Fedora

Fedora Community on Telegram

I noticed today that the official Fedora chat group on Telegram had passed the mark of 1000 users. I can’t believe how rapidly it has grown. I created the group for attendees of Flock 2015 and it was supposed to be a single-purpose thing. But after the event people were like “hey, let’s rename it to Fedora and keep it for general chat about Fedora”. Fast forward and we have 1000 users and a lot of other Fedora-related groups popped up.

It’s not an easy job to moderate such a large group. The number of admins has grown to 7 and there is even a separate private chat for communication among admins. Big kudos to Justin Flory who took the leadership here early after Flock and I’ve been mostly just enjoying the position of the group creator and honorable admin.

Fedora Project also has its official news channel on Telegram which is followed by almost 500 users. There are also at least 11 national chat groups, and for example the Russian one has over 300 users. There are also specialized groups (for ambassadors, for packagers,…).

Telegram recently raised the maximum number of users per (super)group to 10,000, so the Fedora community still has some room to grow 🙂

GNOME, Linux

ThunderBolt Security Levels and Linux desktop

Recently I got Dell XPS 13 as my new work laptop and I use it with the TB16 dock. This dock doesn’t seem to fully work with Linux, only monitors work. But if you go to BIOS settings and set the Thunderbolt Security level to “No security”. Then suddenly almost everything is working.

However, it’s not an ideal solution, especially if you’re at least a bit paranoid. External Thunderbolt devices may connect to the machine via PCI-Express which means they can potencially read your system memory. That’s why Thunderbolt comes with a security system.

There are 4 security levels:

  • none (legacy mode): no security, everything gets enabled.
  • dponly: no PCIe tunneling, only USB and DisplayPort.
  • user: ask the user if it is ok to connect the device.
  • secure: as “user” but also create and use a random key that later can be used on subsequent connects of the same device to ensure its identity.

Intel is already working on a Linux implementation of TB security. But the user and secure levels need user’s action, so there will have to be some support for it in the desktop. I discussed that with designers and they don’t really like the idea of poping up dialogs asking users if they trust the device. “Do I trust this projector? I’m not really sure, but since I’m plugging it in, I guess I do”.

I also checked how it works in Windows 10. And it works exactly that way. I plugged in the dock and I got a bunch of dialogs asking about every single plugged-in device. The experience is pretty terrible. And I have to agree with the designers, I’m not sure how this improves security.

On the other hand, I don’t think it’s a good idea to leave the Thunderbolt port completely unprotected. There is one relevant use case: you leave your computer unattanded and even though you locked your screen, someone can access your system through an unsecured TB3 port.

I wonder if it could be solved by automatically switching to a “reject everything” mode once you lock your screen. You lock your screen, leave your computer, and any device plugged into the TB3 port would be rejected. Once you come back and unlock your screen, it’s your responsibility what you plug in and any plugged device would be accepted.

I wonder if there is any relevant use case which would not be covered well by this policy. Any ideas?

Fedora, GNOME

Printing Improvements for Fedora 27 Workstation

Fedora 26 is not out yet, but it’s already time to think about how to improve the Workstation edition of Fedora 27. One of the areas my team is focusing on is printing (the desktop side of it). For GNOME 3.24 and Fedora 26 Workstation we landed a new interface for the printing module in GNOME Control Center. It gives a much cleaner overview of printers that are set up on your system.

One thing that I think deserves an improvement is printer sharing. GNOME Control Center doesn’t allow you to easily share a printer with other devices over the network. I’ve heard users complain about it and the competition provides it (even though Windows do it very unintuitively). Sharing via IPP is a pretty low hanging fruit because that’s what CUPS already perfectly supports, you just need to expose it in the UI.

A common use case is sharing a printer with your mobile devices. iOS uses AirPrint which is an extension of the IPP,  you just need to convince the device that it’s talking to an AirPrint server. To support Android devices, I think the best way is to use Google Cloud Print. We already support Google Cloud Print, but from the client side. I wonder if it’d be useful to support the server side as well. Google provides an open source server implementation, but it’s written in Go and unnecessarily advanced for our use cases, so writing our own implementation would probably be a better way to go. But I wonder if it’d be worth it. Do people use Google Cloud Print? If not, how do you print from your Android device?

Or are there any other things you think we should improve in printing (desktop-wise)?

Fedora

Netflix doesn’t block Fedora users any more!

Two weeks ago, I blogged about the fact that Netflix was blocking Chrome and Firefox with Fedora user agents although those browsers are now officially supported on Linux.  The blogpost got a lot of publicity, almost 5000 hits, and I was even accused of creating clickbaits on reddit 🙂 But it led to the wanted result – solving the issue.

Someone pointed me to Paul Adolph from Netflix. He no longer works in the department which is responsible for user agent filtering, but was very helpful and forwarded the issue to responsible engineers. They never told me why they were blocking Fedora (and it turned out other distributions such as CentOS, Debian, openSUSE too), but promised to fix it within the next couple of weeks. I assume it was just some outdated user agent filter.

I tested it today and it seems to be fixed, both for Chrome and Firefox. And also not only for Fedora, but also for other distributions (I tested CentOS, Debian, and openSUSE). So now you can watch Netflix on Fedora without any user agent tweaking. Just keep in mind that for Firefox you need to install ffmpeg Firefox is using for media playback, Chrome should work out of the box.

I’d like to thank Netflix for resolving the situation pretty quickly.

Fedora

Netflix blocks Fedora users

Netflix should finally support their HTML5 player in Firefox 52 on Linux.  This version has already landed in Fedora and been there for a couple of weeks and we’ve already received complaints from users who are confused. Both Netflix and Mozilla claim it should work, but it doesn’t for them.

Netflix still forwards them to their Silverlight player.  That’s pretty much a showstopper because Silverlight has been dead for quite a few years and it has never been easy to make it work on Linux.

In fact, Firefox 52 in Fedora does work with Netflix. As we found out the problem is in the user agent. The default user agent is:

Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

If you remove “Fedora” from the user agent, Netflix suddenly stops offering Silverlight and just works. One would say that they only want to support official builds from Mozilla and allow only the upstream user agent. It would be an unfortunate way to do it, but at least partly understandable. But things get really weird when you try replacing “Fedora” with  random strings. Because then it also works which means that Netflix blocks Fedora specifically!

Netflix has supported Chrome for much longer and it also has behaved the same there. We set the Fedora user agent via an extension and the only reason why it works in Chrome on Fedora is that we blacklisted the netflix.com domain for the Fedora user agent.

We could do the same in Firefox, but I think it’s something that should be fixed on the side of Netflix. Users should not be denied a service based on their user agent. It takes us 15 years back when Opera had to fake its user agent to work with websites. Moreover Fedora isn’t anyhow different in this than other Linux distributions, so why is it blocked while others are not?

As a Netflix customer, I tried to call their support. I got to a first line support person who didn’t have much of a clue, trying to convince me that Silverlight works just fine on Fedora (which is not really true). So I tried to explain the problem and asked if they could pass it on to responsible engineers. We’ve also been trying to reach them through various contacts. Linux is not probably an important platform for Netflix, but they at least care enough to block specifically Fedora, so they should care enough to fix it. Moreover there are many Linux engineers in the company who could care, too. If you know anyone working in Netflix, please tell them about this and ask them to pass it on to responsible people. If you’re both a Netflix and Fedora user, you may also try to contact their support and let them know that it doesn’t work for you. Maybe if they collect more such cases it will make them look at it.

Edit: I’ve been told that Netflix also blocks user agents of other popular distros. So to make it work you can replace “Fedora” with random strings so long as it’s not “openSUSE”, “Debian”,  “CentOS”. The only exception is Ubuntu which is not blocked.

Edit2: I’ve managed to contact the right people in Netflix and they promised to fix it within the next couple of weeks!

Fedora, GNOME, Linux

Nextcloud & Linux Desktop

I’ve used different services for my personal agenda and I always valued if they could well integrate into my Fedora Workstation. Some did it well, some at least provided a desktop app, some only had a web client. That’s fine for many people, but not for me. Call me old-school, but I still prefer using desktop applications and especially those who look and behave natively.

Last summer, I decided to install Nextcloud on my VPS. Originally I was planning to replace Dropbox with it, but then I found out I could actually use it for many other things, for all my personal agenda. Shortly after that I realized that I’d found what I was always looking for in terms of integration into my desktop. Nextcloud apps use standard protocols and formats and integrate very well with the desktop apps I use.

nextcloud

Nextcloud/ownCloud is supported by GNOME Online Accounts, so I log in to my server and automagically get this:

Files – my Nextcloud appears in Nautilus as a remote disk. I like that it doesn’t work like the official desktop client of Nextcloud or Dropbox and doesn’t sync files to the local drive. If you work with small files and documents remotely, you can hardly notice lags and they don’t consume space on your hard drive. If I want to work with large files (e.g. video) or offline, I just download them.

Documents – documents that are stored on your Nextcloud server appear among documents in GNOME Documents. The app makes an abstraction layer over different file sources and the user can work with documents no matter where they come from. A nice thing, but I’m a bit conservative in this and prefer working with files and Nautilus.

Contacts – the Nextcloud app for contacts uses CardDAV, so after a login in GOA your contact list appears in all applications that are using the evolution-data-server backend. In my case it’s Evolution and GNOME Contacts. Evolution is still my daily driver at work while I use the specialized apps at home.

Calendars – the calendar app for Nextcloud uses CalDAV, so after a login in GOA you get the same automagic like with contacts, your calendars appear in all apps that are using evolution-data-server. Again in my case it’s Evolution and GNOME Calendar.

Tasks – CalDAV is also used for tasks in Nextcloud, so if you enable calendars in GOA, your task lists will also appear in Evolution or GNOME Todo.

snc3admek-z-2017-03-01-22-47-36
GNOME Todo

Notes – the same applies to notes, you will also be able to automagically access them in Evolution or GNOME Bijiben.

News – the only thing I had to set up separately is a news reader. I use FeedReader which (among other services) supports Nextcloud/ownCloud, too. So I could replace Feedly with it and get a native client as a bonus.

snc3admek-z-2017-03-01-22-34-49
FeedReader

What’s really great is that except for the RSS reader everything is set up with one login. I’m done with Feedly, Evernote, Wunderlist and all those services that each require another login and generally have poor desktop integration. Now I can use Nextcloud, have all my data under control and get great and super-easy-to-setup integration into my desktop.

I can imagine even more areas where Nextcloud can improve my desktop experience. For instance, it’d be great if my desktop user settings could be synced via Nextcloud or I could back them up there and then restore them on my new machine. Or it’d be great if the desktop keyring could work with Passman and sync your passwords.

BTW integration into my Android phone is equally important to me and Nextcloud doesn’t fail me there either although setting it up was not as easy as in my Fedora Workstation. I needed to install CalDAV-Sync and CardDAV-Sync apps (DAVdroid which is officially recommended by Nextcloud never worked for me, a while back it didn’t want to sync my contact list at all, now it does, but doesn’t import photos). Then my contacts and calendars were synced to the default apps. For tasks I use OpenTasks. For RSS ownCloud/Nextcloud Reader and for notes MyOwnNotes. To access files Nextcloud provides their own app.

And if I’m not around my PC or phone, I can always access all the services via the web interface which is pretty nice, too. So all in all I’ve been really satisfied with Nextcloud and am really happy how dynamically it’s developing.

Linux, Red Hat

Flatpak and Endless OS at InstallFest Prague

I spent the last weekend in Prague attending InstallFest 2017. The event is called InstallFest because many, many years ago it started as an event where students could come and get help with installations of various Linux distributions. Times of installfests are gone and this event has transitioned into an open source conference with more practical focus.

The event has moved to a new venue – Faculty of Electrical Engineering of Czech University of Technology. It’s where Red Hat recently started a new open source lab. The venue was larger than the one in previous years and hosted 3 tracks + a small booth area.

I came to talk on two things – Flatpak and Endless OS. My Flatpak talk was on Saturday and got a 55-minute slot which seemed like a lot of time, but if you want to cover all the specifics of the technology, even 55 minutes is not much. The room was pretty full and the topic apparently stirred some attention. There was even one person interested in porting Flatpak to another distribution.

c6fo3iawuain_sf
My talk on Flatpak

My talk on Endless OS was the first one of the second day. I only asked for a 25-minute slot which was just enough to make a brief introduction of the system. I also brought with me both Endless devices I have in possession – Endless One and Endless Mini. There were not as many people as at my Flatpak talk, but those who came seemed pretty interested. Almost none of them had ever heard of the OS and PCs before. They asked if they’d ever be available in Europe (which I couldn’t answer because I have no idea) or if you can connect extending hardware to the PCs just like to Raspberry.

As a side note, I was positively surprised how many people wore Fedora t-shirts at the conference.

c6jmrcqwmaadxej
Myself with the Endless PCs