
Seccomp, AppArmor, SELinux: Where Linux Security Controls Fall Short

LinuxSecurity.com - Fri, 01/05/2026 - 3:44 PM
Most Linux hardening work stays focused on access. Flip on a control, lock things down, move on. That doesn't mean you're actually covered.

Ubuntu Copy Fail High Local Privilege Escalation Threat Advisory 2026-31431

LinuxSecurity.com - Fri, 01/05/2026 - 3:26 PM
Most Linux hardening focuses on access. This vulnerability bypasses that entirely.

Allan Day: GNOME Foundation Update, 2026-05-01

Planet GNOME - Fri, 01/05/2026 - 12:34 PM

It’s the first day of May, and it’s time for another update on what’s been happening at the GNOME Foundation. It’s been two weeks since my last post, and this update covers highlights of what we’ve been doing since then.

Remembering Seth Nickell

This week we received the very sad news of the death of Seth Nickell. It’s been a long time since Seth was active in the GNOME project, so many of our members won’t be familiar with him or his work. However, Seth played an important part in GNOME’s history, and was a special and unique character.

Jonathan wrote a wonderful post about Seth, with some great stories. Federico migrated the memorial page from the old wiki to the handbook, and added Seth there (work is currently ongoing to develop that page). Seth’s death has also been covered by LWN, which includes dedications from GNOME contributors.

Whether you knew Seth or came to GNOME after his time, I think we can all appreciate the contributions that he made, which live on in the project and wider ecosystem to this day.

GNOME Fellowship

Applications for the first round of the new GNOME Fellowship program closed last week, on 20th April. We had a great response and received some excellent proposals, and now we have the tough job of deciding who is going to receive support through the program.

To that end, the Fellowship Committee met this week to review the proposals and begin the selection process. We have identified a shortlist of candidates, and will be meeting again next week to narrow the selection further.

Since this is the first round of the Fellowship, we are establishing the selection process as we go. Hopefully we’ll get to put this to use again in future Fellowship rounds!

Conferences

Linux App Summit (LAS) will be held in Berlin on 16-17 May – that’s in a little over two weeks! The schedule has been finalized and looks great, and this year’s LAS is shaping up to be a fantastic event. Please do consider going, and please do register!

Due to high demand, the organizing team have decided to stream the talks from this year, so look out for details about remote participation.

Aside from LAS, preparations for July’s GUADEC conference continue to be worked on. Travel sponsorship is still available if you need assistance in order to attend, so do consider applying for that.

Office transitions ongoing

Work to update many of our backoffice systems and processes has continued at a steady pace over the past fortnight. Many of the big moves are done (new payments system, email accounts, mailing system, accounting procedures, credit card platform), and we are now firmly in the final stages, making sure that our new address is used everywhere, emails are going to the right places, recurring payments are transferred over to new credit cards, and vendors are setup on the new payments system.

The value of this work is already showing, with smoother accounting procedures, more up to date finance reports, and better tracking of incoming queries.

That’s it for this update. Thanks for reading, and take care.

This Week in GNOME: #247 International Workers' Day

Planet GNOME - Fri, 01/05/2026 - 2:00 AM

Update on what happened across the GNOME project in the week from April 24 to May 01.

GNOME Circle Apps and Libraries

NewsFlash feed reader

Follow your favorite blogs & news sites.

Jan Lukas announces

Hi TWIG. Newsflash can now swipe between articles. This closes off one of the oldest still standing feature requests. And hopefully makes all the mobile users happy.

Third Party Projects

xjuan reports

Casilda 1.2.4 Released!

I am very happy to announce a new version of Casilda!

A simple Wayland compositor widget for Gtk 4 and GNOME

This release comes with several new features like fractional scaling support, bug fixes and extra polish that is making it start to feel like a proper compositor. You can read more about it at https://blogs.gnome.org/xjuan/2026/04/19/casilda-1-2-4-released/

Anton Isaiev says

RustConn (connection manager for SSH, RDP, VNC, SPICE, Telnet, Serial, Kubernetes, MOSH, and Zero Trust protocols)

Versions 0.11.0–0.12.7 bring the three biggest features since the project started, plus a mountain of polish driven by community feedback.

Cloud Sync landed. You can now synchronize connection configurations between devices and team members through any shared directory - Google Drive, Syncthing, Nextcloud, Dropbox, or even a USB stick. Two modes: Group Sync (per-group .rcn files with Master/Import access) and Simple Sync (single-file bidirectional merge). A file watcher auto-imports changes, and the new Cloud Sync settings page shows sync status, synced groups, and available files. CLI got sync status, sync list, sync export, sync import, and sync now commands.

SSH Tunnel Manager is a standalone window for managing headless SSH port-forwarding tunnels without terminal sessions - Local, Remote, and Dynamic forwards with auto-start on launch and auto-reconnect. SSH jump host support was extended to RDP, VNC, and SPICE connections, so you can tunnel graphical sessions through a bastion host. Ctrl+T opens the tunnel manager.

Tab management was completely reworked around AdwTabView. Tab Overview (Ctrl+Shift+O) gives a GNOME Web-style grid of all open tabs. Tab Pinning keeps important tabs at the left edge. A tab switcher in the Command Palette (% prefix) provides fuzzy search across open tabs. Right-click context menu gained Close Others / Left / Right / All / Ungrouped actions.

Other highlights: custom terminal color themes with full 16-color ANSI palette editor; terminal scrollbar; font zoom (Ctrl+Scroll); copy-on-select; SSH Keep-Alive and verbose mode; Hoop.dev as the 11th Zero Trust provider; custom SSH agent socket override (fixes KeePassXC/Bitwarden agent in Flatpak); RDP mouse jiggler; terminal activity/silence monitor; host online check with auto-connect; highlight rules now render with actual colors via Cairo overlay; connection dialog rebuilt with adw:: widgets following GNOME HIG.

Packaging grew significantly. RustConn is now available as Flatpak on Flathub, Snap with strict confinement, AppImage, native .deb and .rpm packages via OBS repositories (Debian 13, Ubuntu 24.04/26.04, Fedora 43/44, openSUSE Tumbleweed/Slowroll/Leap 16.0), plus ARM64 builds. A huge thank you to the community maintainers: the AUR package for Arch Linux, the FreeBSD port, and there is an open request to include RustConn in Debian proper.

Thank you to everyone who reported issues, contributed translations, and tested pre-releases - your feedback shaped every one of these 25 releases. Special thanks to GaaChun for the complete Simplified Chinese translation, and to Phil Dodd and Todor Todorov for the support.

Project: https://github.com/totoshko88/RustConn Flatpak: https://flathub.org/en/apps/io.github.totoshko88.RustConn

Capypara says

Field Monitor 50.0

Field Monitor - the remote desktop viewer focused on accessing VMs - has been updated to version 50.0.

Some highlights:

  • Support for multiple monitors for SPICE connections.
  • Support for sharing USB devices with SPICE sessions using the XDG USB Portal (even with the Flatpak).
  • KVM/QEMU VMs can now be accessed with hardware accelerated GPU rendering - if enabled.
  • Field Monitor now validates server certificates and asks you for your trust if a certificate isn’t automatically trusted by your system.
  • Several bugfixes to RDP and SPICE sessions, such as cursor rendering issues and overall performance.

Field Monitor is available via Flathub: https://flathub.org/apps/de.capypara.FieldMonitor

Christian says

The first public release of Gitte is out!

Gitte is a GTK4/libadwaita git GUI written in Rust, built on Relm4 and git2 (no shelling out to the git binary).

What’s in the initial release:

  • Browse repositories with a saved repositories start screen
  • View the working copy, stage and unstage changes, commit them, amend commits
  • Read the commit log and inspect diffs file by file
  • Manage branches, tags, remotes, and stashes
  • Push from and pull to remotes, auto-fetching remotes in the background

It’s early days, so expect rough edges. Bug reports and feedback are very welcome.

Get Gitte from Flathub: https://flathub.org/apps/de.wwwtech.gitte

Parabolic

Download web video and audio.

Nick reports

Parabolic V2026.4.1 is here with plenty of bug fixes!

Here’s the full changelog:

  • Fixed an issue where some settings would not save correctly
  • Fixed an issue where playlist downloads with a resolution limit had no audio
  • Fixed an issue where portrait/vertical videos in playlists downloaded at incorrect resolutions
  • Fixed an issue where downloads from sites with muxed-only streams would fail
  • Fixed an issue where downloading a time frame clip from a long video produced an incomplete result
  • Fixed an issue where downloading a time frame clip from a long video could hang indefinitely with aria2c enabled
  • Fixed an issue where X/Twitter quoted downloads could produce the same video twice
  • Fixed an issue where deno was unable to be updated in-app on Linux
  • Fixed an issue where browser cookies could not be found when running via Flatpak on Linux
  • Fixed an issue where Parabolic would not start on KDE desktops
  • Fixed an issue where Parabolic did not open links from browser extension on Windows

That’s all for this week!

See you next week, and be sure to stop by #thisweek:gnome.org with updates on your own projects!

Felipe Borges: Let’s Welcome Our Google Summer of Code 2026 Contributors!

Planet GNOME - Thu, 30/04/2026 - 11:05 PM

GNOME is once again participating in GSoC. This year, we have contributors working on adding Debug Adapter Protocol support to GJS, incorporating vocab-style puzzles into GNOME Crosswords, creating a native GTK4/Rust rewrite of the Pitivi timeline ruler, porting gitg to GTK4, implementing app uninstallation in the GNOME Shell app grid, and enabling recovery from GPU resets.

As we onboard the contributors, we will be adding them to Planet GNOME, where you can get to know them better and follow their project updates.

GSoC is a great opportunity to welcome new people into our project. Please help them get started and make them feel at home in our community!

Special thanks to our community mentors, who are donating their time and energy to help welcome and guide our new contributors: Philip Chimento, Jonathan Blandford, Yatin, Alex Băluț, Alberto Fanjul, Adrian Vovk, Jonas Ådahl, and Robert Mader.

Sophie Herold: Testing Library Code in GNOME OS

Planet GNOME - Thu, 30/04/2026 - 2:58 PM

Yesterday, I wanted to debug a glycin (or Shell) issue on GNOME OS. Turns out, there is currently no documentation that works or includes all necessary steps.

Here is the simplest variant if you don’t develop on GNOME OS and have an internet connection that can download 16 GB in a reasonable amount of time.

First we get a toolbox image to build our code.

$ toolbox create gnomeos-nightly -i quay.io/gnome_infrastructure/gnome-build-meta:gnomeos-devel-nightly

After entering the toolbox with

$ toolbox enter gnomeos-nightly

we can clone and build our project with sysext-utils that are included in our image:

$ meson setup ./build --prefix /usr --libdir="lib/$(gcc -print-multiarch)"
$ sysext-build example ./build

This creates an example.sysext.raw file.

Now, we need a GNOME OS to test our build. We can download the image and install it in Boxes. After logging in, we can just drag and drop the example.sysext.raw into the VM.

Before we can install it, we need to get the development tools for our VM:

$ run0 updatectl enable devel --now

After that, we need to restart the VM.

Finally, we can test our build:

$ run0 sysext-add ~/Downloads/example.sysext.raw

Adding the --persistent flag to this command will make the changes stay active across reboots.

If the changes made it impossible to boot into the VM again, we can start the VM in “Safe mode” from the boot menu. After logging in, we can manually remove the extension:

$ run0 rm /var/lib/extensions/example.raw

Happy hacking!

next-20260430: linux-next

Kernel Linux - Thu, 30/04/2026 - 1:24 PM
Version: next-20260430 (linux-next) | Released: 2026-04-30

5.10.254: longterm

Kernel Linux - Thu, 30/04/2026 - 11:25 AM
Version: 5.10.254 (longterm) | Released: 2026-04-30 | Source: linux-5.10.254.tar.xz | PGP Signature: linux-5.10.254.tar.sign | Patch: full (incremental) | ChangeLog: ChangeLog-5.10.254

5.15.204: longterm

Kernel Linux - Thu, 30/04/2026 - 11:24 AM
Version: 5.15.204 (longterm) | Released: 2026-04-30 | Source: linux-5.15.204.tar.xz | PGP Signature: linux-5.15.204.tar.sign | Patch: full (incremental) | ChangeLog: ChangeLog-5.15.204

6.1.170: longterm

Kernel Linux - Thu, 30/04/2026 - 11:23 AM
Version: 6.1.170 (longterm) | Released: 2026-04-30 | Source: linux-6.1.170.tar.xz | PGP Signature: linux-6.1.170.tar.sign | Patch: full (incremental) | ChangeLog: ChangeLog-6.1.170

6.6.137: longterm

Kernel Linux - Thu, 30/04/2026 - 11:17 AM
Version: 6.6.137 (longterm) | Released: 2026-04-30 | Source: linux-6.6.137.tar.xz | PGP Signature: linux-6.6.137.tar.sign | Patch: full (incremental) | ChangeLog: ChangeLog-6.6.137

6.12.85: longterm

Kernel Linux - Thu, 30/04/2026 - 11:16 AM
Version: 6.12.85 (longterm) | Released: 2026-04-30 | Source: linux-6.12.85.tar.xz | PGP Signature: linux-6.12.85.tar.sign | Patch: full (incremental) | ChangeLog: ChangeLog-6.12.85

6.18.26: longterm

Kernel Linux - Thu, 30/04/2026 - 11:14 AM
Version: 6.18.26 (longterm) | Released: 2026-04-30 | Source: linux-6.18.26.tar.xz | PGP Signature: linux-6.18.26.tar.sign | Patch: full (incremental) | ChangeLog: ChangeLog-6.18.26

7.0.3: stable

Kernel Linux - Thu, 30/04/2026 - 11:13 AM
Version: 7.0.3 (stable) | Released: 2026-04-30 | Source: linux-7.0.3.tar.xz | PGP Signature: linux-7.0.3.tar.sign | Patch: full (incremental) | ChangeLog: ChangeLog-7.0.3

vixalien: A love letter to mise

Planet GNOME - Thu, 30/04/2026 - 2:00 AM

Recently, I have been using GNOME OS, as my daily driver.

After being a seasoned Linux user for a long time, dabbling in distros like Alpine Linux, Arch Linux and Fedora (and even Silverblue), I tried switching to something more opinionated that "works by default" while being hard to break.

And given my existing relationship with GNOME, GNOME OS was a choice worth looking into.

One feature of GNOME OS is that it is immutable (i.e. system files are read-only). It also doesn't ship with a package manager, so it doesn't have functionality built-in to install extra packages.

You can install GUI Applications normally using Flathub (and Snap/AppImage), but installing non-GUI applications like development tools or CLI packages is not built-in.

There are of course several solutions you can use, such as homebrew or coldbrew, but today we will focus on mise.

What is mise?

mise pitches itself as "One tool to manage languages, env vars, and tasks per project, reproducibly."

However, I only use a fraction of its functionality, in that I only use it to install packages.

How to install it?

The instructions are here: https://mise.jdx.dev/getting-started.html

But essentially it's as easy as running this (remember to read the source of the installer first: piping a download straight into sh runs whatever the server sends, so download it to a file and look at it before executing it):

curl https://mise.run | sh

Activating mise

Then you will need to "activate" mise, which essentially makes tools installed by mise available by modifying your $PATH variable

echo 'eval "$(~/.local/bin/mise activate bash --shims)"' >> ~/.bashrc

The instructions above are for bash, so you will need to consult the docs to get instructions for your shell.

You will need to re-login for the mise command to be available, or open a new shell.

A note on shims

Feel free to skip this section, as it's just an explainer

Also, note that the command above uses the --shims flag, which is NOT the default. With shims, mise only puts a directory of small wrapper executables on your $PATH; without it, mise hooks your shell so that it re-evaluates which tool versions to expose after each command you run.

The non-shim way to activate mise is useful when you use mise to install different package versions across different repositories, but that sometimes breaks IDEs and is out of the scope of this blog post.

Installing packages

You can start installing your first package with mise:

mise use -g java

The above command installs java globally (hence the -g flag), which you can now confirm by running:

$ java --version
openjdk 26.0.1 2026-04-21
OpenJDK Runtime Environment (build 26.0.1+8-34)
OpenJDK 64-Bit Server VM (build 26.0.1+8-34, mixed mode, sharing)

You can install many more tools, of which you can find a non-complete list here: mise-tools.

For example, you can similarly install a specific major version of nodejs

mise use -g node@22

Or install the latest LTS version of node

mise use -g node@lts

Or you can be overly specific

mise use -g node@v25.9.0
mise use -g node@25.9.0 # this works too!

Searching

Use mise search to find packages.

mise search typ

Tool       Description
typos      Source code spell checker. https://github.com/crate-ci/typos
typst      A new markup-based typesetting system that is powerful and easy to learn. https://github.com/typst/typst
typstyle   Beautiful and reliable typst code formatter. https://github.com/Enter-tainer/typstyle
quicktype  Generate types and converters from JSON, Schema, and GraphQL provided by https://quicktype.io. https://www.npmjs.com/package/quicktype

Uninstalling

mise unuse -g node

Updating

mise self-update # updating mise itself
mise up          # updating tools installed by mise
mise outdated    # checking if you have outdated tools

Config File

Tools you install with mise globally are saved in the file ~/.config/mise/config.toml, which you can commit to your dotfiles so you can have the same tools across different machines. Pinning a tool to an exact version there, rather than "latest", is what actually makes that set of tools reproducible from one machine to the next.

Here's an example of my mise config file at the time of writing this blog post.

# ~/.config/mise/config.toml
[tools]
bat = "latest"
btop = "latest"
bun = "latest"
caddy = "latest"
"cargo:mergiraf" = "latest"
deno = "latest"
difftastic = "latest"
doggo = "latest"
fastfetch = "latest"
fzf = "latest"
github-cli = "latest"
"github:railwayapp/railpack" = "latest"
glab = "latest"
helix = "latest"
java = "latest"
lazygit = "latest"
node = "latest"
"npm:vscode-langservers-extracted" = "latest"
oha = "latest"
pipx = "latest"
pnpm = "latest"
prettier = "latest"
rust = "latest"
scooter = "latest"
tmux = "latest"
usage = "latest"
yt-dlp = { version = "latest", rename_exe = "yt-dlp" }
zellij = "latest"
"github:patryk-ku/music-discord-rpc" = { version = "latest", asset_pattern = "music-discord-rpc" }
rclone = "latest"
mc = "latest"
go = "latest"
"go:git.sr.ht/~migadu/alps/cmd/alps" = "latest"
"npm:localtunnel" = "latest"

After the tools inside the config have changed, you can run the following command to make mise re-install packages from the config file

mise install

Mise Backends

Mise is able to install packages from multiple sources. These sources are called "backends" by mise.

When you type mise use -g node@22, it will resolve node against the registry and figure out that the default backend for node is core

Core

The default backend is called core and tools from this backend are usually provided from the official source.

Other tools that are available from core include Node.js, Ruby, Python, etc...

We could also have been explicit with the backend we want to use

mise use -g core:node

You can find a list of all core packages here.

Aqua

You can also install packages from the Aqua registry.

Language Package Managers

You can also install tools from their respective package managers. Here are a few examples

npm

You can install prettier, typescript, oxlint and other JavaScript/TypeScript tools published on the npm registry. Find the tools on npm

mise use -g npm:prettier

pipx

You can install black, poetry and other Python tools from pypi. Find the tools on pypi

mise use -g pipx:black
mise use -g pipx:git+https://github.com/psf/black.git # from a github repo

cargo

You can install cargo packages with this backend. You need to have rust installed beforehand though, which you can do with mise

mise use -g rust

Then install your packages

mise use -g cargo:eza

There are more language package manager backends like: gem, go and more.

Github

You can install packages from Github directly, as long as the project you are trying to install from uses Github releases

mise use -g github:railwayapp/railpack

mise will usually auto-detect which asset you want to use, but you can also specify the asset glob in ~/.config/mise/config.toml

[tools]
"github:patryk-ku/music-discord-rpc" = { version = "latest", asset_pattern = "music-discord-rpc" }

GitHub 'No Longer a Place For Serious Work', Says Hashicorp Co-Founder

Slashdot - Wed, 29/04/2026 - 7:00 PM
Hashicorp co-founder Mitchell Hashimoto says GitHub's frequent outages have made it "no longer a place for serious work," prompting him to move his Ghostty terminal emulator project elsewhere after 18 years on the platform. The Register reports: "I've been angry about it. I've hurt people's feelings. I've been lashing out. Because GitHub is failing me, every single day, and it is personal. It is irrationally personal," he wrote. The reason for his ire is the service has become unreliable. "For the past month I've kept a journal where I put an 'X' next to every date where a GitHub outage has negatively impacted my ability to work," he wrote. "Almost every day has an 'X'. On the day I am writing this post, I've been unable to do any PR review for ~2 hours because there is a GitHub Actions outage." Hashimoto penned his post a few days before an April 28 incident that saw pull requests fail to complete due to an Elasticsearch SNAFU. Incidents like that mean Hashimoto has decided GitHub "is no longer a place for serious work if it just blocks you out for hours per day, every day." "It's not a fun place for me to be anymore," he lamented. "I want to be there but it doesn't want me to be there. I want to get work done and it doesn't want me to get work done. I want to ship software and it doesn't want me to ship software." The developer says he wants GitHub to improve, but "I also want to code. And I can't code with GitHub anymore. I'm sorry. After 18 years, I've got to go." He's open to a return if GitHub can deliver "real results and improvements, not words and promises." But for now, he's working to move Ghostty to another collaborative code locker. "We have a plan but I'm also very much still in discussions with multiple providers (both commercial and FOSS)," Hashimoto wrote. "It'll take us time to remove all of our dependencies on GitHub and we have a plan in place to do it as incrementally as possible." 
He's doing the equivalent of leaving a toothbrush at a former partner's house by leaving a read-only mirror of Ghostty on GitHub, and by keeping his personal projects on the Microsoft-owned service. But Hashimoto's moving his day job somewhere new. "Ghostty is where I, our maintainers, and our open source community are most impacted so that is the focus of this change. We'll see where it goes after that," he concluded.

Read more of this story at Slashdot.

Jonathan Blandford: Remembering Seth

Planet GNOME - Wed, 29/04/2026 - 7:07 AM

I heard the news about Seth Nickell’s passing last week, and have been in a bit of a funk ever since.

Seth was brilliant, iconoclastic, fearless.

It’s been a long while since Seth was an active part of the GNOME Community, but his influence on the project can still be seen in its DNA if you know where to look. He arrived on the GNOME scene while still in school with hundreds of ideas on how to improve things. It was an interesting time: We had just launched GNOME 1.5 and were searching for a new path towards GNOME 2.0. The Sun usability study had been published and the community had internalized the need to change directions. Seth rolled up his sleeves and did the work needed to help light that path.

Seth championed radical proposals such as instant apply, button ordering, message dialog fixes, and more. He cleaned up the control-center proposing some of the most visible changes from GNOME 1 to 2. He also did the initial designs for epiphany, pushing for a cleaner browser experience during an era of high browser complexity. He had a vision of desktops as a democratic tool, as easy and natural to use as any other tool in the human experience.

As a designer, Seth was focused on trying to understand who we were designing for and making sure we were solving problems for them. While he wasn’t beyond fixing paddings / layouts, he wanted to get the Big Picture right. He wasn’t beyond rolling up his sleeves writing code to move things forward, but was at his best as a champion and visionary, arguing for us to take risks and continue to innovate.

Spending time with Seth was a hoot. He had such a flair for the dramatic. I remember…

  • …the time he sold the design for what would become NetworkManager to a bunch of engineers. He got up on the stage and announced: “We are going to make this [holding an ethernet cable] as easy to use as this [producing a power plug]!” It’s hard to describe how many steps it took to set up networking back then.
  • …his vision of an improved messaging system — Project Yarrr. He used ☠ (U+2620) as the SVN repo name partially to see how many internal tools weren’t UTF-8 clean.
  • …him breaking out into an operatic rendition of “Tradition” when developers were pushing back on a change he was proposing.
  • …the time he changed everyone’s background in the RH office to have crop circles over night. He showed up the next morning in a robe dressed as an old-testament prophet, beating a drum and carrying a “RHEL5 IS NIGH” sign.
  • …hanging printouts of hate mail he got for various design choices outside of the Mega Cube (a group activity)!
  • And everyone who was around for the Dark Princess Incident will always remember it.

Being one of the public faces of GNOME2 was hard, and he moved on. Later, he worked on OLPC and Sugar, and made his mark there. After that, he seemed to travel a lot. We lost touch, though he’d reappear every couple of years to say hi. I hope he found what he was looking for.

Farewell, my friend. The world now has less color in it.

Thibault Martin: TIL that Yubikeys are convenient for Linux login

Planet GNOME - Tue, 28/04/2026 - 12:00 PM

I got myself a Yubikey recently, and I wanted to use it as a nice convenience to:

  1. Grant me sudo privileges
  2. Unlock my session
  3. Decrypt my LUKS-encrypted disk

I've only managed to do the first two, since they both rely on Linux Pluggable Authentication Modules (PAM). Luckily for me, one of PAM's modules supports U2F, the standard Yubikeys rely on.

First I need to install pam-u2f to add U2F support to PAM, and pamu2fcfg to configure my key.

$ sudo rpm-ostree install pam-u2f pamu2fcfg

Since I'm running an immutable OS I need to reboot, and then I can create the correct directory and file to dump an U2F key into it.

$ mkdir -p ~/.config/Yubico
$ pamu2fcfg > ~/.config/Yubico/u2f_keys

Then I make sure to have a root session open in case I lock myself out of sudo.

$ sudo su
#

In a different terminal, I can edit /etc/pam.d/sudo, the PAM stack that sudo consults (not the sudoers file), so that it reads:

#%PAM-1.0
auth       sufficient   pam_u2f.so cue openasuser
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

I save this file and open a new terminal. I type in sudo vi and it asks me to touch my FIDO authenticator before opening vi! If I touch the Yubikey, it indeed opens vi with root privileges.

Let's break down the line:

  • auth for authentication
  • sufficient passing this module is enough on its own (it is an alternative to the password, not an additional factor)
  • pam_u2f.so the module we load is for U2F, the standard Yubikeys use
  • cue print "Please touch the FIDO authenticator." when the user needs to authenticate
  • openasuser open the key file with the user's privileges rather than root's

One consequence worth knowing before copying this: with openasuser the key list is read from a file the user owns. Anyone running code as that user could register a key they control in it and then pass sudo with a touch instead of the password. pam_u2f's authfile option can instead point the module at a root-owned mapping file, for example /etc/u2f_mappings, if you want to keep the registration out of the user's reach.

It's also possible to use it to unlock my session, but it would be a bit reckless to allow anyone with my Yubikey to log into my laptop. If my backpack gets stolen and it has both my Yubikey and my laptop, anyone can log in.

It's possible to make the login screen require either my user password, or all of

  • The Yubikey itself
  • The PIN of the Yubikey
  • Me to touch the Yubikey

Three wrong PINs in a row force the key to be unplugged and reinserted before it accepts another attempt, and eight consecutive failures block the FIDO2 application entirely, after which it can only be reset, which wipes its credentials (the PUK belongs to the Yubikey's PIV application, not to FIDO2). This gives me an additional layer of security, and it's more convenient than having to type a full-length passphrase.

I've added the following line to /etc/pam.d/greetd (the greeter I use):

#%PAM-1.0
auth       sufficient   pam_u2f.so cue openasuser pinverification=1 userpresence=1
auth       substack     system-auth
[...]

[!warning] I can lose my Yubikey

I use my Yubikey as a nice convenience to set up a weaker PIN while not compromising too much on security. I use it instead of a password, not in addition to it.

Since I can lose or break my Yubikey and I don't want to buy two of them, I make the U2F login sufficient but not required. This means I can still fallback to password authentication if I lose my Yubikey.

Finally, DankMaterialShell uses its own lockscreen manager too. I still want to be able to fallback to password authentication if need be, so I'll configure it to accept U2F OR the password, not both.

This means that the lockscreen will call /etc/pam.d/dankshell-u2f to know what to do when the screen is locked. Since this file doesn't exist, I can create it with the following content.

#%PAM-1.0
auth       sufficient   pam_u2f.so cue openasuser pinverification=1 userpresence=1

I need a fallback for when I don't have my Yubikey, so I also create the one for this occasion

#%PAM-1.0
auth       include      system-auth

Finally, I have a consistent setup where both my login and lock screen require me to plug in my key, enter its PIN and touch it, or enter my full password. When it comes to sudo, I only need to touch my key, without a PIN.
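To make the control-flag semantics concrete, here is an added example (my own code, not from the post and not libpam) that evaluates simplified PAM auth stacks. It models the four basic control flags and, as an assumption, treats the post's "include system-auth" as a single password module, pam_unix.so. It shows that the key-or-password stacks used above still let a correct password through when the key is missing, that a key-and-password stack would not, and that a sufficient rule placed after a failed required rule no longer short-circuits the stack.

```python
"""Evaluate simplified PAM auth stacks to see how sufficient/required combine.

Added example; not code from the post and not libpam. Assumption: the
`include system-auth` line is modelled as one password module, pam_unix.so.
"""


def evaluate_auth(stack, outcome):
    """Run an auth stack the way libpam does for the basic control flags.

    stack:   list of (control, module) in file order
    outcome: dict module -> True (passed) / False (failed, or key absent)
    Returns True when the stack grants authentication.
    """
    failed = False
    for control, module in stack:
        ok = outcome.get(module, False)
        if control == "sufficient":
            # Success ends the stack immediately, unless an earlier `required`
            # module has already failed. A failure here is simply ignored.
            if ok and not failed:
                return True
        elif control == "required":
            # Failure is remembered but later modules still run, so the user
            # cannot tell which module rejected them.
            if not ok:
                failed = True
        elif control == "requisite":
            # Failure ends the stack immediately with a denial.
            if not ok:
                return False
        elif control == "optional":
            # Result is ignored when other modules are present.
            pass
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not failed


# The post's sudo and greeter stacks: key OR password.
KEY_OR_PASSWORD = [("sufficient", "pam_u2f.so"), ("required", "pam_unix.so")]

# The stricter alternative the post deliberately avoids: key AND password.
KEY_AND_PASSWORD = [("required", "pam_u2f.so"), ("required", "pam_unix.so")]

# Same two modules, other order: a sufficient success after a required
# failure does not rescue the stack.
PASSWORD_THEN_KEY = [("required", "pam_unix.so"), ("sufficient", "pam_u2f.so")]


def lost_key_locks_you_out(stack):
    """True if a correct password alone cannot pass the stack (the key is absent)."""
    return not evaluate_auth(stack, {"pam_u2f.so": False, "pam_unix.so": True})


if __name__ == "__main__":
    for name, stack in [("key OR password", KEY_OR_PASSWORD),
                        ("key AND password", KEY_AND_PASSWORD),
                        ("password then key", PASSWORD_THEN_KEY)]:
        print(f"{name}: locked out without the key: {lost_key_locks_you_out(stack)}")
```

The lost-key check is the property the post's warning is about: a stack where pam_u2f.so is sufficient keeps working with the password alone, while making it required turns a lost or broken key into a lockout.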

My next quest will be to use my Yubikey to unlock my LUKS-encrypted disk.

Jordan Petridis: Goblins in your toolchain

Planet GNOME - Mon, 27/04/2026 - 12:05 PM

At the start of the month, Bilal gave us all a giant gift with Goblint. On the first week it was already impressive. Now it’s an invaluable tool for anyone that ever interfaced with GObject, glib or GTK. It will catch leaks, bugs, or even offer to auto fix and modernize your code to the modern paradigms we use. It’s one of those things that is going to save countless hours of debugging and more importantly, prevent the issues before they even get committed. Jonathan Blandford wrote about using it two days ago, and I suggest you read the post.

Everyone is trying to use goblint, and we are all stumbling upon the same issues integrating it into our tooling. Initially, it was only able to produce SARIF reports, which GitLab still has behind a feature flag, in addition to being available only in GitLab Enterprise Editions.

I added an export for GitLab’s Code Quality format which has some support in the non-proprietary Community Edition we use in the GNOME and Freedesktop.org instances. Sadly, almost everything nice is still only available in the enterprise editions, but at least there is this little Widget in the Merge Requests page.
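For anyone wiring a different linter into the same widget, here is an added example (my own code, not goblint's exporter and not part of the post) of the conversion the paragraph above describes: it turns a SARIF 2.1.0 report into the Code Quality JSON that GitLab's Merge Request widget reads. The SARIF document is a constructed sample; its rule names are borrowed from the goblint config shown later in the post, the messages are made up, and the fingerprint scheme (hash of path, rule and message, without the line number) is my own choice so that an issue which merely moves is not reported as new.

```python
"""Convert a SARIF report into GitLab Code Quality JSON.

Added example; not goblint's own exporter and not code from the post.
"""
import hashlib
import json

# SARIF result "level" -> Code Quality "severity"
SEVERITY = {"error": "major", "warning": "minor", "note": "info", "none": "info"}

# Constructed sample SARIF document (rule names from the goblint config in the post,
# messages invented for illustration).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-linter"}},
        "results": [
            {
                "ruleId": "untranslated_string",
                "level": "warning",
                "message": {"text": "string literal is not marked for translation"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/window.c"},
                    "region": {"startLine": 42}}}],
            },
            {
                "ruleId": "g_declare_semicolon",
                "level": "error",
                "message": {"text": "semicolon after G_DECLARE_* macro"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": "src/window.h"},
                    "region": {"startLine": 7}}}],
            },
        ],
    }],
}


def fingerprint(path, rule, text):
    """Stable identity for an issue, so GitLab can diff the MR report against the
    target branch's report. Excludes the line number on purpose."""
    return hashlib.sha256(f"{path}\0{rule}\0{text}".encode()).hexdigest()


def sarif_to_codequality(sarif):
    """Flatten every result of every run into Code Quality issue objects."""
    issues = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or []
            if locations:
                phys = locations[0].get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 1)
            else:
                path, line = "", 1  # SARIF allows results without a location
            rule = result.get("ruleId", "unknown")
            text = result.get("message", {}).get("text", "")
            issues.append({
                "description": text,
                "check_name": rule,
                "fingerprint": fingerprint(path, rule, text),
                "severity": SEVERITY.get(result.get("level", "warning"), "minor"),
                "location": {"path": path, "lines": {"begin": line}},
            })
    return issues


if __name__ == "__main__":
    print(json.dumps(sarif_to_codequality(SAMPLE_SARIF), indent=2))
```

Write the output to a file and publish it from the CI job as a codequality report artifact; GitLab only shows new and resolved issues, so the target branch needs a report of its own, exactly as the template note below points out.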

Additionally, we now have CI templates for Goblint. One is adding a job to the existing gnomeos-basic-ci component we use everywhere. Simply go to your latest pipeline and look for the job.

The report will also show up in Merge Requests that have been updated since yesterday. The gnomeos-basic-ci component has other goodies like sanitizers, static analyzers, test coverage, etc. wired up out of the box, so you should give it a try if you are not using it yet.

If you do but don’t want the goblint job, you can disable it easily with inputs: goblint: "disabled" similar to all the other tools the component provides.

include:
  - project: "GNOME/citemplates"
    file: "templates/default-rules.yml"
  - component: "gitlab.gnome.org/GNOME/citemplates/gnomeos-basic-ci@26.1"

If you want only a goblint job, I’ve also added a standalone template that you can use. (Or copy-paste from it).

include:
  - component: "gitlab.gnome.org/GNOME/citemplates/goblint@26.1"
    inputs:
      job-stage: "lint"

In order for the Code Quality report to work, you will need to have a report uploaded from your target branch, so GitLab will have something to compare the one from the merge request with. The template rules will handle that for you, but keep it in mind.

At this moment all the lints are warnings so the job will never be fatal. This is why we can enable it by default without worrying about breaking pipelines for now. You can further configure its behavior to your needs, and error out if you want to, through the configuration file.

min_glib_version = "2.76"

[rules.g_declare_semicolon]
level = "ignore"

[rules.untranslated_string]
level = "error"
ignore = ["**/test-*.c"]

It’s also very likely that we are going to add goblint and its LSP server to the GNOME SDK Flatpak runtime, along with GNOME OS, so it will always be available for use with tools like Builder and foundry.

Enjoy


Jakub Steiner: Revert That Vector Nonsense!

Planet GNOME - Sat, 25/04/2026 - 2:00 AM

A few years back I did a quick exploration of what GNOME app icons might look like in an alternate universe where we kept on using VGA displays. Chiselling pixels away is therapeutic. So while there is absolutely no use for these, I keep on making them if only to bring some attention to what really matters for GNOME, having nice apps.

Here's a batch of mostly GNOME Circle app icons, with some 3rd party ones thrown in.

If you're reading this on my site rather than Planet GNOME or some flickering terminal in an abandoned Vault, then congratulations. You've stumbled upon a working Pip-Boy module! Found it half-buried under irradiated rubble, its phosphor display still humming with that familiar green glow. Enjoy these icons the way the dwellers of Vault 101 were always meant to, one glorious scanline at a time.
