
openSUSE Forums – back on-line

January 16th, 2014 by

As we reported last week, our public forums have been compromised and defaced. Passwords were safe but the cracker did manage to get access to the database with our forum posts as well as email addresses. Read on to find out what happened, what we did to prevent further damage and what we’re going to do in the future.

vBulletin hacked

openSUSE has used vBulletin forum software for a very long time. While we haven’t always been happy with it, the issues never prompted us to put in the (substantial!) time and effort required to move to another solution.

On January 7, 2014, we received word from The Hacker News that our public forums were compromised and defaced by a cracker exploiting a zero-day flaw in the underlying vBulletin forum software (vBulletin 4.2.1). A Pakistani cracker has claimed responsibility. According to The Hacker News, the cracker confirmed that he/she uploaded a PHP shell to the openSUSE Forum server using a private vBulletin zero-day exploit that allows him/her to browse, read or overwrite any file on the Forum server without root privileges.

Damage?

The cracker claimed he had accessed almost 80.000 openSUSE Forum users’ passwords. However, openSUSE uses a Single Sign-on system (Access Manager from NetIQ) and the ‘passwords’ the hacker obtained were random strings. The cracker did however get access to the forum database which also contains the email addresses of our users.

Forums down

As Matthew Ehle told infoworld.com, the openSUSE admin team believes the cracker’s claim that a zero-day exploit was used. The openSUSE Forums were one patch behind the current release but the change/release log of the latest patch does not indicate it would have prevented this attack.

Because the vulnerability in vBulletin did not have a fix available, we took our forums offline and started looking for a solution.

The forums are back!


What now

As Matthew said, “VBulletin provides some highly functional software, which is of course why it is so popular”. But last summer, the same attacker also breached the openSUSE vBulletin software and Matthew has had “a number of concerns about the architecture and security” of vBulletin for a while. We are therefore going to look for an alternative.

In the meantime, of course, we will update the vBulletin software with the latest patch. But even small patches have been known to cause issues with themes, plugins and other things, so this will take time. vBulletin v4 is still supported so there’s no real reason to move to v5 soon.

Protecting the current set-up

But there are ways to protect the server even when we don’t trust some of the software on it. Since the attack in the summer, our sysadmins have locked down the file system and the folder used in the attack has now also been made read-only.

Thanks to this locking, the hacker was only able to read and overwrite some of the files on the forums server without root privileges. We were using “paranoid” file permissions, which greatly restricted his access on the server and did not allow him to escalate privileges and take over the system. This is unlike some recent high-profile vBulletin breaches which compromised the entire operating system.
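The check this section implies, as an added example (not the openSUSE admins' own tooling): a shell audit that lists directories and files under a web root that a non-owner account can write to, plus PHP scripts sitting in such directories. The `forum/uploads` layout, the `dropped.php` file name and the assumption that the web server account reaches files only through the group/other permission bits are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for places a web application could write to.
# Assumption: files are owned by a separate deploy account, so the web server
# account only gets access through the group and "other" permission bits.

# Directories that group or other may create files in (upload-style folders).
writable_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Regular files that group or other may overwrite in place.
writable_files() {
    find "$1" -type f \( -perm -0020 -o -perm -0002 \) -print | sort
}

# PHP scripts located directly inside a writable directory: code in a place
# where the application itself can create files deserves a manual review.
scripts_in_writable_dirs() {
    writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \( -name '*.php' -o -name '*.phtml' \) -print
    done | sort
}

# Print a one-line summary; exit status 0 only when nothing was found.
audit_webroot() {
    root=$1
    dirs=$(writable_dirs "$root" | wc -l | tr -d ' ')
    files=$(writable_files "$root" | wc -l | tr -d ' ')
    scripts=$(scripts_in_writable_dirs "$root" | wc -l | tr -d ' ')
    echo "writable_dirs=$dirs writable_files=$files scripts_in_writable_dirs=$scripts"
    [ "$dirs" -eq 0 ] && [ "$files" -eq 0 ] && [ "$scripts" -eq 0 ]
}

# Constructed sample tree: a forum web root with one world-writable upload
# folder that contains an image and a stand-in for an unexpected script.
demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/forum/includes" "$t/forum/uploads"
    echo '<?php // application code' > "$t/forum/index.php"
    echo '<?php // constructed stand-in for an unexpected file' > "$t/forum/uploads/dropped.php"
    echo 'image data' > "$t/forum/uploads/avatar.png"
    chmod 755 "$t" "$t/forum" "$t/forum/includes"
    chmod 644 "$t/forum/index.php" "$t/forum/uploads/avatar.png" "$t/forum/uploads/dropped.php"
    chmod 777 "$t/forum/uploads"    # the weak setting the audit should report
    echo "$t"
}
```

On the constructed tree, `audit_webroot "$(demo_tree)/forum"` reports one writable directory and one script inside it; after `chmod 755` on the upload folder the audit comes back clean.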

Back online

Kim Groneman, taking care of our forums, noted: “Though we will probably never know exactly how the cracker was able to put a script file in our system, with the file system locked down, there’s a good probability that it can’t happen again. Also, because we use Access Manager, there never was any danger of the cracker gaining access to user passwords. They are and always have been secure.”

Based on that, the team felt confident that the forums could be put back online.

Future

The openSUSE sysadmins have the use of AppArmor or SELinux in their public policy. This is enforced on all new services, but the old ones (including the forums) have not all been updated yet. Obviously, priorities have been re-shuffled in this regard.

But in the long run, working around the security problems of proprietary software is not the ideal solution. The team is thus looking at other solutions. bbPress and phpBB are at the top of the list and people experienced with these solutions (and especially migrating to them from vBulletin) would be very welcome. Another piece of work needed is to move the NNTP gateway script to whatever the new solution will be – a PHP developer could be a great help. The team is working on a list of features that are required (and nice to have) and suggestions for other solutions can be run against it.

openSUSE Conference 2014 Takes Place April 24th – 28th in Dubrovnik, Croatia

January 9th, 2014 by

As announced at the openSUSE Conference 2013, this year’s openSUSE conference will take place in Dubrovnik, Croatia. This beautiful city will welcome us Geekos from the 24th to the 28th of April. The team has been hard at work to prepare things and below they start by giving you a taste of the city, the venue and themselves!

The openSUSE Conference

The openSUSE Conference is the annual gathering of the openSUSE Community and other Free and Open Source contributors and enthusiasts. This year will be the 6th event where the talks, workshops and discussions provide the framework to exchange knowledge, collaborate and create lasting connections and incredible memories. Last year our event took place in Greece – read reports on day one, day two and day three. Before that, we had a smashing time in Prague and in an old factory hall in Nuremberg.

The theme this year

The openSUSE conference traditionally has a theme. This year, the theme is: “The Strength to Change“.

Change has been a constant in Free Software. With the rise of mobile devices and the associated operating systems like Android and Chromebooks, we have to adapt as a project. We discussed strategy again on our mailing lists and by the time of the conference, we can hopefully all talk together and come to some conclusions. Change is never easy, but it is important!

Subjects and conference schedule

Like always, we will cover a wide range of subjects at the event. This year, there will be the following tracks:

  • End user track
  • Business track
  • Community and Project
  • Technology & Development

More details are coming in the Call for Papers on the 20th of January, with proposals starting to get accepted February 14. The submission period will end on February 28.

Croatia and Dubrovnik

The Republic of Croatia is a unitary democratic parliamentary republic at the crossroads of Central Europe, the Balkans, and the Mediterranean. It joined the EU on 1st of July 2013, and it is best known for its sunny beaches, islands and warm Adriatic sea as it is a summer vacation destination for many Europeans.

Dubrovnik is the southernmost city in Croatia, a gorgeous former city state which joined the UNESCO list of World Heritage Sites in 1979. The prosperity of the city of Dubrovnik was historically based on maritime trade. As the capital of the Republic of Ragusa, a maritime republic, the city achieved a high level of development, particularly during the 15th and 16th centuries. Dubrovnik became notable for its wealth and skilled diplomacy. The Republic was an early adopter of what are now regarded as modern laws and institutions and Dubrovnik became a cradle of Croatian literature. The city successfully balanced its sovereignty between the interests of Venice and the Ottoman Empire for centuries.

(Gorgeous picture on the right Creative Commons photo from Trishhartmann)

Local Community

The openSUSE conference proposal came from a team from the Croatian Association for Open Systems and Internet (HrOpen) and the Croatian Linux Users’ Association (HULK). The team has support from the UNIDU (which is where the event will take place) and is also backed by the Faculty of Electrical Engineering and Computing of University of Zagreb.

The leadership of the core team:

  • Svebor Prstačić, president of HrOpen
  • Tomo Sjekavica, assistant professor at UNIDU
  • Ivan Guštin, president of HULK
  • Darko Grabar, vice president of HrOpen


The conference venue

The conference venue is provided by the University of Dubrovnik (UNIDU). The University of Dubrovnik is the ‘youngest‘ university in Croatia. It was established in 2003 on the foundations of a very long tradition which goes back to the 17th century, but also on decades of modern higher education. In terms of program, organization and technical equipment, the University of Dubrovnik stands among the most modern of educational institutions.

The venue, called the New Campus, is situated just 5 minutes walk from the Dubrovnik old town, and is in walking distance of many hotels and private apartments that offer affordable accommodation deals. It was originally built as a hospital, then renewed and repurposed for the University in 2012. From the outside it displays the soul of Dubrovnik, but from the inside it is a very sleek and modern design.

Find it on Google Maps here and see some more pictures here.

If you want to get to know the university in advance of joining us, check out this great walk-around video on youtube!

(Pictures provided by the university)

What’s next

Next up is setting up the conference website and opening the Call for Papers and registration. This is all planned to take place later this month – keep an eye on this site! We will let you know when conference.opensuse.org is updated. You can already join our visitors’ mailing list (subscribe).

Want to help with oSC14?

Awesome! Please join our team mailing list (subscribe) and our regular IRC meetings. We can use every helping hand to work on the program, the promotion and the local organization. Tasks range from keeping our news outlets up to date and designing artwork to laying cables at the venue. There is so much to do, we need you!

Article written by Svebor and the openSUSE conference team

openSUSE forums defaced, user emails leaked

January 7th, 2014 by

As hackernews.com noted, the public openSUSE forums have been compromised and defaced. A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database.

Passwords: Safe! Emails: Not so much :-/

Credentials for your openSUSE login are not saved in our application databases as we use a single-sign-on system (Access Manager from NetIQ) for all our services. This is a completely separate system and it has not been compromised by this crack. What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.

However, some user data is stored in the local database for convenience; in the case of the forum, this is the user email addresses. Those the hackers had access to, and we’re very sorry for this data leak!

And now?

As the exploit is in the forum software we use and there are no known fixes or workarounds we have decided to take the forums offline for now, until we have found a solution. Stay tuned for updates here, on twitter, facebook or g+.

The openSUSE Travel Support Team wishes you a Happy New Year!

January 1st, 2014 by

Great News!!!

For almost 2 years Izabel Valverde and Kostas Koudaras have run the Travel Support Program Team with the support of the openSUSE Board & SUSE.

After doing a great job in the TSP, Kostas is now a member of the openSUSE Board, so we have 2 new members on the TSP filling his spot and giving us extra help. At the dawn of the new year we are pleased to announce the current openSUSE Travel Support Team: Efstathios Iosifidis a.k.a. Diamond_gr, Izabel Valverde and Marcel Kühlhorn a.k.a. Tux93.

The new TSP Team wishes Kostas good luck on his new journey and is thankful for all the work done.

Happy 2014 to everyone in the openSUSE Project!

Your TSP Team

Announcing openSUSE Education Li-f-e 13.1

December 18th, 2013 by

Get Li-f-e from here : Direct Download | Torrents | Metalinks | md5sum

openSUSE Education community is proud to bring you an early Christmas and New Year’s present: openSUSE Education Li-f-e. It is based on the recently released openSUSE 13.1 with all the official online updates applied.

We have put together a nice set of tools for everyone including teachers, students, parents and IT administrators. It covers quite a lot of territory: from chemistry and mathematics to astronomy and geography. Whether you are into software development or just someone looking for a Linux distribution that comes with everything working out of the box, your search ends here.

Reminder: Vote for the openSUSE Board!

December 14th, 2013 by

It is December 14, dear Geekos! That means that tomorrow, December 15, the official deadline for voting for the openSUSE Board Elections ends! That’s right, you have only about 24 hours to cast your vote.

Elections

As we explained in the earlier announcement, there are 4 seats up this year and all openSUSE Members are eligible to vote. This year, the candidates are:

You can find each candidate’s Election Platform on the last link. Candidates marked with a (*) are SUSE employees.

Once you’ve done your democratic duty and decided who to vote for, click here to cast your vote! Note that you have to be logged in with your usual openSUSE credentials to see this page and cast your vote.

 

Be a part of it!

openSUSE Admin: manage the complexity

November 24th, 2013 by

In the Service Team’s Cave, where the infrastructure of openSUSE servers and services runs, the openSUSE Service Team faced an issue: requests to admin@opensuse.org were managed only by mail, making it hard to keep track of all the open issues and leading to coordination problems. As some requests to this list also contain login credentials, the list itself could not have a public archive. This could have exposed sensitive data to the public. So it is always complicated telling people what’s going on there, and even more complicated allowing interested people to subscribe. (Please note: including credentials in plain emails is never ever a good idea – it is not even the intention of the Service Team to get such credentials. But sometimes people don’t care about their sensitive data, or just realize too late that their log files contain information that should not be visible).

But openSUSE – and especially the administration of all openSUSE services – is all about collaboration and communication. So hiding in a small cave might not be a good idea if you want to get some helping hands or reach out for collaboration.

Today we took one big step forward with our infrastructure by integrating admin@opensuse.org into the ticket system available at http://progress.opensuse.org/ ! At first this may not sound very interesting, but please remember that this service is already integrated into our authentication infrastructure. Now everyone with an openSUSE account is able to check the state of public tickets (warning: tickets are set to private by default), create new ones and have a look at other public modules of this “openSUSE admin”-project – or become part of the team.

Just to avoid confusion: sending an email to admin@opensuse.org is not only still possible but also the preferred way to reach us.

For coordination and to be “reachable” for all those guys hanging around at some IRC channel, we now also have a public channel on irc.freenode.net: #opensuse-admin Feel free to say hello, thank you, or ask us questions.

openSUSE 13.1: Ready For Action!

November 19th, 2013 by

Dear contributors, friends and fans: The release is here! Eight months of planning, packaging, adding features, fixing issues, testing and fixing more issues has brought you the best that Free and Open Source has to offer, with our Green touch: Stable and Awesome.

(In other languages: cs de es fr it ja nl ru zh zh-tw)

This release did benefit from the improvements to our testing infrastructure and much attention for bug fixing. While a combination of over 6000 packages supporting 5 architectures can never be perfect, we’re proud to say this really does represent the best Free Software has to offer! The latest desktops (five of them!), server and cloud technologies, software development tools and everything in between are included as well as a number of exciting, new technologies for you to play with. Enjoy!

openSUSE 13.1 is:

Stabilized
Much effort was put in testing openSUSE 13.1, with improvements to our automated openQA testing tool, a global bug fixing hackathon and more. The btrfs file system has received a serious workout and while not default, is considered stable for everyday usage. This release has been selected for Evergreen maintenance extending its life cycle to 3 years.

 

Networked
This release introduces the latest OpenStack Havana with almost 400 new features. Web server admins will appreciate the latest Apache, MySQL and MariaDB updates. Web developers benefit from an updated Ruby 2.0 on Rails 4 with improvements from core classes to better caching in the Rails framework and the latest php 5.4.2 comes with a built-in testing server. End users can now mount Amazon S3 buckets as a local file system and use the much improved Samba 4.1 with better Windows domains support.

 

Evolved
openSUSE moves forward with AArch64, making openSUSE ready for development on the upcoming generation of 64bit ARM devices. 32bit ARM support has been heavily improved and a special Raspberry Pi build for openSUSE is available. This release also delivers GCC 4.8 with new error reporting abilities, the latest glibc supporting AArch64, C11 and Intel TSX Lock Elision, the new SDL2 and Qt 5.1, bringing QML and C++11 features to developers.

 

Polished
openSUSE 13.1 comes with much improved font hinting thanks to the new font engine in Freetype 2.5. YaST has been ported to Ruby, opening contribution up to a large number of skilled developers. In this release, ActiveDoc replaces doc.opensuse.org and the majority of packaged documents in openSUSE, lowering the barrier to contribution.

 

Faster
New is accelerated video with VDPAU support in MESA and an optimized version of glibc for 32bit systems. Linux 3.11 includes work on ‘page reclaim’, maintaining performance during disk operations.

 

Feature-full
Desktop users will appreciate the Android devices integration in the KDE file manager, in the shell and in music player Amarok. Artists have to try out the new Krita improvements with textured painting, greyscale masks & selections and more. GNOME Shell introduces a redesign of the system status bar and Header Bars in many applications, making better use of screen space. Enlightenment now also has an openSUSE theme.

 

Innovative
This release comes with a number of experimental technologies to try out. This includes preliminary Wayland support with Weston compositor in GNOME Shell and KDE Plasma Desktop as well as improved support for Ultra high-resolution in applications and shells. New is also the LightDM KDE greeter and a plasma NetworkManagement applet for testing.

“We’re proud of this release and of all those who worked on it. With a steady increase in contributors there was a lot of hard work put in by so many people from around the globe. Without all these contributors, initiatives like support for ARM would not be possible and we’re very thankful for their input.”

– said openSUSE Board member Andrew Wafaa.

We’re Ready For The Release, Are You?!

November 18th, 2013 by

Dear Geekos!

We’re sure you are all anxiously awaiting the release of openSUSE 13.1, coming in 24 hours. Yes, just around the corner! So we want to remind you that you can help us promote the release, plan release parties and of course read the many articles we’ve written! So much to do both before and after the release…

Before the release

There is still preparation to do: a lot to read about the release – so you can tell your friends about it – and some work in order to promote the release. You are very welcome to help us spread the word on your blog and in other places!

Learn about the release

As preparation for the release we wrote a bunch of sneak peeks so you can learn about what is so cool in the new openSUSE. Let’s start with the most visible parts – as always we have new versions of desktop environments. We wrote articles about both major ones – GNOME and KDE. Changes in these two are probably the most visible to the end user. We hope exactly the opposite happens with YaST. There were really big changes under the hood of YaST this release, as we wrote. The interface and functionality are both the same, so users will barely notice, but we hope a horde of new developers will be attracted by the new code.

We also wrote about more hardcore/geeky stuff. "Cloud" is still a magical and cool word and we have everything you need to create your own cloud in openSUSE. Check out what is new in this area! And as this is more a sysadmin’s cup of tea, let’s mention yet another article that we prepared. This one is full of useful tips and tricks. Even if you are a skilled sysadmin, you might learn a thing or two there that will make your everyday life easier.

And last but not least, don’t forget about all the love and attention that have been put into Btrfs. Even though it is not the default option for new installations, openSUSE 13.1 looks like the best choice for everybody wanting to try this next generation filesystem.

Promote the release

You might have seen that we created some cool materials to promote the release. There are banners, backgrounds for social media accounts and more in this article and we have this cool “Release Geeko” background for you:

Release Geeko background

Find more related artwork in our github repository.

During the release day

For the release itself, we created both a Facebook event and a G+ event to be sure that no one forgets (as if it were possible to forget the release date of your favorite Linux distribution). But more important, there will be a public hangout on G+ as part of the G+ event, so you can join and share your excitement about the new release. Apart from that, we will be updating all our social channels all day long, so don’t worry, you will not miss anything… and you are also welcome to help in these tasks.

After the release

In the party department, there have been people planning launch parties already. At the moment of writing, we are already aware of parties in:

  • Orlando FL, just a couple of days ago
  • Nuremberg, punctually at the release day
  • Copenhagen, the day after
  • SUSE offices in Prague, next week
  • Zacatecas, during Free Software Lab-COZCyT
  • Taipei, in the near future (stay tuned, more information coming)

If you would like to attend a launch party in your neighborhood, check the Launch Party wiki and if there’s no party yet, read this article with some tips on solving that problem ;-)

We hope you are now a little more prepared for the release. And, of course, don’t forget to…

have a lot of fun!

openSUSE Summit Was Geeko Awesome

November 18th, 2013 by

Orlando - not so sunny

Our openSUSE Summit 2013 has just finished here in Orlando. We were hosted in a Mexican themed hotel in the area of Disney World, with our own special area setup nicely for our presentations and workshops. The location was a nice new touch for the geeko friends to reconnect and collaborate, if only because there was a large number of lizards all around here!

Weather wasn’t very loving down here in Florida, USA but being in such a family-like get together, it didn’t really matter.