-
ingly dangerous.” [1] tiple protocols for strong connectivity with other Fediverse
But over the past several years, while the social media gi- utilities
ants were erecting their billion dollar empires, another con- • Funkwhale – a music-sharing platform that also supports
struction project was quietly underway. Now, with recent “socializing around music and discovering new content”
controversies at Twitter and growing distrust for Facebook, • GNU Social – the GNU project’s entry into the search for an
the work of these Free Software pioneers has made a grand alternative microblogging platform
Figure 1: Mastodon is the most popular Fediverse platform, and its popularity is growing with the recent
changes at Twitter.
The popularity of the Fediverse tools varies widely. Mast- vegans and offers “anti-speciesist moderation by animal
odon (Figure 1) is thought to have more than 6 million ac- rights activists.” On the other hand, Truth Social, the social
counts and 4 million active users. The smallest platforms network created by Donald Trump and supported by users
might have only a couple thousand accounts. But new atten- with MAGA political leanings, is also based on Mastodon.
tion on the Fediverse could accelerate migration in the years
to come. Protocols
It is worth noting that the concept of federated servers used The secret to the interoperability of the Fediverse tools is that
with the Fediverse is only one approach to the goal of decen- they share common protocols. A close look at the supported
tralized social media (see the box entitled “Nostr: Even More protocols will give you a better understanding of what fits with
Decentralized”). what – and which tools might work best for your situation. For
historical reasons, or just to improve versatility, some tools
Tools and Rules support more than one protocol.
Decentralization is one of the principal features of the Fedi- The most popular Fediverse communication protocol is
verse, and it requires a bit of explanation. A tool such as Mast- ActivityPub. ActivityPub, which is based on the earlier
odon is an open source utility that anyone is free to download pump.io and StatusNet protocols, is a standard of the World
and implement. The Mastodon community is not all one single Wide Web Consortium. Mastodon, PeerTube, PixelFed,
user base. Instead, several different organizations act as Mast- Friendica, and other important Fediverse services use
odon providers (Figure 2). Each provider makes its own rules ActivityPub.
and manages its own user base. To get started with Mastodon Diaspora*, which was developed independently and earlier
you can sign up with one of the existing providers, or you can than many of the ActivityPub applications, has its own proto-
set up a Mastodon server and become a provider yourself. col that isn’t universally compatible with the others, although
Linux New Media, the publisher of this magazine, has an ac- Friendica and Hubzilla have implemented support for it. One
count with the Mastodon provider called fosstodon. In general, benefit of diaspora* is that it has implemented the necessary
Fediverse providers support interaction with other Fediverse extensions to interact with a number of commercial social
providers, so you aren’t locked in to a single garden as you are media services. You can propagate posts to Tumblr and Word-
with many of the commercial social media tools, however, the Press, and you can even embed YouTube and Vimeo videos in
first step is to set up an account. content pages. In the past, diaspora* has had some support
This independence of the individual providers means that for propagating posts to Twitter, but that support might be
the Fediverse tools aren’t controlled by a single company. ending with Twitter closing the API.
On the other hand, this diversity means there is no unifor- GNU Social, another one of the early entries, uses the
mity in how the providers manage their space and how they OStatus protocol, which is also supported by Friendica.
envision their mission. A server might serve a specific com- Hubzilla, like Friendica, places a premium on interoperability
munity of interest or political cause. Whoever owns the and offers built-in support for both diaspora* and the Activity-
server is free to moderate the content as they wish. For in- Pub services. Hubzilla also supports the Zot protocol, which al-
stance, the veganism.social Mastodon server focuses on lows it to connect with the Zap macroblogging service.
Figure 2: Shop for the server that will host your account at the Mastodon website.
The differing protocols mean that all the services in the Fedi- compatibility. Their mission isn’t just to offer a backdoor to
verse aren’t exactly federated, in that they can’t all directly con- reach Twitter. They would rather have Twitter users give up
nect to each other. In general, you can think of the ActivityPub their Twitter accounts and come join Mastodon.
services as one collection and the orbit around the popular
diaspora* service as another group (Figure 3). The versatile Service and Server
Friendica and Hubzilla fit into both camps. GNU Social’s Free software is all about choice, and the Fediverse is no ex-
OStatus protocol is actually a precursor to ActivityPub and at ception. An abundance of tools means you’ll find the right
one point offered a degree of compatiblity. Mastodon supported tool for an abundance of situations, and the freedom to build
GNU Social until version 3 but has since discontinued it. your own server and target it to your own community will
Keep in mind that compatibility among the different services help to spread the influence of the Fediverse throughout the
is only part of the equation. In many cases, users are more in- world of Internet users.
terested in reaching other users who are within the same tool Will the Fediverse conquer the world and displace the social
community. For instance, the Mastodon community is a com- media giants? That all depends on whether the world starts
plete ecosystem where millions of users interact every day – watching. If the world’s rock idols, politicians, movie stars, and
they don’t measure their value strictly on the ability to reach corporate accounts get fed up with Twitter and Facebook and
other services. The Mastodon community is a federation all by switch to the Fediverse, they will no doubt bring many users
itself, with many servers acting independently yet offering with them. If journalists start watching Mastodon accounts the
way they watch Twitter accounts now,
and treat every post as a quotable news
story, the tide will certainly start to turn.
But the famous people quoted in the
news are only a small fraction of the
users on social media. Most people just
use social media as a way to communi-
cate with their friends, and it is very
easy to imagine circles of friends gradu-
ally making the switch to free tools that
will protect their privacy and keep them
free from data mining and targeted
advertising.
Read on for a look at some leading
tools of Fediverse. And remember: This
issue is just a snapshot of where we
are right now. Things change fast with
Free Software, as developers adapt to
new ideas and changing times. If you
don’t find what you need today, keep
checking! Q Q Q
Info
[1] Eben Moglen comments regarding
Facebook: https://yro.slashdot.org/
story/12/02/06/1828231/moglen-
facebook-is-a-man-in-the-middle-
attack
[2] Fediverse: https://fediverse.info/
[3] Fediverse Services:
https://fediverse.info/
Figure 3: ActivityPub is the most common Fediverse protocol, but [4] Nostr: https://nostr.com/
Diaspora and a few other services use alternatives. [5] Nostr on GitHub: https://github.com/
Mike Kuketz, CC BY-SA 4.0, https://creativecommons.org/licenses/by-sa/4.0/ nostr-protocol/nostr
QQQ
T
he diaspora* federated social net-
work allows users to indepen-
dently run pods (diaspora* serv-
ers) to interact with each other
and the world in a “privacy first” way.
Technically speaking, diaspora* is a mac-
roblogging platform. You could say it’s a
Fediverse equivalent to Facebook. You
can still create a space that serves as your
online presence, post pictures, links, and
personal reflections. But this time, you can still interact with another user who’s registered with the
stay in control of your data. German-based despora.de.
Anyone can set up or join their own diaspora* server (called Diaspora* (Figure 1) fills the strong need for a decentralized
a pod) using free and open source software. Although pods are social network in a world where the established, monolithic
managed separately from each other, they can be federated, so social media services have abused their market dominance,
someone who uses their account on the US-based diasp.org playing fast and loose with users’ privacy (see the box entitled
“Facing Up to Facebook”).
Decentralization
The creators of diaspora* drew their in-
spiration from a 2010 speech to the Inter-
net Society by Columbia University Law
Professor Eben Moglen, who described
monolithic, centralized social networks
as “spying for free”[5]. The dev team
smashed their Kickstarter funding goals,
and the first diaspora* pod was
launched later that same year. The fact
that diaspora* has been in development
for almost 13 years gives it an edge over
other decentralized social networks that
are newer to the game and have had less
time to work out the kinks.
Author
Nate Drake is a tech journalist specializing
Figure 1: Decentralization and freedom are two key benefits of diaspora*. in cybersecurity and retro tech.
Debutantes Diaspora* uses hashtags (e.g., #linux) to help you record and
While setting up your own server is the best way to control search for your interests. When registering a new account,
your personal information (see the box entitled “Setting Up a you’ll be asked to enter a hashtagged topic in order to see rele-
Server”), this approach takes time and resources. Fortunately vant content on that topic in your main stream, which is a
there are a number of pods around the world run by eager vol- newsfeed by any other name.
unteers. You don’t even have to run to your nearest search en- When the main screen loads for the first time, a helpful wiz-
gine to find them, as the Fediverse Observer website [9] main- ard also guides you through diaspora*’s main features (Fig-
tains a list of servers running alternative social media in- ure 3). As pods are run by volunteers who aren’t profiting from
stances, including diaspora* (Figure 2). selling targeted ads, new users are sometimes asked to make a
These lists make for sobering reading, as even the most pop- small donation. This isn’t compulsory.
ular diaspora* pods only host a few thousand users, compared
to Facebook’s billions. Getting started is usually just a question Discretion
of going to a diaspora* pod’s website and filling in your email One huge advantage diaspora* still boasts over its bigger
address, name, and password. Some pods, such as diasp.org, brother Facebook is that there’s still no requirement to use
require you to email to request an invitation link. Otherwise, your real name when registering an account (Figure 4), which
setup is a breeze. will be welcome news to those who have been victims of stalk-
ing and online harassment.
Facing Up to Facebook If this isn’t enough incentive to make the switch from Meta,
diaspora* also has much more clearly defined privacy settings,
A previous article in this magazine [1] discussed some of the
which are enabled by default. First and foremost is diaspora*’s
more controversial uses Facebook (now Meta) found for their
customer’s data, such as retaining information after you
use of aspects. Aspects are similar to the circles formerly used
close your account and using facial recognition to identify
people in photos [2]. Setting Up a Server
Meta doesn’t seem to have learned its lesson. In November The lack of one monolithic server in diaspora* means that data
2022, Ireland’s data privacy regulator fined the company $277 is much less likely to be hacked or misused, particularly if you
million for alleged privacy breaches. This was the fourth fine set up your own diaspora* pod using the foundation’s source
of this kind Meta had received in Europe [3]. code, which is freely available via GitHub. [6]
In December 2022, Meta also paid a record $725 million for its Setting up a server should present no challenge at all to
role in the long-running Cambridge Analytica scandal, where per- anyone who has previously run one. The diaspora* Founda-
sonal data about users was made available to third parties [4]. tion has very clear installation instructions, though at this
Since these fines related to cases that were several years old, time of writing the software won’t run on Ubuntu 22.04 or
Meta was quick to reassure users that they’d since updated Debian 11 [7].
their website, and users now have advanced privacy settings. The Network Admin FAQ points out the software is a standard
However, it is important to keep in mind the words of Andrew Rails application, so it can run quite happily with Passenger or
Lewis, “If you are not paying for it, you’re not the customer; a reverse proxy configuration with Apache or NGINX. There’s
you’re the product being sold.” If Meta didn’t have a way of no requirement to use SSL, but pods that do must have a com-
making money on your data, they wouldn’t be in business. mercial certificate (i.e., they can’t be self-signed) [8].
Figure 2: The Fediverse Observer at https://fediverse.observer/ will help you find a diaspora* pod to join.
reachable via a Tor (.onion) hidden service and I2P (.i2p), The My activity area shows posts that you have either liked
though this is a matter for the pod admin to set up. or commented on. You can find it to the right of the Stream link
in the top bar. The notifications icon (bell symbol) also lives
The Interface here. The letter symbol is the conversations icon. In dias-
Pod admins have the power to customize the diaspora* user in- pora*, conversations are private communications between two
terface, so the details can sometimes vary, but Figure 3 offers a or more people – similar to chat. At the far right of the top bar
good example of what you’ll find when you log in to your dias- is a menu dedicated to your personal account, with options for
pora* account. As mentioned previously, diaspora* uses the contacts, settings, and a personal profile. As you can see in Fig-
term stream to refer to the stream of posts you view when you ure 3, diaspora* also has a menu on the left side of the page
log in. The posts can come from a number of different sources. that lets you manage aspects, mentions, and #tags.
Your stream aggregates content from your contacts and public
posts made containing #tags you follow, as well as posts from Direction
others that mention you (diaspora*’s @mention feature). Dias-
Diaspora* offers many more options for creating posts than on
pora* also supports an optional Community Spotlight feature
most social media sites. You can add images and links but also
that lets you see posts from members of the community that
use Markdown to format your text, add lists, and even poll
the pod admin recommends. other users.
Creating a post in diaspora* is called
publishing, and the text window where
you enter the post is call the publisher.
The interface for entering the text ap-
pears quite sparse (see the publisher at
the top of the window in Figure 6), but,
as the diaspora* documentation states,
“beneath its minimalist appearance lies
a treasure trove of features, which you
can trigger by clicking inside the box.”
Enter the text and apply the desired for-
matting options, and then press the
Share button to share the post.
We were disappointed to see that, after
all this time, it’s still not possible to edit
existing posts to correct typos or change
their visibility. The developers agree that
this would be very helpful but are focus-
ing their efforts on federating servers for
Figure 6: Although features are limited, you can post using Markdown, the time being. They are, however, offer-
including inserting links and images. ing a bounty to any developer who im-
plements this feature on their pod [11].
You can use the search bar to find
other users both on your pod and others
(by adding the @ symbol and the name of
their pod, for example, a dias.org pod
user could search macumazan@nerdpol.ch).
The search bar (Figure 7) also lets you
find subjects that match your interests
by finding posts with matching hashtags.
You can also comment and reshare
other user’s posts to your own My Activ-
ity feed, but as with your own posts,
bear in mind these can’t be edited.
Sharing
As with other social networks, users in
diaspora* make decisions about who they
wish to follow and who they wish to have
following them. In diaspora*, following
and being followed are theoretically inde-
Figure 7: Use the search bar at the top to find other users or posts pendent (you can follow someone who
tagged with your interests, like video games. doesn’t follow you), but mutual sharing
is a more common approach, especially among groups of because one great use case for diaspora* would be to allow an
friends. The versatility of the aspects feature means that sharing offline social network in controlled environments like schools
relationships are not always parallel. For instance, you might put and prisons.
the user in the group of your “close friends,” but the user might The Faustian bargain we make with social media giants
put you in the group of “work friends.” This means each of you like Meta means that they have the resources to hire crack
might be viewing different content streams [12]. developers to develop new features and expand their net-
If your search for a name or diaspora* ID displays a user work, leaving diaspora* and its team of volunteers far be-
you’d like to connect with, just add them as a contact, and hind. Still, if you manage the server yourself or can trust
then add that contact to an aspect. You can also add a user to your podmin, diaspora* offers much greater control over the
an aspect using their profile. When a user’s name turns up in personal data you hold and share, even if its features are
diaspora*, it is often a link to the user’s profile. Click on the still rather spartan. Q Q Q
name to see the user’s profile. Click the button in the corner of
the profile page to add the user to an aspect. Info
You can also use email to invite other users. Click the links [1] “Social Networking the FOSS Way with Diaspora" by Nate
in any search results page to reach out to users by email. You Drake, Linux Magazine, issue 194, January 2017:
also can click the Invite your friends link in the menu on the https://www.linux-magazine.com/Issues/2017/194/Diaspora
side of the Stream page (Figure 6). [2] “7 Controversial Ways Facebook Has Used Your Data” by
Victor Luckerson, Time, February 4, 2014: https://time.com/
Drawbacks 4695/7-controversial-ways-facebook-has-used-your-vdata/
In 2014, diaspora* managed to garner the wrong sort of press [3] “Irish regulator fines Facebook 265 million euros over pri-
attention when some ISIS members managed to set up their vacy breach,“ CNBC, November 28, 2022:
diaspora* pod in order to spread extremist material. The de- https://www.cnbc.com/2022/11/28/irish-regulator-fines-
velopers admitted there was little they could do to stop this facebook-265-million-euros-over-privacy-breach.html
given the network’s decentralized nature but encouraged [4] “Meta settles Cambridge Analytica scandal case for $725m”
“podmins” (pod admin) to take down public posts of such by Shiona McCallum, BBC, December 23, 2022:
material, most of whom did [13]. https://www.bbc.com/news/technology-64075067
Naturally this works both ways: A group of human rights [5] ISOC-NY Event: Eben Moglen “Freedom in the Cloud,”
workers operating in a rogue state could also set up their own February 5, 2010: https://isoc-ny.org/1338
private pod to share news from western agencies and other [6] diaspora*: https://wiki.diasporafoundation.org/FAQ_for_
censored information with citizens. Still, using diaspora* in a pod_maintainers
safe way requires a trustworthy and competent podmin. [7] Installation: https://wiki.diasporafoundation.org/Installation
Instant messaging using Prosody as an XMPP server is still in
[8] General system requirements:
the development phase, and it’s still a matter for each podmin https://wiki.diasporafoundation.org/FAQ_for_pod_maintain-
to enable it or not [14]. This means it’s not currently possible ers#What_are_the_general_system_requirements.3F
to chat in real time with other diaspora* users.
[9] Fediverse Observer: https://fediverse.observer/
Unlike Facebook, there’s no way to tag other users in posts,
[10] FAQ for users: https://wiki.diasporafoundation.org/FAQ_for_
comment on individual photos, or arrange photos into albums.
users#What_is_an_aspect.3F
The diaspora* team planned to address this by using the #tag
feature to group photos, but since my previous article in 2017, [11] Current and future development:
https://wiki.diasporafoundation.org/Current_and_future_
it seems there’s been little work on this [15].
development#Editing_posts
It’s unlikely there will be much uptake in diaspora* usage
while these features we take for granted on monolithic social [12] The diaspora* interface:
https://diasporafoundation.org/getting_started/interface
networks aren’t implemented. Still, this chicken and egg argu-
ment has its limitations: the more people who are involved, the [13] “Diaspora social network cannot stop IS posts” by Dave Lee,
more work can be done on introducing new features. BBC, August 2, 2014:
Some contributors have suggested federating diaspora* with https://www.bbc.com/news/technology-28882042
other “open” social networks. The software is actually already [14] Implement realtime chat, possibly using XMPP:
compatible with any other network that uses its Federation https://discourse.diasporafoundation.org/t/implement-
protocol [16], such as Friendica and Hubzilla. Still, a universal realtime-chat-possibly-using-xmpp/189/353
solution that provides seamless compatibility with the Activity- [15] Photo organization: https://discourse.diasporafoundation.
Pub protocol used with Mastodon and other Fediverse services org/t/organising-photos/253/26
seems a long way away. [16] Federation: https://wiki.diasporafoundation.org/Federation
Diaspora*’s desire for federation also means the pods aren’t [17] Isolation: https://wiki.diasporafoundation.org/FAQ_for_pod_
designed to be run in isolation, and the developers explicitly maintainers#Can_I_make_my_pod_private.2Fisolated.2Fnot_
explain that’s not what the network is for [17]. This is a shame, communicate_with_other_pods.3F
QQQ
R
ecent affairs at the news we publish
Twitter have led there without interfer-
to resounding ence – and without the
and sudden annoying pop-ups from
success for the free, other platforms that
open, and federated order you to register to
Mastodon [1] social continue browsing.
media platform. But de- Click on Local on the
spite the apparent bene- right (see Figure 1) and
fit of Twitter’s misman- you will see the posts of
agement, Mastodon’s all the accounts hosted
success was bound to on that particular “in-
happen sometime. As stance,” in this case,
Cory Doctorow explains fosstodon.org (more on
in one of his many eye- instances in a minute).
opening essays [2], pro- Click on Federated and
prietary, centralized, you will see all the mes-
and for-profit social sages being posted to
media platforms always kill themselves. Mastodon and other all the instances that have federated with fosstodon.org.
open platforms will fill in the vacuum they leave in their wake. Ready to take the dive? To sign up, your first step is to
choose an instance. Each instance is a Mastodon server that is
Mastodon Is Not Twitter part of the network of Mastodon servers. Each instance is
Thinking of Mastodon as a stand-in for Twitter will leave new- owned by a different entity, which could be a person, a group
comers confused. Sure, on the surface, Mastodon is a microblog- of friends, a community, or an organization. The owner de-
ging social media platform, and you could use it a such. But, as cides if the instance will be based around a topic, what the
Max Leibman points out, assuming that Mastodon is just like rules will be, and what the registration steps will be. Not all in-
Twitter is the first of the two fundamental errors people make. stances have open registration. Some do, but for some you
Mastodon taps into and inherits all the advantages of the Fe- need an invitation. Still other Mastodon instances are com-
diverse. It is not only distributed, but massively distributed. pletely closed to new users.
This means no controlling entity can mess with your content or You might think it is best to go with an instance that has lots
push sponsored posts onto your feed. Although a company can of users, because it is less likely to disappear (yes, instances
buy up individual servers, it will be hard for Mastodon, as an can and do disappear from time to time – the same as with any
ever-expanding network of interconnected, but independent in- Internet service), but that is not always the best choice. Bigger
stances, to be bought out. instances have more traffic and are often slower. They are also
Mastodon is also a door into the Fediverse. Built on Activity- more difficult to police, and, hence, more likely to have spam-
Pub [3], a W3C recommended standard for social media plat- mers posting bad things. A mid-sized instance with, say, 1,000
forms, it interconnects with other Fediverse services in ways users or fewer, is often a better bet.
that are both surprising and surprisingly useful. Choose an instance that has rules that sit well with you re-
garding content, harassment, veracity, and hate speech. Just in
How to Mastodon case, before signing up with an instance, browse the content
You can experience Mastodon without even signing up. Visit, for posted by other users – as with everything, there are disreputa-
example, Linux Magazine’s feed [4] and you can scroll through ble tooters (Mastadon posters).
Figure 4: Parts of the tooting form. Figure 5: Adding alt text to an image.
that account posts a toot with an image, it will show up in Fedilab is free, it is powerful, and it easily maintains multiple
Pixelfed. accounts, and it does scheduling well (Figure 10).
It is the same for PeerTube [9], the Fediverse’s service for shar-
ing videos (also covered elsewhere in this issue): Follow a Peer- Migrating
Tube account from Mast- There may come a time when you need to move to another in-
odon, and new videos will stance. It could be that the instance you are on is shutting
appear in your feed, and down, or has gotten too busy, or it has been overtaken by
you can watch, boost, like, trolls, or the new one simply fits your preferences better. What-
and comment on them with- ever the reason, Mastodon makes it relatively easy to take your
out ever leaving Mastodon. configuration, the list of people you follow, and even your fol-
lowers with you.
Mastodon on Before you migrate, bear in mind that Mastodon does not
Mobile allow taking your old posts with you to your new instance. It
The mobile space supports would be theoretically possible to copy the contents from your
dozens of clients for Mast- toots from one database to another if you had system adminis-
odon (and other Fediverse trator access to both servers where the instances are hosted.
services) [10]. The one you But your posts are time-stamped, and not only on your in-
choose is a question of stance, but also on every instance where people interacted with
taste. I recommend choos- them. The timestamps of imported toots would not match the
ing one that supports originals, and that would make an inconsistent mess in the fed-
scheduling. eration. Besides, apparently all of your “new” old toots would
The ability to set a toot to be posted a second time all at once, flooding followers' time-
be posted in the future, at a lines and in general wreaking havoc. So one thing you must
given time and on a given not do is delete the old account, because that is where your
date, is baked into Mast- original toots will and should stay.
odon’s architecture and is There is a second good reason to not remove your old ac-
thus available on all in- count entirely: Mastodon can automatically forward followers
stances by default. You who visit your old account to the new account. If there is no
don’t need a special sched- old account, Mastodon will not know who to forward nor
uling service as you would where to forward them to.
on other platforms, but you Let’s say you are migrating your “JaneDoe” account from the
do need a client that can le- mastodon.social instance to myinstance.org.
verage the feature. You can start by downloading your archive. To do that, in
My favorite client for An- Preferences visit Import and export, choose Data export, and
droid is Fedilab [11]. click Request your archive (Figure 11). If you have posted a lot,
this may take some time,
because it compiles all your
toots and all their attach-
ments into one compressed
archive. The archive is not
strictly necessary, because,
as I said, you will not be
able to import your toots
into your new account. But
it is a good backup, and the
archive also contains con-
tent such as your profile
and header image, the text
you used in your bio, and
so on. Having all these
things in one place is just
convenient when setting up
your new account and mak-
ing it look and read like
your old one.
While you are at it, and
in the same screen, down-
Figure 9: A Pixelfed feed Figure 10: Fedilab supports multiple accounts and load the files in the Data ex-
viewed from Mastodon. toot scheduling. port table:
• Follows contains the list of people you follow. to all Internet-facing servers. A couple of hints, though: Look
• Lists contains a list of the lists for grouping accounts you made. into non-password access for accessing your machine over
• You block contains a list of accounts you blocked. SSH, install and configure a decent firewall, and deploy some-
• You mute contains a list of accounts you muted. thing like Fail2Ban [12] to ward off brute-force attacks.
• Domain blocks contains a list of domains you blocked. Once your machine is safe, you will need the NGINX web
• And Bookmarks contains a list of references to toots you server to run your instance on and PostgreSQL for Mastodon’s
have bookmarked. database, so install both:
You will be able to import these files into your new account.
In fact, you can do that now: Register your new account, and apt install nginx postgresql postgresql-contrib
new posts. That is when they are transferred. It might be a yarn set version classic
adduser --disabled-login mastodon and clone and check out the latest version of the Mastodon
server code (Listing 3).
Log into the new mastodon user: Install some more dependencies for Ruby and JavaScript
(Listing 4).
su - mastodon And you can now run Mastodon’s built-in configuration wizard:
Install the tools to set up the Ruby environment (Listing 2). RAILS_ENV=production bundle exec rake mastodon:setup
ln -s /etc/nginx/sites-available/mastodon U
This creates both a mastodon user and a mastodon database /etc/nginx/sites-enabled/mastodon
echo 'eval "$(rbenv init -)"' >> ~/.bashrc in the /etc/nginx/nginx.conf file within the http
exec bash section.
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
Listing 4: Ruby and JS Dependencies
Listing 3: Getting the Mastodon Code bundle config deployment 'true'
.
[6] William Shatner (yes, that William Shatner) uncovers a
flaw in Mastodon: https://twitter.com/WilliamShatner/
server {
status/1218176903107895296
listen 80;
[7] WPCode for WordPress:
listen [::]:80;
https://wordpress.org/plugins/insert-headers-and-footers/
server_name [your domain here];
root /home/mastodon/live/public;
[8] Pixelfed: https://pixelfed.org/
location /.well-known/acme-challenge/ { allow all; } [9] PeerTube: https://joinpeertube.org/
location / { return 301 https://$host$request_uri; } [10] Mastodon mobile apps: https://joinmastodon.org/apps
} [11] Fedilab Mastodon client:
. https://f-droid.org/en/packages/fr.gouv.etalab.mastodon/
. [12] Fail2Ban: http://fail2ban.org/wiki/index.php/Main_Page
.
[13] Mastodon docs: https://docs.joinmastodon.org/
Fediverse TV
PeerTube, the Fediverse’s video platform, offers a decentralized, open source
way to watch videos and live stream your own content. We’ll show you how
to get started and even set up your own instance. By Paul Brown
T
he Fediverse community is building a parallel Internet PeerTube’s federated nature makes it possible for one instance to
based on ActivityPub, a W3C-recommended standard offer its visitors a much larger catalog of videos than it could if it
for social media, and PeerTube [1] is the Fediverse’s were isolated and relied exclusively on its own storage.
video service for individuals, communities, and other In this article, I’ll show you how to find a PeerTube instance
organizations. to join, set up an account, live stream video, and even run your
As with Mastodon, it would be understandable to think of own instance.
PeerTube as a Fediverse drop-in for the popular closed, proprie-
tary alternatives such as YouTube. And, sure, you can use Peer- Be a Viewer
Tube that way, but you would be ignoring its merits and how it Indeed, when you visit a PeerTube instance for the first time
can deliver video streaming that takes control from powerful (Figure 1), unless the owner has changed the default configu-
corporations and puts it into the hands of users. ration, you will see the most popular videos trending on the
Running a service that delivers video on the scale of YouTube federation. It is entirely possible that none of these videos are
requires an immense amount of bandwidth and storage, unless being hosted on the instance you are visiting, but you can still
you decentralize the whole thing. To be clear, PeerTube does not watch them from that instance.
offer an amount of media on the scale of YouTube. However, To see what is hosted on the instance itself, click on Local
PeerTube does offer an ingenious way of growing the resources it videos in the sidebar on the left. A click on Discover, on the
needs along with the amount of media it serves. By using peer-to- other hand, will show a selection of videos from the federation
peer (P2P) technology, PeerTube shares the load over instances split into categories. Trending is the default view previously
(servers run by PeerTube community members). Counterintui- mentioned, and Recently added shows you new videos from
tively with instances, the more viewers a video has, the lighter across the Fediverse.
the load on the server where the instance is hosted, because the If you want to know more about the instance you are visit-
load is spread over more nodes in the network. In addition, ing, click About at the bottom of the sidebar. The About page
Figure 1: A PeerTube instance will display by default the most popular videos trending in the federation.
tells you why the maintainers created this instance, what the instance is a good choice, more users and content makes an in-
rules are, and, on the right, the instance’s technical specs. stance harder to police, and, therefore, at more risk from spam,
Scrolling down, you will also be able to browse the instance’s trolls, and unsavory content. A large library may also mean
statistics (Figure 2), including how many users and videos are that an instance’s maintainers use lax criteria for approving ac-
hosted on this site, among other details. counts, which, again, may lead to less-than-ideal content.
Knowing what sort of content the instance publishes, the To help you choose, PeerTube offers an instance searcher [2].
rules and intentions laid out by the creators, and the size of the You can search as a viewer or video maker and filter the in-
local library can give you an idea of whether you would like to stances by topic. The searcher also tells you how much
join the PeerTube network via that instance or not. space an instance gives you, the preferred language, if the
Choosing a good instance to get started with is not hard, but it instance offers live streaming, whether the submitted videos
does require a bit of research. As with other Fediverse services, if are moderated before publication or not, and more.
you find the content
unsavory, you may
want to look else-
where. Besides, a
PeerTube instance that
publishes extremely
controversial content
(wild conspiracy theo-
ries, not-safe-for-work
content, racist rants,
etc.) could find itself
cut off from large
chunks of the Peer-
Tube network when
other instances refuse
to federate with them.
If your account is on
that server, you will
be cut off too.
While you may
think that a large Figure 2: Kockatoo Tube is a small instance, with nine users and some 500 videos.
will start to follow the channel on the other service and will article. If you have any user-facing service, such as a blog, you
import videos from there. already should have secured your server anyway. Notwith-
The Import with torrent tab does what it says on the box: It standing, if you need some hints, look into a decent firewall,
lets you upload a video that is being shared over a torrent. Up- close every port except the ones you need open, configure your
load the torrent file from your local storage or paste a magnetic server to not honor password-enabled logins over SSH, and in-
link and the video will appear after a while. stall and set up Fail2Ban [5].
For anyone who has set up a web service before, building a
Streaming PeerTube instance follows the familiar steps of installing de-
You can also create content via live streaming. Choose the Go pendencies, setting up databases, installing and configuring
live tab, and select This is a normal live if your live stream will PeerTube itself, and setting up your web server.
be a one-time event or This is a permanent/recurring live if you Written mostly in TypeScript, PeerTube relies on Node.js as
plan to make this your regular streaming platform. its application server, Yarn as a package manager, and Post-
If you choose a one-time live stream, the key PeerTube pro- greSQL and Redis to store data. FFmpeg is used for processing
vides you for the stream is good for one live session. If you use video in the background, and the supported web server is
the key again, it will overwrite the earlier recording. If you NGINX. The PeerTube documentation provides a guide on how
choose a recurring live stream, each time you start live stream- to install these packages on your machine [6].
ing, even with the same key, PeerTube will generate a different The official documentation also describes the process of
recorded video. setting up a peertube user on the system, setting up data-
Click on the Go live button and configure the stream as if it bases, downloading the PeerTube instance code, and tweak-
were a regular video by setting its title, a description, tags, ing the code to meet your particular needs. The documenta-
the channel where it should be published, and so on. The tion also covers how to set up your NGINX server, set Peer-
Live settings tab is where you can find the live RTMP URL and Tube to run as a service, and, finally, how to log in as the
the key that you will need to feed to your streaming software. administrator [7].
In Open Broadcaster Software (OBS), for example, you will
find the options under Settings | Stream. Select Custom from Administration
the Service drop-down list and then add the RTMP URL to the To quickly and easily acquire content for your instance, feder-
Server text box, and the key to the Stream Key password box ate your instance with other instances. Fill in the details re-
(Figure 4). garding your server so other admins can confirm that your in-
Advanced settings allows you to add a thumbnail, which ap- stance is legit: Click on Administration in the sidebar, and go to
pears when the stream is not active or when the recording Configuration | Information.
joins your library of prerecorded videos upon completion. In the Administration section under Configuration | Basic,
Plugin settings lets you establish which plugins will be avail- you can set up the policy for registering users, as well as how
able to viewers during the stream. For example, many PeerTube much space you are going to assign each user. Note that there
instances provide a very decent chat plugin [3], which allows is nothing wrong with maintaining a small, invitation-only in-
viewers to interact with the streamer (Figure 5). stance. It is better to run an instance for 20 people, give them
ample space for their content, and keep spammers at bay, than
Your Own Instance it is to have 2,000 accounts, very limited space for each user,
Setting up your own PeerTube instance and then federating and a mismanaged mess of an instance.
it is not terribly
hard. First off, you
do not need particu-
larly high-end hard-
ware [4], although a
decent network con-
nection is a must.
With these require-
ments, most mid-
range servers with
decent-sized storage
that you can rent
from a hosting ser-
vice for EUR30
(~$32) will do.
The first installa-
tion step, as usual, in-
volves securing your
server. How to secure
your server is beyond
the scope of this Figure 5: Streaming to PeerTube: Notice the live chat panel to the right of the stream.
Updating
From time to time,
you will need to up-
date your instance.
Your instance will
notify you when a
new version of Peer-
Tube is available. In
general, you can fol-
low the instructions
Figure 6: Add new instances to follow and show their content in your instance. available from Peer-
Tube [8]; usually an
From Basic, you also can set how you want to federate your upgrade is as simple as running a script.
instance with others in the Federation section. Federating in That said, occasionally some vital component will change
PeerTube entails setting your instance to follow others – which and running a script will not be enough. Always remember to
means your instance will show and share the other instances’ check the new version’s release notes before upgrading. The
content (but not necessarily the other way around, unless they release notes will contain instructions that will help you
follow you back) – allowing other instances to follow you, and along the way.
sharing your content on their instances.
To follow an instance with interesting content, go to Federa- What’s Next
tion | Following, click on the Follow button and fill in the text Despite still being quite unknown, PeerTube is already a very
box, with one instance address per line (Figure 6). For follow- mature, production-ready video platform with minimal bugs. It
ers, you will receive notifications of instances that want to just needs its own “Elon Musk moment” to go mainstream.
follow yours. You can approve or reject requests by visiting That said, as this is the Fediverse, PeerTube integrates clev-
Federation | Followers. erly and seamlessly with other services. You can follow a Peer-
Such is the nature of federation that videos may appear on Tube channel, for example, directly from Mastodon. Everything
your instance from instances that you are not directly follow- published to that channel will show up on Mastodon as a regu-
ing. These videos will be reaching you second hand, so to lar post with an attached video, and replies to the post on
speak, because you are following an instance that is following Mastodon will show up as comments on PeerTube. Perhaps
them. Your instance will be helping to spread these videos with the rise in popularity of Mastodon, PeerTube will also be-
from a third party in turn. come a popular service. Q Q Q
In general, this is a good thing, but if you find unsavory
content appearing on your instance, you can block whole in- Info
stances by going to Moderation | Muted servers and adding [1] PeerTube: https://joinpeertube.org/
the offensive domain to the list. However, use this feature [2] PeerTube instance searcher:
sparingly: PeerTube does not host any full videos from other https://joinpeertube.org/instances
instances on your instance, but it does count on federated
[3] PeerTube livechat plugin:
instances sharing fragments of videos in order to spread the
https://github.com/JohnXLivingston/peertube-plugin-livechat/
load in a true P2P fashion. PeerTube relies on instances fed- blob/main/README.md
erating with others to be able to provide a comprehensive
[4] Hardware requirements for an instance: https://joinpeertube.
service.
org/faq#should-i-have-a-big-server-to-run-peertube
The Moderation tab also lets you control your instance’s con-
[5] Fail2Ban: https://www.fail2ban.org/wiki/index.php/Main_Page
tent on a more granular level, allowing you to mute accounts,
remove rule-breaking comments, and check reports of abuse [6] Installing PeerTube dependencies:
coming from users. https://docs.joinpeertube.org/dependencies
If you want to provide more services to your users – for ex- [7] Installing PeerTube:
ample, the chat option on live streams mentioned earlier – https://docs.joinpeertube.org/install-any-os
check out the Plugins/Themes tab. Click on Search, and you [8] Upgrading PeerTube:
can install plugins directly into your instance from there. Each https://docs.joinpeertube.org/install-any-os?id=upgrade
Picture This!
Pixelfed offers an interesting alternative to centralized, algorithm-driven,
commercial photo sharing services. By Dmitri Popov
S
ometimes, it’s painful to watch people make the same A Federated Service
mistake again and again. When Flickr’s bright star If you’re thinking that Pixelfed is like Mastodon for photos,
started to fade, anyone remotely interested in photog- you’re not far off the mark. Pixelfed has the same underpin-
raphy moved to Instagram. With Instagram losing its nings: It’s an open source, federated service based on the Ac-
luster faster than a mountain hare loses its winter coat, there tivityPub protocol. The “federated” part often causes confu-
is a rush to VERO, Glass, and other photo sharing services sion among those unfamiliar with the term. Ironically, most
that promise to be different but are essentially the same. The of us use an established and mature federated service every
features offered by the current batch of Instagram challengers single day without perhaps even realizing it. Although it
may vary, but the overall premise is unchanged: a service run might be a stretch to call email a federated service, the under-
by a commercial entity that dictates the rules and to whose lying idea is basically the same: No matter which email service
fortunes and whims you’re beholden. So you’ll be forgiven provider you choose, you can still exchange messages with
for sagely shaking your head and murmuring to yourself, anyone using any other provider thanks to common protocols
“Will they ever learn?” like IMAP and SMTP. That’s how a federated service operates,
Fortunately, shutterbugs and serious photographers who too. Pick a Pixelfed instance, create an account (which even
are not willing to go down the same road again can choose looks like an email address, e.g., @me@pixelfed.social), and
an alternative path: Pixelfed [1]. If you haven’t heard the you can follow anyone on any other Pixelfed instance, and
name before, you’re not alone. While Pixelfed has been other users can follow you.
around for a while, it has been following the same trajectory Federated services share another trait with email. An email
as Mastodon. Twitter going down in flames has sent people address is unique, but the uniqueness of a specific username
scrambling for alternatives, with Mastodon providing a per- is limited to the service provider. The same is true for feder-
fect harbor for Twitter refugees. While none of the main- ated services. You can be Bobby Bushtail with the thelongtail
stream photo sharing services have suffered a misfortune of username on the pixel.social instance, but nothing prevents
a similar magnitude, the seed of doubt has been planted: someone from setting up the @thelongtail@pixelfed.de ac-
Perhaps sharing your photos and building a following using count and using the Bobby Bushtail name. If you want to
a centralized commercial service is not all it’s cracked up to reach the right Bobby, you have to know which Pixelfed in-
be after all. This is where Pixelfed (Figure 1) comes into the stance your Bobby is on. This may be a problem if you’re an
picture (no pun intended). influencer with a large following. However, it’s worth
stats in the Account Insights section, while Find Friends lists product. The current incarnation has done a lot of things
users that match your interests. right, and new features are popping up on a regular basis.
But the fact that most instances offer only limited storage
Closing Thoughts and are maintained by volunteers is something you need to
Although Pixelfed has been around for quite a while, it still consider. It still remains to be seen how successful individ-
might feel a bit like a work in progress rather than a finished ual Pixelfed instances will be at moderating as they grow in
popularity. Opting for Pixelfed is not a
zero-sum game, though. Nothing pre-
vents you from using your current ser-
vice while experimenting with Pix-
elfed. Even if you’re not interested in
using Pixelfed for sharing your photos,
you might still want to use it to set up
a portfolio to showcase your best
work. In short, start slow and small,
and see what works for you. Q Q Q
Info
[1] Pixelfed: https://pixelfed.org/
Author
Dmitri Popov has been writing exclusively
about Linux and open source software for
many years. His articles have appeared in
Danish, British, US, and German magazines
Figure 5: Get a dose of inspiration and find photographers to follow and websites. You can find more on his
with Daily Trending. website at cameracode.coffee.
REVIEW
Distro Walk – EuroLinux
EuroLinux
EuroLinux offers enterprise class software with support from real engineers for a fair price.
Bruce talks to the developers behind this RHEL-based distribution. By Bruce Byfield
B
ased on Red Hat Enterprise commercial open source software since service of rebuilding and customizing
Linux (RHEL), EuroLinux [1] 2000. Our company’s name originates the system for the customer, even in a
is a Polish-based commercial from the name of its first product, which closed environment. We are also the
distribution that sells support was the EuroLinux operating system. only clone that has a release (RPM re-
from engineers and offers specialist edi- lease tag) of modular packages com-
tions, including a free community edi- LM: Does the distribution have any patible 1:1 with RHEL. We are creating
tion and editions for Raspberry Pi, con- connection to the campaigning organi- special versions of systems – publicly
tainers, the cloud, and desktops. In zation [2] of the same name? available ones include, for example, an
keeping with the company’s philosophy, image for Raspberry Pi or EuroLinux
my questions were answered by leading EL: We don’t have a direct relationship, Desktop. EuroLinux Desktop is an ex-
developers. but we share many values. The emer- tended version of the distribution de-
gence of our products is also in line signed for individuals and organiza-
Linux Magazine (LM): Tell readers with their goals, such as platform neu- tions that use Windows or macOS on a
about the founding of EuroLinux. trality, restriction of patents in software, daily basis and are looking for a stable
freedom of licensing, and no vendor operating system, with a long and
EuroLinux (EL): EuroLinux was lock-in. known life cycle, that looks like a Mi-
founded in 2013 by a group of individu- crosoft and Apple solution. [In addi-
als who had been selling and supporting LM: How does EuroLinux differ from tion], EuroLinux is offered as a com-
other distributions based on RHEL? plete solution. It is not divided into a
Author series of paid elements. Therefore, the
Bruce Byfield is a computer journalist and EL: There are many elements that dis- customer who purchases our product
a freelance writer and editor specializing tinguish EuroLinux from other distri- and support services does not pay for
Photo by DeepMind on Unsplash
in free and open source software. In butions both through our technical and additional system modules such as HA,
addition to his writing projects, he also business elements. We have our own Load Balancer, or additional filesys-
teaches live and e-learning courses. In his EuroLinux Gaia build system, which is tems. We are also distinguished by a
spare time, Bruce writes about Northwest not dependent on git.centos.org (used simple, friendly licensing system that
Coast art (http://brucebyfield.wordpress. mainly by the CentOS Stream and does not limit the use of systems in vir-
com). He is also co-founder of Prentice younger enterprise Linux distribu- tual or cloud environments. The num-
Pieces, a blog about writing and fantasy at tions). As an organization, with the ber of CPUs or cores does not affect the
https://prenticepieces.com/. help of our build systems, we offer the price of support.
LM: What are EuroLinux’s goals and enterprise environments and act as a EuroLinux’s core team consists of a
philosophy? drop-in replacement. In most products group of a dozen developers. Other
available to the public, one of the goals employees of the company and group
EL: The values that guide us are encap- is to keep maximum compatibility with companies focus on work in project
sulated in our motto: the upstream projects. This principle is and product mode. A key element in
• True product: We build the EuroLinux quite similar to the Linux kernel’s princi- building and maintaining (updates/
product stack based on proven, well- ple of not breaking userspace, even patches/custom patches) is the heavy
known, and widely used open source when, for example, some compilation use of automation processes imple-
projects. As a result, we create enter- flags or features are enabled or disabled. mented in EuroLinux Gaia. This allows
prise-class software for use in the most When it comes to the custom distribu- us to maintain agility and speed of sys-
demanding environments, ensuring tions, among the things that we change tem development and testing. At the
stability and security. We provide and are bootchain, boot keys, additional ker- moment we produce five basic ver-
support complete, ready-to-use prod- nel patches, different kernel versions, sions of the system (EuroLinux 6 ELS,
ucts that include standard modules to changes to the cryptographic policies EuroLinux 7, EuroLinux 8, EuroLinux 9,
extend their core capabilities. and used algorithms, additional soft- and EuroLinux Desktop) and addition-
• Real Support: Our support division is ware, software removal, custom reposi- ally several special use distributions.
made up of specialists with the highest tories, and more. It depends greatly on We collect feedback from users and
certifications and the practical knowl- the customer’s needs. customers in a structured and regular
edge needed to provide professional manner, including through the partner
customer service. The foundation of LM: What services does the company channel. We also strive to seek out and
“real support” is facilitated through di- provide? realize responses to user requests. Each
rect access to engineers and architects. person has the opportunity to submit a
Our aim is to keep support simple – a EL: The most notable services are our proposal for change or their comments
conversation between a real engineer potential to build a customized Linux both through direct messages and
and a client. distribution tailored to our customers’ openly on the GitHub platform. On the
• Fair price: The price of our products requirements; the professional, un- flip side, we engage through our social
does not depend on the number of equaled support infrastructure; and our media and direct channels, our develop-
processors in a machine. Nor do we authorized training courses. ments, and upcoming projects with our
impose licensing restrictions on the With the help of the proprietary Euro- community.
number of virtual machines running Linux Gaia tool, we enable customers to At the beginning of each quarter, we
on a physical server. Nor do we make create dedicated Linux systems. Anyone publish our EuroLinux System Road-
the customer dependent on our solu- can order their own Linux distribution map. In this post, we report on the work
tions, but allow them to freely choose from us, branded with a unique logo and done over the last quarter, but most im-
their support and software provider. sets of changes. We will produce it and portantly it contains information about
For us, the element of fair price is also maintain it (updates/custom patches) our development plans. Our roadmap
a business model that maintains flexi- for up to 10 years. largely reflects the needs reported by
bility and openness to negotiation, in- Further, we support customers and EuroLinux users.
cluding flat price unlimited subscrip- users who are migrating their systems to
tions. That allows the customer to sig- EuroLinux. We provide scripts to auto- LM: What features make the EuroLinux
nificantly reduce the costs associated mate the migration process and offer mi- Desktop edition stand out?
with infrastructure upkeep. gration support. Additionally, technical
User freedom is also a very important el- support services are offered at three lev- EL: EuroLinux Desktop (Figure 1), like
ement of our ethos. Users can freely use els. Premium support is provided 24/7, its server sibling, is based on the source
the free public available version of the and Standard support is provided 8/5. code of RHEL 9. This means that it is
system and switch to the paid version at Basic support includes only installation compatible with RHEL, but it also in-
any time they choose. Conversely, they support for the system or solution. cludes additional functionality, exten-
can use the paid, supported version and sions, and facilities.
switch to the free version without any LM: How is EuroLinux organized? How The changes we’ve made primarily
consequences. They will then receive are decisions made? How do the com- concern the system’s appearance and us-
only standard updates to the system, pany and community interact? ability. To this end, we used Gnome ex-
which are identical to the paid versions, tensions. They come preconfigured in
including repository addresses. EL: We have a board-led, team-based the system and are available immedi-
traditional organization. However, we ately after installation, “out of the box.”
LM: How specialized are EuroLinux’s operate a competency-based decision They significantly affect the perception
various products? making ethos, where the technical deci- of the software, but do not revolutionize
sions are made by those in the special- it. All this is done to preserve the stabil-
EL: We have nine products, all of which ized technical team. Only company-wide ity and security of the enterprise Linux
are directly compatible with well-known or executive decisions are made at the family (RHEL, EuroLinux, CentOS),
and popular solutions found in board level. while making the system easier to use
for those accustomed to Windows or • EuroLinux Desktop allows icons to be on the moon icon in the dock and al-
macOS. [For instance:] placed on the desktop by default, al- lows you to set a schedule for auto-
• The translucent dock at the bottom though the popular Gnome window matic theme switching based on the
of the screen is modeled after the lat- manager does not provide such func- time of day.
est versions of these systems. As the tionality by default. We integrated the system with the
dock is permanently visible, in the • When you right-click on the wallpa- Flathub repository. This provides easy
EuroLinux Desktop we have disabled per, additional menu items appear (in- access to more than 2,000 free apps.
the now redundant overview mode cluding New Text Document). We have They are downloadable from the Soft-
and the Gnome hot corner function, also added icons for notifications from ware application. So you can install
which displays said mode when you instant messaging or email programs. them with a single click – analogous to
mouse over the top left corner of the EuroLinux Desktop lets you switch the Microsoft Store or App Store.
screen. day/night themes with a single click
Conclusion
In many ways, EuroLinux is a case
study in the position of commercial
distributions. On the one hand, Euro-
Linux carefully breaks down products
and services for customers. On the
other hand, EuroLinux remains contin-
ually aware of the expectations of the
community. Not only does it continue
to offer a download version, but its use
of developers for support seems likely
to appeal to open source advocates. It
is a balancing act of which EuroLinux
seems well aware. Q Q Q
Info
[1] EuroLinux (company):
https://shop.euro-linux.com
[2] EuroLinux (activist organization):
https://en.wikipedia.org/wiki/
Figure 1: Eurolinux’s Desktop edition. Photo courtesy of EuroLinux EuroLinux
QQQ
Pathfinder
When Mike Schilli is faced with the task of choosing a hiking
tour from his collection of city trails, he turns to a DIY
program trained to make useful suggestions. By Mike Schilli
W
hich of the city walking Snapshot column [1]. This XML for-
routes recorded on the Ko- mat records the waypoints of the re-
moot route planning service spective tour as geo-coordinates with ele- in the USA.
should I do again today? vation above sea level, including time- The rest of the conver-
This is a question I ask myself surpris- stamps (Figure 2). In the absence of a pub- sion flow is now automatic. A preproces-
ingly often. Depending on how I feel, I licly available API on Komoot’s website, a sor wades its way through the GPX data
want the day’s tour to be short or long, web scraper in the previous column of all tours, determines their total dura-
hilly or flat, and – accordingly – chal- logged in to the site, fetched the GPX data, tion, the elevation climbed, and the dis-
lenging or relaxing. Depending on time and copied it locally to the tours/ directory tance from home to the trailhead.
constraints, I might not want to venture on the hard disk using the numeric tour ID Equipped with this metadata, a com-
too far from home. as a filename (as in 523799045.gpx). mand-line program in Go later filters out
My tours are recorded on the Komoot For post-processing, the CSV file in the tours based on given criteria.
service, but it offers only very rudimen- Listing 1 assigns easily recognizable
tary filter options (Figure 1). In my case, route names to those IDs. What you see Dizzying Heights
using its smallest possible search radius here is a selection of my tours, some of Among other things, how strenuous a
of three miles, Komoot searches the en- which are located in Germany and some tour is depends on the meters of
tire San Francisco metropolitan area for
saved tours rather than letting me nar-
row my search to individual neighbor-
hoods. To enable more granular search
criteria, what I have in mind for today’s
column is a command-line tool that uses
the elevation profile, tour time, and dis-
tance to trail entry as filters to greatly re-
duce the selection.
The new tool can make its selection
from tour data that is already available as
GPX files on my hard disk from a previous
Author
Lead Image © Sergey Mironov, 123RF.com
install.packages('gpx')
526430358,Aggenstein
Listing 2: climb.r
434310884,Heidelberg Schlierbach 01 #!/usr/bin/env Rscript
tour-names.csv (Listing 1) and fields a be stored in names. Any 11 steps <- diff(ele)
dataframe with the id and name columns. attempt to do this be- 12 upsteps <- steps[steps > 0]
The for loop starting in line 4 iterates forehand throws an 13 idnames[row,3] = sum(upsteps)
through all rows of this dataframe. Line error message because R 14 names(idnames)[3] = "ele"
5 extracts the tour’s numeric id, and line thinks that the 15 # starting point
6 compiles the path to the GPX file on dataframe is not big 16 idnames[row,4] = track[1, "Latitude"]
disk from the id. The read_gpx() function enough. 17 idnames[row,4] = track[1, "Latitude"]
then reads the tour data in GPX format 18 names(idnames)[4] = "lat"
from the downloaded file, and the re- Starting Point 19 names(idnames)[5] = "lon"
maining altitude calculation is analogous For the contents of the
20 # duration
to Listing 2. Next, I need to append the next two columns, with
21 start <- track[1, "Time"]
computed numerical elevation change index numbers 4 and 5,
22 stop <- tail(track, 1)[1, "Time"]
value to the dataframe in a new column the R script looks for
23 mins <- round(as.numeric(difftime(stop, start),
named ele. the latitude and longi-
units="mins"), 0)
tude of the tour’s start-
24 idnames[row,6] = mins
More Columns ing point. Because the
25 names(idnames)[6] = "mins"
To add a new column to a dataframe, GPX data is available
26 }
you just need to assign a value to it. To as a dataframe, this is a
27 write.csv(idnames)
do this, you can use either the dollar piece of cake. R just
Beginning and End user-configured filters. To do this, List- Lines 41 to 48 then extract the nu-
R’s difftime() function computes the ing 4 uses readCSV() to read the meta- meric column values using ParseFloat()
difference between two timestamps. For data into memory by placing the indi- and ParseInt() along with the respec-
a result in minutes, line 23 calls R’s stan- vidual entries into an array slice with tive precision (32- or 64-bit) and a base
dard as.numeric() function with the elements of the Tour type. Defined of 10 for integers, followed by line 49 to
units="mins" parameter. The return value starting in line 10, the elements of this set the corresponding attributes in the
is a floating-point number with fractions type store all the important metadata, Tour type structure. Line 55 appends a
of minutes, which the standard round() such as the duration, meters of alti- single instance of this structure to the
function rounds to the nearest integer tude, and starting point. array slice with all the line data from
with a precision of 0 (zero decimal As you can see and have probably the CSV file, and the action continues
places). That takes care of the tour dura- expected, data processing in Go is far with the next round.
tion, and lines 24 and 25 insert the value less elegant than in R. The encoding/
in column 6 into the resulting dataframe csv package understands the CSV for- Choosy
under the "mins" column header. mat, but Go’s reader type needs to la- The main program in Listing 5 under-
Finally, write.csv() writes the whole boriously work its way through the stands a number of filter flags: --gain is
enchilada in CSV format to standard lines of the file, checking for the end of a qualifying tour’s maximum elevation
output, which the user redirects to the file (line 29) and handling any read er- gain in meters and --radius is the maxi-
tour-data.csv file, as metadata to later rors. Because the first line in the CSV mum distance from my home base, the
enable automatic and fast filtering. format lists the column names, the coordinates of which are defined by home
The Go hikefind program, which I will logic starting in line 36 works its way in line 9. Adjust this to your private set-
be explaining in a minute, grabs the re- past this with the firstLine Boolean tings for the best results. The command-
sults from the file and applies its variable. line parameter --mins defines the
Listing 4: csvread.go
03 "encoding/csv" 35 }
04 "fmt" 36 if firstLine {
07 "strconv" 39 continue
08 ) 40 }
17 } 49 tour := Tour{
24 tours := []Tour{} 56 }
26 firstLine := true 58 }
30 break 62 }
31 } 63 }
32 if err != nil {
Listing 5: hikefind.go
01 package main 20 }
04 "fmt" 23 continue
05 "github.com/fatih/color" 24 }
07 ) 26 dist := home.GreatCircleDistance(start)
11 radius := flag.Float64("radius", 0, "radius from home") 30 if *mins != 0 && tour.mins > *mins {
13 flag.Parse() 32 }
maximum tour duration in minutes. The for loop starting at line 21 iterates without producing any output. But if an
The flags take either floating-point or over all metadata read using readCSV() in entry passes through all the filters un-
integer values from the user, which line 17 and applies the three implemented scathed, the print statement from line 33
hikefind converts to its internal types. filters: gain, radius, and mins. The distance outputs the tour.
hikefind then uses the values to whit- from home is checked by the radius filter
tle down qualifying tours from the CSV using the GitHub kellydunn/golang-geo Colorful and in Color
metafile. package. This package uses the GreatCir- To make the meta values of the printed
cleDistance() function to determine the tours more eye-catching later on, List-
Listing 6: Compiling distance between the two geo-points in ki- ing 5 initially includes the fatih/color
$ go mod init hikefind
lometers and then compares the numeri- package from GitHub, which provides
$ go mod tidy
cal result with the defined filter value. functions to output the ANSI color
If one of the three filters is tripped, the codes commonly used by terminals.
$ go build hikefind.go csvread.go
for loop continues with the next round You can compile Listings 4 and 5 with
the usual three-card trick (Listing 6).
The resulting hikefind binary either
outputs all tours (Figure 5, without
command-line options) or gives you a
more compact selection using arbitrary
combinations of the different filter
types.
Figure 6 shows all the hiking trails
within 10 kilometers of my adopted
hometown of San Francisco that climb
less than 100 meters in elevation and
can be completed in one hour or less.
Only three routes remain – it’s a pretty
hilly city after all. Q Q Q
Figure 5: When called without options, hikefind lists all available trails.
Info
[1] “Go Retrieves GPS Data from the Ko-
moot App” by Mike Schilli, Linux
Magazine, issue 252, November 2021,
https://www.linux-magazine.com/
Issues/2021/252/Plan-Your-Hike/
Figure 6: Use the filter options to create a selection entirely to your liking. (language)/eng-US
Using Mastodon
from the command line
toot
If you are looking for a Twitter alternative, toot lets you interact documented and up-to-date with Mast-
odon through a series of commands
with Mastodon from the command line. By Bruce Byfield and options that keeps users’ hands
A
firmly on the keyboard.
n open source, decentralized toot with a simple Publish button [3],
version of Twitter, Mastodon but the term remains widely used. Getting Started
has been in development since Toot compares favorably with Twitter You will find toot in the package repos-
2016. With Elon Musk’s erratic clients for Linux such as Twidge, Oys- itories of many distributions and you
decisions since purchasing Twitter in ter, and Rainbow Stream, many of can also install toot using Homebrew,
late 2022, many users predicting Twit- which are not up-to-date, and have an although some sources are more cur-
ter’s doom have been searching des- alarming tendency to come and go rent than others. However you choose
perately for alternatives. The result has without warning. By contrast, al- to install, to use toot, you must create
been a new surge in interest in Mast- though current users must still use the an account in a Mastodon instance
odon – even if many newcomers re- web interface to create a Mastodon ac- from a web browser before logging in
main puzzled by its open source orga- count for everyday use, toot is a com- with the command toot login_cli (Fig-
nization. The interest is so great that plete replacement for the web version ure 2). Upon launching, toot creates a
Mastodon’s founder Eugen Rochko re- of Mastodon (Figure 1), providing configuration file in your home direc-
ports that he has received offers of functionality that is both thoroughly tory at .config/toot/config.json. You
“hundreds of thousands of dollars”
from five investors – offers he refused
so as not to endanger Mastodon’s non-
profit status [1]. As I write, the exodus
from Twitter appears to have slowed,
but along with the renewed interest in
Mastodon has come a renewed interest
Lead Image © Author, 123RF.com
must be entered in lowercase charac- ments. For the first attachment, use the
ters with periods rather than spaces option or by their Mastodon instance address
between the words, regardless of how with
the instance name is presented in the -media path/to/image1.png U
web interface. After toot locates the in- --description "TEXT" \ toot search NAME@INSTANCE
toot post --editor Figure 4: You can compose a toot in the text editor of your choice.
Should you decide to undo any of example, if you decide on second toot unfavourite ID
these actions, you can run the same thought not to favor a toot, use the
commands prefaced by un. For command: The rest you can probably figure out for
yourself. If necessary, though, for de-
tailed summaries, run
Info
[1] Mastodon investment offers:
https://arstechnica.com/tech-policy/
2022/12/twitter-rival-mastodon-rejects-
funding-to-preserve-nonprofit-status/
QQQ
Scheduling
Specialist
If you have a business that requires customers to make an
appointment in advance for services, letting them request
the appointment via Easy!Appointments can free up your
phone line. By Rubén Llorente
H
air salons, medical offices, and owner!) sets a date and time, usually internal management becomes cum-
other small businesses require writing everything down in an appoint- bersome if more than one person
customers to book an appoint- ment book. needs to know the next day’s sched-
ment. Traditionally, small busi- While this approach works, it suf- ule: The receptionist then has to
nesses manage these appointments by fers from a number of shortcomings. spend time telling each professional
offering a phone number. Customers call Customers can only phone in when the weekly schedule instead of work-
in, and an employee (or the business the office is open. In addition, ing on more important tasks.
Installing Easy!Appointments
Easy!Appointments has a short list of
prerequisites. It will run on any mod-
ern LAMP stack (see the “LAMP Serv-
ers in a Nutshell” box). Table 1 shows
the current requirements for the latest
stable version at the time of writing
this article. I have also tested Figure 2: Easy!Appointment’s installation Wizard will ask you for some
Easy!Appointments with OpenBSD’s information in order to get the site set up.
httpd and the MariaDB database with
great success. Listing 1: Creating a Database
The instructions provided here are echo "CREATE DATABASE easyappointments;" | mysql -u root -p
for setting up Easy!Appointments on a
echo "CREATE USER easyappointments IDENTIFIED BY 'password';" | mysql -u root -p
Debian LAMP server. If you are using a
echo "GRANT ALL PRIVILEGES ON easyappointments.* to easyappointments;" | mysql -u root -p
minimal Hetzner LAMP install, you
will need to install some additional
software: Listing 2: Example config.php
01 <?php
05 // GENERAL SETTINGS
cd /var/www/demo.operationalsecurity.es 11
wget https://github.com/alextselegidis/U
12 // ------------------------------------------------------
easyappointments/releases/download/U
13 // DATABASE SETTINGS
14 // ------------------------------------------------------
1.4.3/easyappointments-1.4.3.zip
15
21 // ------------------------------------------------------
Then, grant the web server user ownership over the
22 // GOOGLE CALENDAR SYNC
files:
23 // ------------------------------------------------------
24
chown -R www-data ./*
25 const GOOGLE_SYNC_FEATURE = FALSE; // Enter TRUE or FALSE
Table 2: Fixed and Flexible Appointments one service provider. For example, if you
Fixed Appointments stack according to their defined duration. (If you have a are setting up Easy!Appointments for the
30-minute appointment at 09:30, the next available appointment will be fictitious Horse Hoofcare business,
at 10:00.) which employs three farriers, you’ll need
Flexible Appointments stack to the next interval of 15 minutes. (If you have a to create an account for each employee.
30-minute appointment at 09:30, the next available appointment will be Customers then will be able to book an
at 10:00, and the next one at 10:15.)
appointment with the farrier of their
choice. To do this, go to the admin tool-
MySQL via a pipe is not secure, and it is Once Easy!Appointments is loaded, you bar located at yoursite.com/index.php/
done here only for the sake of clarity. can visit your new site. An installation user/login and log in.
Finally, use the sample configuration wizard will run automatically and help First, you need to define the types of
file in Listing 2 as a template and edit it you finish the process (Figure 2). available appointments in the Services
to your liking with a text editor: tab. Note that services can be grouped
Business Features into categories if desired. Each service
cp config-sample.php config.php One of Easy!Appointments’ most useful can have a price, a location, and an es-
vi config.php features is that it supports more than timated completion time (Figure 3). An
undocumented feature is that services
can be defined as either Fixed or Flexi-
ble (see Table 2) [3]. In addition, you
can allow multiple concurrent custom-
ers to sign up for a service, which is
useful for courses and group activities
that allow multiple people to sign up at
the same time.
Once this is done, go to the Users tab
and add as many providers as necessary
(Figure 4). Keep in mind that you can as-
sign different services to different pro-
viders. For example, you can assign In-
fection Treatment to a provider who is a
veterinarian and Hoof Trimming to a far-
rier. If you have an employee who can
provide both services, you can add both
to that employee’s list of services.
Finally, go to the Business Logic tab lo-
cated under Settings to set your business
Figure 3: Add the services your business provides in the Services tab. hours as well as assign employee breaks
(Figure 5).
An optional, though undocumented,
step is to configure Easy!Appointments
to use an email provider for delivering
email notifications to both your custom-
ers and employees. Email access can be
configured in application/config/email.
php as shown in Listing 3.
Customer View
When potential customers visit your
website, they will be offered a choice
of services. Once the customer selects
a service, a list of providers will be of-
fered (Figure 6). After selecting a pro-
vider, the customer will be prompted to
select an appointment time (Figure 7)
and enter their contact information via
a web form. Finally, an email notifica-
tion is sent to both the customer and
Figure 4: Select the Users tab to add as many providers as desired. You the employee whose services have
can also assign specific services to each provider. been booked.
Lots of Features
Easy!Appointments offers some interest-
ing extras. First, it is a responsive web
application. You will find
Easy!Appointments easy to use and
pleasing to the eye from either a work-
station or a mobile device.
It also supports the (infamous)
cookie warnings, terms of service and
privacy policy pop-ups, and a very nec-
essary CAPTCHA to distinguish hu-
mans from bots.
In addition, Easy!Appointments sup-
ports multiple languages. Both custom-
ers and employees can select their pre-
ferred language when using
Easy!Appointments. Figure 5: The Business Logic tab allows you to configure the available
Finally, Easy!Appointments integrates hours for booking appointments and to schedule breaks for your
with other Internet services. In particu- employees.
lar, it features integration with Word-
Press [4] via a plugin and synchronizes Listing 3: Example of email.php file
with Google Calendar (Figure 8) [5]. 01 <?php defined('BASEPATH') or exit('No direct script access allowed');
At the time of writing, a GitHub proj- 02
ect lets you create an Easy!Appointments 03 $config['useragent'] = 'Easy!Appointments';
client for Android[6], but no official re- 04 $config['protocol'] = 'smtp'; // or 'mail'
leases are listed at this time.
05 $config['mailtype'] = 'html'; // or 'text'
Conclusion
The Easy!Appointments web appoint- Figure 6: The customer selects both the service and the desired provider
ment scheduler is easy and quick to from drop-down lists.
deploy and includes most of the func- notifications, CAPTCHAs, and legal no- documentation is sparse, and it appears
tionality any small business may need. tices, and the technical requirements that the lead developer’s business
It supports internationalization, email are easy to meet. On the other hand, model is to sell support to users who
want site customization. Q Q Q
Info
[1] Easy!Appointments: https://easyappointments.org/ Figure 8: Employees can check upcoming
[2] Hetzner’s documentation for LAMP images: appointments using the web calendar.
https://docs.hetzner.com/cloud/apps/list/lamp-stack/
[3] Fixed vs. flexible appointments:
Author
https://groups.google.com/g/easy-appointments/c/WzxsB8PLTuY Rubén Llorente is a mechanical
engineer who ensures that the IT
[4] Easy!Appointments WordPress plugin:
https://wordpress.org/plugins/easy-appointments/ security measures for a small
[5] Easy!Appointments features: clinic are both legally compliant
https://github.com/alextselegidis/easyappointments#features and safe. In addition, he is an
[6] Easy!Appointments Android client: OpenBSD enthusiast and a
https://github.com/alextselegidis/easyappointments-mobile-client weapons collector.
QQQ
I
n recent years, multifactor authenti- know” authentication factor provides the with virtually any Linux service with
cation (MFA) has been a hot topic second factor to achieve MFA. Many robust industry-standard authentication
in information security, with many software as a service (SaaS) providers, methods. In this article, I will specifi-
organizations and software services such as GitHub, AWS, and Microsoft cally integrate Google Authenticator
now making it a requirement. To achieve Azure, support Google Authenticator as with SSH logins.
MFA, two or more authentication factors an option for MFA.
must be provided by a user to pass au- At a high level, TOTP works by having Advantages of MFA with SSH
thentication. These factors include a secret key that is generated on a ser- You will find MFA useful on servers that
something you have, something you vice and shared with a device. The TOTP have SSH open to the entire Internet or
know, something you are, somewhere algorithm with two inputs, the secret key have SSH open to large networks. By
you are, or something you do. plus the system’s Unix time, results in a adding MFA to SSH, you can mitigate
Many organizations have turned to the one-time password known by both the brute-force attacks on SSH servers, as
Photo by Pedro Miranda on Unsplash
Google Authenticator tool to implement device and the service. A new password well as lower the impact of user pass-
MFA using a time-based one-time pass- is typically generated every 30 or 60 word leaks. An attacker would need
word (TOTP). Using TOTP with Google seconds. both the user’s password and access to
Authenticator satisfies the “something Google provides a pluggable authenti- the user’s Android or iPhone device (or
you have” authentication factor because cation module (PAM), google-authenti- their Google Authenticator secret key)
TOTP requires a device in the user’s pos- cator-libpam [1], that system adminis- to gain access to their user account on
session (e.g., the user’s Android smart- trators can use to integrate various a server via SSH.
phone or iPhone.) Adding a regular user Linux services with Google Authentica- Typically, SSH brute-force attacks on
password to satisfy the “something you tor. As a PAM module, it can be used the open Internet are dictionary
password attacks, and adding TOTP will Server 22.04 uses systemd-timesyncd for PAM looks for service-specific configu-
negate this type of attack. However, if a system time synchronization, but it ration files within /etc/pam.d/ by de-
password leak is suspected, or a user does not have an NTP server config- fault. OpenSSH server has a file located
password seems to have been discovered ured by default. To determine if the at /etc/pam.d/sshd. Add this configura-
by an attacker, it is necessary to change NTP service is active, use the following tion item to the bottom of line:
the password regardless of whether MFA command:
has been implemented or not. auth required U
$ timedatectl status pam_google_authenticator.so nullok
Considerations
While MFA does provide additional secu- I recommend adding NIST’s NTP service The temporary nullok option, used for
rity benefits for authentication with SSH, as the primary NTP server, and Ubuntu’s testing, allows users that have not gener-
it does not make sense for all use cases. own NTP service as a fallback. To do ated a secret key to still authenticate
Bastion hosts, which are typically ac- this, uncomment the #NTP= and with SSH using only their password.
cessed manually by users or as a jump #FallBackNTP=ntp.ubuntu.com lines in / Once keys have been added to all SSH
host, are usually good use cases for etc/systemd/timesyncd.conf, and change users, the nullok option will be removed
MFA. However, MFA may not be ideal for NTP= to NTP=time.nist.gov. After these to enforce MFA.
internal SSH hosts located behind a bas- configuration changes have been made, Finally, reload the SSH server configu-
tion jump host, because two separate restart the timesyncd service with: ration with:
MFA codes will be required for both the
bastion jump host and the destination # restart systemd-timesyncd.service # systemctl reload sshd
Installation
The Google Authenticator module re-
quires libqrencode as a dependency for
generating QR codes in a shell session.
On Ubuntu Server 22.04, libqrencode
can be installed with:
# apt install U
libpam-google-authenticator U
libqrencode4
Time Synchronization
TOTP requires that the system time be
accurate, so synching the server with a
Network Time Protocol (NTP) service
is recommended. While not a require-
ment for TOTP to work, NTP will en-
sure system time synchronization with
an external service. By default, Ubuntu Figure 1: For each security question prompt, enter y.
A QR code will be displayed, which auth required U google-authenticator and then delete
you can scan with the Google Authentica- pam_google_authenticator.so nullok the flag file. When new users are
tor app on your phone. A plaintext key added to the server by the administra-
will also be displayed, which should be to: tor, the administrator can manually
treated with the security of a password. create the flag file in the new user’s
You should write down and securely store auth required U home directory with the commands in
the plaintext key or save it to a password pam_google_authenticator.so Listing 3.
manager. This plaintext key can be used To optionally automate this, you
to re-add the TOTP key to Google Authen- Then reload sshd: could create an empty flag file inside of
ticator if the existing phone is lost, re- /etc/skel:
placed, or broken. After adding the QR # systemctl reload sshd
app, you can enter the current code dis- Adding New Users
played in the app for the next prompt in If you periodically add new users to the By having the flag file inside of /etc/skel,
the shell console to verify it is working server that require SSH, these users will the flag file will be placed in the new us-
(you can use -1 to skip this, but it is not need to generate a key via a direct con- er’s home directory automatically, so the
recommended). You will also receive sev- sole login. If a console login is not feasi- administrator will not need to touch the
eral “scratch codes,” which can be used ble (e.g., servers running in a cloud ser- flag file after creating the account.
in emergencies if the Google Authentica- vice), then a temporary key will need to
tor device is not available. Next, you’ll be be generated by the system administra- Conclusion
given several prompts for security op- tor or ideally by a user creation script. With simple setup and low administra-
tions; choose y for yes for all of them (see An administrator can generate a tempo- tive overhead, adding Google Authenti-
Figure 1) The rate limiting options are es- rary key for a new user with the code in cation TOTP as an authentication
pecially important because these options Listing 1. method for SSH provides the additional
will prevent an attacker from attempting Once generated, you then share the security of MFA for remote server access
a brute-force attack on a time-based temporary secret key, QR code, or plain- at a low time cost. Q Q Q
password. text key with the user. The new user will
ideally need to rerun key generation on Info
Finalizing their first login, which you can enforce [1] google-authenticator-libpam:
Once a secret key has been generated for with various methods such as using a https://github.com/google/
every user that will need to use SSH, you flag file for new users. google-authenticator-libpam
must remove the nullok option to en-
force MFA. As a critical step before con- Flag File Enforcement Author
tinuing, you must test the google-authen- The /etc/skel directory contains de- Jesse Hagewood is a
ticator module to make sure it is work- fault shell profiles and configurations Certified Information
ing on your system, as well as confirm that are copied into users’ home direc- Systems Security
that all existing users have set up secret tories on account creation. You will Professional (CISSP)
keys and Google Authenticator on their need to update /etc/skel/.profile to and an AWS Certified
DevOps Professional.
devices. Once this step is complete, in / check for a flag file. Flag files are
He has been a Linux administrator since
etc/pam.d/sshd, change: empty files that are often used in shell
the start of his career, beginning with
scripts to determine how the script
managing self-hosted Linux email and
Listing 1: Generating a Temporary Key should behave. Append the if block in web servers for local newspapers and
# su - new_user
Listing 2 to /etc/skel/.profile. later on administering large SaaS
$ google-authenticator
The modification from Listing 2 will platforms. Currently, he is a DevOps
check if the flag file $HOME/.first_login Engineer at Ozmo, Inc. in Blacksburg,
$ exit
exists. If so, it will run Virginia
Listing 2: Modify /etc/skel/.profile Listing 3: Adding a New User and Creating a Flag
# Run google-authenticator if a flag file exists. # useradd -m new_user
then # su - new_user
google-authenticator $ google-authenticator
rm -f $HOME/.first_login $ exit
fi # touch /home/new_user/.first_login
QQQ
MakerSpace
Free MathCAD alternative for Linux
Computing Competency
Present complex equations with intermediate steps,
graphics, plots, and results in SMath. By Brooke Metcalfe
U
niversity students in engineer- MathCAD [1] is a good package for
ing often have assignments in writing engineering reports. The tool
which they must show their offers a workbook interface that allows
work step-by-step with sam- you to enter complex equations in a
ple calculations. Although Excel and Py- readable format, along with a rich
thon are useful for advanced calcula- function library, programming inter-
tions, they can’t present complex equa- face, graphics, and plots. Unfortu-
tions formally in a report. nately, MathCAD isn’t supported in
Linux, and it is generally out of the option that works in Linux, macOS, SMath Studio has a side panel of com-
budget for students or casual users. As and Windows. mon functions and symbols (Figure 1).
an alternative, SMath is a great free In this article I introduce SMath and All the functions are listed in the Insert
show you some of the useful features Function (fx) dialog box.
that I expect to use in my next engi-
neering term. I also look at an SMath Equations, Variables,
example that solves a typical high and Units
school or first-year university math SMath lets you create complex calcula-
problem. tions from the side panel (Figure 1) or
with keyboard shortcuts. Complex equa-
Getting Started tions can be modified with the arrow keys
The SMath installation files reside on to move the cursor between elements
the project’s website [2]. To install the (Figure 2).
software, the Mono development envi- SMath Sheets calculate from top left to
ronment needs to be loaded first. In bottom right, so it is important to define
Figure 2: Editing and viewing a Debian/Raspbian/Ubuntu systems, a variable before it is used. A variable is
calculation. enter: defined with :=, and the results of a cal-
culated value are displayed with the
sudo apt install mono-devel equals sign (=).
To add units to a variable, type a
In the next step, copy the SMath installa- single quote ( ') before entering the
tion files to a local directory on your lap- unit, or you can choose from a list of
top and run the SMath desktop: units (Figure 3). If a calculation has
mixed units, SMath automatically
# run SMath Studio in Linux: manages the conversion between
Figure 3: Inserting units. ./smathstudio_desktop_mono units (Figure 4).
To make things a little more present- example, the plot is configured to show checks whether the MyRoots variable is
able, SMath shows variables, calcula- the f(x) quadratic equation. valid (i.e., has roots).
tions, and results in black and units in You can quantitatively find the number If roots are found, the limits are
blue, although this feature is adjustable. of x intercepts in two ways (Figure 8): by passed to an integral function to calcu-
The final results of a calculation can be manually solving the quadratic formula late the area. (Integral and derivative
presented in fractions, unit conversions, for x when y=0, or with the SMath functions are found in the Functions side
or simply the numeric value. solve(2) function. To insert this function, panel.) If no roots are found, the string
type solve, then press the Tab key once "Equation doesn't cross axis" is passed
Solutions the dropdown menu displays solve(2). To to the area variable.
SMath also supports useful features find the area under the curve, the results Figure 11 shows the final SMath work-
such as interface widgets and plotting, of the solve function should be defined as sheet example, with the interface wid-
as well as conditional code. One prob- a new variable (e.g., MyRoots). gets and plotting and conditional code
lem that regularly needs to be solved The solve(2) function returns one or that find the x intercepts and area under
in high school and many first-year uni- two x intercepts where the curve touches a parabola with the quadratic equation.
versity courses is to find x intercepts or crosses the x-axis. If you don’t change
and the area under a parabola defined your settings to Calculation | On error | Examples
by a quadratic equation. The next ex- Continue (Figure 9), the logic will be inter- The package comes with a variety of ex-
ample solves this problem and high- rupted if a curve does not cross the x-axis. amples of modifiable calculations. One
lights some of the key features built Added logic can
into SMath. handle special
The first step in solving this problem cases. To solve
is to define the input variables. User in- for the area under
terfaces such as adjustable sliders can be the curve, I used
added from the Insert menu in the tool- the if statement
bar (Figure 5). Slider widgets define and then checked for
toggle variables (Figure 6). valid roots (Fig-
Plotting a parabola is a quick way to ure 10). An IsDe-
check the number of x intercepts for an fined function Figure 10: How to insert conditional code.
equation. To add a plot, use Insert |
Plot | 2D (Figure 7). Once a plot is
dropped onto a workbook it can be re-
sized and repositioned. For this
Summary
Spreadsheet packages such as Excel
are great tools, but they are weak at
clearly presenting complex equations.
SMath, on the other hand, presents
equations in their conventional forms
and has worksheets with customiz-
able layouts.
As a university student, I spend a lot
of time formatting lab reports. In the
past, I used static tools such as LaTex [3]
or the Microsoft Word Equation Editor to
build sample calculations. Now I find
that the dynamic presentation of com-
plex calculations in SMath can be a huge
time saver. Q Q Q
Info
[1] Mathcad: https://mathcad.com
Author
Brooke Metcalfe is in her third year of En-
vironmental Engineering at Carleton Uni-
Figure 12: Example beam calculation. versity in Ottawa, Canada.
QQQ
MakerSpace
Four Raspberry Pi advertising
and tracking blockers
Trustworthy
A Raspberry Pi with the right software filters out annoying
ads and nasty trackers for end devices on your local network.
By Erik Bärwaldt
A
dvertising on the Internet can connect and configure them once on the
be intrusive and annoying, local network. For the most part, the sys-
often with trackers that spy tems automatically update during opera-
on web browsing behavior. tion, which avoids additional overhead
For standalone workstations, such un- for customization and regular updates.
wanted content can be easily restricted Manual configuration of the clients is
or blocked by browser extensions. How- also largely eliminated. The tools sup-
ever, if you want to configure several port a wide variety of devices. In addi-
workstations, setting up the extensions tion to computers, smartphones, tablets,
can take a great deal of time. Luckily, and Internet of Things (IoT) devices are
special appliances can block unwanted automatically protected.
content centrally before it reaches the in-
tranet. I looked at different strategies and AdGuard Home
their implementations for blocking ads The AdGuard Home [1] DNS server
and trackers on websites. blocks certain domains that distribute
advertising and spy on surfing behavior.
Functionality Known malware domains can be
The solutions presented in this article blocked with blocking lists. The software
can be integrated directly downstream of does not require a client on the end de-
the router on the local network so that vice: Just install it on a Raspberry Pi and
all incoming and outgoing data traffic it protects the whole network.
runs through the tools. These appliances As its home base, AdGuard requires an
act as DNS servers in this process, except installed operating system, such as Rasp-
upribox, which sets up a wireless net- berry Pi OS. The recommendation is to
work you can use to access the Internet give the small-board computer (SBC) a
Lead Image © Vitaliy Gaydukov, 123RF.com
securely. Some of the solutions also offer static IP before the install to avoid prob-
integrated VPN servers and anonymize lems caused by an address change after
IP addresses. From outside the VPN, the a reboot. The application can then be in-
workstations on the internal network stalled and started with a single com-
can no longer be identified by their IP mand at the Raspberry Pi’s terminal:
Author addresses. All of the solutions discussed
Erik Bärwaldt is a self-employed IT admin are also free software, and the hardware $ curl -s -S -L U
and technical author living in the United usually is based on a Raspberry Pi. https://raw.githubusercontent.com/U
Kingdom. He writes for several IT One of the main advantages of central- AdGuardTeam/AdGuardHome/master/U
The software automatically detects the radio button to the left of one of the The Filters | DNS blocklists menu al-
hardware you are using, sets up the sys- alternatives. ready contains two filter lists with a total
tem, and shows at the end of the routine If the logging function is enabled, Ad- of 55,000 blocked domains. Checking a
information on how to access the tool’s Guard Home lists all requests in the box enables a list, whereas clicking the
web interface and control the application Query log tab. It not only lists the times, Check for updates button lets you update
at the prompt. As soon as you call the the requested servers, and the status mes- the enabled lists.
specified URL in a web browser, a graph- sages of the requests, but also – in the Cli- To add additional lists, click Add
ical setup wizard launches. The wizard ent column – the computer on the local blocklist. In the next dialog, you can
guides you through the basic configura- network from which the request origi- then decide whether or not to enable
tion in five steps, requiring you to create nated. You can use these logs to readjust one or more items from a list of pre-
a user account and password to protect the filter settings if necessary. For individ- defined blocking lists (Figure 3) or to
the system. ual clients, certain server requests can be add your own blocking list. The selec-
The wizard also provides detailed in- blocked by clicking Block (Figure 2). tion dialog for predefined blocking lists
structions for configuring the router
and various device classes. For the Ad-
Guard home server to work correctly,
you need to modify the DHCP and DNS
settings on the router for Internet ac-
cess; otherwise, problems could occur.
After completing the basic setup, log in
to the web browser and access the
dashboard (Figure 1).
The dashboard displays statistics
about the connected clients, DNS re-
quests, denied requests, and filtered web
pages in a graphical form. Underneath is
a table of clients, a list of the most fre-
quently requested domains, and a list of
the most frequently blocked domains.
AdGuard Home does not update these
statistics continuously, but you can up-
date them manually by clicking Refresh
statistics.
After closing and reopening the ad-
ministration interface, you do not need Figure 1: AdGuard Home’s start-up window is straightforward.
to specify the port number in the URL
unless you changed the default values
during the basic setup.
Various services (e.g., a parental con-
trol filter) are enabled in the Settings |
General Settings menu. In this dialog,
you also specify how often you want Ad-
Guard Home to update the blocking lists.
The Enforce safe search option blocks
predefined web pages.
Depending on the size of the local net-
work and the volume of the data traffic,
you might want to modify the log inter-
vals. In General settings | Log configura-
tion, you can define how long the server
keeps the logs and whether the client IP
addresses are anonymized.
In Settings | DNS settings, you can
enter additional DNS services on top of
the existing upstream DNS server. With
multiple DNS services, the software
supports load balancing and gives pri-
ority to the fastest server, but you can Figure 2: The AdGuard Home logging function supports manual
change this behavior by clicking on the domain blocking.
ware and software solution. However, advises you go for at least 3A. Addition-
ally, you need a From the image, boot the Raspberry Pi,
free local area net- which must be connected to the router
work (LAN) port with a standard LAN cable. The Rasp-
on the router or berry Pi does not need a keyboard,
switch to connect mouse, or screen.
the Raspberry Pi. After a wait of a couple of minutes, you
The developers can enable eBlockerOS on the Raspberry
also provide a list Pi with any workstation on the network
of compatible from http://setup.eblocker.org. The
routers and re- eBlocker system now uses address resolu-
peaters that have tion protocol (ARP) spoofing to locate end
been tested in devices on the LAN automatically and to
combination with intercept the data traffic as a gateway. A
eBlockerOS. The small orange eBlocker icon appears in the
list does not claim upper right corner of the screen, along
to be complete, with some status information relating to
but most commer- the current system. From this point on,
cially available de- eBlocker analyzes all data packets with the
vices and the all help of deep packet inspection, addition-
listed browsers ally checking notorious data collector do-
Figure 3: In AdGuard Home, you can add additional are compatible, al- mains by DNS blocking and modifying the
blacklists at the push of a button. though some user agent identifier that is sent.
To configure eBlockerOS, click on options as needed. In the future, you will for the current workstation from the
Dashboard for this device. A dialog ap- be able to access the dashboard by enter- Anonymization card. You can also
pears telling you that you can create a ing the IP address of the eBlocker system check the function of the tool or pause
bookmark for the browser. You are then followed by port number 3000. eBlocker for the workstation from the
taken to a spartan dashboard. Click on To configure the system in detail and card at top center. Also useful is the op-
the gear icon in the top right corner of protect it from unauthorized access, first tion to manage lists of domains you
the dashboard to configure the system. set an admin password by clicking Sys- want to block or allow by adding them
In the setup wizard, select Continue, ac- tem at bottom left in the vertical bar and to the Block Domains and Allow Do-
cept the license agreement, and then go then the Admin Password link. mains cards.
on to set the time zone in the next step. You can also change other security op-
The wizard prompts you for a name for tions. To anonymize the IP addresses, Pi-hole
the eBlocker system, but this name is eBlocker provides two options in the IP Pi-hole [5], designed for the Raspberry
only important if you will be running Anonymization group: By default, data Pi but also available for Intel/AMD ar-
multiple eBlockers on the LAN. packets are routed through the Tor net- chitectures, is one of the best known ad
The next step relates to automated ac- work, although a VPN connection with a and tracking blockers. The appliance re-
tivation of eBlocker for devices that you public service provider can be config- quires at least 2GB of free disk space and
add to the network. By default, eBlocker ured as an alternative. 512MB of RAM. Pi-hole turns the Rasp-
is not enabled for new devices. In the You can also set various options for berry Pi into a DNS server that filters all
last step you need to enter the license the DNS firewall, parental controls with data packets. You can even save profiles
key, a relic from the time of the commer- blacklists and whitelists, and mobile de- for defined terminal devices (e.g., to
cial eBlocker version. A valid license key vice protection in the appropriate cate- block adult websites).
will already be displayed, and you just gories. You can also view status indica- You can add the Pi-hole application to
need to enter a valid email address. This tors in the Doctor category. The Devices an existing operating system with curl.
address is used to contact you at short dialog box is where you switch eBlocker Before you install the application on Pi
notice in case of emergencies. protection on or off for individual ter- OS or Debian, the best approach is to
If updates are available, the wizard minal devices. enable an SSH server so that you can
prompts you to update eBlockerOS. For each terminal device on the LAN, later access the Raspberry Pi from any
After completing the update, the Rasp- you can view up-to-date status informa- terminal on the network. On Pi OS, you
berry Pi reboots, and a notification win- tion in the web browser. Type the IP ad- simply enable the SSH server with a
dow appears telling you about the in- dress of the eBlocker system in the slider in the operating system’s configu-
stalled updates. browser, followed by a colon and port ration dialog. On Debian, you need to
After clicking the Continue button number 3000. Alternatively, just type install the openssh-server package man-
again, you will be taken to the dashboard http://eblocker.box. ually and install Pi-hole in a terminal
(Figure 4). In the Device List, you will see eBlockerOS opens a window with nu- window with:
all the devices on the LAN that the sys- merous status “cards” (Figure 5). You
tem located during setup. From the set- can view system messages in the Mes- curl -sSL U
tings bar, you can configure the various sages card or enable IP anonymization https://install.pi-hole.net | bash
After the install, an ncurses configura- Pi-hole sorts by allowed and blocked do- add a single domain to the blocking
tion wizard pops up automatically. mains and the type of request. The sys- list, you would use the Domains dia-
In the wizard, first set a static IP ad- tem also shows as percentages which log. You can also opt to include all sub-
dress for the computer, select a DNS pro- upstream servers were used. At the very domains in the list. Alternatively, you
vider from the list (Pi-hole uses this pro- bottom of the window is additional sta- can add lists of domains to be blocked
vider to resolve web requests), and load tistical information about the clients in the Adlists section by typing the
a block list. The next step is to enable logged in to the network. URL of the new list in the address field
the web interface for management and One key feature in Pi-hole is its ability and then running the pihole -g com-
specify some more details for logging the to group individual endpoints and apply mand in the terminal to add the listing
data. The software then displays a separate filtering rules to each. For ex- to the system. Alternatively, you can
screen with all the important data, in- ample, you can group tablet PCs or follow the link provided in the dialog
cluding the password for logging in to smartphones that are predominantly to update the existing block lists in the
the web interface. A message tells you used by children in a separate group browser window.
that you need to enter the Pi-hole com- and define uniform rules for the group. The newly added lists appear in a
puter as the DNS server on all the termi- This filtering option eliminates the table below the input dialog and can
nal devices on your LAN. time-consuming configuration of indi- be removed again, if needed, by click-
You can now access the Pi-hole sys- vidual devices. ing on the red trash can icon on the
tem’s web interface from any web In the Groups menu in the sidebar, right of the list entry. By default, Pi-
browser on the local network. Type you can create arbitrary groups, which hole enables new blocking lists for all
http://pi.hole/admin or the Pi-hole IP ad- you then enable or disable individually groups. However, you can also assign
dress. After logging in, you are taken to with sliders. Just below Groups is the new lists specifically to individual
an interface that groups the settings op- Clients option, where you create indi- groups of terminal devices. Newly
tions for configuring the tool (Figure 6). vidual clients. The terminal devices dis- added lists can be switched on or off at
You will find the most important data covered by Pi-hole appear here along any time during operation with the
relating to existing clients, their requests, with their MAC addresses in a drop- slider in the Status column.
blocked calls, and filter lists displayed in down menu. You can create a separate To disable Pi-hole for specified periods
a graphically appealing way. Below this entry for each client on the LAN and as- of time, select the appropriate option
information, bar graphs visualize the sign each of the clients to a group, as from Disable Blocking in the sidebar by
number of network requests, followed shown in a table. specifying periods during which you do
by pie charts and tables on the most fre- One of two approaches can be taken not want the application to run any
quently accessed domains, which to extend Pi-hole’s blocking lists: To blocking functions.
One hundred entries are shown in each software now opens a dialog where you the dashboard. Upribox lets you change
case. If you want to add one of the do- can enter a new password and change the protection status of each workstation
mains to a blacklist, click Blacklist. After the name of the administrative user. on the WiFi network individually by set-
confirming the prompt, Pi-hole adds the For each device logged in to the wire- ting a radio button. The devices are in si-
domain into the additional list of individ- less LAN, you will also find its status in lent mode by default, which hides ads
ual domains to be blocked (Figure 7).
upribox
Upribox is one of the senior citizens
among central filtering solutions for in-
tranets. You can download the free soft-
ware for your Raspberry Pi (older third
generation only) as a 655MB image from
the project’s GitHub page [6].
The upribox already sets up a WiFi net-
work at initial startup, but you do need to
connect to the LAN over a cable connec-
tion to complete the setup. Working on
any computer on the network, log in to the
upribox WiFi network with the changeme
WPA2 key and call the URL https://upri.
box:4300 in the machine’s web browser.
After a security prompt, you are taken to
the system’s administration interface. On
the login screen, log in with the upri ac-
count and changethedefaults! password.
You are now taken to the dashboard with
the device overview (Figure 8).
To begin, change the password for the
upri user by clicking on the username Figure 8: The upribox dashboard looks simple, but it gives you all the
top right in the browser window. The information you need.
[QWPGGFCǡENGCTWPFGTUVCPFKPIQHJQY
Linux boots.
FOSSPicks 84
Graham Morrison
This month Graham looks at MuseScore
4, KZones, Whipper, YouPlot, DDSP-VST,
FreedroidRPG 1.0, Decky Loader, and more!
Tutorial – ImageMagick 90
Claudius Grieger
The free ImageMagick graphics toolbox
brings the feature set of a full-blown
image processor to the command line.
MADDOG’S
DOGHOUSE
Linux can be a great new option for users from Windows XP
Jon “maddog” Hall is an author,
educator, computer scientist, and
free software pioneer who has
been a passionate advocate for
Linux since 1994 when he first met
owners to students with a range of interests. BY JON “MADDOG” HALL Linus Torvalds and facilitated the
port of Linux to a 64-bit system.
He serves as president of Linux
t is not often that I write about our work at the Linux Profes- class work, the learning takes place in an environment that en-
Boot Camp
If you want to troubleshoot startup issues, you need a clear understanding of how
Linux boots. BY ALI IMRAN NAGORI
his article explains the process through as checking things such as the BIOS itself, CPU reg-
Figure 1: The traditional BIOS booting sequence. Figure 2: The MBR Block layout.
options that are not dependent on a certain OS. case Secure Boot is not set, the boot manager will
The main purpose of the Stage 2 bootloader pro- cause the ESP to use the GRUB bootloader.
gram is to locate the Linux kernel code (a disk Other than that, the boot manager will ask the
image), which is usually inside the /boot filesys- bootloader for a certificate. Then, the boot man-
tem [3], decompress it, read it into memory as per ager checks it against the keys in the UEFI Secure
the GRUB configuration file, and transfer control Boot key database before running the bootloader.
of the system over to the kernel to move on the Practically, to register the binary, most Linux sys-
boot process. tems utilize a small signed binary (Red Hat uses
the shim package, for example). Additionally, the
Step 4: The Kernel Phase GRUB 2 loader can also be signed with a key that
Once the kernel starts running, it initializes the sys- is user-managed via a Machine Owner Key (MOK)
tem’s hardware to determine what devices are pres- list. All boot binaries, including UEFI firmware driv-
ent. Also, it initializes the system’s device drivers, ers, EFI programs, and the OS, must have their
which allow it to communicate with the hardware. digital signature validated by the firmware. Only
Further, it sets up the system’s memory manage- after this step can the computer boot. This pro-
ment, and then it mounts the root filesystem, which tects the OS from possible threats such as pre-
contains the root directory of the system. Finally, it boot malware, rootkits, and software upgrades
starts the init process from /sbin/init, which is the that aren’t secure [6].
systemd process. Systemd is a replacement for the
old SysVinit process and is the first userspace pro- Step 4: The Bootloader Phase
cess to run on the system with the PID of 1. The GRUB 2 EFI boot loads after a successful Se-
cure Boot verification process. The GRUB 2 boot-
Step 5: The Startup Process loader, in turn, validates the kernel. In a nutshell, a
At this point, systemd manages the user space and bootloader is the very first piece of software that a
brings the system up to an operational state. For ex- computer’s boot process activates. It is in charge
ample, it mounts filesystems and starts other ser- of loading and handing off control to an OS kernel
vices [4]. such as Linux.
in the firmware. Operating systems such as Win- quite similar to a mini operating system. In con-
dows 8 may benefit from fewer steps when load- trast, the legacy BIOS firmware has many limited
ing the OS via UEFI. Consequently, this results in functionalities. Q Q Q
a much lower boot time [8].
Conclusion Info
In this article, I have succinctly covered the boot
[1] BIOS/MBR: https://neosmart.net/wiki/
process on Linux OS. I have tried to cover the
mbr-boot-process
two most used approaches: BIOS and UEFI. Al-
though lengthy, this is actually a very brief intro- [2] Ghori, Asghar. RHCSA Red Hat Enterprise Linux
duction to the boot process. Covering every as- 8: Training and Exam Preparation Guide (EX200),
pect and defining every term involving the boot First Edition. Endeavor Technologies, 2020
process would require a large book. Instead, I [3] /boot: https://refspecs.linuxfoundation.org/
have tried to showcase a basic idea of how the FHS_3.0/fhs/ch03s05.html.
boot process flow works. [4] “Startup process: https://docs.oracle.com/
Also, the boot process is continuously evolving.
en/operating-systems/oracle-linux/8/
Most modern systems are working on UEFI plat-
osmanage/osmanage-WorkingWiththe
forms with backward support for legacy BIOS.
GRUB2Bootloaderand
Moreover, current UEFI-compliant firmware is
ConfiguringBootServices.html#ol-bootconf
[5] UEFI POST: https://wiki.archlinux.org/title/
The Author Arch_boot_process
Ali Imran Nagori is a technical writer and [6] Comparing UEFI and BIOS:
Linux enthusiast who loves to write about https://blog.knoldus.com/uefi-v-s-bios
Linux system administration and related [7] Using UEFI: https://wiki.osdev.org/UEFI
technologies. He blogs at tecofers.com. You [8] UEFI deployment: https://uefi.org/sites/
default/files/resources/UEFI_on_Dell%20Biz-
can connect with him on LinkedIn.
Client_Platforms.pdf
LINUX VOICE FOSSPICKS
Graham has been playing with the source code to the amazing Mutable
Instruments Eurorack modules. The company is closing, but every firmware
to every product is open source. Merci, Émilie Gillet. BY GRAHAM MORRISON
Music notation strengthens MuseScore both as a notation powerhouse
MuseScore 4
and as an open source ambassador project without giving
too much usability away to the money funnel.
You will first notice the music notation rendering. Previ-
ous versions were always better than another great open
ince last looking at Muse- into an online service and training source alternative, LilyPond, but not by much, and it paled in
Kraft
rives fully formed and stable
enough for professional use on
whichever desktop you choose.
Kraft is a content management
reating and maintaining system for business documents. It
Clipboard
n the desktop, the clip- with very little option for interac-
Command runner
just
ommand runners are curi- The commands themselves are
CD ripper
Whipper
he name of this com- uncompressed 16-bit value,
YouPlot
While the input format is based
on tab-separated values (TSV), it’s
both flexible and configurable. By
default, it will make the table with
onsidering how much the first column representing the
DDSP-VST
DSP is an utterly unique instrument that preconfigures a
Project Website
DDSP generates uniquely organic and evolving sounds that can be controlled like https://github.com/magenta/ddsp-vst/blob/main/
acoustic instruments. README.md
Decky Loader
alve’s Steam Deck has Deck functionality. The only
RPG game
FreedroidRPG 1.0
reedroidRPG is an iso- as the AppImage you’ve been
Image Wizardry
The free ImageMagick graphics toolbox brings the feature set of a full-blown
image processor to the command line. BY CLAUDIUS GRIEGER
or more than 30 years, a group of about Testing and Unstable) and Fedora 37 still offered
Listing 3: Mass Rename landscape format, you can rotate them all clock-
$ for i in *.jpg; do \
wise in one fell swoop using the command
convert "$i" "${i%.jpg}.png"; \
mogrify -rotate "90" *.png
done
Listing 6: Watermark
$ composite -watermark 50 \
-gravity Center \
WATERMARK.png \
SOURCE.jpg TARGET.jpg
$ convert image.jpg -gravity SouthWest -pointsize 150 -fill white \ -geometry 800x600+10+10 \
-font DejaVu-Sans -annotate 0 '(c) PHOTO FROM XYZ / 2022' target.jpg *.png imageindex.jpg
spelling of the installed fonts is provided by the capabilities. The program has far more to offer,
command: and detailed knowledge of it fills books. If you
want to learn more about the extensive tool, the
convert -list font project homepage and the man pages of the in-
dividual tools are good places to start. The Im-
To set a watermark, it’s best to use ImageMagick’s ageMagick website also has a practical guide
composite program to blend the source image with about drawing with the tool [2].
an existing image that has an alpha channel (i.e., a When working with the graphics toolbox, al-
transparent background) (Figure 4). The value fol- ways bear in mind that learning a new tool will
lowing -watermark can be between 0 (transparent) take some time. Even if you never quite master
and 100 (fully opaque). The 50 in the example from it or use it to create elaborate image composi-
Listing 6 means 50 percent opacity. The command, tions, ImageMagick is still a handy all-around
like all others with an asterisk instead of the file- tool in everyday life because of its batch options
name, can be applied to all files of a certain type. for converting formats, easy resizing, or embed-
ding watermarks. QQQ
Merging Images
You can use the assemble command to merge im- Info
ages into a single file. Some photographers use
such images like this to capture folder contents [1] ImageMagick: https://imagemagick.org
at first glance. This can be very useful especially
[2] Drawing with ImageMagick:
in the cloud or if bandwidth makes it difficult to
preview images individually. The command from https://imagemagick.org/Usage/draw/
Listing 7 saves all PNG files of the current folder
with a size of 800x600 pixels side by side in a The Author
JPEG and with defined spacing. In each case, the
file name is inserted below the image (Figure 5). Claudius Grieger discovered ImageMagick at
the command line more or less by accident
Conclusions and has been using it ever since on his
Debian system for batch conversion of
The features mentioned in this article only
graphics and photos.
scratch the surface of ImageMagick’s
Figure 5: A labeled overview in an image helps you to save data volume in the cloud.
QQQ
LINUX
NEWSSTAND Order online:
https://bit.ly/Linux-Newsstand
Linux Magazine is your guide to the world of Linux. Monthly issues are packed with advanced technical
articles and tutorials you won't find anywhere else. Explore our full catalog of back issues for specific
topics or to complete your collection.
#268/March 2023
Data Poisoning
Think computers don’t make mistakes? If you slip some doctored-up training samples into the
mix, you can get a fancy machine-learning system to think a dog is a cat or a 1 is an 8 – and
you can trigger this bad behavior through a hidden signal no one else will notice.
On the DVD: MX Linux 21.3 and Puppy Linux FossaPup 9.5
#267/February 2023
Backup
In theory, everyone could use the same backup tool, but the best way to build regular and
systematic backups into your life is to find a solution that fits with your own habits and
methods. This month, we preview some popular backup apps in the Linux space so you
can find one that works for you.
On the DVD: Linux Mint 21 Cinnamon and Kali Linux 2022.4
#266/January 2023
Generative Adversarial Networks
What is the secret behind the recent explosion of computer art and fake videos?
One neural network lies to another neural network...
On the DVD: Ubuntu 22.10 and AlmaLinux 9.0
#265/December 2022
Quantum Computing
Most Linux users know that this futuristic technology leverages the weird power of quantum
mechanics. But how does it really work? What can I do with it? Are there tools available today
that will help me experiment? This month we take a deep dive into quantum computing.
On the DVD: Manjaro 21.3.7-220816 and Arch Linux 2022.10.01
#264/November 2022
Artificial Intelligence
Machine learning remains shrouded in mystery even though it is now an integral part of our
everyday world. This month we look behind the curtain at some popular techniques for
supervised and unsupervised learning.
On the DVD: Debian 11.5 and Rocky Linux 9.0
#263/October 2022
Build an IoT Linux
The most amazing thing about Linux is its flexibility. Linux systems run on the biggest computers
in the world – and on many of the diminutive devices that populate your home environment. If
you’ve always wondered how developers adapt Linux to run on tiny tech, you’ll appreciate this
month’s stories on Buildroot and the Yocto project.
On the DVD: Linux Magazine Archive issues 1-262
FEATURED
EVENTS
Users, developers, and vendors meet at Linux events around the world.
We at Linux Magazine are proud to sponsor the Featured Events shown here.
For other events near you, check our extensive events calendar online at
https://www.linux-magazine.com/events.
If you know of another Linux event you would like us to add to our calendar,
please send a message with all the details to info@linux-magazine.com.
Location: Salt Lake City, Utah Location: Brno, Czech Republic Location: Zagreb, Croatia
and Online
Website: https://us.pycon.org/2023/ Website: https://www.dorscluc.org/
Website: https://linuxappsummit.org/
We are so excited to welcome our DORS/CLUC is the oldest and biggest
community back to the Salt Palace The Linux App Summit (LAS) brings the regional conference that covers free and
Convention Center for the 20th global Linux community together to open source software, open standards,
Anniversary of PyCon US! The program learn, collaborate, and help grow the and Linux. During two days of talks,
is filled with 90+ of our community’s best Linux application ecosystem. Through workshops, and fun, this event brings
talks, brilliant keynote speakers, a lively talks, panels, and Q&A sessions, we together students, FOSS enthusiasts,
Expo Hall, and our famed lightning talks encourage attendees to share ideas, tinkerers, developers, companies, and
on each main conference day. Following make connections, and join our goal of more to learn, network, do business, and
the conference days, there are 4 days of building a common app ecosystem. Join plan projects together – all with a focus
sprints that are free and open to the public. us in-person or online. on free software and Linux.
Events
KubeCon + CloudNativeCon Apr. 17-21 Amsterdam, Netherlands https://events.linuxfoundation.org/
Europe 2023
PyCon US 2023 Apr. 19-27 Salt Lake City, Utah https://us.pycon.org/2023/
Hybrid Cloud Conference Apr. 20 Virtual Event https://www.techforge.pub/events/hybrid-cloud-congress-2/
Linux App Summit 2023 Apr. 21-23 Brno, Czech Republic https://linuxappsummit.org/
Cloud Expo Europe May 10-11 FrankfurtFrankfurt, Germany https://www.cloudexpoeurope.de/
DORS/CLUC 2023 May 11-12 Zagreb, Croatia https://www.dorscluc.org/
Icinga Camp Berlin May 17 Berlin, Germany https://icinga.com/community/events/icinga-camp-berlin-2023/
ISC High Performance May 21-25 Hamburg, Germany https://www.isc-hpc.com/about-overview.html
openSUSE Conf. 2023 May 26-28 Nürnberg, Germany https://events.opensuse.org/conferences/oSC23
CloudFest USA May 31-Jun. 3 Austin, Texas https://www.cloudfest.com/usa/
DrupalCon Pittsburgh June 5-8 Pittsburgh, Pennsylvania https://events.drupal.org/pittsburgh2023
Opensouthcode 2023 June 6-10 Málaga, Spain https://www.opensouthcode.org/conferences/
opensouthcode2023
OW2con'23 June 14-15 Paris-Chatillon, France https://www.ow2con.org/view/2023/
Akademy July 15-21 Thessaloniki, Greece & Online https://akademy.kde.org/
Images © Alex White, 123RF.com
Contact Info
Editor in Chief While every care has been taken in the content of
Joe Casad, jcasad@linux-magazine.com the magazine, the publishers cannot be held respon-
Copy Editors sible for the accuracy of the information contained
Amy Pettle, Aubrey Vaughn within it or any consequences arising from the use of
News Editors it. The use of the disc provided with the magazine or
Jack Wallen, Amber Ankerholz any material provided on it is at your own risk.
Editor Emerita Nomadica Copyright and Trademarks © 2023 Linux New
Authors Rita L Sooby Media USA, LLC.
Amber Ankerholz 8 Managing Editor No material may be reproduced in any form what-
Lori White soever in whole or in part without the written per-
Erik Bärwaldt 72 Localization & Translation mission of the publishers. It is assumed that all cor-
Paul Brown 28, 36 Ian Travis respondence sent, for example, letters, email,
faxes, photographs, articles, drawings, are sup-
Layout
Zack Brown 12 plied for publication or license to third parties on
Dena Friesen, Lori White
Bruce Byfield 6, 45, 54 a non-exclusive worldwide basis by Linux New
Cover Design
Media USA, LLC, unless otherwise stated in writing.
Joe Casad 3, 18 Lori White
Linux is a trademark of Linus Torvalds.
Cover Image
Mark Crutch 79 © Anna Ivanova, 123RF.com All brand or product names are trademarks
Nate Drake 22 Advertising of their respective owners. Contact us if we
Brian Osborn, bosborn@linuxnewmedia.com haven’t credited your copyright; we will always
Claudius Grieger 90 correct any oversight.
phone +49 8093 7679420
Jesse Hagewood 64 Marketing Communications Printed in Nuremberg, Germany by Zeitfracht GmbH.
Jon “maddog” Hall 80 Gwen Clark, gclark@linuxnewmedia.com Distributed by Seymour Distribution Ltd, United
Linux New Media USA, LLC Kingdom
Kristian Kißling 16 4840 Bob Billings Parkway, Ste 104
Lawrence, KS 66049 USA Represented in Europe and other territories by:
Rubén Llorente 58 Sparkhaus Media GmbH, Bialasstr. 1a, 85625
Publisher
Vincent Mealing 79 Glonn, Germany.
Brian Osborn
Published monthly as Linux Magazine (Print
Brooke Metcalfe 68 Customer Service / Subscription
ISSN: 1471-5678, Online ISSN: 2833-3950) by
For USA and Canada:
Graham Morrison 84 Email: cs@linuxnewmedia.com
Linux New Media USA, LLC, 4840 Bob Billings
Phone: 1-866-247-2802 Parkway, Ste 104, Lawrence, KS 66049, USA. Pe-
Ali Imran Nagori 81
(Toll Free from the US and Canada) riodicals Postage paid at Lawrence, KS and addi-
Dmitri Popov 41 tional mailing offices. Ride-Along Enclosed.
For all other countries: POSTMASTER: Please send address changes to
Mike Schilli 48 Email: subs@linux-magazine.com Linux Magazine, 4840 Bob Billings Parkway, Ste
Jack Wallen 8 www.linux-magazine.com 104, Lawrence, KS 66049, USA.
Green
Please note: On sale dates are
approximate and may be delayed
because of logistical issues.
Coding
The future looks brighter if everyone pays attention to
energy. Alternative sources are great, but another way
to conserve greenhouse gasses and build a sustainable
future is to use less. Next month we explore some
techniques for more energy-efficient programming.
Preview Newsletter
The Linux Magazine Preview is a monthly email
newsletter that gives you a sneak peek at the next
issue, including links to articles posted online.