GUADEC Sports

Hello all!

One thing I enjoy to do when visiting a new city is to visit corners that are not touristic to not miss the “real” culture that you can experience in non-touristic places.

Not only that, but we all know we are used to eat more than usual when traveling, and we don’t keep doing some of our good habits.

For that reason, every GUADEC I try to put together some people and we go running for 5-7 km to different places every morning, with optional exercices once finished. It’s exercice to chill and enjoy, so no worries if you are not in shape.

I created a Riot room that you can access (even as a guest user) through the web, phone, etc. to discuss where we will meet and where we will go

So make sure to bring your sport shoes, don’t be lazy, and join! 😉

Clarification on a recent security flaw on a thumbnailer

Recently a GNOMEr pointed me to a blog post from someone that found a security issue with a thumbnailer called gnome-exe-thumbnailer which tries to thumbnail MSI files and parses VBScripts using Wine, and unfortunately it allowed execution of random code.

How thumbnailers works is that we allow libraries to register as thumbnailers to be used by our generic thumbnailing framework, and although they are out of process, they are not sandboxed. You can understand this issue as if it would be a plugin that has a security flaw.

This would have been a regular CVE in gnome-exe-thumbnailer and world would have move on, however the problem came when the author pointed out the fix was “Don’t use GNOME Files” and the framing of the blog post was, from my point of vision, misleading.

In reality this affect anyone using this thumbnailer, including MATE, XFCE, etc., the project has nothing to do with GNOME, we have never heard of it, and some distributions don’t even have it in their repositories (in this case I checked RHEL and Fedora and they don’t have it). I also find quite disrespectful towards whoever wrote that library to not raise a bug privately, and instead made a public blog post.

The CVE in question, named “Bad Taste” (with even a logo(!) of a wine glass) can be found here.

Does this affects me?

Probably not, since you would have need to install this library on purpose and also use a distribution like Debian/Ubuntu (so far what I checked) that includes it.

However be careful if you do since quite a few programs would use that thumbnailer, including Totem, Eye of GNOME, etc. and there is no way to disable thumbnailing on those (ironically Nautilus does allow to disable thumbnailing).

The fix

Uninstall gnome-exe-thumbnailer :). You can still use Nautilus.

Can GNOME do something?

Yes. We can sandbox thumbnailers (with the same technology as Flatpak, called bwrap). Work is actually almost done over the last 6 months, and hopefully will be merged and relesed soon.

This is also a reminder to all of us that we should move to a world of more sandboxed applications and plugins. This is actually one of the top priority items for us. In that front we have been working hard and pushing as much as we can with Flatpak to create a world of sandboxed apps. If you are interested on the security side of applications, you are welcome to help us shaping the future of it.

In conclusion, it takes 2 minutes to contact any of us and verify your statements/blog post/tech news. Please do, before posting.

As a take away, grab this mojito🍹 and fix the “Bad Taste” 😉

The new contribution workflow for GNOME

Hello community,

I have big good news to share with you. You might know we have been working for years on materializing what we wanted the future of contribution to be, we did multiple iterations and we worked full time on our developer experience… and finally, I’m glad to announce, we achieved it, we have a new way to contribute to GNOME!

One image says more than 1000 words, the whole process of contributing to GNOME is as easy as you will see, all documented in the new newcomers wiki

No specific distribution required. No specific version required. No dependencies hell. Reproducible, if it builds for me it will build for you. All with an UI and integrated, no terminal required. Less than five minutes of downloading plus building and you are contributing.

Can you imagine how this changes the GNOME contribution story? We went from requiring either latest Fedora or Ubuntu, fighting dependencies and random issues, taking more than 80 modules to build just for contributing to a single app. It was a pain.

As an example, Nautilus with the previous tool and workflow took around 6 hours the first time if no issues were present. Now it’s 5 minutes, with no possible build issues (forgive exceptions in the rule 🙂 ).

I think we just opened a new world for contributors.

The work behind it

Of course, a change as big as this didn’t come overnight, this is possible because GNOME and sponsors put the time and resources on it, with rock-stars like Alex Larsson creating Flatpak and Christian Hergert creating Builder, working both for years nonstop in these technologies, with no short term benefit.

Finally the benefit is here, the future we imagined and shaped 5 years ago is coming together, and it’s shining.

Thanks a lot to the people involved, also specially Bastian Ilso for his guidance, design and writing of the new wiki guide.

Hope you enjoy all the work we did, I’m looking forward for your feedback and to fix the issues you may find (contact us in IRC in #newcomers). And soon, to have your first contribution with GNOME done 🙂

 

PD: Please follow the newcomers wiki to have it working, lot of work to make this happen was done in Flatpak 0.9.1, when Ubuntu 16.04 has 0.8.4 for now, so we say to use a PPA for have it updated. I tested thoughtfully in Ubuntu 16.04 and Fedora 25, and it works out of the box following the wiki making sure Flatpak is updated. Thanks all for the feedback so far! 🙂

PD2: I just realized I had a small error when doing the switch to the new wiki and the instructions for Ubuntu 16.04 and PPA got lost. Now it’s fixed, try again and tell us how it goes! 🙂

PD3: Cool video of Jono Bacon showing what Endless does with the same technology https://twitter.com/jonobacon/status/817059475437879305

Nautilus 3.24 – The changes

Another release of GNOME and Nautilus is coming, 3.24. As we have been doing for every release I will explain the changes that have an impact on the users and explain the reasoning behind them, and also a brief look into what we worked on this release.

User changes

Accessing root files – The admin backend

Since Nautilus was created, if a user wanted to open a folder where the user didn’t have permissions, for example a system folder where only root has access, it was required to start Nautilus with sudo.

However running UI apps under root is strongly discouraged, and to be honest, quite inconvenient. Running any UI app with sudo is actually not even supported in Wayland by design due to the security issues that that conveys.

So now we put a gvfs backend (kudos to Cosimo Cecchi) and we added support in Nautilus to open folders and files with no permission to access then conveniently into Nautilus itself. Now if you try to open a folder that requires special permissions it will ask for the root password with a dialog and once provided it will allow the user to navigate them without needing to restart the application or opening a new instance. The password is saved with a timeout so you can use access the file for some time, as is common with PolKit.

Also this allows to use Nautilus to access these files when using Wayland.

Here’s a demo how it works:

Operations button

Two releases ago we introduced a new way to handle operations in Nautilus, using an integrated popover rather than a separated window. We also added a button that shows a pie chart with the completion progress of the operations.

One issue we faced is that this button was not visible enough when an operation started, making the user think nothing was happening and the operation didn’t actually started.

For that we added an animation that makes the button shine, but seems that was not enough and after going back and forward through some solutions we end up showing the operations popover when and operations started, which is the last resort we could go with.

This is by far the least ideal solution, since it kinda disturbs the user and makes them dismiss the popover in every window (because where do you show it? only in the source of the operation? only in the destination? only where the user is looking at? everywhere?)

So we created a new animation that tries to catch more attention, and we will like to receive some feedback on it. Here is a demo:

And so far we didn’t add any user change more, so it should be a good release for those that like stability.

Nautilus desktop works on Wayland sessions

Thanks to Florian Mullner, he came up with a simple but working solution. Now you can use the desktop when in a Wayland session. Keep in mind this requires XWayland, and it’s backported to 3.22 too.

What we have work on

Flow box view

As you may know, the views in Nautilus are quite old and on the technical side they lack the most basic modern stuff, due to it’s custom implementation. For more than 2 years we have been working on allow a new view based on GtkFlowBox to be created.

Issues with current implementation are:

• It’s not using gtk+ widgets or containers. This is by far the most important issue:
  • Any change or new feature  requires a whole “widget alike” object creation.
  • We cannot use any of the gtk+ widgets technology, including the gtk+ inspector or CSS
  • We cannot really create new visualisations like a placeholder for when copying files with some progress information or showing tags for files or any smart feature you could think
  • We have to maintain a big amount of code that Nautilus shouldn’t. This is widget work from gtk+
• Spacing between items is not dynamic
• Selection of items modify the visual of the picture, videos, icons with a blue overlay
• We cannot have several zooms without making the view unusable.
• The view and items “jumps” while it’s loading the files inside, making effectively useless to use Nautilus while the directory is being loaded.

This work it’s without hesitation the hardest and longest that Nautilus have faced for years. It required the desktop to be split from Nautilus, it requires modification in the most basic level of the code, porting to new technologies, etc.

Unfortunately, even if we managed to make all of this work, due to its performance issues we cannot switch to GtkFlowBox yet, and more work is required both in Nautilus and gtk+.

However I’m happy to announce that on the Hackfest we did last Novermber we decided to push forward this as a optional view to be able to iterate on its implementation and open the door for contributions from contributors and GSoC projects on it. This work is an experiment in several ways, not only in the technical part but also in the views itself and the code design. We will iterate on the feedback and code to make it shine before making it the default view. The same will apply to the list view once the icon view is ready.

This experimental view is now optionally checked as a gsetting called “use-experimental-views”. It’s not yet in the user preferences because it’s not in a usable state and it’s not intended to be used by nobody other than developers contributing to Nautilus.

Probably most of you already saw how this looks like on some of my posts in social medias almost a year ago. The state now is much better, here it is:

What did not make it into this release

You can take a look at the roadmap of Nautilus to see that most of the items I planned for this release were not implemented. Instead we implemented two different ones, the admin support and the new icon view.

This is expected, we decided a year ago to do a “tick-tack” release pace. Than means, one release with a lot of new changes and one with stabilisation and improvements in mind, and we kept that promise. We needed to stabilise and improve the new features, like the batch renaming and the decompression support, that we added last release.

So actually there are the same items that couldn’t be included and were mentioned in the previous release blog post.

The reasons this time are different. For the path bar, it was mostly because of the work in gtk4. We don’t want to have different path bars in gtk file chooser and Nautilus. So I would say we need to port Nautilus to gtk4 before committing the new path bar to gtk+. And that requires more work, and to gtk4 to stabilise a little.

For the action bar, was mostly because we need more design time on it. The difficulty in this project is not technical, but design wise.

You can look more details and bug fixes in the NEWS file.

Hope you enjoy the new release! As always, feel free to give any feedback or ask any questions in the comment section of this blog, be constructive please 🙂

Core Apps Hackfest – A success!

The GNOME Core Apps Hackfest just finished, I’m happy to say that it was a success!

Many people from different backgrounds were able to come, either from the community or from companies like Red Hat, Endless, Kinvolk, etc. all of us involved in different parts of the GNOME project.

The first we did was to write down what points  must be discussed during the 3 days, along with identifying the people involved in those topics. This was the trick to be productive in the hackfest, and all of us agreed it worked.

First day early in the morning, before all people joined

Roadmap for the hackfest

Since it’s hard to see what’s written:

• Tracker
  • System vs apps (containerisation)
  • Performance
  • Removable devices
• Maps
• Usage app (one  is being created)
• Control center redesign
  • Network panel
  • Details panel
• Calendar
  • Week view
  • Recurring events
  • Location checks/sugestions
• Books
• Software
  • Categories
  • Offline experience
  • Rollback
  • Shell extensions
  • Performance
  • Flatpaks installation
  • System vs user installs
  • EULA/Licenses
• Sharing portal
• Content selection portal
• Libgd
  • Flowbox view
  • Tagged entry
• Background apps
• Files
  • Action bar
  • Bookmarks / XDG folders
  • External devices
• Opening files with content apps
• Extras
  • Music
  • Videos (series view)
  • Newcomers initiative, new revamp planning

Quite a lot! From that list we identified the most important items and the optional ones that are short enough to allocate some time for. We also identified which items require the most amount of people from different backgrounds to be together so they can be handled as best as possible.

Some topics were very well covered. GNOME Software is now important for a few companies and distributions, so it took quite a lot of discussion during the hackfest . Another topic that was discussed extensively was opening files with content applications, basically using Music, Photos, etc. to open files from Files.

But we also discussed more technical items, thanks to having gtk+ maintainers in the hackfest we were able to talk about gtk4, it’s new OpenGL based drawing model, containers API, GtkListBo, GtkFlowBox and essentially all what we need for our applications and 3rd party developers in the upcoming months.

Some of us will write about the specific items in the upcoming days with blog posts, so keep an eye on planet.gnome.org to see all the discussion we had and what solutions and decisions we came up with for those.

I want to say a big thank you for the excellent organisation of Joaquim Rocha, and for hosting us to Kinvolk, especially to Chris Kühl

and Collabora for sponsoring an excellent dinner on the first day of the hackfest

We had a great one!

Relaxing a bit in the Collabora sponsored dinner

Also to Red Hat and Endless for sending quite a few employees, and last but not least, to the GNOME Foundation for sponsoring the community members, who were essential in our discussions.

Hope you had fun!

GNOME Core Apps Hackfest – Sponsors

As I mentioned in my previous blog post we organized a hackfest to discuss all about the core GNOME experience, with emphasis on core apps and taking into account its impact in 3rd party developers too.
But you can imagine, bringing together a not small amount of developer, designers and community in a single place involves travel costs, accommodation, an appropiate place where we can gather and discuss with internet and tables… and apart of that, small details that improves the overall experience like snacks and something to distract ourselves after a long journey, like a simple dinner all of us together.

This is not possible without the GNOME foundation and companies who believe this is important enough to sponsor people going and the organized events.
In this post I want to announce and thanks the (so far) two sponsors we have got already!

The sponsors

Kinvolk folks will provide us the venue and snacks every day, thanks!

Collabora will provide us a sponsored dinner the first day, thanks!

 

And of course thanks the GNOME foundation and Red Hat who will help a big part of travel and accommodation costs.

Hope to see you all there!

GNOME Core Apps Hackfest

It’s official now, we will have a GNOME Core Apps hackfest happening in Berlin, Germany on November 25-27!

The hackfest is aimed to raise the standard of the overall core experience in GNOME, this includes the core apps like Documents, Files, Music, Photos and Videos, etc. In particular, we want to identify missing features and sore points that needs to be addressed and the interaction between apps and the desktop.

Making the core apps push beyond the limits of the framework and making them excellent will not only be helpful for the GNOME desktop experience, but also for 3rd party apps, where we will implement what they are missing and also serve as an example of what an app could be.

In case you are interested, here is the wiki page with more information. All of you are welcome to attend.

Thanks to Kinvolk folks that will host us in their office!