Channel: Planet Grep

Frank Goossens: Music from Our Tube; The Amazing – “Flashlight” (Live at WFUV)


Lionel Dricot: How social networks turned terror attacks into a wonderful birthday present


Some stories start badly. Very badly. But, little by little, life finds its way through the worst situations to blossom into frail and wonderful buds.

This story begins on 7 January 2015. That day, I run into Damien Van Achter, appalled by what is happening in Paris. He tells me about deaths. I don't understand. I then open Twitter and discover the scale of the attacks on Charlie Hebdo.

I don't know it yet, but these attacks are going to change my life. For the better. Incredibly, wonderfully for the better.

In the moment, shocked in turn, I fire off an immediate, instinctive tweet. Being myself sometimes an author of bad-taste humour, I feel attacked in my values.

That tweet will be retweeted more than 10,000 times, published in the media, on television, in a paper book and, above all, on Facebook, where Pierre Berget will turn it into an image and it will be reshared and read by hundreds of thousands of people.

Among them, a young woman. Intrigued, she starts reading my blog and sends me a pay-what-you-want payment. After running into me by chance at the opening of the Rue du Web coworking space, she contacts me on Facebook to discuss some of our respective ideas.

Two years later, on 9 March 2017, my 36th birthday, this young woman, with whom I am madly in love, gave birth to Miniploum, my son. The most beautiful of birthday presents…

I smile, I savour life and I am happy. This happiness, this love I am lucky to live, do I not owe it in part to the social networks that turned a vile attack into a new life?

Let us remember that every tragedy, every catastrophe carries within it the seeds of future happiness. Happiness that may not always make the headlines, that sells less well, but that is the foundation of each of our lives.

Let us also remember that tools, whatever they are, only become what we make of them. They are neither good nor bad. It is our responsibility to make them sources of happiness…

This text was published thanks to your regular support on Tipeee and on Paypal. I am @ploum, blogger, writer, speaker and futurologist. You can follow me on Facebook or Medium, or contact me.

This text is published under the CC-By BE licence.

Les Jeudis du Libre: Mons, 20 April: Configuration and cloud management with SaltStack


This Thursday, 20 April 2017, at 19:00, the 58th Mons session of the Jeudis du Libre de Belgique will take place.

Topic of this session: Configuration and cloud management with SaltStack

Theme: sysadmin|development

Audience: sysadmins|developers|companies|students

Speaker: Sébastien Wains (ETNIC)

Venue: HEPH Condorcet, Chemin du Champ de Mars, 15 – 7000 Mons – Auditorium 2 (G01) on the ground floor (see this map on the Openstreetmap site; NOTE: the entrance is hard to see from the main road, it is in the corner formed by a very large car park).

Attendance is free and only requires registration by name, preferably in advance, or at the entrance to the session. Please indicate your intention by registering via the page http://jeudisdulibre.fikket.com/. The session will be followed by drinks.

The Jeudis du Libre in Mons also benefit from the support of our partners: CETIC, OpenSides, MeaWeb and Phonoid.

If you are interested in this monthly cycle, feel free to consult the agenda and subscribe to the mailing list so as to receive every announcement.

As a reminder, the Jeudis du Libre are meant to be spaces for exchange around Free Software topics. The Mons meetings take place every third Thursday of the month and are organised on the premises of, and in collaboration with, the Mons Hautes Écoles and university faculties involved in training IT professionals (UMONS, HEH and Condorcet), and with the assistance of the A.S.B.L. LoLiGrUB, active in promoting free software.

Description: In the cloud era, the need for automation keeps growing. The number of configuration items to manage increases, without headcount following the same trend. Beyond that, there are also new practices and new needs to satisfy. The system administrator's world is in (r)evolution.

Tools have been created to accompany these technical evolutions; configuration management and tools such as Puppet or Chef quickly come to mind.

Configuration management alone is no longer sufficient, however: the configuration items in one's charge have to be controlled, verified and, where necessary, corrected by means of an "orchestrator" tool.

SaltStack proposes to do all of this, and more. It differs from "classic" tools such as Puppet in that it is built around an event bus, which opens the door to endless possibilities.

The presentation will outline the various concepts of Salt and attempt to answer the following questions:

  • is it useful?
  • is it easy to pick up?
  • is it easy to integrate into my IT system?
  • is it extensible?

Short bio: Sébastien is an enthusiastic Linux user. He developed a passion for computing, and Linux in particular, around the age of 16. Despite his degree in accounting and management, he began his career as a systems administrator, then managing a few servers and about thirty users. His pragmatic approach, drawing on his management background, allowed him to progress to heading a Linux estate of nearly 260 servers used by several thousand users at ETNIC, a public-interest body active in the Wallonia-Brussels Federation.

Sven Vermeulen: cvechecker 3.8 released


A new release is now available for the cvechecker application. This is a stupid yet important bugfix release: the 3.7 release saw all newly released CVEs as already known, so it did not add them to the database. As a result, systems would never be checked against the new CVEs.

It is recommended to remove any historical files from /var/lib/cvechecker/cache like so:

~# rm /var/lib/cvechecker/cache/nvdcve-2.0-2017.*
~# rm /var/lib/cvechecker/cache/nvdcve-2.0-modified.*

This makes sure that the next run of pullcves pull re-downloads those files and attempts to load the resulting CVEs back into the database.

Sorry for this issue :-(

Wim Coekaerts: Oracle Linux 6 update 9

We just released Oracle Linux 6 update 9. The channels are on ULN and on our yum repo. The ISOs are available for download through MOS and in the next few days also on the software delivery cloud page, as customary. The release notes with changes are published and so on.

One thing we discovered during testing of OL6.9 was that a recent change in "upstream" glibc can cause memory corruption resulting in a database start-up failure every now and then.

Since we caught this prior to release, we have, of course, fixed the bug.

The following code change introduced the bug (glibc-rh1012343.patch):

 	
	     char newmode[modelen + 2];
	  -  memcpy (mempcpy (newmode, mode, modelen), "c", 2);
	  +  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
	     FILE *result = fopen (file, newmode);
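Review bot: the suffix grew from one character to two, but neither the copy length nor the array bound grew with it, so the `+` line leaves `newmode` unterminated and one byte too small: `memcpy (mempcpy (newmode, mode, modelen), "ce", 2)` copies only `c` and `e`, and `char newmode[modelen + 2]` has no room left for a NUL once both are appended. The following `fopen (file, newmode)` then reads past the end of the array. Both constants need to become 3, or better be written as `sizeof ("ce")` so that they cannot drift apart again.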

As you can see, someone added e to the mode suffix (c to ce) but left both the memcpy length and the size of newmode at 2, so only the two flag characters are copied and no terminating null is written; the stack array is also one byte too small to hold "ce" plus the terminator.
The correct patch that we have in glibc as part of OL6.9 is:
	-  char newmode[modelen + 2];
	-  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
	+  char newmode[modelen + 3];
	+  memcpy (mempcpy (newmode, mode, modelen), "ce", 3);
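Review bot: the two literal 3s are correct now, but they remain a pair that must always move together, which is exactly how the first patch went wrong. Spelling the suffix once, as in `char newmode[modelen + sizeof ("ce")];` with `memcpy (mempcpy (newmode, mode, modelen), "ce", sizeof ("ce"));`, ties the array bound and the copy length to the string literal. A unit test asserting `strlen (newmode) == modelen + 2` after construction would also have caught the earlier hunk.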

The Oracle bug id is 25609196. The patch for this is in the glibc src rpm. The customer symptom would be a failed start of the database because of fopen() failing.
Something like this:
  Wed Mar 22 *17:19:51* 2017
  *ORA-00210: cannot open the specified control file*
  ORA-00202: control file: '/opt/oracle/oltest/.srchome/single-database/nas/12.1.0.2.0-8192-72G/control_001'
  ORA-27054: NFS file system where the file is created or resides is not mounted with correct options
  *Linux-x86_64 Error: 13: Permission denied*
  Additional information: 2
  ORA-205 signalled during: ALTER DATABASE   MOUNT...
  Shutting down instance (abort)
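The following is an added example, not Oracle's or glibc's code. It rebuilds the fopen mode string the way the two patches above do, with the original sizes, the buggy sizes and the corrected sizes, and checks whether the result is NUL-terminated within the space the real code reserved on the stack. The string is built inside a sentinel-filled buffer that is larger than that reserved space, so the defect is visible without reading past the end of any array; the buffer size, sentinel value and the sample modes are choices made for the demonstration.

```c
/* Added example (not Oracle's or glibc's code): rebuild the fopen mode
 * string as the patches do and detect the missing NUL terminator. */
#include <stdio.h>
#include <string.h>

#define SENTINEL 0x7f            /* never a valid mode character */

static char scratch[32];         /* shared target, refilled on every call */

/* Copy `mode`, then `ncopy` bytes of `suffix`, into `buf`.  `extra` is the
 * number of bytes glibc added to modelen for its stack array, so
 * modelen + extra is the space the real code had.  Returns 1 if the
 * result is NUL-terminated within that space, 0 if it is not, and -1 if
 * the sentinel buffer itself is too small for the copy. */
static int build_mode(char *buf, size_t bufsz, const char *mode,
                      const char *suffix, size_t ncopy, size_t extra)
{
    size_t modelen = strlen(mode);
    size_t reserved = modelen + extra;

    if (modelen + ncopy + 1 > bufsz || reserved + 1 > bufsz)
        return -1;
    memset(buf, SENTINEL, bufsz);
    memcpy(buf, mode, modelen);              /* what mempcpy did */
    memcpy(buf + modelen, suffix, ncopy);    /* the appended flag characters */
    for (size_t i = 0; i < reserved; i++)
        if (buf[i] == '\0')
            return 1;
    return 0;                                /* no terminator in the reserved space */
}

/* The three states of the code: before the change, with the bug, fixed. */
static int original_mode(const char *mode) { return build_mode(scratch, sizeof scratch, mode, "c", 2, 2); }
static int buggy_mode(const char *mode)    { return build_mode(scratch, sizeof scratch, mode, "ce", 2, 2); }
static int fixed_mode(const char *mode)    { return build_mode(scratch, sizeof scratch, mode, "ce", 3, 3); }

int main(void)
{
    const char *modes[] = { "r", "rb", "w+" };   /* sample modes, constructed */
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        int o = original_mode(modes[i]);
        int b = buggy_mode(modes[i]);
        int f = fixed_mode(modes[i]);            /* leaves "<mode>ce" in scratch */
        printf("%-3s original=%d buggy=%d fixed=%d -> \"%s\"\n",
               modes[i], o, b, f, scratch);
    }
    return 0;
}
```

The buggy variant reports 0 for every mode: the byte where the terminator belongs still holds the sentinel, which is what fopen() would have read as part of the mode string.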


Xavier Mertens: [SANS ISC] Logical & Physical Security Correlation


I published the following diary on isc.sans.org: “Logical & Physical Security Correlation“.

Today, I would like to review an example of how we can improve our daily security operations or, for our users, how to help them detect suspicious content. Last week, I received the following email in my corporate mailbox. The mail is written in French but easy to understand: it is a notification regarding a failed delivery (they pretended that nobody was present at the delivery address to pick up the goods)… [Read more]

[The post [SANS ISC] Logical & Physical Security Correlation was first published on /dev/random]

Xavier Mertens: [SANS ISC] Diverting built-in features for the bad

Julien Pivotto: Setting a Socks Proxy in Firefox Webdriver with Robot Framework


Here are the Robot Framework keywords needed nowadays to set up a SOCKS5 proxy (e.g. one opened with ssh -ND 9060 bastion.example.com):

*** Settings ***
Documentation     Open a Web Page using a socks 5 proxy (demo)
Library           Selenium2Library

*** Test Cases ***
Create Webdriver and Open Page
    # Build a Firefox profile through the selenium module already loaded by Selenium2Library
    ${profile}=   Evaluate   sys.modules['selenium.webdriver'].FirefoxProfile()   sys
    Call Method   ${profile}   set_preference   network.proxy.socks   127.0.0.1
    Call Method   ${profile}   set_preference   network.proxy.socks_port   ${9060}
    # Resolve hostnames through the proxy too, so internal names work and DNS queries do not leak locally
    Call Method   ${profile}   set_preference   network.proxy.socks_remote_dns   ${True}
    # 1 = manual proxy configuration
    Call Method   ${profile}   set_preference   network.proxy.type   ${1}
    Create WebDriver   Firefox   firefox_profile=${profile}
    Go To    http://internal.example.com

Julien Pivotto: Running Nightly jobs with Jenkins


Jenkins can spread the load of Jobs by using H instead of * in the cron fields. It means that:

H 3 * * *

Means: run once between 3:00 and 3:59 am.

The minute will be decided by Jenkins, by applying a hash function over the job name.

What about this one:

H H * * *

Means: run once a day. The moment is calculated by Jenkins from the job name.

But what if I have hundreds of jobs, I want to run them once a day, but during night? Something like:

H H(0-5) * * *

Means: Run the job once everyday between 12am and 6am.

But when you scale up your Jenkins, you want the jobs to run between e.g. 7pm and 6am, because you also want to use the hours before midnight.

There is a BAD WAY to do it:

H H(0-6),H(19-23) H/2 * *

That would run the jobs in the morning and the evening, every 2 days. It is complex, and because the day-of-month field resets at each month boundary it does not behave correctly at the end of months.

The GOOD WAY to do it is to set the timezone in the cron expression, something which is not documented yet. It has been there since Jenkins 1.615, so you probably have it in your Jenkins:

TZ=GMT+7
H H(0-10) * * *

What does this mean? In the timezone GMT+7, run the jobs once between 12am and 11am, which means between 7pm and 6am in my timezone (CEST, UTC+2). Note that the sign follows the ISO and Java convention, GMT+7 being seven hours east of UTC; as a POSIX TZ environment variable the same string would mean seven hours west, so do not copy the value into a shell TZ setting and expect the same window.

$ date -d '0:00 GMT+7'
Wed Mar 29 19:00:00 CEST 2017
$ date -d '11:00 GMT+7'
Thu Mar 30 06:00:00 CEST 2017

It is a much simpler syntax and more reliable. Please note that the validation (preview) below the Cron settings does not use that TZ (I opened JENKINS-43228 for this).
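The TZ trick generalises: pick a zone in which the start of the wanted window is midnight, and the window becomes a plain H(0-N) range. The following is an added example, not code from the post or from Jenkins; it computes the TZ line and cron line for any local window (including the post's 19:00 to 06:00 in CEST) and maps the hours Jenkins may hash into back to local time as a check. The GMT+N zone naming follows the post and Java's zone IDs (positive is east of UTC); the function and parameter names are invented here.

```python
"""Added example, not from Julien Pivotto's post or from Jenkins: turn a
night-time window given in local hours into the TZ line plus H-range that
the post's trick relies on, and map the hashed hours back to local time."""
import re


def zone_name(hours_east: int) -> str:
    """'GMT' for zero, otherwise 'GMT+7' / 'GMT-5' as used in the post."""
    return "GMT" if hours_east == 0 else "GMT%+d" % hours_east


def night_window_cron(start_hour: int, end_hour: int, local_utc_offset: int):
    """Return (tz_line, cron_line) so that 'H H(0-N)' in that zone fires
    somewhere in [start_hour, end_hour) local time, even when the window
    crosses midnight (the case a single H(a-b) range cannot express)."""
    if not (0 <= start_hour < 24 and 0 <= end_hour < 24):
        raise ValueError("hours must be 0..23")
    if start_hour == end_hour:
        raise ValueError("window must be shorter than a full day")
    # Choose a zone in which start_hour local time is 00:00; the window
    # then becomes a plain range starting at hour 0.
    shift = (local_utc_offset - start_hour) % 24
    if shift > 12:
        shift -= 24                     # keep the offset in -11..+12
    last_hour = (end_hour - start_hour) % 24 - 1
    hour_field = "H(0-%d)" % last_hour if last_hour > 0 else "0"
    return "TZ=%s" % zone_name(shift), "H %s * * *" % hour_field


def local_hours_covered(tz_line: str, cron_line: str, local_utc_offset: int):
    """List the local hours Jenkins may pick (the hash decides which one),
    in the zone's clock order, so a wrapped window reads 19, ..., 23, 0, ..."""
    m = re.fullmatch(r"TZ=GMT([+-]\d+)?", tz_line)
    if not m:
        raise ValueError("unsupported TZ line: %r" % tz_line)
    shift = int(m.group(1) or 0)
    m = re.fullmatch(r"H (?:H\((\d+)-(\d+)\)|(\d+)) \* \* \*", cron_line)
    if not m:
        raise ValueError("unsupported cron line: %r" % cron_line)
    lo = int(m.group(1) or m.group(3))
    hi = int(m.group(2) or m.group(3))
    return [(h - shift + local_utc_offset) % 24 for h in range(lo, hi + 1)]


if __name__ == "__main__":
    # The post's case: CEST (UTC+2), jobs between 19:00 and 06:00.
    tz, cron = night_window_cron(19, 6, 2)
    print(tz)
    print(cron)
    print("local hours a job may land in:", local_hours_covered(tz, cron, 2))
```

For the post's case this yields TZ=GMT+7 with H H(0-10) * * *, and the check lists 19 through 23 followed by 0 through 5, the eleven hours the author wanted. The offset passed in is the local offset at the time the jobs run; a zone that switches between summer and winter time shifts the window by an hour twice a year unless the TZ line is adjusted.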

Wim Coekaerts: Oracle Linux 6 for SPARC

Oracle Linux 6 for SPARC is now available for download from OTN and the release notes can be found here.

This version of Oracle Linux 6 uses UEK2 (there is no RHCK here of course as there is no corresponding release on SPARC) and this OS release can be installed on T4, T5 and T7 (M7,M5) but not yet on the S7 platform. OL6 for SPARC contains all the packages (binary and -devel) for DAX, ADI (SSM), an updated version of openssl with support of on-chip crypto features.

We also provide the SPARC LDOM Manager code (both source and binary). With LDOM manager installed you can run Oracle Linux as a control domain for both Linux and Solaris guests. You can of course also install Linux as a guest domain on top of Solaris. The kernel supports vswitch and vdiskserver etc. A native (Linux only) installation is also supported.

Our yum repo will have the OL6/sparc channels later today. The repo also contains -devel packages and the toolchains for gcc etc ... BTW of course, gcc supports M7 (cpu) optimizations. We have optimized memcpy and tons of other stuff.

Lots of SPARC Linux kernel code is already in upstream Linux but a bunch of stuff is in progress of going in. The same goes for user space code. glib and gcc patches have for the most part been submitted upstream and committed, some are pending.

A newer ISO with UEK(4) is on its way (we have builds and are testing). This update will also support the S7 systems/chip.

OL6 for SPARC doesn't yet contain all the RPMs that are part of Oracle Linux on x86. Right now it is just a subset; we will be expanding it over time.

I will blog about some Dax and ADI/SSM samples in a few days :) some ldom control domain tips etc...

have fun

Xavier Mertens: [SANS ISC] Pro & Con of Outsourcing your SOC


I published the following diary on isc.sans.org: “Pro & Con of Outsourcing your SOC“.

I’m involved in a project to deploy a SIEM (“Security Information & Event Management“) / SOC (“Security Operation Center“) for a customer. The current approach is to outsource the services to an external company, also called an MSSP (“Managed Security Services Provider“). We had an interesting chat about the pros & cons of having an internal or external SOC… [Read more]

[The post [SANS ISC] Pro & Con of Outsourcing your SOC was first published on /dev/random]

Wim Leers: Backwards Compatibility: Burden & Benefit


In my job at Acquia, I’ve been working almost exclusively on Drupal 8 core. In 2012–2013 I worked on authoring experience (in-place editing, CKEditor, and more). In 2014–2015, I worked on performance, cacheability, rendering and generally the stabilizing of Drupal 8. Drupal 8.0.0 shipped on November 19, 2015. And since then, I’ve spent most of my time on making Drupal 8 be API-first: improving the RESTful Web Services support that Drupal 8 ships with, and in the process also strengthening the JSON API & GraphQL contributed modules.

In the process, I’ve learned a lot about the impact of past decisions (by myself and others) on backwards compatibility. The benefit of backwards compatibility (BC). But the burden of ensuring BC can increase exponentially due to certain architectural decisions. I’ve been experiencing that first-hand, since I’m tasked with making Drupal 8’s REST support rock-solid, where I am seeing time and time again that “fixing bugs + improving DX” requires BC breaks. Tough decisions.

In this talk (which will be a core conversation at DrupalCon Baltimore), I analyzed the architectural patterns in Drupal 8, and provided suggestions on how to do better. I don’t have all the answers. But what matters most is not answers, but a critical mindset going forward that is consciously considering BC implications for every patch that goes into Drupal 8!


Xavier Mertens: [SANS ISC] Whitelists: The Holy Grail of Attackers


I published the following diary on isc.sans.org: “Whitelists: The Holy Grail of Attackers“.

As a defender, take the time to put yourself in the place of a bad guy for a few minutes. You’re writing some malicious code and you need to download payloads from the Internet or hide your code on a website. Once your malicious code spreads in the wild, it will be quickly captured by honeypots, IDS, … (name your best tool) and analysed automatically or manually by the good guys… [Read more]

[The post [SANS ISC] Whitelists: The Holy Grail of Attackers was first published on /dev/random]

Wim Leers: Drupal 8.3: BigPipe experimental → stable!


Almost a year ago, BigPipe was the first experimental module added to Drupal 8. It was still experimental in Drupal 8.2 (October 2016), but it was upgraded from alpha to beta stability. Later today, Drupal 8.3.0 is going to be released, and BigPipe is now stable!

Install it!

BigPipe is a zero-risk module. So … why not install it right now? You can uninstall it at any time. It won’t cause problems in any browser, on any web server, or with any proxy. Because:

There is zero risk of data loss. And when the environment — i.e. web server or (reverse) proxy — doesn’t support streaming, then BigPipe-delivered responses behave as if BigPipe was not installed. Nothing breaks, you just go back to the same perceived performance as before.

If you’re still on Drupal 8.2 for a while — also install it! There are no functional changes for BigPipe between 8.3 and 8.2.

Stability

In hindsight, we could have made BigPipe stable from day one, or at least in Drupal 8.2.

There have been only 4 bug reports since then, 3 of which were trivial forgotten edge cases, and the other one was a bug in the Render system which happened to also affect BigPipe [1]. Still, it is important to very thoroughly validate such a module before marking it stable, because:

This is the sort of module that needs wider testing because it changes how pages are delivered, so before it can be considered stable, it must be tested in as many circumstances as possible, including the most exotic ones.

Given that in the past year only a handful of (non-critical) bugs have been reported … that gave Drupal core committers the confidence to mark it “stable”.

Sessionless BigPipe contrib module

There’s only one thing that is new in BigPipe in Drupal 8.3: some internal refactoring, which makes it possible for the Sessionless BigPipe contrib module to exist.
This contributed module accelerates Page Cache misses using the BigPipe technique.

Future

  1. Only one feature is still planned for the future: interface previews; see Callum Hart’s excellent blog post about it for an introduction.
  2. I hope to enable BigPipe by default in the Standard install profile in 8.4.0 :)

I hope you enjoy faster personalized & authenticated page loads thanks to BigPipe! :)

I want to thank my employer Acquia for giving me the time to make this happen!


  1. See BigPipeRegressionTest: it has an explicit regression test for each of the four bugs: #2698811, #2678662, #2712935 and #2802923.

Xavier Mertens: [SANS ISC] Tracking Website Defacers with HTTP Referers


I published the following diary on isc.sans.org: “Tracking Website Defacers with HTTP Referers”.

In a previous diary, I explained how pictures may affect your website reputation. Although a suggested recommendation was to prevent cross-linking by using the HTTP referer, this is a control that I do not implement on my personal blog, purely for research purposes. And it successfully worked… [Read more]

[The post [SANS ISC] Tracking Website Defacers with HTTP Referers was first published on /dev/random]


Claudio Ramirez: Notes from my Unity -> Gnome3 migration


Mark Shuttleworth, founder of Ubuntu and Canonical, dropped a bombshell: Ubuntu drops Unity 8 and –by extension– also the Mir graphical server. Starting from the 18.04 release, Ubuntu will use Gnome 3 as the default Desktop environment.

Sadly, the desktop environment installed by default and used by millions of Ubuntu users, Unity 7, has no path forward now. Unity 7 runs on the X.org graphical stack, while the Linux world, including Ubuntu now, is slowly but surely moving to Wayland. It’s clear that Unity has its detractors, and it’s true that the first releases (6 years ago!) were limited and buggy. However, today, Unity 7 is a beautiful and functional desktop environment. I happily use it at home and at work.

Dead code (soon-to-be) is dead code, so even as a happy user I don’t see the interest in staying with Unity. I prefer to make the jump now instead of being two years with a desktop on life support. Among other environments, I have been a full time user of CDE, Window Maker, Gnome 1.*, KDE 2.*, Java Desktop System, OpenSolaris Desktop, LXDE and XFCE. I’ll survive :).

The plan of this post is to collect (as post-it) changes I felt I needed to make to a Ubuntu Gnome 3 setup to make it work for me. I made the jump 1 week before the release of 17.04, so I’ll stick with 17.04 and skip the 16.10 instructions (in short: you’ll need to install gnome-shell-extension-dashtodock from an external source instead of the Ubuntu repos).

The easiest way to make the jump is, of course, installing the Ubuntu Gnome distribution. If you're upgrading, you can of course do it manually. In case you want to remove Unity and install Gnome (every step needs root; also review the output of dpkg -l | grep -i unity first, since it matches package descriptions as well as names and may list packages you want to keep):
$ sudo apt-get remove --purge ubuntu-desktop lightdm && sudo apt-get install ubuntu-gnome-desktop && sudo apt-get remove --purge $(dpkg -l | grep -i unity | awk '{print $2}') && sudo apt-get autoremove -y

Changes so far:

  1. Install Gnome 3 and extensions to customize the Gnome 3 experience:
    $ sudo apt-get install -y gnome-tweak-tool gnome-shell-extension-top-icons-plus gnome-shell-extension-dashtodock gnome-shell-extension-better-volume gnome-shell-extension-hide-activities gnome-shell-extension-move-clock gnome-shell-extension-refreshwifi gnome-shell-extension-disconnect-wifi
    I also liked the Pixel Saver extension a lot; however, it feels unnatural on a 3-screen setup like the one I use at work. In case you want to use it:
    $ sudo apt-get install gnome-shell-extension-pixelsaver
  2. Start gnome-tweak-tool and enable “Better volume indicator” (scroll wheel to change volume), “Dash to dock” (a more Unity-like dock, configurable), “Disconnect wifi” (allow disconnecting from a network without switching Wifi off), “Hide activities button” (remove “Activities” at the top left), “Move clock” (move the clock from the middle to the right), “Refresh Wifi connections” (auto-refresh the wifi list) and “Topicons plus” (put non-Gnome icons like Dropbox and pidgin in the top menu). On the Windows tab, I enabled the Maximise and Minimise Titlebar Buttons.
  3. Make the window top bars smaller if you wish. Just create ~/.config/gtk-3.0/gtk.css with these lines:
    /* From: http://blog.samalik.com/make-your-gnome-title-bar-smaller-fedora-24-update/ */
    window.ssd headerbar.titlebar {
    padding-top: 4px;
    padding-bottom: 4px;
    min-height: 0;
    }
    window.ssd headerbar.titlebar button.titlebutton {
    padding: 0px;
    min-height: 0;
    min-width: 0;
    }

That’s it (so far 🙂 ).

Thanks to @sil, @adsamalik and Jonathan Carter.



Mattias Geniar: CAA checking becomes mandatory for SSL/TLS certificates


The post CAA checking becomes mandatory for SSL/TLS certificates appeared first on ma.ttias.be.

This was news to me in a few ways; first, there's a new DNS resource record called CAA (Certificate Authority Authorization) and second, Certificate Authorities are now required to check that record before issuing a certificate, to determine if they're allowed to do so.

Cool!

What's a CAA (Certificate Authority Authorization)?

When in doubt, consult the RFC: RFC 6844,  DNS Certification Authority Authorization (CAA) Resource Record.

In short, it looks like this:

ttias.be. CAA 0 issue "letsencrypt.org"

The CAA record is a new resource record, next to the usual A, CNAME, MX, TXT, ... records you might already know.

The syntax is as follows;

CAA <flags> <tag> <value>

Which translates to;

  • flags: one octet (0-255); the high bit (value 128) is the "issuer critical" flag, which tells a CA that does not understand the property that it must not issue.
  • tag: an ASCII string naming the property the record carries (RFC 6844 defines issue, issuewild and iodef).
  • value: the value associated with the tag.

In reality, you'll see the configurations mostly as follows;

ttias.be. CAA 0 issue "letsencrypt.org"

-> this means that only Let's Encrypt can issue a certificate for the domain "ttias.be". Subdomains inherit it: a CA asked for www.ttias.be finds no CAA record at www, climbs to ttias.be and applies this one (RFC 6844, section 4). Only a CAA record set placed on www.ttias.be itself would override it for that name.

ttias.be. CAA 0 issue "letsencrypt.org"
ttias.be. CAA 0 issue "globalsign.org"

-> this means both Let's Encrypt and Globalsign can issue certificates for the domain "ttias.be".

ttias.be. CAA 0 issuewild "letsencrypt.org"

-> the issuewild tag governs wildcard certificates such as "*.ttias.be". When it is present, wildcard requests are checked against the issuewild records only and non-wildcard requests against the issue records only; when it is absent, the issue records apply to wildcard requests as well. Like issue, it is inherited by names below it (so also for "*.mail.ttias.be") unless those names carry CAA records of their own.

Receiving notifications of CAA violations

If a certificate authority receives a certificate request for a domain, but the CAA record denies it, the CA can send a notification to the domain owner. This is configured & managed via the iodef tag.

ttias.be.  CAA 0 iodef "mailto:m@ttias.be"

-> this configures it so that if a CA receives a certificate request for "ttias.be", you'll be notified on "m@ttias.be".

ttias.be.  CAA 0 iodef "https://ma.ttias.be/callback"

-> this configures it so that an HTTPS call will be made to that URL to inform you of the certificate request attempt. RFC 6844 specifies the report itself as an IODEF document (RFC 5070), delivered by e-mail for mailto: URLs and over the RID transport of RFC 6546 for http(s): URLs; whether a CA sends reports at all is up to the CA.

Query'ing CAA records

Alas, this doesn't work in older dig versions: they don't recognise the type name, and you get the A record instead when you ask for CAA.

$ dig google.com CAA
google.com.		143	IN	A	172.217.17.142

Such dig versions don't know the CAA mnemonic, so you have to be explicit and query for Resource Record Type 257, the number IANA assigned to CAA.

$ dig google.com type257
google.com.		86399	IN	TYPE257	\# 19 0005697373756573796D616E7465632E636F6D
google.com.		86399	IN	TYPE257	\# 15 00056973737565706B692E676F6F67

Notice how the value isn't exactly readable? That's because it's binary encoded and needs to be decoded first, to be human readable.

Update: the dig version on CentOS 7 works just fine.

$ dig -v
DiG 9.9.4-RedHat-9.9.4-38.el7_3.2
$ dig google.com CAA
google.com.		86400	IN	CAA	0 issue "pki.goog"
google.com.		86400	IN	CAA	0 issue "symantec.com"

Tools like dnscaa provide that ability.

$ ./digcaa google.com
google.com. 86399   IN  CAA 0 issue "symantec.com"

Support for CAA records is coming in the next version of DNS Spy, too.
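Decoding those TYPE257 blobs by hand, and applying the inheritance and issuewild rules described above, are both mechanical enough to script. The following is an added example, not code from ma.ttias.be, from dig or from any CA: it parses CAA RDATA in the generic "\# length hex" form dig prints for unknown types, re-encodes it, and runs the RFC 6844 lookup (climb toward the root, first non-empty CAA set wins) against a small in-memory zone. The zone contents, the function names and the choice to start a wildcard lookup at the name below the "*" label are assumptions of this example; CNAME chasing is deliberately left out.

```python
"""Added example, not code from ma.ttias.be or from any CA: decode CAA
RDATA as older dig prints it (generic TYPE257 form) and apply the RFC 6844
lookup and authorization rules to an in-memory zone.  The zone below is
constructed for the demonstration; CNAME chasing is deliberately left out."""
import binascii
from dataclasses import dataclass

CRITICAL = 0x80                         # issuer-critical bit in the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(rdata: bytes) -> CAA:
    """Wire format (RFC 6844 section 5.1): flags (1 octet), tag length (1 octet), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than its two fixed octets")
    flags, taglen = rdata[0], rdata[1]
    if taglen == 0 or len(rdata) < 2 + taglen:
        raise ValueError("tag length %d does not fit in %d octets" % (taglen, len(rdata)))
    tag = rdata[2:2 + taglen].decode("ascii")
    if not tag.isalnum():
        raise ValueError("tag must be US-ASCII letters/digits, got %r" % tag)
    return CAA(flags, tag.lower(), rdata[2 + taglen:].decode("utf-8"))


def parse_dig_generic(text: str) -> CAA:
    r"""Decode dig's unknown-type presentation (RFC 3597): '\# <len> <hex>'."""
    parts = text.split()
    if len(parts) < 3 or parts[0] != r"\#":
        raise ValueError("expected '\\# <length> <hex...>', got %r" % text)
    blob = binascii.unhexlify("".join(parts[2:]))
    if len(blob) != int(parts[1]):
        raise ValueError("declared %s octets, got %d" % (parts[1], len(blob)))
    return parse_caa_rdata(blob)


def encode_caa_rdata(rec: CAA) -> bytes:
    """Inverse of parse_caa_rdata, e.g. to feed a tool that lacks the CAA type name."""
    tag = rec.tag.encode("ascii")
    return bytes([rec.flags & 0xFF, len(tag)]) + tag + rec.value.encode("utf-8")


def relevant_rrset(zone: dict, name: str) -> list:
    """RFC 6844 section 4: climb from `name` toward the root and return the
    first non-empty CAA RRset.  `zone` maps absolute names (trailing dot) to lists."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []


def ca_may_issue(zone: dict, name: str, ca_domain: str) -> bool:
    """Is `ca_domain` allowed to issue for `name`?  A leading '*.' requests a
    wildcard.  No CAA on the whole path, or a CAA set with neither issue nor
    issuewild (e.g. only iodef), leaves issuance unrestricted."""
    wildcard = name.startswith("*.")
    # Assumption of this example: the climb for *.example starts at example itself.
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                    # critical property this issuer cannot honour
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"               # issuewild wins for wildcards, only when present
    grants = [r for r in rrset if r.tag == tag]
    if not grants:
        return True
    # value is "<issuer-domain>[; parameters]"; an empty issuer-domain (";") denies everyone
    issuers = {g.value.split(";", 1)[0].strip().lower() for g in grants}
    return ca_domain.lower() in issuers


# Constructed zone; the names mirror the post's examples.
ZONE = {
    "ttias.be.": [CAA(0, "issue", "letsencrypt.org"),
                  CAA(0, "issuewild", "globalsign.com"),
                  CAA(0, "iodef", "mailto:m@ttias.be")],
    "strict.ttias.be.": [CAA(0, "issue", ";")],                 # nobody may issue
    "open.ttias.be.": [CAA(0, "iodef", "mailto:m@ttias.be")],   # only iodef: unrestricted
    "odd.ttias.be.": [CAA(CRITICAL, "futuretag", "x")],         # critical, unknown tag
}

if __name__ == "__main__":
    # The two TYPE257 blobs dig printed for google.com in the post.
    for blob in (r"\# 19 0005697373756573796D616E7465632E636F6D",
                 r"\# 15 00056973737565706B692E676F6F67"):
        print(blob, "->", parse_dig_generic(blob))
    for name, ca in (("www.ttias.be.", "letsencrypt.org"), ("*.ttias.be.", "letsencrypt.org"),
                     ("*.ttias.be.", "globalsign.com"), ("strict.ttias.be.", "letsencrypt.org")):
        print(name, ca, "->", ca_may_issue(ZONE, name, ca))
```

The two blobs decode to issue "symantec.com" and issue "pki.goog", matching what the CentOS 7 dig shows. Note what the zone walk does to a name such as open.ttias.be: because it has its own CAA set, the parent's restrictions are not consulted at all, so an iodef-only record on a subdomain silently re-opens issuance there.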

Do I have to add CAA records to get a certificate?

No, just like HSTS, the CAA records are completely optional. You should add them, for increased security though.

As of 8 September 2017, Certificate Authorities are obliged by the CA/Browser Forum Baseline Requirements (ballot 187) to check for CAA records and honour those preferences. Not having CAA records is essentially the same as saying "everyone can issue a certificate for my domain".


Dries Buytaert: An apology to the Drupal community


Last week Megan Sanicki, executive director of the Drupal Association, and I published a joint statement. In this blog post, I wanted to follow up with a personal statement focused on the community at large.

I've talked to a lot of people the last two weeks, and it is clear to me that our decisions have caused much alarm and distress in our community. I feel this follow-up is important even though I know it doesn't undo the hurt I've caused.

I want to deeply apologize for causing grief and uncertainty, especially to those in the BDSM and kink communities who felt targeted by the turmoil. This incident was about specific actions of a single member of our community. This was never meant to be about sexual practices or kinks, so it pains me that I unintentionally hurt you. I do support you and respect you as a key part of our community.

Shortly after I started Drupal more than 15 years ago, I based its core values on openness and equality. Gender, race, religion, beliefs, sexuality ... all are welcome in our community. We've always had people with wildly different views and identities. When we walk into a sprint at DrupalCon, we've been able to put our opinions aside, open our laptops, and start collaborating. Diversity has always been a feature, not a bug. I strongly feel that this foundation is what made Drupal what it is today; a global family.

Serving a community as unique and diverse as Drupal is both rewarding and challenging. We've navigated through several defining moments and transitions in our history. I feel what we are going through now is another one of these defining moments for our culture and community. In an excruciating but illuminating way this has shown some of what is best about our community: we care. I'm reminded that what brings us together, what we all have in common, is our love and appreciation of open-source software. Drupal is a positive force, a collective lifting by thousands and thousands, created and maintained by those individuals cooperating toward a common goal, whose other interests have no need to be aligned.

I want to help our community heal and I'm open to learn and change. As one of the next steps, I will make a follow-up post on improving our governance to a healthier model that does not place such sensitive decisions on me. I love this community, and recognize that the things we hold in common are more important than our differences.

(Comments on this post are allowed but for obvious reasons will be moderated.)

Sven Vermeulen: Switched to Lineage OS


I have been a long-time user of Cyanogenmod, which discontinued its services at the end of 2016. Due to lack of (continuous) time, I was not able to switch over to a different ROM. Also, I wasn't sure whether LineageOS would remain the best choice for me or not. I wanted to review other ROMs for my Samsung Galaxy SIII (the i9300 model) phone.

Today, I made my choice and installed LineageOS.

The requirements list

When looking for new ROMs to use, I had a number of requirements, some must-have, others should-have or would-have (using the MoSCoW method).

First of all, I want the ROM to be installable through ClockworkMod 6.4.0.something. This is a mandatory requirement, because I don't want to venture out into installing a different recovery (like TWRP). Not so much that I'm scared of it, but it might require me to install stuff like Heimdall and update my SELinux policies on my system to allow it to run, and has the additional risk that things still fail.

I tried updating the recovery ROM in the past (a year or so ago) using the mobile application approaches themselves (which require root access, that my phone had at the time) but it continuously said that it failed and that I had to revert to the more traditional way of flashing the recovery.

Given that I know I need to upgrade within a day (and have other things planned today), I didn't want to lose too much time upgrading the recovery first.

Second, the ROM had to allow OTA updates. With CyanogenMod, the OTA didn't fully work on my phone (it downloaded and verified the images correctly, but couldn't install it automatically - I had to reboot in recovery manually and install the ZIP), but it worked sufficiently for me to easily update the phone on a weekly basis. I wanted to keep this luxury, and who knows, move towards an end-to-end working OTA.

Furthermore, the ROM had to support Android 7.1. I want the latest Android to see how long this (nowadays aged) phone can handle things. Once the phone cannot get the latest Android anymore, I'll probably move towards a new phone. But as long as I don't have to, I'll put my money in other endeavours ;-)

Finally, the ROM must be in active development. One of the reasons I want the latest Android is also because I want to keep receiving the necessary security fixes. If a ROM doesn't actively follow the security patches and code, then it might become (too) vulnerable for comfort.

ROMs, ROMs everywhere (?)

First, I visited the Galaxy S3 discussion on the XDA-Developers site. This often contains enough material to find ROMs which have a somewhat active development base.

I was still positively surprised by the activity on this quite old phone (the i9300 was first released in May, 2012, making this phone almost 5 years old).

The Vanir mod seemed to imply that TWRP was required, but past articles on Vanir showed that CWM should also work. However, from the discussion I gathered that it is based on LineageOS. Not that that's bad, but it makes LineageOS the "preferred" ROM first (default installed software list, larger upstream community, etc.)

The Resurrection Remix shows a very active discussion with good feedback from the developer(s). It is based on a number of other resources (including CyanogenMod), so seems to borrow and implement various other features. Although I got the slight impression that it would be a bit more filled with applications I might not want, I kept it on the short-list.

SLIMROM is based on AOSP (the Android Open Source Project). It doesn't seem to support OTA though, and its release history is currently still premature. However, I will keep an eye on this one for future reference.

After a while, I started looking for ROMs based on AOSP, as the majority of ROMs shown are based on LineageOS (abbreviated to LOS). Apparently, for the Samsung S3, LineageOS seems to be one of the most popular sources (and ROMs).

So I put my attention to LineageOS:

So, why not?

Using LineageOS without root

While deciding to use LineageOS or go through with additional ROM seeking, I stumbled upon the installation instructions that showed that the ROM can be installed without automatically enabling rooted Android access. I'm not sure if this was the case with Cyanogenmod (I've been running with a rooted Cyanogenmod for too long to remember) but it opened a possibility for me...

Personally, I don't mind having a rooted phone, as long as it is the user who decides which applications can get root access and which can't. For me, the two applications that used root access were an open source ad blocker called AdAway and the Android shell (for troubleshooting purposes, such as killing the media server if it locked my camera).

But some applications seem to think that a rooted phone automatically means that the phone is open access and full of malware. It is hard to find any trustworthy, academic research on the actual secure state of rooted versus non-rooted devices. I believe that proper application vetting (don't install applications that aren't popular and long-existing, check the application vendors, etc.) and keeping your phone up-to-date is much more important than not rooting.

And although these applications happily function on old, unpatched Android 4.x devices they refuse to function on my (rooted) Android 7.1 phone. So, the ability to install LineageOS without root (rooting actually requires flashing an additional package) is a nice thing as I can start with a non-rooted device first, and switch back to a rooted device if I need it later.

With that, I decided to flash my phone with the latest LineageOS nightly for my phone.

Switching password manager

I tend to use such ROM switches (or, in case of CyanogenMod, major version upgrades) as a time to revisit the mobile application list, and reduce it to what I really used the last few months.

One of the changes I did on my mobile application list is switch the password application. I used to use Remember Passwords but it hasn't seen updates for quite some time, and the backup import failed last time I migrated to a higher CyanogenMod version (possibly Android version related). Because I don't want to synchronize the passwords or see the application have any Internet oriented activity, I now use Keepass2Android Offline.

This is for passwords which I don't auto-generate using SuperGenPass, my favorite password manager. I don't use the bookmarklet approach myself, but download and run it separately when generating passwords - or use a SuperGenPass mobile application.

First impressions

It is too soon to say if it is fully functional or not. Most standard functionality works OK (phone, SMS, camera) but it is only after a few days that specific issues can come up.

Only the first boot was very slow (probably because it was optimizing the application list in the background); the second boot was well below half a minute. I didn't count it, but it's fast enough for me.

Philip Van Hoof: The undoable editor that can open > 4 GB text files


We are making an editor for industrial uses at Heidenhain. This is to make big Klartext programs, editable. I’m sure other industries could also use that.

Nowadays these programs often come out of a conversion from a CAD-CAM format. Before you can mill and turn your pesky military secrets on one of the machines controlled by a Heidenhain set, you’ll have to tweak the program that you converted from your CAD-CAM product. We are making the editor for that.

I wrote on this blog how we will instantaneously open those >4GB files, ready for editing. It looks a lot like how I made the E-mail client modest open the headers instantaneously on the N900. Basically, having a partition or index table that gets mmapped.

We’re also making the overlaying (the changes made by the user) undoable. The APIs for that kinda look like this. All examples on my blog are amateur extracts of the real thing, of course.
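The two ideas in the paragraphs above, an mmapped index table so a large file opens without being read up front, and an overlay of user changes that can be undone without touching the mapped bytes, as an added illustration in C. This is not Heidenhain's or the author's code; the type and function names (line_index, overlay, overlay_set, overlay_undo), the fixed table sizes and the constructed sample file are assumptions for illustration only. Out-of-range line numbers and an empty undo stack are rejected explicitly, since an index that is trusted without bounds checks is exactly where an editor working over mmapped memory goes wrong.

```c
/* Added example (not Heidenhain's or the blog author's code): mmap a text
 * file, build an index table of line start offsets, and keep user edits in an
 * undoable overlay. Names and table sizes are assumptions for illustration. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_LINES 1024   /* assumed fixed sizes; a real editor grows these */
#define MAX_UNDO  64

typedef struct {
    const char *base;             /* read-only mapping of the file */
    size_t      size;             /* file size in bytes */
    size_t      start[MAX_LINES]; /* index table: offset where line i begins */
    size_t      nlines;
} line_index;

typedef struct {
    line_index *idx;
    char       *edits[MAX_LINES]; /* NULL means "show the mapped original" */
    struct { size_t line; char *prev; } undo[MAX_UNDO];
    size_t      nundo;
} overlay;

/* Copy n bytes into a fresh NUL-terminated string. */
static char *copy_range(const char *p, size_t n) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memcpy(s, p, n);
    s[n] = '\0';
    return s;
}

/* Map the file and scan it once for newline positions; nothing is copied. */
int line_index_open(line_index *ix, const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    ix->size = (size_t)st.st_size;
    ix->nlines = 0;
    if (ix->size == 0) { ix->base = NULL; close(fd); return 0; } /* mmap rejects 0 */
    ix->base = mmap(NULL, ix->size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (ix->base == MAP_FAILED) return -1;
    size_t pos = 0;
    while (pos < ix->size && ix->nlines < MAX_LINES) {
        ix->start[ix->nlines++] = pos;
        const char *nl = memchr(ix->base + pos, '\n', ix->size - pos);
        pos = nl ? (size_t)(nl - ix->base) + 1 : ix->size;
    }
    return 0;
}

/* Line i straight from the mapping, without its newline; NULL if out of range. */
char *line_index_get(const line_index *ix, size_t i) {
    if (i >= ix->nlines) return NULL;
    size_t a = ix->start[i];
    size_t b = (i + 1 < ix->nlines) ? ix->start[i + 1] : ix->size;
    if (b > a && ix->base[b - 1] == '\n') b--;
    return copy_range(ix->base + a, b - a);
}

void overlay_init(overlay *ov, line_index *ix) { memset(ov, 0, sizeof *ov); ov->idx = ix; }

/* Current text of line i: the user's edit if any, else the original. */
char *overlay_get(const overlay *ov, size_t i) {
    if (i >= ov->idx->nlines) return NULL;
    return ov->edits[i] ? copy_range(ov->edits[i], strlen(ov->edits[i]))
                        : line_index_get(ov->idx, i);
}

/* Replace line i; the previous overlay state goes on the undo stack. */
int overlay_set(overlay *ov, size_t i, const char *text) {
    if (i >= ov->idx->nlines || ov->nundo >= MAX_UNDO) return -1;
    ov->undo[ov->nundo].line = i;
    ov->undo[ov->nundo].prev = ov->edits[i];   /* NULL = "was the original" */
    ov->nundo++;
    ov->edits[i] = copy_range(text, strlen(text));
    return 0;
}

/* Undo the most recent change; -1 when there is nothing to undo. */
int overlay_undo(overlay *ov) {
    if (ov->nundo == 0) return -1;
    ov->nundo--;
    size_t i = ov->undo[ov->nundo].line;
    free(ov->edits[i]);
    ov->edits[i] = ov->undo[ov->nundo].prev;
    return 0;
}

/* Self-check on a small constructed file; returns 1 when every step behaves. */
int demo_editor(void) {
    char path[] = "/tmp/undoable_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    const char sample[] = "first line\nsecond line\nthird line\n"; /* constructed */
    if (write(fd, sample, sizeof sample - 1) < 0) { close(fd); unlink(path); return 0; }
    close(fd);
    line_index ix; overlay ov;
    if (line_index_open(&ix, path) < 0) { unlink(path); return 0; }
    overlay_init(&ov, &ix);
    int ok = ix.nlines == 3;
    ok &= overlay_set(&ov, 1, "second line, edited") == 0;
    ok &= overlay_set(&ov, 1, "second line, edited twice") == 0;
    char *s = overlay_get(&ov, 1); ok &= s && strcmp(s, "second line, edited twice") == 0; free(s);
    ok &= overlay_undo(&ov) == 0;
    s = overlay_get(&ov, 1); ok &= s && strcmp(s, "second line, edited") == 0; free(s);
    ok &= overlay_undo(&ov) == 0;
    s = overlay_get(&ov, 1); ok &= s && strcmp(s, "second line") == 0; free(s); /* original again */
    ok &= overlay_undo(&ov) == -1;        /* empty undo stack is rejected */
    ok &= overlay_get(&ov, 99) == NULL;   /* out-of-range line is rejected */
    if (ix.size) munmap((void *)ix.base, ix.size);
    unlink(path);
    return ok;
}

int main(void) { printf("%s\n", demo_editor() ? "ok" : "FAILED"); return 0; }
```

The index is scanned once at open time here; for the multi-gigabyte case the post describes, the table would be built once and persisted beside the file (that is the part that gets mmapped), so that opening never rescans. The overlay only ever holds the user's changes, so the mapped original stays read-only and the undo stack is a plain list of previous overlay entries.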

I feel like it’s actually going to work out. Architecturally and organizationally the other developers in our team are getting at the right level of expertise and sense of wanting this.

That is most important for anything to make it happen.

It feels a bit like how Nokia was: I’m learning a lot about myself from techleading: how to propose a design, concept or idea; how to convince deeply technical people; how to push others to go further than what they can already do. How to make a team quit competing and start sharing a common goal. The infrastructure for that was provided to me by Nokia. At Heidenhain, I feel like having played a small role in it.
