## September 21, 2017

Less than a month after Krita 3.2.1, we’re getting ready to release Krita 3.3.0. We’re bumping the version because there are some important changes for Windows users in this version!

Alvin Wong has implemented support for the Windows 8 event API, which means that Krita now supports the n-trig pen in the Surface line of laptops (and similar laptops from Dell, HP and Acer) natively. This is still very new, so you have to enable this in the tablet settings:

And he also refactored Krita’s hardware-accelerated display functionality to optionally use Angle on Windows instead of native OpenGL. That means that many problems with Intel display chips and broken driver versions are worked around because Krita now indirectly uses Direct3D.

There are more changes in this release, of course:

• Some visual glitches when using hi-dpi screens are fixed (remember: on Windows and Linux, you need to enable this in the settings dialog).
• If you create a new image from clipboard, the image will have a title
• Favorite blending modes and favorite brush presets are now loaded correctly on startup
• GMIC
• the plugin has been updated to the latest version for Windows and Linux.
• the configuration for setting the path to the plugin has been removed. Krita looks for the plugin in the folder where the krita executable is, and optionally inside a folder with a name that starts with ‘gmic’ next to the krita executable.
• there are several fixes for handling layers and communication between Krita and the plugin
• Some websites save jpeg images with a .png extension: that used to confuse Krita, but Krita now first looks inside the file to see what kind of file it really is.
• PNG:
• 16 and 32 bit floating point images are now converted to 16 bit integer when saving the images as PNG.
• It’s now possible to save the alpha channel to PNG images even if there are no (semi-) transparent pixels in the image
• When hardware accelerated display is disabled, the color picker mode of the brush tool showed a broken cursor; this has been fixed.
• The Reference Images docker now only starts loading images when it is visible, instead on Krita startup. Note: the reference images docker uses Qt’s imageio plugins to load images. If you are running on Linux, remove all Deepin desktop components. Deepin comes with severely broken qimageio plugins that will crash any Qt application that tries to display images.
• File layers now correctly reload on change again
• Add several new commandline options:
• –nosplash to start Krita without showing the splash screen
• –canvasonly to start Krita in canvas-only mode
• –fullscreen to start Krita full-screen
• –workspace Workspace to start Krita with the given workspace
• Selections
• The Select All action now first clears the selection before selecting the entire image
• It is now possible to extend selections outside the canvas boundary
• Performance improvements: in several places superfluous reads from the settings were eliminated, which makes generating a layer thumbnail faster and improves painting if display acceleration is turned off.
• The smart number input boxes now use the current locale to follow desktop settings for numbers
• The system information dialog for bug reports is improved
• macOS/OSX specific changes:
• Bernhard Liebl has improved the tablet/stylus accuracy. The problem with circles having straight line segments is much improved, though it’s not perfect yet.
• On macOS/OSX systems with and AMD gpu, support for hardware accelerated display is disabled because saving to PNG and JPG hangs Krita otherwise.

#### Windows

Note for Windows users: if you encounter crashes, please follow these instructions to use the debug symbols so we can figure out where Krita crashes. There are no 32 bits packages at this point, but there will be for the final release.

#### Linux

When it is updated, you can also use the Krita Lime PPA to install Krita 3.3.0-rc.1 on Ubuntu and derivatives.

#### OSX

Note: the gmic-qt and pdf plugins are not available on OSX.

### Source code

#### Key

The Linux appimage and the source tarball are signed. You can retrieve the public key over https here:
0x58b9596c722ea3bd.asc
. The signatures are here.

#### Support Krita

Krita is a free and open source project. Please consider supporting the project with donations or by buying training videos or the artbook! With your support, we can keep the core team working on Krita full-time.

## September 20, 2017

It's been a while since I posted about Fedora specific Bluetooth enhancements, and even longer that I posted about PlayStation controllers support.

Dual-Shock 3 and 4 support

We've had support for Dual-Shock 3 (aka Sixaxis, aka PlayStation 3 controllers) for a long while, but I've added a long-standing patchset to the Fedora packages that changes the way devices are setup.

The old way was: plug in your joypad via USB, disconnect it, and press the "P" button on the pad. At this point, and since GNOME 3.12, you would have needed the Bluetooth Settings panel opened for a question to pop up about whether the joypad can connect.

This is broken in a number of ways. If you were trying to just charge the joypad, then it would forget its original "console" and you would need to plug it in again. If you didn't have the Bluetooth panel opened when trying to use it wirelessly, then it just wouldn't have worked.

Set up is now simpler. Open the Bluetooth panel, plug in your device, and answer the question. You just want to charge it? Dismiss the query, or simply don't open the Bluetooth panel, it'll work dandily and won't overwrite the joypad's settings.

And finally, we also made sure that it works with PlayStation 4 controllers.

Note that the PlayStation 4 controller has a button combination that allows it to be visible and pairable, except that if the device trying to connect with it doesn't behave in a particular way (probably the same way the 25€ RRP USB adapter does), it just wouldn't work. And it didn't work for me on a number of different devices.

Cable pairing for the win!

And the boring stuff

Hey, do you know what happened last week? There was a security problem in a package that I glance at sideways sometimes! Yes. Again.

A good way to minimise the problems caused by problems like this one is to lock the program down. In much the same way that you'd want to restrict thumbnailers, or even end-user applications, we can forbid certain functionality from being available when launched via systemd.

We've finally done this in recent fprintd and iio-sensor-proxy upstream releases, as well as for bluez in Fedora Rawhide. If testing goes well, we will integrate this in Fedora 27.

## September 18, 2017

When I upgraded my Asus laptop to Stretch, one of the things that stopped working was the screen brightness keys (Fn-F5 and Fn-F6). In Debian Jessie they had always just automagically worked without my needing to do anything, so I'd never actually learned how to set brightness on this laptop. The fix, like so many things, is easy once you know where to look.

It turned out the relevant files are in /sys/class/backlight/intel_backlight. cat /sys/class/backlight/intel_backlight/brightness tells you the current brightness; write a number to /sys/class/backlight/intel_backlight/brightness to change it.

That at least got me going (ow my eyes, full brightness is migraine-inducing in low light) but of course I wanted it back on the handy function keys.

I wrote a script named "dimmer", with a symlink to "brighter", that goes like this:

#!/bin/zsh

curbright=$(cat /sys/class/backlight/intel_backlight/brightness) echo dollar zero$0
if [[ $(basename$0) == 'brighter' ]]; then
newbright=$((curbright + 200)) else newbright=$((curbright - 200))
fi
echo from $curbright to$newbright

sudo sh -c "echo $newbright > /sys/class/backlight/intel_backlight/brightness"  That let me type "dimmer" or "brighter" to the shell to change the brightness, with no need to remember that /sys/class/whatsit path. I got the names of the two function keys by running xev and typing Fn and F5, then Fn and F6. Then I edited my Openbox ~/.config/openbox/rc.xml, and added: <keybind key="XF86MonBrightnessDown"> <action name="Execute"> <execute>dimmer<execute> </action> </keybind> <keybind key="XF86MonBrightnessUp"> <action name="Execute"> <execute>brighter<execute> </action> </keybind>  ## September 16, 2017 This past week artist David Revoy visited the Université Cergy-Pontoise in Paris France to give a Krita training. The university’s teacher, Nicolas Priniotakis, has been using linux and other open source technology such as Blender. This was the first time the students have been exposed to Krita…and the results were a success with the help of David! You can read more about David’s trip and see what was taught during the class from his blog: https://www.davidrevoy.com/article335/krita-digital-painting-courses-at-university-cergy-pontoise ## September 11, 2017 At the moment the appstream-builder in Fedora requires a 48x48px application icon to be included in the AppStream metadata. I’m sure it’s no surprise that 48×48 padded to 64×64 and then interpolated up to 128×128 (for HiDPI screens) looks pretty bad. For Fedora 28 and higher I’m going to raise the minimum icon size to 64×64 which I hope people realize is actually a really low bar. For Fedora 29 I think 128×128 would be a good minimum. From my point of view the best applications in the software center already ship large icons, and the applications with tiny icons are usually of poor quality, buggy, or just unmaintained upstream. I think it’s fine for a software center to do the equivalent of “you must be this high to ride” and if we didn’t keep asking more of upstreams we’d still be in a world with no translations, no release information and no screenshots. Also note, applications don’t have to do this; it’s not like they’re going to fall out of the Fedora — they’re still installable on the CLI using DNF, although I agree this will impact the number of people installing and using a specific application. Comments welcome. ## September 10, 2017 4 days sketching through São Paulo with 250 people from whole Brazil and beyond... ## September 09, 2017 WebDriver is an automation API to control a web browser. It allows to create automated tests for web applications independently of the browser and platform. WebKitGTK+ 2.18, that will be released next week, includes an initial implementation of the WebDriver specification. ## WebDriver in WebKitGTK+ There’s a new process (WebKitWebDriver) that works as the server, processing the clients requests to spawn and control the web browser. The WebKitGTK+ driver is not tied to any specific browser, it can be used with any WebKitGTK+ based browser, but it uses MiniBrowser as the default. The driver uses the same remote controlling protocol used by the remote inspector to communicate and control the web browser instance. The implementation is not complete yet, but it’s enough for what many users need. ## The clients The web application tests are the clients of the WebDriver server. The Selenium project provides APIs for different languages (Java, Python, Ruby, etc.) to write the tests. Python is the only language supported by WebKitGTK+ for now. It’s not yet upstream, but we hope it will be integrated soon. In the meantime you can use our fork in github. Let’s see an example to understand how it works and what we can do. from selenium import webdriver # Create a WebKitGTK driver instance. It spawns WebKitWebDriver # process automatically that will launch MiniBrowser. wkgtk = webdriver.WebKitGTK() # Let's load the WebKitGTK+ website. wkgtk.get("https://www.webkitgtk.org") # Find the GNOME link. gnome = wkgtk.find_element_by_partial_link_text("GNOME") # Click on the link. gnome.click() # Find the search form. search = wkgtk.find_element_by_id("searchform") # Find the first input element in the search form. text_field = search.find_element_by_tag_name("input") # Type epiphany in the search field and submit. text_field.send_keys("epiphany") text_field.submit() # Let's count the links in the contents div to check we got results. contents = wkgtk.find_element_by_class_name("content") links = contents.find_elements_by_tag_name("a") assert len(links) > 0 # Quit the driver. The session is closed so MiniBrowser # will be closed and then WebKitWebDriver process finishes. wkgtk.quit()  Note that this is just an example to show how to write a test and what kind of things you can do, there are better ways to achieve the same results, and it depends on the current source of public websites, so it might not work in the future. ## Web browsers / applications As I said before, WebKitWebDriver process supports any WebKitGTK+ based browser, but that doesn’t mean all browsers can automatically be controlled by automation (that would be scary). WebKitGTK+ 2.18 also provides new API for applications to support automation. • First of all the application has to explicitly enable automation using webkit_web_context_set_automation_allowed(). It’s important to know that the WebKitGTK+ API doesn’t allow to enable automation in several WebKitWebContexts at the same time. The driver will spawn the application when a new session is requested, so the application should enable automation at startup. It’s recommended that applications add a new command line option to enable automation, and only enable it when provided. • After launching the application the driver will request the browser to create a new automation session. The signal “automation-started” will be emitted in the context to notify the application that a new session has been created. If automation is not allowed in the context, the session won’t be created and the signal won’t be emitted either. • A WebKitAutomationSession object is passed as parameter to the “automation-started” signal. This can be used to provide information about the application (name and version) to the driver that will match them with what the client requires accepting or rejecting the session request. • The WebKitAutomationSession will emit the signal “create-web-view” every time the driver needs to create a new web view. The application can then create a new window or tab containing the new web view that should be returned by the signal. This signal will always be emitted even if the browser has already an initial web view open, in that case it’s recommened to return the existing empty web view. • Web views are also automation aware, similar to ephemeral web views, web views that allow automation should be created with the constructor property “is-controlled-by-automation” enabled. This is the new API that applications need to implement to support WebDriver, it’s designed to be as safe as possible, but there are many things that can’t be controlled by WebKitGTK+, so we have several recommendations for applications that want to support automation: • Add a way to enable automation in your application at startup, like a command line option, that is disabled by default. Never allow automation in a normal application instance. • Enabling automation is not the only thing the application should do, so add an automation mode to your application. • Add visual feedback when in automation mode, like changing the theme, the window title or whatever that makes clear that a window or instance of the application is controllable by automation. • Add a message to explain that the window is being controlled by automation and the user is not expected to use it. • Use ephemeral web views in automation mode. • Use a temporal user profile in application mode, do not allow automation to change the history, bookmarks, etc. of an existing user. • Do not load any homepage in automation mode, just keep an empty web view (about:blank) that can be used when a new web view is requested by automation. ## The WebKitGTK client driver Applications need to implement the new automation API to support WebDriver, but the WebKitWebDriver process doesn’t know how to launch the browsers. That information should be provided by the client using the WebKitGTKOptions object. The driver constructor can receive an instance of a WebKitGTKOptions object, with the browser information and other options. Let’s see how it works with an example to launch epiphany: from selenium import webdriver from selenium.webdriver import WebKitGTKOptions options = WebKitGTKOptions() options.browser_executable_path = "/usr/bin/epiphany" options.add_browser_argument("--automation-mode") epiphany = webdriver.WebKitGTK(browser_options=options)  Again, this is just an example, Epiphany doesn’t even support WebDriver yet. Browsers or applications could create their own drivers on top of the WebKitGTK one to make it more convenient to use. from selenium import webdriver epiphany = webdriver.Epiphany()  ## Plans During the next release cycle, we plan to do the following tasks: • Complete the implementation: add support for all commands in the spec and complete the ones that are partially supported now. • Add support for running the WPT WebDriver tests in the WebKit bots. • Add a WebKitGTK driver implementation for other languages in Selenium. • Add support for automation in Epiphany. • Add WebDriver support to WPE/dyz. ## September 05, 2017 Previously: v4.12. Here’s a short summary of some of interesting security things in Sunday’s v4.13 release of the Linux kernel: security documentation ReSTification The kernel has been switching to formatting documentation with ReST, and I noticed that none of the Documentation/security/ tree had been converted yet. I took the opportunity to take a few passes at formatting the existing documentation and, at Jon Corbet’s recommendation, split it up between end-user documentation (which is mainly how to use LSMs) and developer documentation (which is mainly how to use various internal APIs). A bunch of these docs need some updating, so maybe with the improved visibility, they’ll get some extra attention. CONFIG_REFCOUNT_FULL Since Peter Zijlstra implemented the refcount_t API in v4.11, Elena Reshetova (with Hans Liljestrand and David Windsor) has been systematically replacing atomic_t reference counters with refcount_t. As of v4.13, there are now close to 125 conversions with many more to come. However, there were concerns over the performance characteristics of the refcount_t implementation from the maintainers of the net, mm, and block subsystems. In order to assuage these concerns and help the conversion progress continue, I added an “unchecked” refcount_t implementation (identical to the earlier atomic_t implementation) as the default, with the fully checked implementation now available under CONFIG_REFCOUNT_FULL. The plan is that for v4.14 and beyond, the kernel can grow per-architecture implementations of refcount_t that have performance characteristics on par with atomic_t (as done in grsecurity’s PAX_REFCOUNT). CONFIG_FORTIFY_SOURCE Daniel Micay created a version of glibc’s FORTIFY_SOURCE compile-time and run-time protection for finding overflows in the common string (e.g. strcpy, strcmp) and memory (e.g. memcpy, memcmp) functions. The idea is that since the compiler already knows the size of many of the buffer arguments used by these functions, it can already build in checks for buffer overflows. When all the sizes are known at compile time, this can actually allow the compiler to fail the build instead of continuing with a proven overflow. When only some of the sizes are known (e.g. destination size is known at compile-time, but source size is only known at run-time) run-time checks are added to catch any cases where an overflow might happen. Adding this found several places where minor leaks were happening, and Daniel and I chased down fixes for them. One interesting note about this protection is that is only examines the size of the whole object for its size (via __builtin_object_size(..., 0)). If you have a string within a structure, CONFIG_FORTIFY_SOURCE as currently implemented will make sure only that you can’t copy beyond the structure (but therefore, you can still overflow the string within the structure). The next step in enhancing this protection is to switch from 0 (above) to 1, which will use the closest surrounding subobject (e.g. the string). However, there are a lot of cases where the kernel intentionally copies across multiple structure fields, which means more fixes before this higher level can be enabled. NULL-prefixed stack canary Rik van Riel and Daniel Micay changed how the stack canary is defined on 64-bit systems to always make sure that the leading byte is zero. This provides a deterministic defense against overflowing string functions (e.g. strcpy), since they will either stop an overflowing read at the NULL byte, or be unable to write a NULL byte, thereby always triggering the canary check. This does reduce the entropy from 64 bits to 56 bits for overflow cases where NULL bytes can be written (e.g. memcpy), but the trade-off is worth it. (Besdies, x86_64’s canary was 32-bits until recently.) IPC refactoring Partially in support of allowing IPC structure layouts to be randomized by the randstruct plugin, Manfred Spraul and I reorganized the internal layout of how IPC is tracked in the kernel. The resulting allocations are smaller and much easier to deal with, even if I initially missed a few needed container_of() uses. randstruct gcc plugin I ported grsecurity’s clever randstruct gcc plugin to upstream. This plugin allows structure layouts to be randomized on a per-build basis, providing a probabilistic defense against attacks that need to know the location of sensitive structure fields in kernel memory (which is most attacks). By moving things around in this fashion, attackers need to perform much more work to determine the resulting layout before they can mount a reliable attack. Unfortunately, due to the timing of the development cycle, only the “manual” mode of randstruct landed in upstream (i.e. marking structures with __randomize_layout). v4.14 will also have the automatic mode enabled, which randomizes all structures that contain only function pointers. A large number of fixes to support randstruct have been landing from v4.10 through v4.13, most of which were already identified and fixed by grsecurity, but many were novel, either in newly added drivers, as whitelisted cross-structure casts, refactorings (like IPC noted above), or in a corner case on ARM found during upstream testing. lower ELF_ET_DYN_BASE One of the issues identified from the Stack Clash set of vulnerabilities was that it was possible to collide stack memory with the highest portion of a PIE program’s text memory since the default ELF_ET_DYN_BASE (the lowest possible random position of a PIE executable in memory) was already so high in the memory layout (specifically, 2/3rds of the way through the address space). Fixing this required teaching the ELF loader how to load interpreters as shared objects in the mmap region instead of as a PIE executable (to avoid potentially colliding with the binary it was loading). As a result, the PIE default could be moved down to ET_EXEC (0x400000) on 32-bit, entirely avoiding the subset of Stack Clash attacks. 64-bit could be moved to just above the 32-bit address space (0x100000000), leaving the entire 32-bit region open for VMs to do 32-bit addressing, but late in the cycle it was discovered that Address Sanitizer couldn’t handle it moving. With most of the Stack Clash risk only applicable to 32-bit, fixing 64-bit has been deferred until there is a way to teach Address Sanitizer how to load itself as a shared object instead of as a PIE binary. early device randomness I noticed that early device randomness wasn’t actually getting added to the kernel entropy pools, so I fixed that to improve the effectiveness of the latent_entropy gcc plugin. That’s it for now; please let me know if I missed anything. As a side note, I was rather alarmed to discover that due to all my trivial ReSTification formatting, and tiny FORTIFY_SOURCE and randstruct fixes, I made it into the most active 4.13 developers list (by patch count) at LWN with 76 patches: a whopping 0.6% of the cycle’s patches. ;) Anyway, the v4.14 merge window is open! © 2017, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License. ## September 04, 2017 My new book is now shipping! And it's being launched via a terrific Humble Bundle of books on electronics, making, Raspberry Pi and Arduino. Humble Bundles, if you haven't encountered them before, let you pay what you want for a bundle of books on related subjects. The books are available in ePub, Mobi, and PDF formats, without DRM, so you can read them on your choice of device. If you pay above a certain amount, they add additional books. My book is available if you pay$15 or more.

You can also designate some of the money you pay for charity. In this case the charity is Maker Ed, a crowdfunding initiative that supports Maker programs primarily targeted toward kids in schools. (I don't know any more about them than that; check out their website for more information.)

Jumpstarting the Raspberry Pi Zero W is a short book, with only 103 pages in four chapters:

1. Getting Started: includes tips on headless setup and the Linux command line;
2. Blink an LED: includes ways to blink and fade LEDs from the shell and from several different Python libraries;
3. A Temperature Notifier and Fan Control: code and wiring instructions for three different temperature sensors (plus humidity and barometric pressure), and a way to use them to control your house fan or air conditioner, either according to the temperature in the room or through a Twitter command;
4. A Wearable News Alert Light Show: wire up NeoPixels or DotStars and make them respond to keywords on Twitter or on any other web page you choose, plus some information on powering a Pi portably with batteries.

All the code and wiring diagrams from the book, plus a few extras, are available on Github, at my Raspberry Pi Zero Book code repository.

To see the book bundle, go to the Electronics & Programming Humble Bundle and check out the selections. My book, Jumpstarting the Raspberry Pi Zero W, is available if you pay $15 or more -- along with tons of other books you'll probably also want. I already have Make: Electronics and it's one of the best introductory electronics books I've seen, so I'm looking forward to seeing the followup volume. Plus there are books on atmospheric and environmental monitoring, a three-volume electronic components encyclopedia, books on wearable electronics and drones and other cool stuff. I know this sounds like a commercial, but this bundle really does look like a great deal, whether or not you specifically want my Pi book, and it's a limited-time offer, only good for six more days. ### Could you tell us something about yourself? Hi there, I’m Miri. I’ve been drawing ever since I could pick up a pencil and switched to digital in the past 3 or so years, currently enrolled in college to grind out credits and hopefully become an animator. ### Do you paint professionally, as a hobby artist, or both? At this moment in time I’m just a hobbyist who does volunteer work for the Smite Community Magazine, but I’d love to be a professional someday. ### What genre(s) do you work in? Mainly fantasy and mythology gods and gaming fanart, I really love drawing characters. ### Whose work inspires you most — who are your role models as an artist? Oh man, I really love Araki Hirohiko’s figure style, the way he draws poses is just fascinating and what really kickstarted my interest in drawing people. Jaguddada on DeviantArt is absolutely hands down my favorite digital painter, the way he handles colors and how his digital paint strokes look like oil on canvas just fascinates me, I’d love to learn color theory and his painting skills one day. Baby steps! ### How and when did you get to try digital painting for the first time? I think it was in 2014 with Paint Tool Sai, I had interest in making fanart of some band I was into, it was rough and blocky and simple, but really fun. ### What makes you choose digital over traditional painting? The ability to just erase mistakes like they never even happened, and being able to redline things without it smudging, just having so many ways to fix mistakes like they weren’t even there to begin with, and the non-messy cleanup when you’re finished drawing. No pencils littered everywhere or shavings, no drying out markers to replace, etc. ### How did you find out about Krita? I made the switch to Linux in early 2016, finding out that Sai and CS6 wouldn’t be available unless I used WINE to emulate them, I just started looking for a free software that fit my taste. GIMP was okay, but it had a few quirks I couldn’t really iron out, and it was a bit simple for me. I think I found out about Krita through an art thread on some imageboard for taking requests, tried it out, it ran like a smoother SAI and I haven’t looked back. ### What was your first impression? I was like “Wow, this is a lot to take in and learn.” I’m still trying to figure out everything! There’s so many buttons I’m still unsure on what they do, I am just a simpleton! ### What do you love about Krita? I really love how it’s Linux friendly, and how it’s like a great replacement for Sai, like, I can actually make cool things in it without too much effort, and then there’s even levels further that I haven’t even explored yet that will probably even improve my stuff even more in the future. Also the opacity slider right above layers? Found that the first time I opened it, and it’s been my best friend ever since, took me a while on other programs to figure out what that bar did. ### What do you think needs improvement in Krita? Is there anything that really annoys you? There was one bug in the past when I used my left handed script that it would reset the pen size and opacity and brush type once you flipped it over from using the eraser, and it was my burden. Also the unexpected crashes. But the bug got fixed so I finally got to update my Krita again and that was a very good day. Also, not sure if it exists and I just haven’t found it yet, but Sai had a clipping tool that made it so you could clip layers to other layers so if you colored out of one of the layers it wouldn’t bleed to the rest of the drawing, that’s something I’ve googled but haven’t found the answer to yet, but it would be a godsend to find. ### What sets Krita apart from the other tools that you use? Free Software and Linux compatible. Cannot stress it enough. Linux support is a dealmaker and the fact I don’t have to pay out of pocket for a program that works just as good if not even better than the paid ones is really awesome. ### If you had to pick one favourite of all your work done in Krita so far, what would it be, and why? Every new piece beomes my favorite for a certain time, until I start pointing out flaws in it, and then go back to an older piece. I’m really into my Ra + Thoth piece, though, just because of the details and shading coming out so nice, not to mention a background I was really pleased with. ### What techniques and brushes did you use in it? Oh god it’s been so long, I believe I used the paint settings marker brush with it’s slight opacity for shading, one of the square brushes under blending for lighting, and the pencil tool from Deevad’s set for outlining. I’m really obsessed with the paint set of default pens for the basics. ### Where can people see more of your work? Deviantart: Pluuck Twitter: Hikkikomiri (Or if you like MOBAs, check out the latest SMITE community gaming magazine!) ### Anything else you’d like to share? Honestly, never give up. Accept critique but don’t let it eat you away to make you fear picking up a pen again. What may be something you find a struggle, may be even harder for someone else. Be unique, be creative, and always keep improving. ## September 03, 2017 Dear Lazyweb, I need your help. Does anyone have a newish server system (it’s not going to work on Laptops) that has any output from sudo dmidecode | grep "DMI type 42"? If you do, can you tar up the contents of /sys/firmware/dmi/tables and send it to me via email. If I can get this code working then I’ll have another more exciting blog post coming up. Thanks! ## August 31, 2017 Time for our monthly development report, explaining a bit of what I did this month. Thanks again to everybody who help me on Patreon, each month we're getting higher! If you don't know about it yet, you can help me to spend more time working on FreeCAD by href="https://www.patreon.com/yorikvanhavre">sponsoring me with any amount you want... ## August 30, 2017 A long time ago there was a post about why we don't have a Windows port. While I still stand by what I wrote six years ago, the times they are a changing. Then two years ago there was yet another post regarding Windows. The gist of it was that the real blocker for a Windows release isn't so much a technical one but the lack of a person (or several) dedicated to maintaining it. Not just for the moment until all the patches got merged but for the foreseeable future. Then Peter Budai came along. Like some people before he managed to compile darktable on Windows and offered us the patches he had to do, but other than what we had seen before he stuck around, helped fix bugs and was open to suggestions how to solve things in a better way. Eventually we became confident that the lack of Windows maintainership might be solved. To cut a long story short, we are extremely pleased – albeit wary – to announce a very first official pre-alpha development snapshot for 64 bit Windows. We know it's still buggy, but as a sign of goodwill and request for help in testing it we would like to ask you to give it a try. Please report useful bugs in our bug tracker. You can find the link to the binary on the pixls.us forum (a great place btw., you should check it out). I got myself stuck yesterday with GRUB running from an ext4 /boot/grub, but with /boot inside my LUKS LVM root partition, which meant GRUB couldn’t load the initramfs and kernel. Luckily, it turns out that GRUB does know how to mount LUKS volumes (and LVM volumes), but all the instructions I could find talk about setting this up ahead of time (“Add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub“), rather than what the correct manual GRUB commands are to get things running on a failed boot. These are my notes on that, in case I ever need to do this again, since there was one specific gotcha with using GRUB’s cryptomount command (noted below). Available devices were the raw disk (hd0), the /boot/grub partition (hd0,msdos1), and the LUKS volume (hd0,msdos5): grub> ls (hd0) (hd0,msdos1) (hd0,msdos5)  Used cryptomount to open the LUKS volume (but without ()s! It says it works if you use parens, but then you can’t use the resulting (crypto0)): grub> insmod luks grub> cryptomount hd0,msdos5 Enter password... Slot 0 opened.  Then you can load LVM and it’ll see inside the LUKS volume: grub> insmod lvm grub> ls (crypto0) (hd0) (hd0,msdos1) (hd0,msdos5) (lvm/rootvg-rootlv)  And then I could boot normally: grub> configfile$prefix/grub.cfg


After booting, I added GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub and ran update-grub. I could boot normally after that, though I’d be prompted twice for the LUKS passphrase (once by GRUB, then again by the initramfs).

To avoid this, it’s possible to add a second LUKS passphrase, contained in a file in the initramfs, as described here and works for Ubuntu and Debian too. The quick summary is:

Create the keyfile and add it to LUKS:

# dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
# chmod 0400 /crypto_keyfile.bin


Adjust the /etc/crypttab to include passing the file via /bin/cat:

sda5_crypt UUID=4aa5da72-8da6-11e7-8ac9-001cc008534d /crypto_keyfile.bin luks,keyscript=/bin/cat


Add an initramfs hook to copy the key file into the initramfs, keep non-root users from being able to read your initramfs, and trigger a rebuild:

# cat > /etc/initramfs-tools/hooks/crypto_keyfile <<EOF
#!/bin/bash
if [ "$1" = "prereqs" ] ; then cp /crypto_keyfile.bin "${DESTDIR}"
fi
EOF
# chmod a+x /etc/initramfs-tools/hooks/crypto_keyfile
# chmod 0700 /boot
# update-initramfs -u


This has the downside of leaving a LUKS passphrase “in the clear” while you’re booted, but if someone has root, they can just get your dm-crypt encryption key directly anyway:

# dmsetup table --showkeys sda5_crypt
0 155797496 crypt aes-cbc-essiv:sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 8:5 2056


And of course if you’re worried about Evil Maid attacks, you’ll need a real static root of trust instead of doing full disk encryption passphrase prompting from an unverified /boot partition. :)

## August 28, 2017

Really enjoyed this year’s GUADEC. Thanks everyone for coming and the local team for pulling off a perfectly organized conference.

GUADEC 2017 Manchester from jimmac on Vimeo.

Check out a few photos too.

My first total eclipse! The suspense had been building for years.

Dave and I were in Wyoming. We'd made a hotel reservation nine months ago, by which time we were already too late to book a room in the zone of totality and settled for Laramie, a few hours' drive from the centerline.

For visual observing, I had my little portable 80mm refractor. But photography was more complicated. I'd promised myself that for my first (and possibly only) total eclipse, I wasn't going to miss the experience because I was spending too much time fiddling with cameras. But I couldn't talk myself into not trying any photography at all.

Initially, my plan was to use my 90mm Mak as a 500mm camera lens. It had worked okay for the the 2012 Venus transit.

I spent several weeks before the eclipse in a flurry of creation, making a couple of solar finders, a barn-door mount, and then wrestling with motorizing the barn-door (which was a failure because I couldn't find a place to buy decent gears for the motor. I'm still working on that and will eventually write it up). I wrote up a plan: what equipment I would use when, a series of progressive exposures for totality, and so forth.

And then, a couple of days before we were due to leave, I figured I should test my rig -- and discovered that it was basically impossible to focus on the sun. For the Venus transit, the sun wasn't that high in the sky, so I focused through the viewfinder. But for the total eclipse, the sun would be almost overhead, and the viewfinder nearly impossible to see. So I had planned to point the Mak at a distant hillside, focus it, then slip the filter on and point it up to the sun. It turned out the focal point was completely different through the filter.

With only a couple of days left to go, I revised my plan. The Mak is difficult to focus under any circumstances. I decided not to use it, and to stick to my Canon 55-250mm zoom telephoto, with the camera on a normal tripod. I'd skip the partial eclipse (I've photographed those before anyway) and concentrate on getting a few shots of the diamond ring and the corona, running through a range of exposures without needing to look at the camera screen or do any refocusing. And since I wasn't going to be usinga telescope, my nifty solar finders wouldn't work; I designed a new one out of popsicle sticks to fit in the camera's hot shoe.

### Getting there

We stayed with relatives in Colorado Saturday night, then drove to Laramie Sunday. I'd heard horror stories of hotels canceling people's longstanding eclipse reservations, but fortunately our hotel honored our reservation. WHEW! Monday morning, we left the hotel at 6am in case we hit terrible traffic. There was already plenty of traffic on the highway north to Casper, but we turned east hoping for fewer crowds. A roadsign sign said "NO PARKING ON HIGHWAY." They'd better not try to enforce that in the totality zone!

When we got to I-25 it was moving and, oddly enough, not particularly crowded. Glendo Reservoir had looked on the map like a nice spot on the centerline ... but it was also a state park, so there was a risk that everyone else would want to go there. Sure enough: although traffic was moving on I-25 at Wheatland, a few miles north the freeway came to a screeching halt. We backtracked and headed east toward Guernsey, where several highways went north toward the centerline.

East of Glendo, there were crowds at every highway pullout and rest stop. As we turned onto 270 and started north, I kept an eye on OsmAnd on my phone, where I'd loaded a GPX file of the eclipse path. When we were within a mile of the centerline, we stopped at a likely looking pullout. It was maybe 9 am. A cool wind was blowing -- very pleasant since we were expecting a hot day -- and we got acquainted with our fellow eclipse watchers as we waited for first contact.

Our pullout was also the beginning of a driveway to a farmhouse we could see in the distance. Periodically people pulled up, looking lost, checked maps or GPS, then headed down the road to the farm. Apparently the owners had advertised it as an eclipse spot -- pay 35, and you can see the eclipse and have access to a restroom too! But apparently the old farmhouse's plumbing failed early on, and some of the people who'd paid came out to the road to watch with us since we had better equipment set up. There's not much to say about the partial eclipse. We all traded views -- there were five or six scopes at our pullout, including a nice little H-alpha scope. I snapped an occasional photo through the 80mm with my pocket camera held to the eyepiece, or with the DSLR through an eyepiece projection adapter. Oddly, the DSLR photos came out worse than the pocket cam ones. I guess I should try and debug that at some point. Shortly before totality, I set up the DSLR on the tripod, focused on a distant hillside and taped the focus with duct tape, plugged in the shutter remote, checked the settings in Manual mode, then set the camera to Program mode and AEB (auto exposure bracketing). I put the lens cap back on and pointed the camera toward the sun using the popsicle-stick solar finder. I also set a countdown timer, so I could press START when totality began and it would beep to warn me when it was time to the sun to come back out. It was getting chilly by then, with the sun down to a sliver, and we put on sweaters. The pair of eclipse veterans at our pullout had told everybody to watch for the moon's shadow racing toward us across the hills from the west. But I didn't see the racing shadow, nor any shadow bands. And then Venus and Mercury appeared and the sun went away. ### Totality One thing the photos don't prepare you for is the color of the sky. I expected it would look like twilight, maybe a little darker; but it was an eerie, beautiful medium slate blue. With that unworldly solar corona in the middle of it, and Venus gleaming as bright as you've ever seen it, and Mercury shining bright on the other side. There weren't many stars. We didn't see birds doing anything unusual; as far as I can tell, there are no birds in this part of Wyoming. But the cows did all get in a line and start walking somewhere. Or so Dave tells me. I wasn't looking at the cows. Amazingly, I remembered to start my timer and to pull off the DSLR's lens cap as I pushed the shutter button for the diamond-ring shots without taking my eyes off the spectacle high above. I turned the camera off and back on (to cancel AEB), switched to M mode, and snapped a photo while I scuttled over to the telescope, pulled the filter off and took a look at the corona in the wide-field eyepiece. So beautiful! Binoculars, telescope, naked eye -- I don't know which view was best. I went through my exposure sequence on the camera, turning the dial a couple of clicks each time without looking at the settings, keeping my eyes on the sky or the telescope eyepiece. But at some point I happened to glance at the viewfinder -- and discovered that the sun was drifting out of the frame. Adjusting the tripod to get it back in the frame took longer than I wanted, but I got it there and got my eyes back on the sun as I snapped another photo ... and my timer beeped. I must have set it wrong! It couldn't possibly have been two and a half minutes. It had been 30, 45 seconds tops. But I nudged the telescope away from the sun, and looked back up -- to another diamond ring. Totality really was ending and it was time to stop looking. ### Getting Out The trip back to Golden, where we were staying with a relative, was hellish. We packed up immediately after totality -- we figured we'd seen partials before, and maybe everybody else would stay. No such luck. By the time we got all the equipment packed there was already a steady stream of cars heading south on 270. A few miles north of Guernsey the traffic came to a stop. This was to be the theme of the afternoon. Every small town in Wyoming has a stop sign or signal, and that caused backups for miles in both directions. We headed east, away from Denver, to take rural roads down through eastern Wyoming and Colorado rather than I-25, but even so, we hit small-town stop sign backups every five or ten miles. We'd brought the Rav4 partly for this reason. I kept my eyes glued on OsmAnd and we took dirt roads when we could, skirting the paved highways -- but mostly there weren't any dirt roads going where we needed to go. It took about 7 hours to get back to Golden, about twice as long as it should have taken. And we should probably count ourselves lucky -- I've heard from other people who took 11 hours to get to Denver via other routes. ### Lessons Learned Dave is fond of the quote, "No battle plan survives contact with the enemy" (which turns out to be from Prussian military strategist Helmuth von Moltke the Elder). The enemy, in this case, isn't the eclipse; it's time. Two and a half minutes sounds like a lot, but it goes by like nothing. Even in my drastically scaled-down plan, I had intended exposures from 1/2000 to 2 seconds (at f/5.6 and ISO 400). In practice, I only made it to 1/320 because of fiddling with the tripod. And that's okay. I'm thrilled with the photos I got, and definitely wouldn't have traded any eyeball time for more photos. I'm more annoyed that the tripod fiddling time made me miss a little bit of extra looking. My script actually worked out better than I expected, and I was very glad I'd done the preparation I had. The script was reasonable, the solar finders worked really well, and the lens was even in focus for the totality shots. Then there's the eclipse itself. I've read so many articles about solar eclipses as a mystical, religious experience. It wasn't, for me. It was just an eerily beautiful, other-worldly spectacle: that ring of cold fire staring down from the slate blue sky, bright planets but no stars, everything strange, like nothing I'd ever seen. Photos don't get across what it's like to be standing there under that weird thing in the sky. I'm not going to drop everything to become a globe-trotting eclipse chaser ... but I sure hope I get to see another one some day. ## August 26, 2017 We’ve created a special version of Krita 4.0 pre-alpha for Windows users to test. This version contains two big new features that should solve the biggest problems Krita has on the Windows platform: • Support for ANGLE. This is really technical, but basically, ANGLE is a technology that presents an OpenGL API but lets Direct3D do the work. On Windows, many OpenGL drivers are very buggy, and that could lead to crashes, black or blank screens. It’s the most-hated issue we have, and it is not even a bug in Krita! If you’re a Windows user and had to disable OpenGL in the Configure Krita dialog, then you should test this build! • Support for Windows Ink/Windows 8 Pointer Events. That’s to say, native support for the n-trig pen technology in Microsoft’s Surface line of products — also used by Asus, Dell and HP in their convertibles that can use a pen. Note: that this is a build from our development branch. It has got all kinds of nifty, but highly unstable features, like scripting, saving in the background, svg graphics… If you load a Krita 3.x file with vector layers and save it with this version of Krita, you will NOT be able to open it in your regular, stable Krita. This build is purely experimental! Do NOT use it for real work. DO help us with testing! ### Test Instructions for Angle • Open the survey in your browser: https://goo.gl/forms/vYxPMbqGyVhPCc2q2 • Download the test build and debug symbols • Open the first zipfile in Windows Explorer, and drag the krita_4.0-prealpha_angle_ink-1-x64 folder to your desktop • Open the second zipfile in Windows Explorer and drag the bin, lib and share folders into the krita_4.0-prealpha_angle_ink-1-x64 folder on your desktop. • With Windows Explorer, navigate into the krita_4.0-prealpha_angle_ink-1-x64 folder on your desktop • Start Krita by double-clicking on the krita link or on the bin\krita.exe file • You will now be given a choice: • Please first choose Test Desktop OpenGL. Create a new image and try to draw for a bit. Fill in the results in the survey: whether you experienced a crash or not. • Next, restart Krita and choose Test ANGLE. Create a new image and draw for a bit. Fill in the results in the survey. NOTE: You won’t be able to enable/disable OpenGL/Angle in Krita’s Settings/Configure Krita/Display settings dialog; it will be forced enabled for this test. ### Test Instructions for Windows Ink/Windows Pointer API This is only relevant for Windows 8 and 10: Windows 7 does not support this API (and Krita does not support Windows 95, 98, XP or Vista). You should be using a Surface Pro with a pen or another convertible that uses Microsoft’s n-trig pen technology. It does not matter whether you have the wintab driver installed. • Open the survey in your browser: https://goo.gl/forms/N5Exyx8aKSOeAUmu2 • If you haven’t performed the previous test for Angle, download the test build and debug symbols • Open the first zipfile in Windows Explorer, and drag the krita_4.0-prealpha_angle_ink-1-x64 folder to your desktop • Open the second zipfile in Windows Explorer and drag the bin, lib and share folders into the krita_4.0-prealpha_angle_ink-1-x64 folder on your desktop. • With Windows Explorer, navigate into the krita_4.0-prealpha_angle_ink-1-x64 folder on your desktop • Start Krita by double-clicking on the krita link or on the bin\krita.exe file • Press either Test Desktop OpenGL or Test ANGLE when you see the dialog discussed above: this does not matter • Go to Settings/Configure Krita/Tablet and check the experimental pointer api/windows ink support checkbox: • Close Krita and start Krita again • Create a new document and draw with the default brush. Check whether pressure gives a variation in size and opacity. Note your findings in the survey: https://goo.gl/forms/5TSCWNZvvjN5SVoq1 ### Thanks! Thanks for helping to test this important new features. ## August 25, 2017 I am pleased to announce a new release 0.7.2 of Entangle is available for download from the usual location:  http://entangle-photo.org/download/  The this is mostly a bug fix release, but there was a little internal refactoring work to prepare for future support of timelapse / animation video display and possible webcam support. • Requires Gtk >= 3.10.0 • Fix some introspection annotations • Use GdkSeat APIs if available • Use GtkOverlay and GtkRevealer in preference to custom widgets • Refactoring to prepare to support display of video files • Draw symbolic icons for video/image files while waiting for thumbnails to load • Ensure session highlight has a min 1 pixel visible border • Ensure session browser scrolls fully to right • Check for Adwaita icon theme which now includes symbolic icons • Remove left over check for DBus GLib • Remove use of deprecated GDK monitor functions • Remove use of deprecated GTK API for loading URIs • Fix handling of motion-notify event that broke client side window dragging • Fix warning when setting size of settings viewport • Update bug reporting address • Turn off over-zealous compiler warning about loop optimizations • Add ability to enter IP address of network camera • Fix URI pattern used to locate gphoto gvfs mounts • Add example plugin for bracketing photos of a total eclipse Krita 3.2.1 is a bug fix release. The following issues were fixed: • Crash on startup if only OpenGL 2.1 is found: if you had to disable opengl for 3.2.0, you can try to enable it again • A crash when changing layer types in the gmic-qt plugin • A bug where gmic-qt could crash on odd-sized images • A regression where using the text tool would break the brush tool • The option to use the native platform’s file dialogs was restored • A bug where selecting the line tool would disable the flow slider • Some issues with the LUT docker were fixed ### Download #### Windows Note for Windows users: if you encounter crashes, please follow these instructions to use the debug symbols so we can figure out where Krita crashes. #### Linux (If, for some reason, Firefox thinks it needs to load this as text: to download, right-click on the link.) When it is updated, you can also use the Krita Lime PPA to install Krita 3.2.1 on Ubuntu and derivatives. #### OSX Note: the gmic-qt and pdf plugins is not available on OSX. ### Source code #### md5sums For all downloads: #### Key The Linux appimage and the source tarball are signed. You can retrieve the public key over https here: 0x58b9596c722ea3bd.asc . The signatures are here. #### Support Krita Krita is a free and open source project. Please consider supporting the project with donations or by buying training videos or the artbook! With your support, we can keep the core team working on Krita full-time. The Google Summer of Code is nearly at an end. One of our students, Alexey Kapustin, has made a Windows build of his work. Alexey has created a version of Krita that helps us figure out how people actually use Krita by aggregating anonymous data on how often Krita is started, how long it’s used, which tools are used, which options and filters are most popular and so on. Of course, this is still an experimental version: if it becomes part of the regular release it will be opt-in, not opt-out. Within the KDE community we have created a policy for this kind of thing: https://community.kde.org/Policies/Telemetry_Policy . If you want to help Alexey and are a Windows user, please download his special version of Krita 4.0 pre-alpha and play with it. There’s still a lot of work to do, of course, but first we need testers! https://files.kde.org/krita/4/windows/krita-4.0.0-prealpha-telemetry2.zip ## August 24, 2017 In 2010, during a developer sprint in Deventer, the Krita team sat down together with Peter Sikking to hammer out a vision statement for the project. Our old goal, be KDE’s Gimp/Photoshop, didn’t reflect what we really wanted to do. Here are some documents describing the creation of Krita’s vision: Creating the vision took a lot of good, hard work, and this was the result (you need to read this as three paragraphs, givings answers to “what is it”, “for whom is it” and “what’s the value”): Krita is a KDE program for sketching and painting, offering an end–to–end solution for creating digital painting files from scratch by masters. Fields of painting that Krita explicitly supports are concept art, creation of comics and textures for rendering. Modeled on existing real-world painting materials and workflows, Krita supports creative working by getting out of the way and with a snappy response. Seven years later, this needed updating. We’ve added new fields that Krita supports, such as animation, and real-world painting materials and workflows — that never really materialized because as soon as we sat down with real-world artists, we learned that they couldn’t care less: they cared about being productive. So, after discussion on the mailing list and during our weekly meetings, we modified the vision document: Krita is a free and open source cross-platform application that offers an end-to-end solution for creating digital art files from scratch. Krita is optimized for frequent, prolonged and focused use. Explicitly supported fields of painting are illustrations, concept art, matte painting, textures, comics and animations. Developed together with users, Krita is an application that supports their actual needs and workflow. Krita supports open standards and interoperates with other applications. Let’s go through the changes. We now mention “free and open source” instead of KDE because with expansion of Krita on Windows and OSX, we now have many users who do not know that KDE stands for Free Software that respects your privacy and the way you want to work. We considered “Free Software” instead, but this is really a moment where we need to make clear that “free software” is not “software for free”. We still mention “files” explicitly; we’ve never really been interested in what you do with those files, but, for instance, printing from Krita just doesn’t have any priority for us. Krita is for creating your artwork, not for publishing it. We replaced the “for masters” with “frequent, prolonged and focused use”. The meaning is the same: to get the most out of Krita you have to really use it. Krita is not for casually adding scribbles to a screenshot. But the “for masters” often made people wonder whether Krita could be used by beginning artists. The answer is of course “yes” — but you’ll have to master an application with thousands of possibilities. In the second paragraph, we’ve added animations and matte painting. Animation was introduced for the third time in 2016; it’s clearly something a lot of people love to do. Matte painting gets close to photo manipulation, which isn’t in our vision, but focused on creating a new artwork. We’ve always felt that Krita could be used for that, as well. Note: no 3d, no webpage design, no product design, no wedding albums, no poster or other print design. Finally, the last paragraph got almost completely rewritten. Gone is real-world materials as an inspiration, and in are our users as inspiration: we won’t let you dictate what Krita can do, or how Krita lets you do stuff, UX design isn’t something that can be created by voting. But we do listen, and for the past years we’ve let you vote for which features you would find most useful, while still keeping the direction of Krita as a whole in our hands. But we want to create an application that lets you get stuff done. We removed the “snappy” response, since that’s pretty much a given. We’re not going to try to create an application that’s ponderous or works against you all the way. Finally, we do care about interoperability and standards, and have spent countless hours of work on improving that, so we felt it needed to be said. ## August 23, 2017 After more than a year of hard work we are excited to release GIMP 2.9.6 featuring many improvements, some new features, translation updates for 23 languages, and 204 bug fixes. As usual, for a complete list of changes please see NEWS. Here we’d like to focus on the most important changes. ## Performance¶ GIMP now has support for experimental multi-threading in GEGL and will try to use as many cores as are available on your computer. We know GIMP can explode when using more than one core, but we keep it that way so that we get as many bug reports as possible for this officially unstable development version. This is because we really, really want to ship GIMP 2.10 with usable parallel processing. On the other hand, you can always set the amount of cores to 1 if you couldn’t be bothered to report bugs. For that, please tweak the amount of threads on the System Resources page of the Preferences dialog. ## GUI, Usability, and Configurability¶ Benoit Touchette improved mask creation workflow for users who use a ton of masks in their projects. Now GIMP remembers the last type of mask initialization, and you can use key modifiers + mouse click on layer previews to create, apply, or remove masks. There’s a new button in the Layers dockable dialog for that as well. To make that feature possible, Michael Natterer introduced saving of last dialogs’ settings across sessions and made these defaults configurable via the new Interface / Dialog Defaults page in the Preferences dialog. Additionally, the Preferences dialog got a vertical scrollbar where applicable to keep its height more sensible, and settings on individual pages of the dialog can be reset separately now. The Quit dialog got a few updates: automatically exiting when all the images in the list have been saved, and a Save As button for every opened image (clicking an image in the list will raise it easy checks). Yet another new feature is an option (on the screenshot above) to choose fill color or pattern for empty spaces after resizing the canvas. ## Better Hi-DPI Support¶ While most changes for better Hi-DPI displays support are planned for v3.0, when GIMP is expected to be based on either GTK+3 or GTK+4, we were able to remove at least some of the friction by introducing icon sizes at different resolutions and a switch for icon sizes on the Icon Theme page of the Preferences dialog. ## On-canvas Interaction Changes¶ Michael Natterer did a huge under-the-hood work that is likely to affect user interaction with GIMP bigly. Simply put, he moved a lot of on-canvas code from tools like Rectangle Select, Measure and Path into reusable code. The effect of that is multifold: • New tools can reuse on-canvas elements of other tools (adding shape drawing tools should be easier now, although we are not planning that for 2.10, unless someone sends a clean patch). • GEGL-based filters can be interacted with directly on the canvas (Spiral and Supernova so far as test case). So far one still needs to write C code to make a GEGL-based filter use on-canvas interaction. We expect to spend some time figuring out a way to simplify this, possibly using the GUM language (see below). ## Layers, Linear and Perceptual Workflows¶ Since we want to make workflows in linear color spaces more prominent in GIMP, it was time to update the blend modes code. You can now switch between two sets of layer modes: legacy (perceptual) and default (linear). The user interface for switching was a quick design, we’d like to come up with something better, so we are interested in your input. Moreover, we made both compositing of layers and blending color space configurable, should you have the need to use that for advanced image manipulation. We also added a new Colors -> Linear Invert command to provide radiometrically correct color inversion. And the histogram dialog now features a toggle between gamma and linear modes—again, it’s a design we’d like to improve. Thanks to Øyvind Kolås and his Patreon supporters, GIMP now also has a simple ‘blendfun’ framework that greatly simplifies implementing new color modes. Ell made use of that by adding Linear Burn, Vivid Light, Linear Light, Pin Light, Hard Mix, Exclusion, Merge, Split, and Luminance (RGB) blending modes (most of them now also supported in the PSD plug-in). Another prominent change is the introduction of the Pass Through mode for layer groups. When this mode is used instead of any other one, GIMP mixes layers inside that group directly to the layers below, skipping creation of the group projection. The feature was implemented by Ell. The screenshot below features a user-submitted PSD file that has TEXTURES layer group in the Pass Through mode, as opened in GIMP 2.9.4 (left) and GIMP 2.9.6 (right). Newly added color tags simplify managing large projects with a lot of layers and layer groups. The screenshot below is a real-life PSD file opened in GIMP 2.9.6. To make more use of that feature, we need someone to step up and implement multiple layers selection. For an initial research, see this wiki page. For full access to all the new features, we updated the Layer Attributes dialog to provide the single UI for setting layer’s name, blending mode, opacity, and offset, toggling visibility, link status, various locks, color tags. ## CIELCH and CIELAB¶ Under the influence of Elle Stone (and with her code contributions), CIE LCH and CIE LAB color spaces are finding more use in GIMP now. Color dialogs now have an LCH color selector that, in due time, will most likely replace outdated HSV selector for reasons outlined by Elle in this article. The LCH selector also supports gamut checking. A new Hue-Chroma filter in the Colors menu works much like Hue-Saturation, but operates in CIE LCH color space. Moreover, the Fuzzy Select and the Bucket Fill tool now can select colors by CIE L, C, and H. Finally, both the Color Picker and the Sample Points dialog now display pixel values in CIE LAB and CIE LCH. ## Tools¶ New Handle Transform tool contributed by Johannes Matschke in 2015 has been finally cleaned up by Michael Natterer and available by default. It’s a little tricky to get used to, but we hear reports that once you get the hang of it, you love it. Thanks to Ell, the Warp Transform tool is now a lot faster, partially thanks to a switch that toggles high-quality preview that isn’t always necessary. All transformation tools don’t display grid by default anymore, and during an interactive transformation the original layer gets hidden now. The latter greatly simplifies transforming upper layer in relation to a lower layer. Before that, the original layer used to block the view. Free Select tool now waits for Enter being pressed to confirm selection, which enables you to tweak positions of polygonal selection. ## Painting¶ An important new feature that is somewhat easy to overlook is being able to paint on transparent layers with modes other than normal. Thanks to shark0r, the Smudge tool now has a Flow control that allows mixing in both constant and gradient color while smudging. There’s another new option to never decrease alpha of existing pixels while smudging in the tools options now as well. For more on this, please read this forum thread. Canvas rotation has been improved: it got snappier in certain cases, and rulers, scrollbars, as well as the Navigation dialog follow the rotation now. Alexia introduced some improvements to the brush engine. For bitmap brushes, GIMP now caches hardness and disables dynamic change of hardness to improve painting performance. Bitmap brushes also don’t get clipped anymore, when hardness is less than 100. Plus there’s a specialized convolution algorithm for the hardness blur to make it faster now. ## Processing Raw Images¶ Since 2.9.4, GIMP is capable of opening raw (digital camera) images via darktable, and the plan was to open it up to more plug-in developers, because nothing sparks a thoughtful, civil conversation like a raw processor of choice. This is now possible: 2.9.6 ships with a RawTherapee plug-in (v5.2 or newer should be installed) and a new file-raw-placeholder plug-in that registers itself for loading all raw formats, but does nothing except returning an error message pointing to darktable and RawTherapee, if neither is installed. Moreover, you can now choose preferred raw plug-in, when multiple options are available on your computer. For this, open the Preferences dialog and go to the Image Import page, then click on the plug-in you prefer and click OK to confirm your choice. You will need to restart GIMP. ## Better PSD Support¶ The PSD plug-in now supports a wider range of blending modes for layers, at both importing and exporting: Linear Burn, Linear Light, Vivid Light, Pin Light, and Hard Mix blending modes. It also finally supports exporting layer groups and reads/writes the Pass Through mode in those. Additionally, GIMP now imports and exports color tags from/to PSD files. ## WebP support¶ We already shipped GIMP 2.9.2 with initial support for opening and exporting WebP files, however the plug-in was missing a number of essential features. Last year, we replaced it with a pre-existing plug-in initially written by Nathan Osman back in 2011 and maintained through the years. We now ship it by default as part of GIMP. The new plug-in received additional contributions from Benoit Touchette and Pascal Massimino and supports both ICC profiles, metadata loading/exporting, and animation. ## Metadata Viewing and Editing¶ Thanks to Benoit Touchette, GIMP now ships a new metadata viewer that uses Exiv2 to display Exif, XMP, IPTC, and DICOM metadata (the latter is displayed on the XMP tab). Moreover, Benoit implemented a much anticipated metadata editor that supports adding/editing writing XMP, IPTC, DICOM, and GPS/Exif metadata, as well as loading/exporting metadata from/to XMP files. ## Filters¶ Thanks to contributions from Thomas Manni and Ell, GIMP now has 9 more GEGL-based filters, including much anticipated Wavelet Decompose, as well as an Extract Component plug-in that simplifies fetching e.g. CMYK’s K channel or LAB’s L* channel from an image. Another new feature that we expect to develop further is GUM—a simple metadata language that helps automatically building more sensible UI for GEGL filters. Here’s a quick video: ## Resources and Presets¶ To make GIMP more useful by default, we now ship it with some basic presets for the Crop tool: 2×3, 3×4, 16:10, 16:9, and Square. Documents templates have been updated and now feature popular, contemporary presets for both print and digital media. ## What’s Next¶ We still have a bunch of bugs to fix before we can release 2.10 and we appreciate all the huge and tiny useful patches contributors send us to that effect. GIMP 2.9.8 is expected to ship with more bug fixes and an updated Blend (Gradient Fill) tool that works completely on canvas, including adding and removing color stops and assigning colors. ## August 21, 2017 The title of this article sucks, I know, couldn't think of anything better... This is a concept I wanted to play with since a long time, and last month I was finally able to setup a proof of concept. The only missing part was to write an article explaining it, so here it goes. For who is... ## August 18, 2017 Over the last few days I’ve merged in the PKCS7 support into fwupd as an optional feature. I’ve done this for a few reasons: • Some distributors of fwupd were disabling the GPG code as it’s GPLv3, and I didn’t feel comfortable saying just use no signatures • Trusted vendors want to ship testing versions of firmware directly to users without first uploading to the LVFS. • Some firmware is inherently internal use only and needs to be signed using existing cryptographic hardware. • The gpgme code scares me. Did you know GPGME is a library based around screen scraping the output of the gpg2 binary? When you perform an action using the libgpgme APIs you’re literally injecting a string into a pipe and waiting for it to return. You can’t even use libgcrypt (the thing that gpg2 uses) directly as it’s way too low level and doesn’t have any sane abstractions or helpers to read or write packaged data. I don’t want to learn LISP S-Expressions (yes, really) and manually deal with packing data just to do vanilla X509 crypto. Although the LVFS instance only signs files and metadata with GPG at the moment I’ve added the missing bits into python-gnutls so it could become possible in the future. If this is accepted then I think it would be fine to support both GPG and PKCS7 on the server. One of the temptations for X509 signing would be to get a certificate from an existing CA and then sign the firmware with that. From my point of view that would be bad, as any firmware signed by any certificate in my system trust store to be marked as valid, when really all I want to do is check for a specific (or a few) certificates that I know are going to be providing certified working firmware. Although I could achieve this to some degree with certificate pinning, it’s not so easy if there is a hierarchical trust relationship or anything more complicated than a simple 1:1 relationship. So this is possible I’ve created a LVFS CA certificate, and also a server certificate for the specific instance I’m running on OpenShift. I’ve signed the instance certificate with the CA certificate and am creating detached signatures with an embedded (signed-by-the-CA) server certificate. This seems to work well, and means we can issue other certificates (or CRLs) if the server ever moves or the trust is compromised in some way. So, tl;dr: (should have been at the top of this page…) if you see a /etc/pki/fwupd/LVFS-CA.pem appear on your system in the next release you can relax. Comments, especially from crypto experts welcome. Thanks! ## August 17, 2017 Later than planned, here’s Krita 3.2.0! With the new G’Mic-qt plugin integration, the smart patch tool, finger painting on touch screens, new brush presets and a lot of bug fixes. Read the full release notes for more information!. Here’s GDQuest’s video introducing 3.2.0: Note: the gmic-qt plugin is not available on OSX. Krita now ships with a pre-built gmic-qt plugin on Windows and the Linux AppImage. If you have tested the beta or release candidate builds, you might need to reset your configuration. ### Changes since the last release candidate: • Don’t reset the LUT docker when moving the Krita window between moitors • Correctly initialize the exposure display filter in the LUT docker • Add the missing pan tool a ction • Improve the “Normal” blending mode performance by 30% (first patch for Krita by Daria Scherbatyuk!) • Fix a crash when creating a second view on an image • Fix a possible crash when creating a second window • Improve finding the gmic-qt plugin: Krita now first looks whether there is one available in the same place as the Krita executable • Fix scroll wheel behaviour if Krita is built with Qt 5.7.1. or later • Fix panning in gmic-qt when applying gmic-qt to a non-RGBA image • Scale channel values correctly when using a non-RGBA image with gmic-qt • Fix the default setting for allowing multiple krita instances ### Download #### Windows Note for Windows users: if you encounter crashes, please follow these instructions to use the debug symbols so we can figure out where Krita crashes. #### Linux (If, for some reason, Firefox thinks it needs to load this as text: to download, right-click on the link.) When it is updated, you can also use the Krita Lime PPA to install Krita 3.2.0 on Ubuntu and derivatives. #### OSX Note: the gmic-qt and pdf plugins is not available on OSX. ### Source code #### md5sums For all downloads: #### Key The Linux appimage and the source tarball are signed. You can retrieve the public key over https here: 0x58b9596c722ea3bd.asc . The signatures are here. #### Support Krita Krita is a free and open source project. Please consider supporting the project with donations or by buying training videos or the artbook! With your support, we can keep the core team working on Krita full-time. ## August 16, 2017 When we went public with our troubles with the Dutch tax office two weeks ago, the response was overwhelming. The little progress bar on krita.org is still counting, and we’re currently at 37,085 euros, and 857 donators. And that excludes the people who sent money to the bank directly. It does include Private Internet Access‘ sponsorship. Thanks to all you! So many people have supported us, we cannot even manage to send out enough postcards. So, even though we’re going to get another accountant’s bill of about 4500 euros, we’ve still got quite a surplus! As of this moment, we have €29,657.44 in our savings account! That means that we don’t need to do a fund raiser in September. Like we said, we’ve still got some features to finish. Dmitry and I are currently working on • Make Krita save and autosave in the background (done) • Improved animation rendering speed (done) • Improve Krita’s brush engine multi-core adaptability (under way) • Improve the general concurrency in Krita (under way) • Add touch functionality back (under way) • Implement the new text tool (under way) • Lazy brush: plug in a faster algorithm • Stacked brushes: was done, but needs to be redone • Replace the reference images docker with a reference images tool (under way) • Add patterns and filters to the vector support All of that should be done before the end of the year. After that, we want to spend 2018 working on stability, polish and performance. So much will have changed that from 3.0 to 4.0 is a bigger step than from 2.9 to 3.0, even though that included the port to a new version of Qt! We will be doing new fund raisers in 2018, but we’re still discussing what the best approach would be. Kickstarters with stretch goals are very much feature oriented, and we’ve all decided that it’s time to improve what we have, instead of adding still more features, at least, for a while… In the meantime, we’re working on the 3.2 release. We wanted to have it released yesterday, but we found a regression, which Dmitry is working hard on fixing right now. So it’ll probably be tomorrow. ## August 14, 2017 While I was testing various attempts at motorizing my barn-door mount, trying to get it to track the sun, I had to repeatedly find the sun in my telescope. In the past, I've generally used the shadow of the telescope combined with the shadow of the finderscope. That works, more or less, but it's not ideal: it doesn't work as well with just a telescope with no finder, which includes both of the scopes I'm planning to take to the eclipse; and it requires fairly level ground under the telescope: it doesn't work if there are bushes or benches in the way of the shadow. For the eclipse, I don't want to waste any time finding the sun: I want everything as efficient as possible. I decided to make a little solar finderscope. One complication, though: since I don't do solar observing very often, I didn't want to use tape, glue or, worse, drill holes to mount it. So I wanted something that could be pressed against the telescope and held there with straps or rubber bands, coming off again without leaving a mark. A length of an angled metal from my scrap pile seemed like a good size to be able to align itself against a small telescope tube. Then I needed front and rear sights. For the front sight, I wanted a little circle that could project a bulls-eye shadow onto a paper card attached to the rear sight. I looked at the hardware store for small eye-bolts, but no dice. Apparently they don't come that small.I settled for the second-smallest size of screw eye. The screw eye, alas, is meant to screw into wood, not metal. So I cut a short strip of wood a reasonable size to nestle into the inside of the angle-iron. (That ripsaw Dave bought last year sure does come in handy sometimes.) I drilled some appropriately sized holes and fastened screw eyes on both ends, adding a couple of rubber grommets as spacers because the screw eyes were a little too long and I didn't want the pointy ends of the screws getting near my telescope tube. I added some masking tape on the sides of the angle iron so it wouldn't rub off the paint on the telescope tube, then bolted a piece of cardboard cut from an old business card to the rear screw eye. Voila! A rubber-band-attached solar sight that took about an hour to make. Notice how the shadow of the front sight exactly fits around the rear sight: you line up the shadow with the rear sight to point the scope. It seems to work pretty well, and it should be adaptable to any telescope I use. I used a wing nut to attach the rear cardboard: that makes it easy to replace it or remove it. With the cardboard removed, the sight might even work for night-time astronomy viewing. That is, it does work, as long as there's enough ambient light to see the rings. Hmm... maybe I should paint the rings with glow-in-the-dark paint. ## August 11, 2017 I've been meaning forever to try making a "barn door" tracking mount. Used mainly for long-exposure wide-field astrophotography, the barn door mount, invented in 1975, is basically two pieces of wood with a hinge. The bottom board mounts on a tripod and is pointed toward the North Star; "opening" the hinge causes the top board to follow the motion of the sky, like an equatorial telescope mount. A threaded rod and a nut control the angle of the "door", and you turn the nut manually every so often. Of course, you can also drive it with a motor. We're off to view the eclipse in a couple of weeks. Since it's my first total eclipse, my plan is to de-emphasize photography: especially during totality, I want to experience the eclipse, not miss it because my eyes are glued to cameras and timers and other equipment. But I still want to take photos every so often. Constantly adjusting a tripod to keep the sun in frame is another hassle that might keep my attention away from the eclipse. But real equatorial mounts are heavy and a time consuming to set up; since I don't know how crowded the area will be, I wasn't planning to take one. Maybe a barn door would solve that problem. Perhaps more useful, it would mean that my sun photos would all be rotated approximately the right amount, in case I wanted to make an animation. I've taken photos of lunar and partial solar eclipses, but stringing them together into an animation turned out to be too much hassle because of the need to rotate and position each image. I've known about barn-door mounts since I was a kid, and I knew the basic theory, but I'd never paid much attention to the details. When I searched the web, it sounded complicated -- it turned out there are many types that require completely different construction techniques. The best place to start (I found out after wasting a lot of time on other sites) is the Wikipedia article on "Barn door tracker", which gives a wonderfully clear overview, with photos, of the various types. I had originally been planning a simple tangent or isosceles type; but when I read construction articles, it seemed that those seemingly simple types might not be so simple to build: the angle between the threaded rod and the boards is always changing, so you need some kind of a pivot. Designing the pivot looked tricky. Meanwhile, the pages I found on curved-rod mounts all insisted that bending the rod was easy, no trouble at all. I decided to try a curved-rod mount first. The canonical reference is a 2015 article by Gary Seronik: A Tracking Platform for Astrophotography. But I found three other good construction guides: Optical Ed's "Making a Curve Bolt Barn Door", a Cloudy Nights discussion thread "Motorized Barn Door Mount Kit", and Massapoag Pond Photography's "Barn Door Tracker". I'm not going to reprise all their construction details, so refer to those sites if you try making your own mount. The crucial parts are a "piano hinge", a long hinge that eliminates the need to line up two or more hinges, and the threaded rod. Buying a piano hinge in the right size proved impossible locally, but the folks at Metzger's assured me that piano hinges can be cut, so I bought one longer than I needed and cut it to size. I used a 1/4-20 rod, which meant (per the discussions in the Cloudy Nights discussion linked above) that a 11.43-inch radius from the hinge to the holes the rod passes through would call for the nut to turn at a nice round number of 1 RPM. I was suspicious of the whole "it's easy to bend the threaded rod ina 11.43-inch circle" theory, but it turned out to be true. Draw the circle you want on a sheet of newspaper, put on some heavy gloves and start bending, frequently comparing your rod to the circle you drew. You can fine-tune the curvature later. I cut my boards, attached the hinge, measured about 11.4" and drilled a hole for the threaded rod. The hole needed to be a bit bigger than 5/8" to let the curved rod pass through without rubbing. Attach the curved rod to the top wood piece with a couple of nuts and some washers, and then you can fine-tune the rod's curvature, opening and closing the hinge and re-bending the rod a little in any place it rubs. A 5/8" captive nut on the top piece lets you attach a tripod head which will hold your camera or telescope. A 1/4" captive nut on the bottom piece serves to attach the mount to a tripod -- you need a 1/4", not 3/8": the rig needs to mount on a tripod head, not just the legs, so you can align the hinge to the North Star. (Of course, you could build a wedge or your own set of legs, if you prefer.) The 3/4" plywood I was using turned out to be thicker than the captive nuts, so I had to sand the wood thinner in both places. Maybe using half-inch plywood would have been better. The final piece is the knob/nut you'll turn to make the mount track. I couldn't find a good 1/4" knob for under15. A lot of people make a wood circle and mount the nut in the center, or use a gear so a motor can drive the mount. I looked around at things like jam-jar lids and the pile of metal gears and sprinkler handles in my welding junkpile, but I didn't see anything that looked quite right, so I decided to try a wing nut just for testing, and worry about the knob later. Turns out a wing nut works wonderfully; there's no particular need for anything else if you're driving your barn-door manually.

Testing time! I can't see Polaris from my deck, and I was too lazy to set up anywhere else, so I used a protractor to set the hinge angle to roughly 36° (my latitude), then pointed it approximately north. I screwed my Pro-Optic 90mm Maksutov (the scope I plan to use for my eclipse photos) onto the ball head and pointed it at the moon as soon as it rose. With a low power eyepiece (20x), turning the wing nut kept the moon more or less centered in the field for the next half-hour, until clouds covered the moon and rain began threatening. I didn't keep track of how many turns I was making, since I knew the weather wasn't going to allow a long session, and right now I'm not targeting long-exposure photography, just an easy way of keeping an object in view.

A good initial test! My web searches, and the discovery of all those different types of barn-door mounts and pivots and flex couplings and other scary terms, had seemed initially daunting. But in the end, building a barn-door mount was just as easy as people say it is, and I finished it in a day.

And what about a motor? I added one a few days later, with a stepper and an Arduino. But that's a separate article.

## August 10, 2017

A few months ago I started implementing Speculaas, a Clojure.spec implementation for Node.js. This is the  announcement of a series of blog posts on this site in which I will show how to use this npm package for specification based testing of your code.

Have fun,

Maurits

A couple of weeks ago I’ve added some new functionality to dfu-tool which is shipped in fwupd. The dfu-tool utility (via libdfu) now has the ability to forward-patch binary files, somewhat like bsdiff does. To do this it compares the old firmware with the new firmware, finding blocks of data that are different and storing the new content and the offset in a .dfup file. The reason for storing the new content rather than a binary diff (like bsdiff) is that you can remove non-free and non-redistributable code without actually including it in the diff file (which, you might be doing if you’re neutering/removing the Intel Management Engine). This does make reversing the binary patch process impossible, but this isn’t a huge problem if we keep the old file around for downgrades.

$sha1sum ~/firmware-releases/colorhug-1.1.6.bin 955386767a0108faf104f74985ccbefcd2f6050c ~/firmware-releases/colorhug-1.1.6.bin$ sha1sum ~/firmware-releases/colorhug-1.1.7.bin
9b7dbb24dbcae85fbbf045e7ff401fb3f57ddf31  ~/firmware-releases/colorhug-1.1.7.bin

$dfu-tool patch-create ~/firmware-releases/colorhug-1.1.6.bin ~/firmware-releases/colorhug-1.1.7.bin colorhug-1_1_6-to-1_1_7.dfup -v Dfu-DEBUG: binary growing from: 19200 to 19712 Dfu-DEBUG: add chunk @0x0000 (len 3) Dfu-DEBUG: add chunk @0x0058 (len 2) Dfu-DEBUG: add chunk @0x023a (len 19142) Dfu-DEBUG: blob size is 19231$ dfu-tool patch-dump colorhug-1_1_6-to-1_1_7.dfup
checksum-old: 955386767a0108faf104f74985ccbefcd2f6050c
checksum-new: 9b7dbb24dbcae85fbbf045e7ff401fb3f57ddf31
chunk #00     0x0000, length 3
chunk #01     0x0058, length 2
chunk #02     0x023a, length 19142

$dfu-tool patch-apply ~/firmware-releases/colorhug-1.1.6.bin colorhug-1_1_6-to-1_1_7.dfup new.bin -v Dfu-DEBUG: binary growing from: 19200 to 19712 Dfu-DEBUG: applying chunk 1/3 @0x0000 (length 3) Dfu-DEBUG: applying chunk 2/3 @0x0058 (length 2) Dfu-DEBUG: applying chunk 3/3 @0x023a (length 19142)$ sha1sum new.bin
9b7dbb24dbcae85fbbf045e7ff401fb3f57ddf31  new.bin


Perhaps a bad example here, the compiler changed between 1.1.6 and 1.1.7 so lots of internal offsets changed and there’s no partitions inside the image; but you get the idea. For some system firmware where only a BIOS default was changed this can reduce the size of the download from megabytes to tens of bytes; the largest thing in the .cab then becomes the XML metadata (which also compresses rather well). Of course in this case you can also use bsdiff if it’s already installed — I’ve not yet decided if it makes sense for fwupd to runtime require tools like bspatch as these could be needed by the firmware builder bubblewrap functionality, or if it could just be included as statically linked binaries in the .cab file. Comments welcome.

## August 08, 2017

Most of the time when you’re distributing firmware you have permission from the OEM or ODM to redistribute the non-free parts of the system firmware, e.g. Dell can re-distribute the proprietary Intel Management Engine as part as the firmware capsule that gets flashed onto the hardware. In some cases that’s not possible, for example for smaller vendors or people selling OpenHardware. In this case I’m trying to help Purism distribute firmware updates for their hardware, and they’re only able to redistribute the Free Software coreboot part of the firmware. For reasons (IFD, FMAP and CBFS…) you need to actually build the target firmware on the system you’re deploying onto, where build means executing random low-level tools to push random blobs of specific sizes into specific unnecessarily complex partition formats rather than actually compiling .c into executable code. The current solution is a manually updated interactive bash script which isn’t awesome from a user-experience or security point of view. The other things vendors have asked for in the past is a way to “dd” a few bytes of randomness into the target image at a specific offset and also to copy the old network MAC address into the new firmware. I figured fwupd should probably handle this somewhat better than a random bash script running as root on your live system.

I’ve created a branch that allows you to ship an archive (I’m suggesting using the simple .tar format, as the .cab file will be compressed already) within the .cab file as the main “release”. Within the .tar archive will be a startup.sh file and all the utilities or scripts needed to run the build operation, statically linked if required. At firmware deploy time fwupd will explode the tar file into a newly-created temp directory, create a bubblewrap container which has no network and limited file-system access and then run the startup.sh script. Once complete, fwupd will copy out just the firmware.bin file and then destroy the bubblewrap container and the temporary directory. I’ve not yet worked out how to inject some things into the jail, for instance we sometimes need the old system firmware blob if we’re applying a bsdiff rather than just replacing all the data. I’m tempted to just mount /var/lib/fwupd/builder/ into the jail as read-only and then get the fwupd plugin to create the required data there at startup before the jail gets created.

Not awesome, but more reliable and secure than just running random bash files as root. Comments welcome.

## August 07, 2017

After last week’s rollercoaster ride (if you haven’t seen it, check the news, then the update!), it was hard to get back into making releases and writing code. Yet, here is the release candidate for Krita 3.2.0. Fixes since the second beta include:

• Some cleanups when handling OpenGL
• Show a clearer error when loading the wintab32.dll file fails on Windows
• Fix a regression where bezier tools couldn’t close the curve and couldn’t create a second curve
• Fixes for working with multiple windows in subwindow mode where one of the documents is set to “stays on top”
• Fix resetting the Level of Detail cache when changing the visibility of a layer: this fixes an issue where after changing the visibility of a layer, the color picker would pick from an older version of the layer.
• Save the last used folder in the Reference Images Docker
• Don’t create nested autosave documents.
• Add recognizing uc-logic tablets on Linux
• Improve the stabilizer
• Improve the communication between Krita and the gmic-qt plugin
• Fix progress reporting after the gmic-qt filter returns
• Fix loading a custom brush preset that uses the text brush
• Update the new brush preset set

#### Windows

Note for Windows users: if you encounter crashes, please follow these instructions to use the debug symbols so we can figure out where Krita crashes.

#### Linux

When it is updated, you can also use the Krita Lime PPA to install Krita 3.2.0-rc.1 on Ubuntu and derivatives.

### Source code

#### Key

The Linux appimage and the source tarball are signed. You can retrieve the public key over https here:
0x58b9596c722ea3bd.asc
. The signatures are here.

#### Support Krita

Krita is a free and open source project. Please consider supporting the project with donations or by buying training videos or the artbook! With your support, we can keep the core team working on Krita full-time.

## August 05, 2017

I do most of my coding on my home machine. But when I travel (or sit in boring meetings), sometimes I do a little hacking on my laptop. Most of my code is hosted in GitHub repos, so when I travel, I like to update all the repos on the laptop to make sure I have what I need even when I'm offline.

That works great as long as I don't make branches. I have a variable $myrepos that lists all the github repositories where I want to contribute, and with a little shell alias it's easy enough to update them all: allgit() { pushd ~ foreach repo ($myrepos)
echo $repo : cd ~/src/$repo
git pull
end
popd
}


That works well enough -- as long as you don't use branches.

Git's branch model seems to be that branches are for local development, and aren't meant to be shared, pushed, or synchronized among machines. It's ridiculously difficult in git to do something like, "for all branches on the remote server, make sure I have that branch and it's in sync with the server." When you create branches, they don't push to the server by default, and it's remarkably difficult to figure out which of your branches is actually tracking a branch on the server.

A web search finds plenty of people asking, and most of the Git experts answering say things like "Just check out the branch, then pull." In other words, if you want to work on a branch, you'd better know before you go offline exactly which branches in which repositories might have been created or updated since the last time you worked in that repository on that machine. I guess that works if you only ever work on one project in one repo and only on one or two branches at a time. It certainly doesn't work if you need to update lots of repos on a laptop for the first time in two weeks.

Further web searching does find a few possibilities. For checking whether there are files modified that need to be committed, git status --porcelain -uno works well. For checking whether changes are committed but not pushed, git for-each-ref --format="%(refname:short) %(push:track)" refs/heads | fgrep '[ahead' works ... if you make an alias so you never have to look at it.

Figuring out whether branches are tracking remotes is a lot harder. I found some recommendations like git branch -r | grep -v '\->' | while read remote; do git branch --track "${remote#origin/}" "$remote"; done and for remote in git branch -r; do git branch --track ${remote#origin/}$remote; done but neither of them really did what I wanted. I was chasing down the rabbit hole of writing shell loops using variables like

  localbranches=("${(@f)$(git branch | sed 's/..//')}")
remotebranches=("${(@f)$(git branch -a | grep remotes | grep -v HEAD | grep -v master | sed 's_remotes/origin/__' | sed 's/..//')}")

when I thought, there must be a better way. Maybe using Python bindings?

### git-python

In Debian, the available packages for Git Python bindings are python-git, python-pygit2, and python-dulwich. Nobody on #python seemed to like any of them, but based on quick attempts with all three, python-git seemed the most straightforward. Confusingly, though Debian calls it python-git, it's called "git-python" in its docs or in web searches, and it's "import git" when you use it.

It's pretty straightforward to use, at least for simple things. You can create a Repo object with

from git import Repo
repo = Repo('.')

and then you can get lists like repo.heads (local branches), repo.refs (local and remote branches and other refs such as tags), etc. Once you have a ref, you can use ref.name, check whether it's tracking a remote branch with ref.tracking_branch(), and make it track one with ref.set_tracking_branch(remoteref). That makes it very easy to get a list of branches showing which ones are tracking a remote branch, something that had proved almost impossible with the git command line.

Nice. But now I wanted more: I wanted to replace those baroque git status --porcelain and git for-each-ref commands I had been using to check whether my repos needed committing or pushing. That proved harder.

Checking for uncommitted files, I decided it would be easiest stick with the existing git status --porcelain -uno. Which was sort of true. git-python lets you call git commands, for cases where the Python bindings aren't quite up to snuff yet, but it doesn't handle all cases. I could call:

    output = repo.git.status(porcelain=True)

but I never did find a way to pass the -uno; I tried u=False, u=None, and u="no" but none of them worked. But -uno actually isn't that important so I decided to do without it.

I found out later that there's another way to call the git command, using execute, which lets you pass the exact arguments you'd pass on the command line. It didn't work to call for-each-ref the way I'd called repo.git.status (repo.git.for_each_ref isn't defined), but I could call it this way:

    foreachref = repo.git.execute(['git', 'for-each-ref',
'--format="%(refname:short) %(push:track)"',

and then parse the output looking for "[ahead]". That worked, but ... ick. I wanted to figure out how to do that using Python.

It's easy to get a ref (branch) and its corresponding tracking ref (remote branch). ref.log() gives you a list of commits on each of the two branches, ordered from earliest to most recent, the opposite of git log. In the simple case, then, what I needed was to iterate backward over the two commit logs, looking for the most recent SHA that's common to both. The Python builtin reversed was useful here:

    for i, entry in enumerate(reversed(ref.log())):
for j, upstream_entry in enumerate(reversed(upstream.log())):
if entry.newhexsha == upstream_entry.newhexsha:
return i, j


(i, j) are the number of commits on the local branch that the remote hasn't seen, and vice versa. If i is zero, or if there's nothing in ref.log(), then the repo has no new commits and doesn't need pushing.

### Making branches track a remote

The last thing I needed to do was to make branches track their remotes. Too many times, I've found myself on the laptop, ready to work, and discovered that I didn't have the latest code because I'd been working on a branch on my home machine, and my git pull hadn't pulled the info for the branch because that branch wasn't in the laptop's repo yet. That's what got me started on this whole "update everything" script in the first place.

If you have a ref for the local branch and a ref for the remote branch, you can verify their ref.name is the same, and if the local branch has the same name but isn't tracking the remote branch, probably something went wrong with the local repo (like one of my earlier attempts to get branches in sync, and it's an easy fix: ref.set_tracking_branch(remoteref).

But what if the local branch doesn't exist yet? That's the situation I cared about most, when I've been working on a new branch and it's not on the laptop yet, but I'm going to want to work on it while traveling. And that turned out to be difficult, maybe impossible, to do in git-python.

It's easy to create a new local branch: repo.head.create(repo, name). But that branch gets created as a copy of master, and if you try to turn it into a copy of the remote branch, you get conflicts because the branch is ahead of the remote branch you're trying to copy, or vice versa. You really need to create the new branch as a copy of the remote branch it's supposed to be tracking.

If you search the git-python documentation for ref.create, there are references to "For more documentation, please see the Head.create method." Head.create takes a reference argument (the basic ref.create doesn't, though the documentation suggests it should). But how can you call Head.create? I had no luck with attempts like repo.git.Head.create(repo, name, reference=remotebranches[name]).

I finally gave up and went back to calling the command line from git-python.

repo.git.checkout(remotebranchname, b=name)

I'm not entirely happy with that, but it seems to work.

I'm sure there are all sorts of problems left to solve. But this script does a much better job than any git command I've found of listing the branches in my repositories, checking for modifications that require commits or pushes, and making local branches to mirror new branches on the server. And maybe with time the git-python bindings will improve, and eventually I'll be able to create new tracking branches locally without needing the command line.

The final script, such as it is: gitbranchsync.py.

## August 03, 2017

Last week at GUADEC Christian gave me a huge laptop to borrow with the request to “make the color sensor work in Fedora”.

This thing is a beast: the display is 17″ and 4K resolution, two GPUs, two hard-disks and a battery. It did not fit in my laptop bag, only just squeezed in my suitcase, and weighed a metric ton. I was pretty confident I could make the color sensor work, as I previously reverse engineered the Huey and we had existing support for the embedded Huey as found in the W700 ThinkPad. Just like the W700, the sensor is located in the palm-rest, and so the laptop lid needs to be shut (and the display kept on) when showing calibration patches. I told Christian it should be a case of adding an unlock code, another PID to the udev rules and then we should be good. How wrong could I be!

Lets look on what’s shipped by default with the Laptop. In Microsoft Windows 10, the Pantone application prompts you to recalibrate your display once per week. When you manually run the calibration wizard, it asks you to choose your display temperature and also the gamma value for the curve, defaulting to D65 whitepoint and 2.2 gamma.

It then asks you to shut the lid and uses a combination of flashing the Thinkpad red-dot LED and using sound effects to show you the progress of the calibration. By opening the lid a tiny fraction we can see the pattern is as follows:

1. Black offset
2. Red primary
3. Green primary
4. Blue primary
5. Red gamma ramp, 7 steps
6. Green gamma ramp, 7 steps
7. Blue gamma ramp, 7 steps

The USB traffic was intercepted for two runs, and dumped to CSV files. These were further post-processed by a python script to filter down and to help understand the protocol used.

From completely reverse engineering the protocol, we can show that the Pantone X-Rite sensor in the palm-rest of the P70 is nothing more than a brightness sensor with a display-specific primary correction matrix. You can’t actually get a RGB or XYZ color out of the sensor, the only useful thing that it can do is linearize the VCGT ramps, and with only 7 measurements for each channel I’m surprised it can do anything very useful at all.

Is it not known how the sensor and calibration tool can create an ICC profile without hardcoding the primaries in the sensor EEPROM itself, and this is probably what happens here. Whilst the sensor would be able to linearize a display where the hardware-corrected backlight suddenly becomes non-linear, it is completely unable to return a set of display primaries. Said another way, the sensor can’t tell the difference between a 100% red and 100% blue patch.

These findings also correlate with the findings from AnandTech who say that calibrating the display with the embedded sensor actually makes the LCD worse when measuring saturation accuracy, whitepoint and grayscale accuracy.

If you’re serious about color calibration, please don’t use the built-in sensor, and if you are buying a top-end Xeon system save a few dollars and don’t bother with the color sensor. For $20 extra Pantone could have used a calibrated XYZ one-piece sensor from MAZeT, which would have given them a true “color sensor” that could have sampled much quicker and with true XYZ-adapted readings. The irony is of course, you can’t even use the HueyCOLOR sensor as a ambient light sensor. As the device is in the palm-rest, you frequently cover it with your hand — and any backlight adjustment would feed back into the sensor causing the backlight to flash. If you actually want to make a colord sensor driver for this hardware we’d need to extend the capability bitfield to show it’s only capable of brightness, and also continue parsing the EEPROM to find the spectral sensitivities, but that’s not something that I think is useful to do. If you want to know about the low-level protocol used and more information about the device, I’ve written some notes which document the protocol used. Disappointing. ## August 02, 2017 I didn’t blog yet about my experience during this year’s Akedemy, the annual conference and gathering of the KDE community. This time it was in Almería, Spain. The organizers made a wonderful work, and everything went perfectly good. The event was well covered locally, with at least three newspaper articles. (Photo by Guille Fuertes) I could meet old friends and make new ones, visited a few awesome places, and I think we all had a wonderful time there. It was also a very productive event, with lots of progress done or started for the different projects. On my side, I had some very interesting feedback after my talk about GCompris. I was asking for some help on a few things, including deb, flatpak and appimage packaging on linux. For flatpak, Aleix Pol showed me the initial work he already did, and I could help him adding a missing dependency. For the appimage, I was very happy to see the next day a message from probono on our irc channel, who saw my slides and started working on the appimage for GCompris :). That was a great surprise and I couldn’t hope for better help for it, as he is basically the man behind the appimage project, and already helped creating the appimage for Krita. And finally for the deb package, we have just been contacted by a Kubuntu packager who is willing to have an up-to-date package in their next release. The community is awesome, thank you all! (Photos by Paul Brown) Besides, I could attend several very interesting talks, and had a whole lot of interesting technical and human talks that helped me to learn a lot, at least I believe so. So much thanks to the KDE community for always being so cool, and again big thanks to KDE e.V. for supporting this event and my participation to it. When we posted the news about our tax wrangle yesterday, we did expect to make some waves. We didn’t expect the incredible response from all of you! A day later, over 500 awesome people have donated a total of €9562 (at the time of writing, check the fancy progress bar we’ve finally managed to create!). Fourteen people have joined the development fund, too! Thank you all! But that’s not all, we were stunned when we were approached by the team at Private Internet Access. They wanted to help us out and sponsor Krita with £20,000! Private Internet Access provides worldwide fast, multi-gigabit VPN Tunnel gateways. They already sponsor a great many awesome organizations, and now also Krita! Of course, this makes our work much easier. Not only do we don’t have to worry whether we can pay the tax bill, but we can also start sending money to Dmitry again! And that’s why if you’ve been wondering whether you should still help Krita with a donation (or by getting something from the shop), please don’t hesitate! To recap, our current plans are: • Make exporting and rendering animations much faster • Improve the performance of some brush engines on multi-core systems • Add touch functionality to Krita • Continue the implementation of the new text tool • Finish the remaining kickstarter features: lazy brush, stacked brushes, reference image tool. • Release Krita 3.2 (soon!) and Krita 4.0 (this year) And then, since we’ve basically reworked all parts of Krita, spend some time working on bugs, polish and, as always, performance. Boudewijn Rempt, Krita Maintainer One-time Donation €1 minimum Monthly Subscription €1 minimum Stichting Krita Foundation Korte Assenstraat 11 7411JP Deventer, the Netherlands. IBAN: NL72INGB0007216397 BIC: INGBNL2A ## August 01, 2017 WTF, July development news in August, I hear you yelling (it's not only me!) But there was some last minute topic I really wanted to complete to include in this report... But now that it is complete, I think it deserves another post on its own, so I'll only mention it here briefly. It will... Please check the August 2nd update, too! Even while we’re working on a new beta for Krita 3.2 and a new development build for 4.0 (with Python, on Windows!), we have to release some bad news as well. The Krita Foundation is having trouble with the Dutch tax authorities. This is the situation: In February, we received an audit from the tax inspector. We were quite confident we wouldn’t have any problems because when we setup the Krita Foundation in 2013, we took the advice of a local tax consultant on how to setup the Foundation and its administration. We registered for VAT with the tax authorities and kept our books as instructed by the consultant. However, the tax inspector found two problems springing from the fact the Foundation sells training videos and books, so it is not 100% funded by donations. This means that the tax authorities see the Foundation is as partly a company, partly as not a company. • We claimed back VAT for things bought by the Foundation. But we should only have claimed the VAT back to the percentage of income generated from sales, which is about 15%. (The rest of our income is donations.) • The Foundation was created to be able to have Dmitry work full-time on Krita. Because we sell stuff, the tax inspector has determined that we’re a company, and should have paid VAT in the Netherlands over the work Dmitry has been doing in Russia. Even though there is no VAT in Russia on the kind of work Dmitry is doing. But because we’re not a company, we cannot reclaim the VAT. In other words, because we’re mostly not a company, we should not have claimed back the VAT we paid; but we’re also considered fully a company, so we should have paid VAT in the Netherlands over Dmitry’s work, which we could not have claimed back because the Foundation is mostly not a company. (It didn’t matter that Dmitry owns the copyright on his work, and that the Foundation doesn’t own anything related to Krita except for the trademark…) The result is a tax bill of 24,000 euros. We have consulted with an accountant, and together we got the bill reduced to 15,006 euros, including fines and interest, but the accountant’s bill came to 4,000 euros. The discussions with the tax inspector and accountant have taken months to resolve. The stress that caused has not just eaten into our coding productivity, it also meant we had no certainty at all, so we missed our usual May fundraiser. At one point, we were almost certain the Krita Foundation would go broke. We ended 2016 with about 30,000 euros in the bank, enough to keep us going until June: it has dwindled to € 5.461,63 by now. Fortunately, we did have the help of three extra-ordinary sponsors who helped us survive through this period. We also have found a sponsor for some extra work on Krita, mainly focused on improving performance on systems with many cores and restoring some touch functionality and touch ui to Krita. Still, we have not been able to be as productive as we wanted, and some of the cool things we were working on aren’t done yet, and maybe won’t get done in time for Krita 4.0. Then there is another complication: until the middle of 2016, I had a day job next to my work on Krita, giving me in effect two full-time jobs. I suffered a break-down in the middle of 2016, and had to stop my day job. I lived on my savings until they ran out by the end of 2016, when I started working full-time for the Foundation as well, so our expenses have gone up too. For the future, we’ve separated the sales of training videos, artbooks and sales on the Windows Store and Steam out to a separate company, so the Krita Foundation is 100% a non-profit. That means that there is no VAT payable in the Netherlands over the work Dmitry does in Russia. We checked the new setup with the accountants, and they have given green light for it. Now we’ve got the bills, we can start making plans again: • As I said in the beginning. we’re currently working on Krita 3.2 and the next pre-alpha development release of 4.0. Our community is healthy, with more and more people chipping in and having fun hacking on Krita, working on the documentation and creating illustrations, comics and animations with Krita. • In September, we will run a fundraiser for development in 2018. After we’ve finished the backlog of kickstarter-promised features for 4.0 or 4.1, our focus will be on stability and polish for a year. “Zero bugs!” — that’s going to be the rallying cry for the fundraiser and for 2018! Though there is no reason to wait until September to make a donation or join the development fund! Note: in the interests of full transparency, you can find our end-of-year reports for 2013, 2014, 2015 and 2016 here. Boudewijn Rempt, Krita Maintainer One-time Donation €1 minimum Monthly Subscription €1 minimum Stichting Krita Foundation Korte Assenstraat 11 7411JP Deventer, the Netherlands. IBAN: NL72INGB0007216397 BIC: INGBNL2A ## July 30, 2017 I've remapped my CapsLock key to be another Ctrl key since time immemorial. (Actually, since the ridiculous IBM PC layout replaced the older keyboards that had Ctrl there already, to the left of the A.) On normal current Debian distros, that's fairly easy: you can edit /etc/default/keyboard to have XKBOPTIONS="ctrl:nocaps. You might think that would work in Raspbian, since it also has /etc/default/keyboard and raspi-config writes keyboard options to it if you set any (though of course CapsLock isn't among the choices it offers you). But it doesn't work in the PIXEL desktop: there, that key still acts as a Caps Lock. Apparently lxde (under PIXEL's hood) overrides the keyboard options in /etc/default/keyboard without actually giving you a UI to set them. But you can add your own override by editing ~/.config/lxkeymap.cfg. Make the option line look something like this: option = ctrl:nocaps  Then when you restart PIXEL, you should have a Control key where CapsLock used to be. ## July 26, 2017 A quick update, as we've touched upon Evince recently. I mentioned that we switched from using external tools for decompression to using libarchive. That's not the whole truth, as we switched to using libarchive for CBZ, CB7 and the infamous CBT, but used a copy/paste version of unarr to support RAR files, as libarchive support lacks some needed features. We hope to eventually remove the internal copy of unarr, but, as a stop-gap, that allowed us to start supporting CBR comics out of the box, and it's always a good thing when you have one less non-free package to grab from somewhere to access your media. The second new format is really two formats, from either side of the 2-digit-year divide: PostScript-based Adobe Illustrator and PDF-based Adobe Illustrator. Evince now declares to support "the format" if both of the backends are built and supported. It only took 12 years, and somebody stumbling upon the feature request while doing bug triaging. The nooks and crannies of free software where the easy feature requests get lost :) Both features will appear in GNOME 3.26, the out-of-the-box CBR support is however available now in an update for the just released Fedora 26. ## July 25, 2017 As of 2017: • I have been at the company I helped to start for 18 years • I have been married for 12 years • I have a 9-year-old child (and 6, and 1) I’m going for a personal high-score. ## July 23, 2017 This week's hike was to Nambé Lake, high in the Sangre de Cristos above Santa Fe. It's a gorgeous spot, a clear, shallow mountain lake surrounded by steep rocky slopes up to Lake Peak and Santa Fe Baldy. I assume it's a glacial cirque, though I can't seem to find any confirmation of that online. There's a raucous local population of Clark's nutcrackers, a grey relative of the jays (but different from the grey jay) renowned for its fearlessness and curiosity. One of my hiking companions suggested they'd take food from my hand if I offered. I broke off a bit of my sandwich and offered it, and sure enough, a nutcracker flew right over. Eventually we had three or four of them hanging around our lunch spot. The rocky slopes are home to pikas, but they're shy and seldom seen. We did see a couple of marmots in the rocks, and I caught a brief glimpse of a small, squirrel-sized head that looked more grey than brown like I'd expect from a rock squirrel. Was it a pika? I'll never know. We also saw some great flowers. Photos: Nambé Lake Nutcrackers. ## July 22, 2017 We’re releasing the second beta for Krita 3.2.0 today! These beta builds contain the following fixes, compared to the first 3.2.0 beta release. Keep in mind that this is a beta: you’re supposed to help the development team out by testing it, and reporting issues on bugs.kde.org. • There are still problems on Windows with the integration with the gmic-qt plugin, but several lockups have been fixed. • The smart patch tool merge was botched: this is fixed now. • It wasn’t possible anymore to move vector objects with the mouse (finger and tablet worked fine). This is fixed now. • Fixed the size and flow sliders • Fixes to saving jpg or png images without a transparency channel #### Download The KDE download site has been updated to support https now. #### Windows Note for Windows users: if you encounter crashes, please follow these instructions to use the debug symbols so we can figure out where Krita crashes. #### Linux (If, for some reason, Firefox thinks it needs to load this as text: to download, right-click on the link.) A snap image for the Ubuntu App Store will be available from the Ubuntu application store. When it is updated, you can also use the Krita Lime PPA to install Krita 3.2.0-beta.2 on Ubuntu and derivatives. #### OSX ### Source code #### md5sums For all downloads: #### Key The Linux appimage and the source tarball are signed. You can retrieve the public key over https here: 0x58b9596c722ea3bd.asc . The signatures are here. #### Support Krita Krita is a free and open source project. Please consider supporting the project with donations or by buying training videos or the artbook! With your support, we can keep the core team working on Krita full-time. ## July 21, 2017 @GodTributes took over my title, soz. Dude, where's my maintainer? Last year, probably as a distraction from doing anything else, or maybe because I was asked, I started reviewing bugs filed as a result of automated flaw discovery tools (from Coverity to UBSan via fuzzers) being run on gdk-pixbuf. Apart from the security implications of a good number of those problems, there was also the annoyance of having a busted image file bring down your file manager, your desktop, or even an app that opened a file chooser either because it was broken, or because the image loader for that format didn't check for the sanity of memory allocations. (I could have added links to Bugzilla entries for each one of the problems above, but that would just make it harder to read) Two big things happened in gdk-pixbuf 2.36.1, which was used in GNOME 3.24: • the removal of GdkPixdata as a stand-alone image format loader. We really don't want to load GdkPixdata files from sources other than generated sources or embedded data structures, and removing that loader closed off those avenues. We still ended up fixing a fair number of naive assumptions in helper functions though. • the addition of a thumbnailer for gdk-pixbuf supported images. Images would not be special-cased any more in gnome-desktop's thumbnailing code, making the file manager, the file chooser and anything else navigating directories full of broken and huge images more reliable. But that's just the start. gdk-pixbuf continues getting bug fixes, and we carry on checking for overflows, underflows and just flows, breaks and beats in general. Programmatic Thumbellina portrait-maker Picture, if you will, a website making you download garbage files from the Internet, the ROM dump of a NES cartridge that wasn't properly blown on and digital comic books that you definitely definitely paid for. That's a nice summary of the security bugs foisted upon GNOME in past year or so, even if, thankfully, we were ahead of the curve in terms of fixing those issues (the GStreamer NSF decoder bug was removed in 2013, the comics backend in evince was rewritten over a period of 2 years and committed in March 2017). Still, 2 pieces of code were running on pretty much every file downloaded, on purpose or not, from the Internet: Tracker's indexers and the file manager's thumbnailers. Tracker started protecting itself not long after the NSF vulnerability, even if recent versions of GStreamer weren't vulnerable, as we mentioned. That left the thumbnailers. Some of those are first party, like the gdk-pixbuf, and those offered by core applications (Evince, Videos), written by GNOME developers (yours truly for both epub/mobi and Nintendo DS). They're all good quality code I'd vouch for (having written or maintained quite a few of them), but they can rely on third-party libraries (say GStreamer, poppler, or libarchive), have naive or insufficiently defensive code (gdk-pixbuf loaders, GStreamer plugins) or, worst of all: THIRD-PARTY EXTENSIONS. There are external plugins and extensions for image formats in gdk-pixbuf, for video and audio formats in GStreamer, and for thumbnailers pretty much anywhere. We can't control those, but the least we can do when they explode in a wet mess is make sure that the toilet door is closed. Not even Nicholas Cage can handle this Alcatraz For GNOME 3.26 (and today in git master), the thumbnailer stall will be doubly bolted by a Bubblewrap sandbox and a seccomp blacklist. This closes a whole vector of attack for the GNOME Desktop, but doesn't mean we're completely out of the woods. We'll need to carry on maintaining and fixing security bugs in those libraries and tools we depend on, as GStreamer plugin bugs still affect Videos, gdk-pixbuf bugs still affect Photos and Eye Of Gnome, etc. And there are limits to what those 2 changes can achieve. The sandboxing and syscall blacklisting avoids those thumbnailers writing anything but an image file in PNG format in a specific directory. There's no network, the filename of the original file is hidden and sanitised, but the thumbnailer could still create a crafted PNG file, and the sandbox doesn't work inside a sandbox! So no protection if the application running the thumbnailer is inside Flatpak. In fine GNOME 3.26 will have better security for thumbnailers, so you won't "need to delete GNOME Files". But you'll probably want to be careful with desktops that forked our thumbnailing code, namely Cinnamon and MATE, which don't implement those security features. The next step for the thumbnailers will be beefing up our protection against greedy thumbnailers (in terms of CPU and memory usage), and sharing the code better between thumbnailers. Note for later, more images of cute animals. ## July 18, 2017 We’re releasing the first beta for Krita 3.2.0 today! Compared to Krita 3.1.4, released 26th of May, there are numerous bug fixes and some very cool new features. Please test this release, so we can fix bugs before the final release! ### Known bugs It’s a beta, so there are bugs. One of them is that the size and flow sliders are disabled. We promise faithfully we won’t release until that’s fixed, but in the meantime, no need to report it! ### Features • Krita 3.2 will use the gmic-qt plugin created and maintained by the authors of G’Mic We’re still working with them to create binary builds that can run on Windows, OSX and most versions of Linux. This plugin replaces completely the older gmic plugin. • We added Radian’s brush set to Krita’s default brushes. These brushes are good for create a strong painterly look: • There are now shortcuts for changing layer states like visibility and lock. • There have been many fixes to the clone brush • There is a new dialog from where you can copy and paste relevant information about your system for bug reports. • We’ve integrated the Smart Patch tool that was previously only in the 4.0 pre-alpha builds! • The Gaussian Blur filter now can use kernels up to 1000 pixels in diameter ## Bug Fixes Among the bigger bug fixes: • Painting with your finger on touch screens is back. You can enable or disable this in the settings dialog. • If previously you suffered from the “green brush outline” syndrome, that should be fixed now, too. Though we cannot guarantee the fix works on all OpenGL systems. • There have been a number of performance improvements as well • The interaction with the file dialog has been improved: it should be better at guessing which folder you want to open, which filename to suggest and which file type to use. And of course, there were dozens of smaller bug fixes. #### Download The KDE download site has been updated to support https now. #### Windows Note for Windows users: if you encounter crashes, please follow these instructions to use the debug symbols so we can figure out where Krita crashes. #### Linux (For some reason, Firefox thinks it needs to load this as text: to download, right-click on the link.) A snap image for the Ubuntu App Store will be available from the Ubuntu application store. When it is updated, you can also use the Krita Lime PPA to install Krita 3.2.0-beta.1 on Ubuntu and derivatives. #### OSX ### Source code #### md5sums For all downloads: #### Key The Linux appimage and the source tarball are signed. You can retrieve the public key over https here: 0x58b9596c722ea3bd.asc . The signatures are here. #### Support Krita Krita is a free and open source project. Please consider supporting the project with donations or by buying training videos or the artbook! With your support, we can keep the core team working on Krita full-time. ## July 16, 2017 For the Raspberry Pi Zero W book I'm writing, the publisher, Maker Media, wants submissions in Word format (but stressed that LibreOffice was fine and lots of people there use it, a nice difference from Apress). That's fine ... but when I'm actually writing, I want to be able to work in emacs; I don't want to be distracted fighting with LibreOffice while trying to write. For the GIMP book, I wrote in plaintext first, and formatted it later. But that means the formatting step took a long time and needed exceptionally thorough proofreading. This time, I decided to experiment with Markdown, so I could add emphasis, section headings, lists and images all without leaving my text editor. Of course, it would be nice to be able to preview what the formatted version will look like, and that turned out to be easy with a markdown editor called ReText, which has a lovely preview mode, as long as you enable Edit->Use WebKit renderer (I'm not sure why that isn't the default). Okay, a chapter is written and proofread. The big question: how to get it into the Word format the publisher wants? First thought: ReText has a File->Export menu. Woohoo -- it offers ODT. So I should be able to export to ODT then open the resulting file in LibreOffice. Not so much. The resulting LibreOffice document is a mess, with formatting that doesn't look much like the original, and images that are all sorts of random sizes. I started going through it, resizing all the images and fixing the formatting, then realized what a big job it was going to be and decided to investigate other options first. ReText's Export menu also offers HTML, and the HTML it produces looks quite nice in Firefox. Surely I could open that in LibreOffice, then save it (maybe with a little minor reformatting) as DOCX? Well, no, at least not directly. It turns out LibreOffice has no obvious way to import an HTML file into a normal text document. If you Open the HTML file, it displays okay (except the images are all tiny thumbnails and need to be resized one by one); but LibreOffice can't save it in any format besides HTML or plaintext. Those are the only formats available in the menu in the Save dialog. LibreOffice also has a Document Converter, but it only converts Office formats, not HTML; and there's no Import... in LO's File. There's a Wizards->Web Page, but it's geared to creating a new web page and saving as HTML, not importing an existing HTML-formatted document. But eventually I discovered that if I "Create a new Text Document" in LibreOffice, I can Select All and Copy in Firefox, followed by Paste into Libre Office. It works great. All the images are the correct size, the formatting is correct needing almost no corrections, and LibreOffice can save it as DOCX, ODT or whatever I need. ### Image Captions I mentioned that the document needed almost no corrections. The exception is captions. Images in a book need captions and figure numbers, unlike images in HTML. Markdown specifies images as ![Image description][path/to/image.jpg)  Unfortunately, the Image description part is only visible as a mouseover, which only works if you're exporting to a format intended for a web browser that runs on desktop and laptop computers. It's no help in making a visible caption for print, or for tablets or phones that don't have mouseover. And the mouseover text disappears completely when you paste the document from Firefox into LibreOffice. I also tried making a table with the image above and the caption underneath. But I found it looked just as good in ReText, and much better in HTML, just to add a new paragraph of italics below the image: ![][path/to/image.jpg) *Image description here*  That looks pretty nice in a browser or when pasted into LibreOffice. But before submitting a chapter, I changed them into real LibreOffice captions. In LibreOffice, right-click on the image; Add Caption is in the context menu. It can even add numbers automatically. It initially wants to call every caption "Illustration" (e.g. "Illustration 1", "Illustration 2" and so on), and strangely, "Figure" isn't one of the available alternatives; but you can edit the category and change it to Figure, and that persists for the rest of the document, helpfully numbering all your figures in order. The caption dialog when you add each caption always says that the caption will be "Illustration 1: (whatever you typed)" even if it's the fourteenth image you've captioned; but when you dismiss the dialog it shows up correctly as Figure 14, not as a fourteenth Figure 1. The only problem arises if you have to insert a new image in the middle of a chapter. If you do that, you end up with two Figure 6 (or whatever the number is) and it's not clear how to persuade LibreOffice to start over with its renumbering. You can fix it if you remove all the captions and start over, but ugh. I never found a better way, and web searches on LibreOffice caption numbers suggest this is a perennial source of frustration with LibreOffice. The bright side: struggling with captions in LibreOffice convinced me that I made the right choice to do most of my work in emacs and markdown! ## July 14, 2017 Loading… ## July 13, 2017 It’s summer — a bit rainy, but still summer! So it’s time for a summer sale — and we’ve reduced the price for the Made with Krita 2016 art books to just 7,95. That means that shipping (outside the Netherlands) is more expensive than the book itself, but it’s a great chance to get acquainted with forty great artists and their work with Krita! The book is professionally printed on 130 grams paper and softcover bound in signatures. The cover illustration is by Odysseas Stamoglou. Every artist is showcased with a great image, as well as a short bio. Made with Krita 2016 On sale: €7,95 Forty artists from all over the world, working in all kinds of styles and on all kinds of subjects show how Krita is used in the real world to create amazing and engaging art. The book also contains a biographical section with information about each individual artist. Made with Krita 2016 is now on sale: 7,95€, excluding shipping. Shipping is 11,25€ (3,65€ in the Netherlands). ## July 11, 2017 The official Blender release is now being downloaded over half a million times per month, and a total of 6.5M last year. During the period of July 2016 and July 2017, Blender has seen the release of Blender 2.78 and a/b/c fix releases. This is not counting: • Experimental Builds on Buildbot • Release Candidates and Test Builds • Other services offering Blender (app stores like Steam or community sites like GraphicAll) • Linux repositories Below is the full report for each platform. ## July 10, 2017 Previously: v4.11. Here’s a quick summary of some of the interesting security things in last week’s v4.12 release of the Linux kernel: x86 read-only and fixed-location GDT With kernel memory base randomization, it was stil possible to figure out the per-cpu base address via the “sgdt” instruction, since it would reveal the per-cpu GDT location. To solve this, Thomas Garnier moved the GDT to a fixed location. And to solve the risk of an attacker targeting the GDT directly with a kernel bug, he also made it read-only. usercopy consolidation After hardened usercopy landed, Al Viro decided to take a closer look at all the usercopy routines and then consolidated the per-architecture uaccess code into a single implementation. The per-architecture code was functionally very similar to each other, so it made sense to remove the redundancy. In the process, he uncovered a number of unhandled corner cases in various architectures (that got fixed by the consolidation), and made hardened usercopy available on all remaining architectures. ASLR entropy sysctl on PowerPC Continuing to expand architecture support for the ASLR entropy sysctl, Michael Ellerman implemented the calculations needed for PowerPC. This lets userspace choose to crank up the entropy used for memory layouts. LSM structures read-only James Morris used __ro_after_init to make the LSM structures read-only after boot. This removes them as a desirable target for attackers. Since the hooks are called from all kinds of places in the kernel this was a favorite method for attackers to use to hijack execution of the kernel. (A similar target used to be the system call table, but that has long since been made read-only.) Be wary that CONFIG_SECURITY_SELINUX_DISABLE removes this protection, so make sure that config stays disabled. KASLR enabled by default on x86 With many distros already enabling KASLR on x86 with CONFIG_RANDOMIZE_BASE and CONFIG_RANDOMIZE_MEMORY, Ingo Molnar felt the feature was mature enough to be enabled by default. Expand stack canary to 64 bits on 64-bit systems The stack canary values used by CONFIG_CC_STACKPROTECTOR is most powerful on x86 since it is different per task. (Other architectures run with a single canary for all tasks.) While the first canary chosen on x86 (and other architectures) was a full unsigned long, the subsequent canaries chosen per-task for x86 were being truncated to 32-bits. Daniel Micay fixed this so now x86 (and future architectures that gain per-task canary support) have significantly increased entropy for stack-protector. Expanded stack/heap gap Hugh Dickens, with input from many other folks, improved the kernel’s mitigation against having the stack and heap crash into each other. This is a stop-gap measure to help defend against the Stack Clash attacks. Additional hardening needs to come from the compiler to produce “stack probes” when doing large stack expansions. Any Variable Length Arrays on the stack or alloca() usage needs to have machine code generated to touch each page of memory within those areas to let the kernel know that the stack is expanding, but with single-page granularity. That’s it for now; please let me know if I missed anything. The v4.13 merge window is open! Edit: Brad Spengler pointed out that I failed to mention the CONFIG_SECURITY_SELINUX_DISABLE issue with read-only LSM structures. This has been add now. © 2017, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License. ## July 06, 2017 It's official: I'm working on another book! This one will be much shorter than Beginning GIMP. It's a mini-book for Make Media on the Raspberry Pi Zero W and some fun projects you can build with it. I don't want to give too much away at this early stage, but I predict it will include light shows, temperature sensors, control of household devices, Twitter access and web scraping. And lots of code samples. I'll be posting more about the book, and about various Raspberry Pi Zero W projects I'm exploring during the course of writing it. But for now ... if you'll excuse me, I have a chapter that's due today, and a string of addressable LEDs sitting on my desk calling out to be played with as part of the next chapter. While my colleagues are working on mice that shine in all kinds of different colours, I went towards the old school. For around 10 units of currency, you should be able to find the uDraw tablet for the PlayStation 3, the drawing tablet that brought down a company. The device contains a large touchpad which can report one or two touches, for right-clicking (as long as the fingers aren't too close), a pen interface which will make the cheapest of the cheapest Wacom tablets feel like a professional tool from 30 years in the future, a 4-button joypad (plus Start/Select/PS) with the controls either side of the device, and an accelerometer to play Marble Madness with. The driver landed in kernel 4.10. Note that it only supports the PlayStation 3 version of the tablet, as the Wii and XBox 360 versions require receivers that aren't part of the package. Here, a USB dongle should be provided. Recommended for: point'n'click adventure games, set-top box menu navigation. The second driver landed in kernel 4.12, and is a primer for more work to be done. This driver adds support for the Retrode 2's joypad adapters. The Retrode is a USB console cartridge reader which makes Sega Mega Drive (aka Genesis) and Super Nintendo (aka Super Famicom) cartridges show up as files on a mass storage devices in your computer. It also has 4 connectors for original joypads which the aforementioned driver now splits up and labels, so you know which is which, as well as making the mouse work out of the box. I'd still recommend picking up the newer optical model of that mouse, from Hyperkin. Moving a mouse with a ball in it is like weighing a mobile phone from that same era. I will let you inspect the add-ons for the device, like support for additional Nintendo 64 pads and cartridges, and Game Boy/GB Color/GB Advance, and Sega Master System adapters. Recommended for: cartridge-based retro games, obviously. Integrated firmware updates, and better integration with Games is in the plans. I'll leave you with this video, which shows how you could combine GNOME Games, a Retrode, this driver, a SNES mouse, and a cartridge of Mario Paint. Let's get creative :) ## July 05, 2017 Many upstream applications are changing their application ID from something like boxes.desktop to org.gnome.Boxes.desktop so they can be packaged as flatpaks. Where upstream doesn’t yet have this, we rewrite the desktop file in flatpak-builder so it can be packaged and deployed safely. However, more and more upstreams are building flatpaks and thus more and more apps seem to be changing desktop ID every month. This poses a problem for the ODRS review system: When we query using the reverse-DNS-style we don’t match the hundreds of reviews submitted against the old ID. This makes the application look bad, and users file bugs against GNOME Software saying it’s broken either because “no reviews are showing up”, or that “a previously 5 star application with 30 reviews is now 2 stars with just one review”. This also happens when companies get taken over, or when the little toy project moves from a hosting site to a proper home, e.g. com.github.FeedReader to org.gnome.FeedReader. So, what can we do? AppData (again) to the rescue. Adding the following XML to the file allows new versions of gnome-software to do the right thing; we then get reviews and ratings for both the old and new names.  <provides> <id>old-name.desktop</id> </provides>  If you renamed your application in the last couple of years, I’d love you to help out and add this tag to your .appdata.xml file – in all supported branches if possible. I can’t promise cookies, but your application will have more reviews and that can’t be a bad thing. Thanks! ## July 04, 2017 I’ve just released the latest version of fwupd from the development branch. 0.9.5 has the usual bug fixes, translation updates and polish, but also provides two new goodies: We now support for updating Logitech peripherals over a protocol helpfully called DFU, which is not to be confused with the standard USB DFU protocol. This allows us to update devices such as the K780 keyboard over the Unifying layer. Although it takes a few minutes to complete, it works reliably and allows us to finally fix the receiver end of the MouseJack vulnerability. Once the user has installed the Unifying dongle update and in some cases a peripheral update they are secure again. The K780 update is in “testing” on the LVFS if anyone wants to try this straight away. You should send huge thanks to Logitech as they have provided me access to the documentation, hardware and firmware engineers required to make this possible. All the released Logitech firmwares will move to the “stable” state once this new fwupd release has hit Fedora updates-testing. The other main feature in this release is the Intel Management Engine plugin. The IME is the source of the recent AMT vulnerability that affects the “ME blob” that is included in basically every consumer PC sold in the last decade. Although we can’t flash the ME blob using this plugin, it certainly makes it easy to query the hardware and find out if you are running a very insecure system. This plugin is more that inspired by the AMT status checker for Linux by Matthew Garrett, so you should send him cookies, not me. Actually updating the ME blob would be achieved using the standard UEFI UpdateCapsule, but it would mean your vendor does have to upload a new system firmware to the LVFS. If you’ve got a Dell you are loved, other vendors are either still testing this and don’t want to go public yet (you know who you are) or don’t care about their users. If you still don’t know what the LVFS is about, see the whitepaper and then send me an email. Anyway, obligatory technical-looking output: $ fwupdmgr get-devices
Guid:                 2800f812-b7b4-2d4b-aca8-46e0ff65814c
DeviceID:             /dev/mei
DisplayName:          Intel AMT (unprovisioned)
Plugin:               amt
Flags:                internal
Version:              9.5.30


If the AMT device is present, and the display name has provisioned and the AMT version is between 6.0.x and 11.2.x, and you have not upgraded your firmware, you are vulnerable to CVE-2017-5689 and you should disable AMT in your system firmware. I’ve not yet decided if this should bubble up to the session in the form of a notification bubble, ideas welcome.

The new release is currently building for Fedora, and might be available in other distributions at some point.

## June 30, 2017

With one of our internal web applications based on Ruby on Rails, we’ve discovered a file descriptor leak in one of the delayed job worker processes. The worker leaked descriptors whenever it invoked a message being send to the message bus using qpid-messaging.

Since we’re using gems compiled as C++ and C extensions, in order to find the root cause, I used the packages provided through the package manager and gdb.

Big thanks to Dan Callaghan who walked me through most of the process and then found the leak in the C++ sources.

TL;DR;

• identify the leaking descriptors and reproduce it with lsof
• attach strace to the process and identify file descriptors which are not being closed
• install debuginfo packages for all dependencies
• use gdb to figure out what is going on

### Reproducer

I’ve used lsof and a friend wrote a small script to quickly monitor the worker process. Looking at the opened files of the process revealed a long list which looked like half closed sockets. It turned out later, that it wasn’t the same problem since the sockets were created, but never bound/connected.

I was unable to reproduce the problem on my local development environment, but found away to do it on our staging environment which resembles production much closer. So whenever I invoked an action in the UI which resulted in a message being sent, I was able to see another file descriptor leak with lsof.

### Strace the process

With the reproducer at hand, I started to strace the process:

# Note we're not filtering system calls with -e here.
# Weirdly CLOSE was not reported when just filtering network calls
strace -s 1000 -p  -o strace_output_log.strace

Dan helped me looking through the produced log output, which revealed that the system under investigation created a socket and called getpeername right after it, without binding it resulting in a leaked file descriptor.

10971 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 35
10971 getpeername(35, 0x7fffae712a90, [112]) = -1 ENOTCONN (Transport endpoint is not connected)

### Install debuginfo packages and use gdb

In order to debug the system, we need debuginfo packages installed, otherwise you wont be able to step through the sources using gdb. When you attach gdb to the process it will tell you what packages it is missing, for example:

Missing separate debuginfos, use: debuginfo-install qpid-proton-c-0.10-3.fc25.x86_64

You then go install those (be mindful that you the repositories configured e.g. section name fedora-debuginfo):

debuginfo-install qpid-proton-c-0.10-3.fc25.x86_64

and basically start debugging.

Our first suspicion was the qpid messaging library and we check if it’s invocation of getpeername was leaking the file descriptors. I’ve added a break point at the point of the source code we thought was suspicious and in a separate terminal used lsof to see which file descriptor number is leaked. For example:

# I've used a watch, which executes the lsof every 2 seconds by
# default. The grep filters some of the files I'm not interested in
$gmic -median_video bigbuckbunny.mp4 -normalize 0.255 -o median.jpg  Fig.5.1.1: Sequence in the « Big Buck Bunny” video, directed by the Blender foundation. Fig.5.1.2: Result: Average image of the « Big Buck Bunny” sequence above. Fig.5.1.3: Result: Median image of the « Big Buck Bunny” sequence above. And to stay in the field of video processing, we can also mention the addition of the commands -morph_files and -morph_video that render temporal interpolations of video sequences, taking the estimated intra-frame object motion into account, thanks to a quite smart variational and multi-scale estimation algorithm. The video below illustrates the rendering difference obtained for the retiming of a sequence using temporal interpolation, with (right) and without (left) motion estimation. Fig.5.1.4: Video retiming using G’MIC temporal morphing technique. ## 5.2. Deformations and “Glitch Art” Those who like to mistreat their images aggressively will be delighted to learn that a bunch of new image deformation and degradation effects have appeared in G’MIC. First of all, the filter “Deformations / Conformal maps” allows one to distort an image using conformal maps. These deformations have the property of preserving the angles locally, and are most often expressed as functions of complex numbers. In addition to playing with predefined deformations, this filter allows budding mathematicians to experiment with their own complex formulas. Fig.5.2.1: Filter “Conformal maps” applying a angle-preserving transformation to the image of Mona Lisa. Fans of Glitch Art may also be concerned by several new filters whose rendering look like image encoding or compression artifacts. The effect “Degradations / Pixel sort” sorts the pixels of a picture by row or by column according to different criteria and to possibly masked regions, as initially described on this page. Fig.5.2.2: Filter “Pixel sort” for rendering a kind of “Glitch Art” effect. Degradations / /Pixel sort also has two little brothers, filters “Degradations / Flip & rotate blocks” and “Degradations / Warp by intensity“. The first divides an image into blocks and allows to rotate or mirror them, potentially only for certain color characteristics (like hue or saturation, for instance). Fig.5.2.3: Filter “Flip & rotate blocks” applied to the hue only to obtain a “Glitch Art” effect. The second locally deforms an image with more or less amplitude, according to its local geometry. Here again, this can lead to the generation of very strange images. Fig.5.2.4: Filter “Warp by intensity” applied to the image of Mona Lisa (poor Mona!). It should be noted that these filters were largely inspired by the Polyglitch plug-in, available for Paint.NET, and have been implemented after a suggestion from a friendly user (yes, yes, we try to listen to our most friendly users!). ## 5.3. Image simplification What else do we have in store? A new image abstraction filter, Artistic / Sharp abstract, based on the Rolling Guidance algorithm mentioned before. This filter applies contour-preserving smoothing to an image, and its main consequence is to remove the texture. The figure below illustrates its use to generate several levels of abstraction of the same input image, at different smoothing scales. Fig.5.3.1: Creating abstractions of an image via the filter “Sharp abstract“. In the same vein, G’MIC also gets a filter Artistic / Posterize which degrades an image to simulate posterization. Unlike the filter with same name available by default in GIMP (which mainly tries to reduce the number of colors, i.e. do color quantization), our version adds spatial simplification and filtering to approach a little more the rendering of old posters. Fig.5.3.2: Filter “Posterize” of G’MIC, compared to the filter with same name available by default in GIMP. ## 5.4. Other filters If you still want more (and in this case one could say you are damn greedy!), we will end this section by discussing some of the new, but unclassifiable filters. We start with the filter “Artistic / Diffusion tensors“, which displays a field of diffusion tensors, calculated from the structure tensors of an image (structure tensors are symmetric and positive definite matrices, classically used for estimating the local image geometry). To be quite honest, this feature had not been originally developed for an artistic purpose, but users of the plug-in came across it by chance and asked to make a GIMP filter from it. And yes, this is finally quite pretty, isn’t it? Fig.5.4.1: Filter “Diffusion Tensors” filter and its multitude of colored ellipses. From a technical point of view, this filter was actually an opportunity to introduce new drawing features into the G’MIC mathematical evaluator, and it has now become quite easy to develop G’MIC scripts for rendering custom visualizations of various image data. This is what has been done for instance, with the command -display_quiver reimplemented from scratch, and which allows to generate this type of rendering: Fig. 5.4.2: Rendering vector fields with the G’MIC command -display_quiver. For lovers of textures, we can mention the apparition of two new fun effects: First, the “Patterns / Camouflage” filter. As its name suggests, this filter produces a military camouflage texture. Fig. 5.4.3: Filter “Camouflage“, to be printed on your T-shirts to go unnoticed in parties! Second, the filter “Patterns / Crystal background” overlays several randomly colored polygons in order to synthesize a texture that vaguely looks like a crystal seen under a microscope. Pretty useful to quickly render colored image backgrounds. Fig.5.4.4: Filter “Crystal background” in action. And to end this long overview of new G’MIC filters developed since last year, let us mention “Rendering / Barnsley fern“. This filter renders the well-known Barnsley fern fractal. For curious people, note that the related algorithm is available on Rosetta Code, with even a code version written in the G’MIC script language, namely: # Put this into a new file 'fern.gmic' and invoke it from the command line, like this: #$ gmic fern.gmic -barnsley_fern

barnsley_fern :
1024,2048
-skip {"
f1 = [ 0,0,0,0.16 ]; g1 = [ 0,0 ];
f2 = [ 0.2,-0.26,0.23,0.22 ]; g2 = [ 0,1.6 ];
f3 = [ -0.15,0.28,0.26,0.24 ]; g3 = [ 0,0.44 ];
f4 = [ 0.85,0.04,-0.04,0.85 ]; g4 = [ 0,1.6 ];
xy = [ 0,0 ];
for (n = 0, n<2e6, ++n,
r = u(100);
xy = r<=1?((f1**xy)+=g1):
r<=8?((f2**xy)+=g2):
r<=15?((f3**xy)+=g3):
((f4**xy)+=g4);
uv = xy*200 + [ 480,0 ];
uv[1][1] = h - uv[1][1];
I(uv) = 0.7*I(uv) + 0.3*255;
)"}
-r 40%,40%,1,1,2


And here is the rendering generated by this function:

Fig.5.4.5: Fractal “Barnsley fern“, rendered by G’MIC.

# 6. Overall project improvements

All filters presented throughout this article constitute only the visible part of the G’MIC iceberg. They are in fact the result of many developments and improvements made “under the hood”, i.e., directly on the code of the G’MIC script language interpreter. This interpreter defines the basic language used to write all G’MIC filters and commands available to users. Over the past year, a lot of work has been done to improve the performances and the capabilities of this interpreter:

• The mathematical expressions evaluator has been considerably enriched and optimized, with more functions available (especially for matrix calculus), the support of strings, the introduction of const variables for faster evaluation, the ability to write variadic macros, to allocate dynamic buffers, and so on.

• New optimizations have been also introduced in the CImg library, including the parallelization of new functions (via the use of OpenMP). This C++ library provides the implementations of the “critical” image processing algorithms and its optimization has a direct impact on the performance of G’MIC (in this respect, note that CImg is also released with a major version 2.0).

• Compiling G’MIC on Windows now uses a more recent version of g++ (6.2 rather than 4.5), with the help of Sylvie Alexandre. This has actually a huge impact on the performances of the compiled executables: some filters run up to 60 times faster than with the previous binaries (this is the case for example, with the Deformations / Conformal Maps filter, discussed in section 5.2).

• The support of large .tiff images (format BigTIFF, with files that can be larger than 4Gb) is now enabled (read and write), as it is for 64-bit floating-point TIFF images

• The 3D rendering engine built into G’MIC has also been slightly improved, with the support for bump mapping. No filter currently uses this feature, but we never know, and prepare ourselves for the future!

Fig.6.1: Comparison of 3D textured rendering with (right) and without “Bump mapping” (left).

$gmic -median_video bigbuckbunny.mp4 -normalize 0.255 -o median.jpg  And to stay in the field of video processing, we can also mention the addition of the commands -morph_files and -morph_video that render temporal interpolations of video sequences, taking the estimated intra-frame object motion into account, thanks to a quite smart variational and multi-scale estimation algorithm. The video below illustrates the rendering difference obtained for the retiming of a sequence using temporal interpolation, with (right) and without (left) motion estimation. ## 5.2. Deformations and “Glitch Art” Those who like to mistreat their images aggressively will be delighted to learn that a bunch of new image deformation and degradation effects have appeared in G’MIC. First of all, the filter “Deformations / Conformal maps“ allows one to distort an image using conformal maps. These deformations have the property of preserving the angles locally, and are most often expressed as functions of complex numbers. In addition to playing with predefined deformations, this filter allows budding mathematicians to experiment with their own complex formulas. Fans of Glitch Art may also be concerned by several new filters whose rendering look like image encoding or compression artifacts. The effect “Degradations / Pixel sort“ sorts the pixels of a picture by row or by column according to different criteria and to possibly masked regions, as initially described on this page. Degradations / /Pixel sort also has two little brothers, filters “Degradations / Flip & rotate blocks“ and “Degradations / Warp by intensity“. The first divides an image into blocks and allows to rotate or mirror them, potentially only for certain color characteristics (like hue or saturation, for instance). The second locally deforms an image with more or less amplitude, according to its local geometry. Here again, this can lead to the generation of very strange images. It should be noted that these filters were largely inspired by the Polyglitch plug-in, available for Paint.NET, and have been implemented after a suggestion from a friendly user (yes, yes, we try to listen to our most friendly users!). ## 5.3. Image simplification What else do we have in store? A new image abstraction filter, Artistic / Sharp abstract, based on the Rolling Guidance algorithm mentioned before. This filter applies contour-preserving smoothing to an image, and its main consequence is to remove the texture. The figure below illustrates its use to generate several levels of abstraction of the same input image, at different smoothing scales. In the same vein, G’MIC also gets a filter Artistic / Posterize which degrades an image to simulate posterization. Unlike the filter with same name available by default in GIMP (which mainly tries to reduce the number of colors, i.e. do color quantization), our version adds spatial simplification and filtering to approach a little more the rendering of old posters. ## 5.4. Other filters If you still want more (and in this case one could say you are damn greedy!), we will end this section by discussing some of the new, but unclassifiable filters. We start with the filter “Artistic / Diffusion tensors“, which displays a field of diffusion tensors, calculated from the structure tensors of an image (structure tensors are symmetric and positive definite matrices, classically used for estimating the local image geometry). To be quite honest, this feature had not been originally developed for an artistic purpose, but users of the plug-in came across it by chance and asked to make a GIMP filter from it. And yes, this is finally quite pretty, isn’t it? From a technical point of view, this filter was actually an opportunity to introduce new drawing features into the G’MIC mathematical evaluator, and it has now become quite easy to develop G’MIC scripts for rendering custom visualizations of various image data. This is what has been done for instance, with the command -display_quiver reimplemented from scratch, and which allows to generate this type of rendering: For lovers of textures, we can mention the apparition of two new fun effects: First, the “Patterns / Camouflage“ filter. As its name suggests, this filter produces a military camouflage texture. Second, the filter “Patterns / Crystal background“ overlays several randomly colored polygons in order to synthesize a texture that vaguely looks like a crystal seen under a microscope. Pretty useful to quickly render colored image backgrounds. And to end this long overview of new G’MIC filters developed since last year, let us mention “Rendering / Barnsley fern“. This filter renders the well-known Barnsley fern fractal. For curious people, note that the related algorithm is available on Rosetta Code, with even a code version written in the G’MIC script language, namely: # Put this into a new file 'fern.gmic' and invoke it from the command line, like this: #$ gmic fern.gmic -barnsley_fern
barnsley_fern :
1024,2048
-skip {"
f1 = [ 0,0,0,0.16 ];           g1 = [ 0,0 ];
f2 = [ 0.2,-0.26,0.23,0.22 ];  g2 = [ 0,1.6 ];
f3 = [ -0.15,0.28,0.26,0.24 ]; g3 = [ 0,0.44 ];
f4 = [ 0.85,0.04,-0.04,0.85 ]; g4 = [ 0,1.6 ];
xy = [ 0,0 ];
for (n = 0, n<2e6, ++n,
r = u(100);
xy = r<=1?((f1**xy)+=g1):
r<=8?((f2**xy)+=g2):
r<=15?((f3**xy)+=g3):
((f4**xy)+=g4);
uv = xy*200 + [ 480,0 ];
uv[1] = h - uv[1];
I(uv) = 0.7*I(uv) + 0.3*255;
)"}
-r 40%,40%,1,1,2


And here is the rendering generated by this function:

# 6. Overall project improvements

All filters presented throughout this article constitute only the visible part of the G’MIC iceberg. They are in fact the result of many developments and improvements made “under the hood”, i.e., directly on the code of the G’MIC script language interpreter. This interpreter defines the basic language used to write all G’MIC filters and commands available to users. Over the past year, a lot of work has been done to improve the performances and the capabilities of this interpreter:

• The mathematical expressions evaluator has been considerably enriched and optimized, with more functions available (especially for matrix calculus), the support of strings, the introduction of const variables for faster evaluation, the ability to write variadic macros, to allocate dynamic buffers, and so on.

• New optimizations have been also introduced in the CImg library, including the parallelization of new functions (via the use of OpenMP). This C++ library provides the implementations of the “critical” image processing algorithms and its optimization has a direct impact on the performance of G’MIC (in this respect, note that CImg is also released with a major version 2.0).

• Compiling G’MIC on Windows now uses a more recent version of g++ (6.2 rather than 4.5), with the help of Sylvie Alexandre. This has actually a huge impact on the performances of the compiled executables: some filters run up to 60 times faster than with the previous binaries (this is the case for example, with the Deformations / Conformal Maps filter, discussed in section 5.2).

• The support of large .tiff images (format BigTIFF, with files that can be larger than 4Gb) is now enabled (read and write), as it is for 64-bit floating-point TIFF images

• The 3D rendering engine built into G’MIC has also been slightly improved, with the support for bump mapping. No filter currently uses this feature, but we never know, and prepare ourselves for the future!

• And as it is always good to relax after a hard day’s work, we added the game of Connect Four to G’MIC :). It can be launched via the shell command gmic -x_connect4 or via the plug-in filter “Various / Games & demos / Connect-4“. Note that it is even possible to play against the computer, which has a decent but not unbeatable skill (the very simple AI uses the Minimax algorithm with a two-level decision tree). Finally, let us mention the undergoing redesign work of the G’MIC Online web service, with a beta version already available for testing. This re-development of the site, done by Christophe Couronne and Véronique Robert (both members of the GREYC laboratory), has been designed to better adapt to mobile devices. The first tests are more than encouraging. Feel free to experiment and share your impressions! # 7. What to remember? First, the version 2.0 of G’MIC is clearly an important step in the project life, and the recent improvements are promising for the future developments. It seems that the number of users are increasing (and they are apparently satisfied!), and we hope that this will encourage open-source software developers to integrate our new G’MIC-Qt interface as a plug-in for their own software. In particular, we are hopeful to see the new G’MIC in action under Krita soon, this would be already a great step! Second, G’MIC continues to be an active project, and evolve through meetings and discussions with members of artists and photographers communities (particularly those who populate the forums and IRC of pixls.us and GimpChat). You will likely able to find us there if you need more information, or just if you want to discuss things related to (open-source) image processing. And while waiting for a future hypothetical article about a future release of G’MIC, you can always follow the day-after-day progress of the project via our Twitter feed. Until then, long live open-source image processing! Credit: Unless explicitly stated, the various non-synthetic images that illustrate this post come from Pixabay. ## We need your Flock session proposals! This year’s Flock is more action-oriented compared to previous Flocks. The majority of session slots are hackfests and workshops; only one day (Tuesday the 29th) is devoted to traditional talks. The registration system allows you to submit 4 different types of proposals: • Talk (30 min) – A traditional talk, 30-minute time slot. • Talk (60 min) – A traditional talk, 60-minute time slot. • Do-Session (120 min) – A 2-hour long hackfest or workshop. • Do-Session (120 min) – A 3-hour long hackfest or workshop. There is no session proposal limit. Feel free to submit as many proposals as you have ideas for. Our CFP ends June 15 so you have one week to get those awesome proposals in! Submit your Flock session proposal now! ## How to create a strong proposal How can you ensure your proposal is sufficiently strong enough for acceptance into Flock? Here are some tips and guidelines: ### Align your proposal to Fedora’s new mission statement. Fedora’s mission statement was updated almost two months ago. The revised and final mission statement is: Fedora creates an innovative platform for hardware, clouds, and containers that enables software developers and community members to build tailored solutions for their users. If you can explain the connection between your session and this goal, you’ll make the proposal stronger. Even if you are not directly working on a hardware, cloud, or container effort, you can relate your session to the goal. For example, say you’d like to propose a Fedora badges hackfest. Task the badges hackfest specifically with creating badges for activities associated with efforts aligned specifically with hardware, cloud, and container to strengthen it. ### Make sure the folks relevant to your topic are involved. If you want to propose a Fedora badges workshop, that’s totally cool. You might want talk to Marie Nordin or Masha Leonova, and see what their plans are, give them a heads up, and coordinate or even propose it together with one or both of them. The committee reviewing proposals occasionally sees duplicate / overlapping topics proposed. Generally, the committee chooses the proposal that has the subject matter experts most involved in the topic. A weak proposal on a topic has no indication of involvement or coordination with subject matter experts most actively involved in a topic. ### Make the audience for your topic clear. Think about who you are giving your talk to or who you want to show up to your workshop or hackfest. If you’re proposing a Fedora Hubs hackfest, are there enough Pythonistas in Fedora to help? (Yes, yes, there are. ) Tailor your content for your audience – while you may be able to get folks familiar with Python, they may not be familiar with Flask or how Fedora Hubs widgets work, so make sure your proposal notes this material will be covered. General user talks are discouraged. This Flock will be focused on empowering Fedora contributors and actively getting stuff done, so make sure your audience is a subset of existing Fedora contributors. ### Focus on taking or inspiring action. A major focus of this year’s Flock is taking action, so talks that inspire action and hackfests / workshops where action will take place are going to be strong proposals. ## Questions? Feel free to ask on the flock-planning list if you have any questions. Or, if you have private concerns / questions, you can email flock-staff@fedoraproject.org. The Flock planning committee is looking forward to seeing your proposals! Submit your Flock session proposal now! Save ## June 06, 2017 I know, I know. We use mailers like mutt because we don't believe in HTML mail and prefer plaintext. Me, too. But every now and then a situation comes up where it would be useful to send something with emphasis. Or maybe you need to highlight changes in something. For whatever reason, every now and then I wish I had a way to send HTML mail. I struggled with that way back, never did find a way, and ended up writing a Python script, htmlmail.py to send an HTML page, including images, as email. ### Sending HTML Email But just recently I found a neat mutt hack. It turns out it's quite easy to send HTML mail. First, edit the HTML source in your usual mutt message editor (or compose the HTML some other way, and insert the file). Note: if there's any quoted text, you'll have to put a <pre> around it, or otherwise turn it into something that will display nicely in HTML. Write the file and exit the editor. Then, in the Compose menu, type Ctrl-T to edit the attachment type. Change the type from text/plain to text/html. That's it! Send it, and it will arrive looking like a regular HTML email, just as if you'd used one of them newfangled gooey mail clients. (No inline images, though.) ### Viewing HTML Email Finding out how easy that was made me wonder why the other direction isn't easier. Of course, I have my mailcap set up so that mutt uses lynx automatically to view HTML email: text/html; lynx -dump %s; nametemplate=%s.html; copiousoutput  Lynx handles things like paragraph breaks and does in okay job of showing links; but it completely drops all emphasis, like bold, italic, headers, and colors. My terminal can display all those styles just fine. I've also tried links, elinks, and w3m, but none of them seem to be able to handle any text styling. Some of them will do bold if you run them interactively, but none of them do italic or colors, and none of them will do bold with -dump, even if you tell them what terminal type you want to use. Why is that so hard? I never did find a solution, but it's worth noting some useful sites I found along the way. Like tips for testing bold, italics etc. in a terminal:, and for testing whether the terminal supports italics, which gave me these useful shell functions: echo -e "\e[1mbold\e[0m" echo -e "\e[3mitalic\e[0m" echo -e "\e[4munderline\e[0m" echo -e "\e[9mstrikethrough\e[0m" echo -e "\e[31mHello World\e[0m" echo -e "\x1B[31mHello World\e[0m" ansi() { echo -e "\e[{1}m${*:2}\e[0m"; } bold() { ansi 1 "$@"; }
italic()        { ansi 3 "$@"; } underline() { ansi 4 "$@"; }
strikethrough() { ansi 9 "$@"; } red() { ansi 31 "$@"; }


And in testing, I found that a lot of fonts didn't offer italics. One that does is Terminus, so if your normal font doesn't, you can run a terminal with Terminus: xterm -fn '-*-terminus-bold-*-*-*-20-*-*-*-*-*-*-*'

Not that it matters since none of the text-mode browsers offer italic anyway. But maybe you'll find some other use for italic in a terminal.

## June 02, 2017

we're proud to announce the fifth bugfix release for the 2.2 series of darktable, 2.2.5!

the github release is here: https://github.com/darktable-org/darktable/releases/tag/release-2.2.5.

as always, please don't use the autogenerated tarball provided by github, but only our tar.xz. the checksum is:

    $sha256sum darktable-2.2.5.tar.xz e303a42b33f78eb1f48d3b36d1df46f30873df4c5a7b49605314f61c49fbf281 darktable-2.2.5.tar.xz$ sha256sum darktable-2.2.5.dmg
f6e8601fca9a08d988dc939484d03e137c16dface48351ef523b5e0bbbaecf18  darktable-2.2.5.dmg


Important note: to make sure that darktable can keep on supporting the raw file format for your camera, please help us by visiting https://raw.pixls.us/ and making sure that we have the full raw sample set for your camera under CC0 license!

and the changelog as compared to 2.2.4 can be found below.

## New features:

• When appending EXIF data to an exported image, do not fail if reading of EXIF from the original file fails
• Support XYZ as proofing profile
• Clear DerivedFrom from XMP before writing it
• bauhaus: when using soft bounds, keep slider step constant

## Bugfixes:

• Some GCC7 build fixes
• cmstest: fix crash when missing XRandR extension.
• Fix crash in Lua libs when collapsing libs
• Mac packaging: some fixes
• RawSpeed: TiffIFD: avoid double-free
• Fix a few alloc-dealloc mismatches

## Base Support:

• Canon EOS 77D
• Canon EOS 9000D
• Nikon D500 (14bit-uncompressed, 12bit-uncompressed)
• Nikon D5600 (12bit-compressed, 12bit-uncompressed, 14bit-compressed, 14bit-uncompressed)
• Panasonic DC-FZ82 (4:3)
• Panasonic DMC-FZ80 (4:3)
• Panasonic DMC-FZ85 (4:3)
• Panasonic DC-GH5 (4:3)

## White Balance Presets:

• Pentax K-3 II

## Noise Profiles:

• Nikon D500
• Panasonic DMC-FZ300
• Panasonic DMC-LX100
• Pentax K-70
• Sony ILCE-5000

## June 01, 2017

I got a tip that there were tiger salamanders with gills swimming around below Los Alamos reservoir, so I had to go see for myself.

They're fabulous! Four to five inch salamanders with flattened tails and huge frilly gills behind their heads -- dozens of them, so many the pond is thick with them. Plenty of them are hanging out in the shallows or just below the surface of the water, obligingly posing for photos.

I had stupidly brought only the pocket camera, not the DSLR -- and then the camera's battery turned out to be low -- so I was sparing with camera, but even so I was pleased at how well they came out, with the camera mostly managing to focus on the salamanders rather than (as I had feared) the surface of the murky water. I may go back soon with the DSLR. It's an easy, pleasant hike.

## May 29, 2017

So here we are for our monthly report of what has been going on on the FreeCAD front this month. As usual, I will mostly talk about what I have been doing myself, but don't forget that many people are working on FreeCAD, so there is always much more happening than what I talk about...

## May 26, 2017

SIGGRAPH 2017 (Los Angeles, 30 July – 3 August) is around the corner! To continue and celebrate the long standing tradition of Blender and SIGGRAPH, this year we have 3 announcements.

## Talk selected for SIGGRAPH 2017

Ton and the Blender Animation Studio team will present Beyond “Cosmos Laundromat”: Blender’s Open Source studio pipeline, a talk focused on Open Source pipelines and Blender.

Here is the abstract: For “Cosmos Laundromat” – CAF 2016 Jury Award winner – the Blender team, headed by CG pioneer and producer Ton Roosendaal, developed and used a complete open source creation pipeline. The team released several other shorts since then, including a 360-degrees VR experience and a pitch for the feature animation “Agent 327”. Developing and sharing open source technologies is a great challenge, and leads to great bene for the small and medium animation studios.

## Blender booth

SIGGRAPH hosts one of the largest exhibitions of the computer graphics industry, and this year Blender is going back to it. There will be demos, goodies and a new Blender demo-reel!

## Giveaway: free exhibit pass

Follow this link for a free pass (worth $50 – get them before they run out), so you can drop by the exhibit hall in the LA Convention Center. We would love to see you there! Today we’re releasing Krita 3.1.4. This strictly a bug-fix release, but everyone is encouraged to update. • Fix a crash when trying to play an animation when OpenGL is disabled in Krita • Fix rendering animation frames if the directory you’re trying to render to doesn’t exist • Don’t open the tablet/screen resolution conflict dialog multiple times • Don’t scale down previews that are too small in the transform tool: this fixes a rare crash with the transform tool • Don’t crash when trying to close the last view on the last document while the document is modified. • Fix a crash when cycling quickly through layers that have a color tag • Fix loading some Gimp 2.9 files: note that Gimp 2.9’s file format is not officially supported in Krita • Fully remove the macro recorder plugin: in 3.1.4, only the menu entries had stayed around. • Make it impossible to hide the template selector in the new image dialog; hiding the template selector would also hide the cancel button in the dialog. #### Download The KDE download site has been updated to support https now. #### Windows Note for Windows users: if you encounter crashes, please follow these instructions to use the debug symbols so we can figure out where Krita crashes. #### Linux (For some reason, Firefox thinks it needs to load this as text: to download, right-click on the link.) A snap image for the Ubuntu App Store will be available from the Ubuntu application store. When it is updated, you can also use the Krita Lime PPA to install Krita 3.1.4 on Ubuntu and derivatives. #### OSX ### Source code #### md5sums For all downloads: #### Key The Linux appimage and the source tarball are signed. You can retrieve the public key over https here: 0x58b9596c722ea3bd.asc . The signatures are here. #### Support Krita Krita is a free and open source project. Please consider supporting the project with donations or by buying training videos or the artbook! With your support, we can keep the core team working on Krita full-time. Last year, GDQuest’s Nathan Lovato ran a succesful kickstarter: “Create Professional 2D Game Art: Krita Video Training”. Over the past year, he has produced a great number of videos for Krita, and has helped the Krita team out with release videos as well. This year, he’s going to teach you how to use your art in a real game. Learn how to use Godot to create games with GDQuest, on Kickstarter now to bring you the first premium course for the engine, with the support of the Godot developers. During the campaign, you get a free game creation tutorial on YouTube, every day! Please check it out now, and spread the word: Make Professional 2d Games: Godot Engine Online Course GDQuest reached the goal in less than 12 hours. Everything above it means more content for the backers, but also for everyone! GDQuest will also contribute to Godot 3.0’s demos and documentation. All the money will go to the course’s production and official free educational resources. Check out the Free daily tutorials on Youtube!. ## May 23, 2017 I'm working on a project involving PyQt5 (on which, more later). One of the problems is that there's not much online documentation, and it's hard to find out details like what signals (events) each widget offers. Like most Python packages, there is inline help in the source, which means that in the Python console you can say something like >>> from PyQt5.QtWebEngineWidgets import QWebEngineView >>> help(QWebEngineView)  The problem is that it's ordered alphabetically; if you want a list of signals, you need to read through all the objects and methods the class offers to look for a few one-liners that include "unbound PYQT_SIGNAL". If only there was a way to take help(CLASSNAME) and pipe it through grep! A web search revealed that plenty of other people have wished for this, but I didn't see any solutions. But when I tried running python -c "help(list)" it worked fine -- help isn't dependent on the console. That means that you should be able to do something like python -c "from sys import exit; help(exit)"  Sure enough, that worked too. From there it was only a matter of setting up a zsh function to save on complicated typing. I set up separate aliases for python2, python3 and whatever the default python is. You can get help on builtins (pythonhelp list) or on objects in modules (pythonhelp sys.exit). The zsh suffixes :r (remove extension) and :e (extension) came in handy for separating the module name, before the last dot, and the class name, after the dot. ############################################################# # Python help functions. Get help on a Python class in a # format that can be piped through grep, redirected to a file, etc. # Usage: pythonhelp [module.]class [module.]class ... pythonXhelp() { python=$1
shift
for f in $*; do if [[$f =~ '.*\..*' ]]; then
module=$f:r obj=$f:e
s="from ${module} import${obj}; help($obj)" else module='' obj=$f
s="help($obj)" fi$python -c $s done } alias pythonhelp="pythonXhelp python" alias python2help="pythonXhelp python2" alias python3help="pythonXhelp python3"  So now I can type python3help PyQt5.QtWebEngineWidgets.QWebEngineView | grep PYQT_SIGNAL  and get that list of signals I wanted. ## May 22, 2017 Just over a year ago Bastille security announced the discovery of a suite of vulnerabilities commonly referred to as MouseJack. The vulnerabilities targeted the low level wireless protocol used by Unifying devices, typically mice and keyboards. The issues included the ability to: • Pair new devices with the receiver without user prompting • Inject keystrokes, covering various scenarios • Inject raw HID commands This gave an attacker with$15 of hardware the ability to basically take over remote PCs within wireless range, which could be up to 50m away. This makes sitting in a café quite a dangerous thing to do when any affected hardware is inserted, which for the unifying dongle is quite likely as it’s explicitly designed to remain in an empty USB socket. The main manufacturer of these devices is Logitech, but the hardware is also supplied to other OEMs such as Amazon, Microsoft, Lenovo and Dell where they are re-badged or renamed. I don’t think anybody knows the real total, but by my estimations there must be tens of millions of affected-and-unpatched devices being used every day.

Shortly after this announcement, Logitech prepared an update which mitigated some of these problems, and then again a few weeks later prepared another update that worked around and fixed the various issues exploited by the malicious firmware. Officially, Linux isn’t a supported OS by Logitech, so to apply the update you had to start Windows, and download and manually deploy a firmware update. For people running Linux exclusively, like a lot of Red Hat’s customers, the only choice was to stop using the Unifying products or try and find a Windows computer that could be borrowed for doing the update. Some devices are plugged in behind racks of computers forgotten, or even hot-glued into place and unremovable.

The MouseJack team provided a firmware blob that could be deployed onto the dongle itself, and didn’t need extra hardware for programming. Given the cat was now “out of the bag” on how to flash random firmware to this proprietary hardware I asked Logitech if they would provide some official documentation so I could flash the new secure firmware onto the hardware using fwupd. After a few weeks of back-and-forth communication, Logitech released to me a pile of documentation on how to control the bootloader on the various different types of Unifying receiver, and the other peripherals that were affected by the security issues. They even sent me some of the affected hardware, and gave me access to the engineering team that was dealing with this issue.

It took a couple of weeks, but I rewrote the previously-reverse-engineered plugin in fwupd with the new documentation so that it could update the hardware exactly according to the official documentation. This now matches 100% the byte-by-byte packet log compared to the Windows update tool. Magic numbers out, #define’s in. FIXMEs out, detailed comments in. Also, using the documentation means we can report sensible and useful error messages. There were other nuances that were missed in the RE’d plugin (for example, making sure the specified firmware was valid for the hardware revision), and with the blessing of Logitech I merged the branch to master. I then persuaded Logitech to upload the firmware somewhere public, rather than having to extract the firmware out of the .exe files from the Windows update. I then opened up a pull request to add the .metainfo.xml files which allow us to build a .cab package for the Linux Vendor Firmware Service. I created a secure account for Logitech and this allowed them to upload the firmware into a special testing branch.

This is where you come in. If you would like to test this, you first need a version of fwupd that is able to talk to the hardware. For this, you need fwupd-0.9.2-2.fc26 or newer. You can get this from Koji for Fedora.

Then you need to change the DownloadURI in /etc/fwupd.conf to the testing channel. The URI is in the comment in the config file, so no need to list it here. Then reboot, or restart fwupd. Then you can either just launch GNOME Software and click Install, or you can type on the command line fwupdmgr refresh && fwupdmgr update — soon we’ll be able to update more kinds of Logitech hardware.

If this worked, or you had any problems please leave a comment on this blog or send me an email. Thanks should go to Red Hat for letting me work on this for so long, and even more thanks to Logitech to making it possible.

ONiRiXEL 3D Animation Studio is a small startup based in Toulouse, France. In this article by Jean-Gabriel Loquet, they share how they used Blender to create a high-end stereoscopic video for the European Space Agenty. ONiRiXEL is a Corporate member of the Blender Network.

We are specialized in the production of 3D CGI animation films, mainly for corpororate or institutional films and commercials, but we also love to work on fiction and documentaries, shoot live action, create VFX, perform film preproduction and/or postproduction, or create 3D VR or AR apps as well.

Blender is at the heart of our pipeline, thanks to its “all-in-one” functionality and overall awesomeness: we use it for concept and previs, 3D modeling and texturing, animation, simulation, lighting and rendering with Cycles, compositing and video editing, for monoscopic and stereoscopic projects.

## The European Space Agency ESA

The ISS (partly operated by ESA) 3D render by ONiRiXEL, for the space debris movie.

ESA is the European equivalent of NASA: its purpose is to provide for, and to promote, for exclusively peaceful purposes, cooperation among European States in space research and technology and their space applications, with a view to their being used for scientific purposes and for operational space applications systems.

Amongst many, one of ESA’s missions is to investigate about space debris, communicate about this issue with the space operations community, find and implement solutions to mitigate the risks associated therewith.

To raise awareness about this issue, ESA hosted the 7th European Conference on Space Debris Risks and Mitigation in April 2017 in ESOC (the European Space Operations Center) in Darmstadt, Germany. According to ESA: “3D animation is the most suitable way to explain technical principles and to give a clear picture of the situation in space”. Thus, the agency enthrusted the creation of a 3D animation movie about space debris to ONiRiXEL 3D Studio, along with the french consulting startup (also based in Toulouse) ID&SENSE.

The projection of the movie was the main act during the opening ceremony of the conference.

## Orbitography simulation with Orekit

The accuracy of spacecraft position, speed and attitude was paramount for ESA so the project team got in touch with the developers of the open source flight dynamics computation library Orekit, in order to implement correct representation of the orbital data provided by ESA.

The input data were the Kepler orbital parameters for each object (active satellite, defunct satellite, launcher upper stage, and spacecraft fragment):

The Orekit team developed a software interface that read these parameters, translated them into ephemeris data (location and attitude of each object for any point in time), which was eventually written to files in Blender’s particle cache format (one for each object and for every frame), and thus already animated in Blender with extremely good accuracy!
Active spacecraft use controlled attitude depending on their orbit (typically nadir pointing with yaw compensation for LEO, LOF aligned for GEO) and other categories use a tumbling mode with random initial attitude and angular velocity. Attitude for the solar arrays is also computed with respect to the body attitude to ensure a proper orientation in the direction of the sun in each movie scene.

Screen capture of Blender reading the Orekit computed spacefraft animation

The next step was to create relatively simple 3D models for the Orekit-simulated objects, with a reasonnable amount of polygons as there were over 20.000 duplications instanciated by Blender’s particle engine. Finally we setup materials, lighting, and camera animation, and thanks to Cycles’ magic: voilà!

Rendered frame of the movie by ONiRiXEL with Orekit computed spacefraft animation

The interface developped by the Orekit team also allowed the visualization of the object’s trajectory as curves:

Rendered frame of the movie by ONiRiXEL with Orekit computed spacefraft trajectory as a curve

Some scenes concerned only one piece of spacecraft, and allowed for more detailed modelling:

Screen capture of ONiRiXEL’s 3D model of Herschel Space Telescope in Blender

## Blender’s stereoscopic pipeline

Another of Blender’s strengths on this project was also to support a solid, end-to-end strereoscopic pipeline from conception to delivery of the movie.

We used stereoscopic preview of animation:

Screen capture of ONiRiXEL’s stereoscopic animation preview for the movie in Blender

Stereoscopic rendering and compositing:

Screen capture of ONiRiXEL’s stereoscopic compositing for the movie in Blender

And even stereoscopic editing and encoding, all within Blender:

Screen capture of ONiRiXEL’s stereoscopic video editing for the movie in Blender

## ESA’s space debris movie 2017: “A Journey to Earth”

The resulting 12 minutes 3D animation film was realeased by ESA under the CC-BY-SA licence, and is available for download on their website.

Rendered frame of ESA’s space debris movie by ONiRiXEL 3D

It is also available on Youtube in monoscopic or stereoscopic versions.

In the end, this was a challenging but very exciting project, with an extremely efficient production pipeline, with a very high satisfaction of the final client (ESA),
all made possible by open source software in general, and Blender in particular.

You can get in touch with us on the ONiRiXEL 3D Animation Studio website for more info, or check our Blender Network profile.

## May 19, 2017

ICC Examin allows since version 1.0 ICC Color Profile viewing on the Android mobile platform. ICC Examin shows ICC color profile elements graphically. This way it is much easier to understand the content. Color primaries, white point, curves, tables and color lists are displayed both numerically and as graphics. Matrices, international texts, Metadata are much easier to read.

Features:
* most profile elements from ICC specification version 2 and version 4
* additionally some widely used non standard tag are understood

ICC color profiles are used in photography, print and various operating systems for improving the visual appearance. A ICC profile describes the color response of a color device. Read more about ISO 15076-1:2010 Standard / Specification ICC.1:2010-12 (Profile version 4.3.0.0), color profiles and ICC color management under www.color.org .

The ICC Examin App is completely rewritten in Qt/QML. QML is a declarative language, making it easy to define GUI elements and write layouts with fewer code. In recent years the Qt project extended support from desktop platforms to mobiles like Nokias Meego, Sailfish OS, iOS, Android, embedded devices and more. ICC Examin is available as a paid app in the Google Play Store. Sources are currently closed in order to financially support further development. This ICC Examin version continues to use Oyranos CMS. New is the dependency to RefIccMAX for parsing ICC Profile binaries. In the process both the RefIccMAX library and the Oyranos Color Management System obtained changes and fixes in git for cross compilation with Android libraries. Those changes will be in the next respective releases.

The FLTK Toolkit, as used in previous versions, was not ported to the Android or other mobile platforms. Thus a complete rewrite was unavoidable. The old FLTK based version is still maintained by the same author.

Wandering the yard chasing invasive weeds, Dave noticed an area that had been disturbed recently by some animal -- probably a deer, but there were no clear prints so we couldn't be sure.

But among the churned soil, he noticed something that looked different from the other rocks.

A pot sherd, with quite a nice pattern on it!

(I'm informed that fragments of ancient pots are properly called "sherds"; a "shard" is a fragment of anything other than a pot.)

Our sherd fairly large as such things go: the longest dimension is about two inches.

Of course, we wanted to know how old it was, and whether it was "real". We've done a lot of "archaeology" in our yard since we moved in, digging up artifacts ranging from bits of 1970s ceramic and plastic dinnerware to old tent pegs to hundreds of feet of old rotting irrigation tubing and black plastic sheeting. We even found a small fragment of obsidian that looked like it had been worked (and had clearly been brought here: we're on basalt, with the nearest obsidian source at least fifteen miles away). We've also eyed some of the rock rings and other formations in the yard with some suspicion, though there's no way to prove how long ago rocks were moved. But we never thought we'd find anything older than the 1970s when the house was built, or possibly the 1940s when White Rock was a construction camp for the young Los Alamos lab.

So we asked a friend who's an expert in such matters. She tells us it's a Santa Fe black-on-white, probably dated somewhere between 1200-1300 AD. Santa Fe black-on-white comes in many different designs, and is apparently the most common type of pottery found in the Los Alamos/Santa Fe area. We're not disappointed by that; we're excited to find that our pot sherd is "real", and that we could find something that old in the yard of a house that's been occupied since 1975.

It's not entirely a surprise that the area was used 700 years ago, or even earlier. We live in a community called La Senda, meaning "The Path". A longtime resident told us the name came from a traditional route that used to wind down Pajarito Canyon to the site of the current Red Dot trail, which descends to the Rio Grande passing many ancient petroglyphs along the way. So perhaps we live on a path that was commonly used when migrating between the farmland along the Rio and the cliff houses higher up in the canyons.

What fun! Of course we'll be keeping our eyes open for more sherds and other artifacts.

## May 16, 2017

This year, four students, from three separate continents, will participate, within the wider KDE project, in Google’s Summer of Code for Krita. We’d like to say “welcome!” to all four, and give them a chance to introduce themselves!

### Aniketh Girish: Integrate Krita With share.krita.org

I’m Aniketh Girish. I’m a first-year Computer Science and Engineering student pursuing my bachelor’s from Amrita University. I’m an active member of the FOSS club in our university (FOSS@Amrita). I started contributing to KDE in September 2016. I was selected for Season of KDE(KDE-SoK) 2016-17, in which I worked on the project Kstars. I was invited as a speaker for KDE India Conference 2017 in IIT Guwahati, where I gave a talk on the topic “Object tracking using OpenCV and Qt”. I have also contributed to other projects of KDE like Konsole, KIO and several more.

My project for GSoC 2017 aims to integrate share.krita.org with our Krita application. I intend to accomplish this project using the Open Collaboration Services called libattica. I will create a user friendly GUI for it as well.

The second part of the project is to make the GUI of resource manager much more appealing. The existing resource manager is quite buggy and not very user-friendly, so it requires a lot of triaging. Therefore I will make the resource manager’s GUI much better, using the open collaboration service to share the bundles and other resources available from share.krita.org. I’ll also fix any issues I find.

Blogs:

### Eliakin Costa: Showcasing Python Scripting in Krita

I’m Eliakin Costa, 23 years old, from Brazil. My project for GSoC is “Develop a showcase of Krita’s new scripting support”, a continuation of my recent work on Krita. I have to implement scripts to be executed in the Scripter (a GUI to execute and save python scripts inside Krita) and plugins to be added to the Krita GUI. A really important part of my work is to talk with more users to compile a good group of scripts and plugins to be implemented during this period and define how my work will be available for the users. I’m really excited to code and to help Krita’s community.

### Григорий Танцевов: Watercolor Brushes in Krita

I’m a third year student of Bauman Moscow State Technical University. I am interested in programming, music and art. I did not have the opportunity to seriously engage in programming during my school years because I grew up in a small city. But I compensated for this by studying mathematics and physics.

My first programming experience was in grade 6, when I did a primitive drawing program using Pascal. Later, I began to learn the basics of programming in special courses at the College of my city. As part of the university’s curriculum, I studied programming languages like Lisp, C, C++, C#. Now my main programming language is C++.

As a part of GSoC i’m going to make watercolor brush for Krita based on the procedural brush.

### Alexey Kapustin: Telemetry for Understanding Which Functions in Krita Are Used Most.

I’m Alexey Kapustin, a 3rd year student at the Software Engineering Faculty of Bauman Moscow State Technical University. I’m interested in C ++, Python, Javascript, web development. I also study at the Technopark Mail.ru in the 3rd semester. (Russian School of Web Architects).

This summer I will be doing telemetry for Krita. I think this is very useful for developers. Also it will help me to get new skills.

By popular request, there is now a list of recently updated applications in the gnome-software overview page.

Upstream applications have to do two things to be featured here:

1. Have an upstream release within the last 2 months (will be reduced as the number of apps increases)
2. Have upstream release notes in the AppData file

Quite a few applications from XFCE, GNOME and KDE have already been including <release> tags and this visibility should hopefully encourage other projects to do the same. As a small reminder, the release notes should be small, and easily understandable by end users. You can see lots of examples in the GNOME Software AppData file. Any questions, please just email me or leave comments here. Thanks!

## May 15, 2017

Blender brings cult comic Agent 327 to life in 3D animation

The studio of Blender Institute releases ambitious three-minute teaser for full-length animated feature based on Dutch artist Martin Lodewijk’s classic comics

Amsterdam, NetherlandsMay 15, 2017) – It has created a string of award-winning shorts, raised over a million dollars in crowdfunding, and helped to shape development of the world’s most popular 3D application. But now Blender Institute has embarked on its most ambitious project to date. The studio has just releasedAgent 327: Operation Barbershop: a three-minute animation based on Martin Lodewijk’s cult comics, and co-directed by former Pixar artist Colin Levy – and the proof of concept for what it hopes will become a major international animated feature created entirely in open-source software.
Watch it here: http://agent327.com

A history of award-winning open movies

Since its foundation in 2007, Blender Institute has created eight acclaimed animated and visual effects shorts, culminating in 2015’s Cosmos Laundromat, winner of the Jury Prize at the SIGGRAPH Computer Animation Festival. Each ‘open movie’ has been created entirely in open-source tools – including Blender, the world’s most widely used 3D software, whose development is overseen by the Institute’s sister organization, the Blender Foundation.

Assets from the films are released to the public under a Creative Commons license, most recently via Blender Cloud, the Institute’s crowdfunding platform, also used to raise the €300,000 budget for Agent 327: Operation Barbershop.Based on Martin Lodewijk’s cult series of comics, the three-minute movie teaser brings the Dutch artist’s underdog secret agent vividly to life.

Creating a cult spy thriller

“Agent 327 is the Netherlands’ answer to James Bond,” said producer Ton Roosendaal, original creator of the Blender 3D software. “He’s fighting international supervillains, but the underfunded Dutch secret service agency doesn’t have the resources of MI6. Rather than multi-million-dollar gadgets, he has to rely on his own resourcefulness to get things done – and in the end, he always pulls it off. To me, that also reflects the spirit of Blender itself.”

Created by a core team of 10 artists and developers over the course of a year, Operation Barbershop sees Agent 327 going undercover in an attempt to uncover a secret criminal lair. Confronted first by the barbershop’s strangely sinister owner, then his old adversary Boris Kloris, Agent 327 becomes embroiled in a life-or-death struggle – only to confront an even more deadly peril in the shop’s hidden basement.

Translating a 1970s comic icon into 3D

A key artistic challenge on the project was translating the stylized look of the original 1970s comics into 3D. “Agent 327 doesn’t really fit the mainstream design template for animated characters,” says Blender Institute production coordinator Francesco Siddi. “His facial features are designed and exaggerated in a very Europan way. How many Disney movies do you see with characters like that?”

For the work, the Institute’s modeling and design artists, led by Blender veteran Andy Goralczyk, carried out a series of look development tests. Concept designs were created in open-source 2D painting software Krita, while test models were created in Blender itself, and textured in GIMP.

Another issue was balancing action and storytelling. Although a richly detailed piece, Operation Barbershop isn’t a conventional animated short, but a proof of concept for a movie. It’s designed to introduce Agent 327’s universe, and to leave the viewer wanting more. To achieve the right mix of narrative and exposition, Colin Levy and co-director and lead animator Hjalti Hjálmarsson ping-ponged ideas off one another, mixing animated storyboards, live action, and 3D previs.

Building an open-source feature animation pipeline

As with all of the Institute’s open movies, technical development on the project feeds back into public builds of Blender. In the case of Operation Barbershop, the work done on Cycles, the software’s physically based render engine – which now renders scenes with hair and motion blur 10 times faster – was rolled out in Blender 2.78b in February. Work on Blender’s dependency graph, which controls the way a character rig acts upon the geometry of the model, will follow in the upcoming Blender 2.8. “For users, it’s going to mean much better performance, enabling much more complex animation set-ups than are possible now,” says Siddi.

Other development work focused on the Blender Institute’s open-source pipeline tools: render manager Flamenco and production-tracking system Attract. “The pipeline for making shorts in Blender is already super-solid, but we wanted to build a workflow that could be used on a feature film,” says Siddi. “Operation Barbershop was great for identifying areas for improvement, like the way we manage asset libraries.”

Joining Hollywood’s A-list

For the Agent 327 movie itself, the Blender Institute is establishing Blender Animation Studio, a separate department devoted to feature animation, for which it aims to recruit a team of 80 artists and developers from its international network. To help raise the film’s proposed budget of €14 million, the Institute has signed with leading talent agency WME, which also represents A-list Hollywood directors like Martin Scorsese, Ridley Scott, and Michael Bay.

“Blender Animation Studio is devoted to producing feature animation with world-class visuals and storytelling, created entirely in free and open-source software,” says founder and producer Ton Roosendaal, “We’ve proved that Blender can create stunning short films. Now we aim to create stunning features, while building and sharing a free software production pipeline.”

Although the Agent 327 movie isn’t the first film to be created in Blender – a distinction that belongs to 2010 Argentinean animated comedy Plumíferos – it will be by far the largest and most ambitious, and one that the Blender Institute hopes will revolutionize feature animation.

“As an independent studio, we’re in the unique position of being in complete control of the tools we use in production,” says Roosendaal. “That’s a luxury enjoyed only by the world’s largest animation facilities. We intend to create movies that redefine the concept of independent animated feature production.”

## May 14, 2017

This is the second of a series of interviews of various people surrounding GIMP development and community. See also the interview of Mitch, GIMP maintainer

GIMP is made not only by hard-core developers but also through the hard work of many less technically-inclined contributors. Michael Schumacher, aka Schumaml, is a great example of an important core contributor who has been with the project for over 10 years. Mostly known as the project administrator, nowadays he takes care of everything but programming: administrative tasks, management, PR, support…

Schumaml was recently named the maintainer of the 2.8 branch, the stable version of GIMP which only receives bugfixes, showing that it does not require a developer to manage important roles successfully.

This interview was held on Saturday, February 4, 2017, at about 12:27 AM in front of a fireplace and after a day of hacking at Wilber Week. With us were several team members, including Debarshi Ray (Rishi (R)), Øyvind Kolås (pippin (P)) and Simon Budig who also asked questions.

Jehan: Hello Michael. You are the GIMP administrator, at least that’s what everybody says.

Schumaml: That’s what everybody says, yes.

J: How would you describe your contribution to the GIMP project?

S: I don’t do much coding. It’s just that so many people — from my perspective — do coding on GIMP already and have a better grasp of the source code and how it is made up. So I don’t think I can contribute much in that regard. I try to do administrative stuff like handling the monetary aspect of the project such as telling GNOME that we need money for events like Wilber Week or for LGM reimbursements…
I also care about the bug reports we have. I try to have them categorized, have a proper status, make sure that they get replies, and that we don’t leave a bug report unattended for a long time.
Also, I have administrative privileges on the GIMP web server, on mailing lists, and… what else. Do I forget anything? That’s about it, yeah.

I’ve been called the tie-wearing GIMP office manager and I even got a t-shirt with a printed tie and a “TWOM” label, because I’ve actually been wearing a proper shirt (made to measure) at one GIMP meeting during the Libre Graphics Meeting 2012 in Vienna.

J: How long have you been contributing?

S: I think I started somewhere between 2001 and 2004. The first contributions were probably getting GIMP buildable on MSYS, the minimal GNU build system on the Windows platform. Because I was annoyed that there were only GIMP builds for releases and not for every commit in between.

J: Was it like nightly builds?

S: No it was not like nightly builds. I just wanted to be able to have a current build for the MS Windows platform and also made on the MS Windows platform, so that I could build on my Windows system I was using at the time. Just to be able to follow GIMP development more closely than using a build someone made for a development release.

J: So you mostly use GIMP on Windows?

S: Back more than 10 years ago, I did use Windows exclusively. So basically, back then I had done the porting of GIMP to the Windows platform.

J: Do you use GIMP?

S: I use GIMP. Not as much as many other people but I use it to test many things of GIMP itself. I use it to edit photos I make. I don’t publish many of the images because when I’m editing them, I print them or I use them for some documentation work, so it goes to a customer. I even still use it on MS Windows, but now my main platform is Linux.

J: What kind of job do you do?

S: I’m working for a company that used to be a part of Siemens, which had been carved out by now. We are selling communication systems - in the past, you would have called these telephony systems. Nowadays this stuff is called “Communication Enabled Business Processes”, like everything which has to do with communication: calling someone or texting someone or exchanging chats or whatever. We are providing the software, the service, and the consulting.

J: Why do you contribute to GIMP?

S: It started due to pure selfishness: being able to have the most current GIMP available to me.

Since then, a lot has changed: I believe in Free Software. I believe software should be available for everyone for every purpose. GIMP is a Free Software project. Around the time I got hooked up with GIMP, I also got hooked up with Wikipedia, which follows the same approach towards knowledge. I feel like — yeah well — I’m contributing to something that helps a lot of people all over the world. I think that’s a good thing. GIMP happens to be the the first major project I contributed to, and I like it. It’s also in-line with the topics I specialized in at university: image synthesis, image manipulation. It kind of seemed like a logical extension.

Rishi: What do you think of Michael Schumacher?

S: (laughs) The formula one driver?

R: Yeah.

S: First thing, you know about his current condition, like probably still in the coma. I hope that he will get better. He probably won’t make it to his former self but at least to a state allowing him to live in a somewhat decent way. He got famous when I was in the so-called German “Gymnasium” (part of secondary education). It was a bit of an annoyance then - I got the same nickname - “Schumi” - as he had. I didn’t follow his career too closely, but knew about every race he won because I would be congratulated at school.

pippin: Have you ever made use of sharing the name?

S: No I haven’t. It got me an interview opportunity with a locale radio station because they were calling all people who had the name “Michael Schumacher” and they were asking them “How hard does this affect your personal life? Has it ever affected you?“. Once, I almost had an appointment canceled because someone thought I was mocking them, but that was the only incident ever.

I’ve never used it. I’ve never abused it. Nowadays, after the end of his professional racing career, it basically didn’t matter anymore.

P: Any controversial theme you wish to be asked?

S: Like the fact that I would like to kill spammers? (Maintain several mailing lists, one forum, be a recipient for “can we haz ads on gimp.org, plz?“, and you’ll know what I mean)

Simon: Not very controversial.

J: What do you want to see in GIMP?

S: Feature-wise, I’m quite OK with what GIMP is right now. I have to admit that some of the current stuff in the GIMP development version is still above my head - for example, I have no real concept yet of the difference between compositing and blending. Learning that it was 2 different things was quite useful. I hope that we can get the documentation of GIMP up-to-speed in time.

I’m more concerned about the project management. As in: how do we decide what new features go into GIMP, how they get into GIMP, and what GIMP development will look like. Particularly post-2.10. You can see it yourself: Right now, our release cycles are much too long. Even the fact that we have actual release cycles is probably bad. If you have a look at services like Twitter or similar, they are constantly releasing. They just push new features out to the people and there is a constant review “this is working, this is not working“. With our long release cycles, users get surprised by “Oh this does not work as it used to. Why have they changed it?“.

The project is still a bit old-fashioned in regard to releases. We are trailing current development models. “Development models” is the term I use because I’m not sure how to refer to this. I’m intrigued by the idea of having stable branches with continuously added new features, but I’m not quite sure if I want 2.10 to be constantly evolving. I would prefer to have 2.12. That’s details.

J: How do you see GIMP in 20 years?

S: First thing: in 20 years, I’ll be 60 (laughs). So I’m not even sure how I see myself at that point. I very much would like to still be part of the project in 20 years. I would still like to be able to see it as an image manipulation program. One of the major Free Software ones. I have no idea at all what it will look like (laughs) because there is so much that can change. Especially in the user interaction. How people interact with software might be the defining factor for how applications will look in 20 years.

J: What’s the feature you are really waiting for?

S: The feature I’m really waiting for… It’s not a feature of painting or image manipulation. It’s about organization. This thing we want to do, Plug-in or Resource Registry 2.0. Properly built and really managed. The thing we talked so much about, have so many great ideas, but always seem to lack the time to do. This is the feature I would like to see.

J: Do you contribute under influence?

S: Yeah, have a look at the 2.8.20 NEWS file. At the typos, which I totally didn’t notice. So now I prefer to not contribute under influence.

J: Indeed you are now the maintainer of the 2.8 branch, or at least the releaser. If not mistaken, you took care of 2.8.18 and 2.8.20 releases. What can you say about this?

S: I guess I should start at why I am doing more 2.8 releases. As I explained before, I’m not interested in coding that much but more engaged in user support and maintenance. Approximately one month before the release of 2.8.18, we had received a report about a security issue in the XCF loading code. It was fixed quickly, for both the development and 2.8 branches, but there was no plan to do a 2.8 release. We have instructions for this, and mitch replied “Just do it!” when I asked about it.

It still felt like flying blind. Had I done the version changes - to 2.8.18, and afterwards advancing to 2.8.19 - correctly? Was the tarball made correctly? Would it build on any other system than mine? It did, but I had still missed two action: the release tag is supposed to be signed (i.e. git tag -s) and the GNOME translations teams should be notified about planned releases with a string freeze be put in place until the release to make it easy for them to complete translations. 2.8.20 was much better prepared and even had an extra long string freeze. I had planned to do it in October 2016, but had to delay it to February 2017, during Wilber Week.

Releasing is definitely something you want to do right, and this means taking a moment of uninterrupted time to do it. My approach towards bug handling has changed a bit, too. I pay much more attention to bugs with attached patches, and try to apply and test those (we really neglected to do this) in order to get them into a stable release.

J: This was a good interview.

S: Thank you for doing it.

# Happy 2nd Birthday Discuss

## Time keeps on slippin'

I was idling in our IRC chat room earlier when @Morgan_Hardwood wished us all a “Happy Discuss Anniversary”. Wouldn’t you know it, another year slipped right by! (Surely there’s no way it could already be a year since the last birthday post? Where does the time go?)

We’ve had a bunch of neat things happen in the community over the past year! Let’s look at some of the highlights.

## Support

I want to start with this topic because it’s the perfect opportunity to recognize some folks who have been supporting the community financially…

When I started all of this I decided that I definitely didn’t want ads to be on the site anywhere. I had gotten enough donations from my old blog and GIMP tutorials that I could cover costs for a while entirely from those funds (I also re-did my personal blog recently and removed all ads from there as well).

I don’t like ads. You don’t like ads. We’re a big enough community that we can keep things going without having to bring those crappy things into our lives. So to reiterate, we’re not going to run ads on the site.

We’re also averaging about $22usd/month in hosting costs with Digital Ocean, so we’re still only about$27/month in total hosting costs. Maybe $30 if we include the hosting for the main website which is at Stablehost. ## IRC We’ve had an IRC room for a long time (longer than discuss I think), but I only just got around to including a link on the site for folks to be able to join through a nice web client (Kiwi IRC). It was included as part of an oft-requested set of links to get back to various parts of the main site from the forums. I also added these links in the menu for the site as well (the header links are hidden when on mobile, so this way you can still access the links from whatever device you’re using): If you have your own IRC client then you can reach us on irc.freenode.net #pixls.us. Come and join us in the chat room! If you’re not there you are definitely missing out on a ton of stimulating conversation and enlightening discussions! ## May 11, 2017 At Collabora Productivity we recently encountered the need to investigate calls in a third-party application to COM services offered by one or more other applications. In particular, calls through the IDispatch mechanism. In practice, it is use of the services that Microsoft Office offers to third-party applications that we want to trace and dump symbolically. We looked around for existing tools but did not find anything immediately suitable, especially not anything available under an Open Source license. So we decided to hack a bit on one of the closest matches we found, which is Deviare-InProc. It is on GitHub, https://github.com/nektra/Deviare-InProc. Deviare-InProc already includes code for much of the hardest things needed, like injecting a DLL into a target process, and hooking function calls. What we needed to do was to hook COM object creation calls and have the hook functions notice when objects that implement IDispatch are created, and then hook their Invoke implementations. The DLL injection functionality is actually "just" part of the sample code included with Deviare-InProc. The COM tracing functionality that we wrote is based on the sample DLL to be injected. One problem we encountered was that in some cases, we would need to trace IDispatch::Invoke calls that are made in a process that has already been started (through some unclear mechanism out of our control). The InjectDLL functionality in Deviare-InProc does have the functionality to inject the DLL into an existing process. But in that case, the process might already have performed its creation of IDispatch implementing COM objects, so it is too late to get anything useful from hooking CoGetClassObject(). We solved that with a hack that works nicely in many cases, by having the injected DLL itself create an object known to implement IDispatch, and hoping its Invoke implementation is the same as that used by the interesting things we want to trace. Here is a snippet of a sample VBScript file: Set objExcel = CreateObject("Excel.application") set objExcelBook = objExcel.Workbooks.Open(FullName) objExcel.application.visible=false objExcel.application.displayalerts=false objExcelBook.SaveAs replace(FileName, actualFileName, prefix & actualFileName) & "csv", 23 objExcel.Application.Quit objExcel.Quit And here is the corresponding output from tracing cscript executing that file. (In an actual use case, no VBScript source would obviously be available to inspect directly.) Process #10104 successfully launched with dll injected! Microsoft (R) Windows Script Host Version 5.812 Copyright (C) Microsoft Corporation. All rights reserved. # CoGetClassObject({00024500-0000-0000-C000-000000000046}) (Excel.Application.15) # riid={00000001-0000-0000-C000-000000000046} # CoCreateInstance({0000032A-0000-0000-C000-000000000046}) (unknown) # riid={00000149-0000-0000-C000-000000000046} # result:95c668 # CoCreateInstance({00000339-0000-0000-C000-000000000046}) (unknown) # riid={00000003-0000-0000-C000-000000000046} # result:98aad8 # result:95dd8c # Hooked Invoke 0 of 95de1c (old: 487001d) (orig: 76bafec0) 95de1c:Workbooks() -> IDispatch:98ed74 98ed74:Open({"c:\temp\b1.xls"}) : ({"c:\temp\b1.xls"}) -> IDispatch:98ea14 95de1c:Application() -> IDispatch:95de1c 95de1c:putVisible(FALSE) 95de1c:Application() -> IDispatch:95de1c 95de1c:putDisplayAlerts(FALSE) 98ea14:SaveAs(23,"c:\temp\converted_b1.csv") 95de1c:Application() -> IDispatch:95de1c 95de1c:Quit() 95de1c:Quit() Our work on top of Deviare-InProc is available at https://github.com/CollaboraOnline/Deviare-InProc. Binaries are available at https://people.collabora.com/~tml/injectdll/injectdll.zip (for 32-bit applications) and https://people.collabora.com/~tml/injectdll/injectdll64.zip (64-bit). The zip archive contains an executable, injectdll.exe (injectdll64.exe in the 64-bit case) and a DLL. Unpack the zip archive somewhere. Then go there in Command Prompt, and in case the program you want to trace the IDispatch::Invoke use of is something you know how to start from the command line, you can enter this command: injectdll.exe x:\path\to\program.exe “program arg1 arg2 …” where program.exe is the executable you want to run, and arg1 arg2 … are command-line parameters it takes, if any. If program.exe is a 64-bit program, instead download injectdll64.zip, and run injectdll64.exe, otherwise similar. if you can’t start the program you want to investigate from the command line, but you need to inspect it after it has already started, just pass only the process id of the program to injectdll.exe instead. (Or injectdll64.exe) This is somewhat less likely to succeed, depending on how the program uses IDispatch. In any case, the output (symbolic trace) will go to the standard output of the program being traced, which typically is nowhere at all, and not useful. It will not go to the standard output of the injectdll.exe program. In order to redirect the output to a file, set an environment variable DEVIARE_LOGFILE that contains the full pathname to the log file to produce. This environment variable must be visible in the program that is being traced; it is not enough to set it in the Command Prompt window where you run injectdll.exe. Obviously all this is a work in progress, and as needed will be hacked on further. For instance, the name "injectdll" is just the name of the original sample program in upstream Deviare-InProc; we should really rename it to something specific for this use case. ## May 10, 2017 We are releasing GIMP 2.8.22 with various bug fixes. All platforms will benefit from a change to the image window hierarchy in single window mode, which improves painting performance when certain GTK+ themes are used. This version fixes an ancient CVE bug, CVE-2007-3126. Due to this bug, the ICO file import plug-in could be crashed by specially crafted image files. Our attempts to reproduce the bug failed with 2.8 and thus the impact had likely been minimal for years, but now it is gone for good. Users on the Apple macOS platforms will benefit from fixes for crashes during drag&drop and copy&paste operations. On the Microsoft Windows platforms, crashes encountered when using the color picker with special multi-screen setups are gone, and picking the actual color instead of black from anywhere on the screen should finally be possible. Check out the full list of fixed issues since 2.8.20. The source code, the Microsoft Windows installer and the Apple Disk Image for GIMP 2.8.22 are available from our downloads page; so yes, this time we made an effort to publish everything in one go :) The second premium Krita game art course, Make Cel Shaded Game Characters, is out! It contains 14 tutorials and a full commented art time-lapse that will help you improve your lighting fundamentals and show you how to make a game character. The series is based on David Revoy’s webcomic, Pepper and Carrot! He paints it all using Krita, and that was a great occasion to link our respective work. David released most of his work under the CC-By 4.0 licence, allowing anyone to reuse it as long as you give proper credits. Check out the course page for more information! https://gumroad.com/l/cartoon-game-art-krita-course ## May 08, 2017 The Open Desktop Ratings service is a simple Flask web service that various software centers use to retrieve and submit application reviews. Today it processed the 3000th review, and I thought I should mark this occasion here. I wanted to give a huge thanks to all the people who have submitted reviews; you have made life easier for people unfamiliar with installing software. There are reviews in over a hundred different languages and over 600 different applications have been reviewed. Over 4000 people have clicked the “was this useful to you” buttons in the reviews, which affect how the reviews are ordered for a particular system. Without people clicking those buttons we don’t really know how useful a review is. Since we started this project, 37 reviews have been reported for abuse, of which 15 have been deleted for things like swearing and racism. Here are some interesting graphs, first, showing the number of requests we’re handling per month. As you can see we’re handling nearly a million requests a month. The second show the number of people contributing reviews. At about 350 per month this is a tiny fraction compared to the people requesting reviews, but this is to be expected. The third shows where reviews come from; the notable absence is Ubuntu, but they use their own review system rather than the ODRS. Recently Debian has been increasing the fastest, I assume because at last they ship a gnome-software package new enough to support user reviews, but the reviews are still coming in fastest from Fedora users. Maybe Fedora users are the kindest in the open source community? Maybe we just shipped the gnome-software package first? :) One notable thing missing from the ODRS is a community of people moderating reviews; at the moment it’s just me deciding which reviews are indeed abuse, and also fixing up common spelling errors in the submitted text. If this is something you would like to help with, please let me know and I can spend a bit of time adding a user type somewhere in-between benevolent dictator (me) and unauthenticated. Ideas welcome. ## May 06, 2017 Don’t have time or money for an airport shoe shine? Use my hot tip to polish up those clogs while you’re on the move: ## May 05, 2017 Late notice, but Dave and I are giving a talk on the moon tonight at PEEC. It's called Moonlight Sonata, and starts at 7pm. Admission:$6/adult, $4/child (we both prefer giving free talks, but PEEC likes to charge for their Friday planetarium shows, and it all goes to support PEEC, a good cause). We'll bring a small telescope in case anyone wants to do any actual lunar observing outside afterward, though usually planetarium audiences don't seem very interested in that. If you're local but can't make it this time, don't worry; the moon isn't a one-time event, so I'm sure we'll give the moon show again at some point. ## May 03, 2017 # Welcome digiKam! ## Lending a helping hand One of the goals we have here at PIXLS.US is to help Free Software projects however we can, and one of those ways is to focus on things that we can do well that might help make things easier for the projects. It may not be much fun for project developers to deal with websites or community outreach necessarily. This is something I think we can help with, and recently we had an opportunity to do just that with the awesome folks over at the photo management project digiKam. As part of a post announcing the release of digiKam 5.5.0 on discuss. we learned that they were in need of a new webmaster, and they needed something soon to migrate away from Drupal 6 for security reasons. They had a rudimentary Drupal 7 theme setup, but it was severely lacking (non-responsive and not adapted to the existing content). Mica (@paperdigits) reached out to Gilles Caulier and the digiKam community and offered our help, which they accepted! At that point Mica gathered requirements from them and found in the end that a static website would be more than sufficient for their needs. We coordinated with the KDE folks to get a git repo setup for the new website, and rolled up our sleeves to start building! Mica chose to use the Hugo static-site generator to build the site with. This was something new for us, but turned out to be quite fast and fun to work with (it generates the entire digiKam site in just about 5 seconds). Coupled with a version of the Foundation 6 blog theme we were able to get a base site framework up and running fairly quickly. We scraped all of the old site content to make sure that we could port everything as well as make sure we didn’t break any urls along the way. We iterated some design stuff along the way, ported all of the old posts to markdown files, hacked at the theme a bit, and finally included comments that are now hosted on discuss. What’s wild is that we managed to pull the entire thing together in about 6 weeks total (of part-time working on it). The digiKam team seems happy with the results so far, and we’re looking forward to continue helping them by managing this infrastructure for them. A big kudos to Mica for driving the new site and getting everything up and running. This was really all due to his hard work and drive. Also, speaking of discuss, we also have a new category created specifically for digiKam users and hackers: https://discuss.pixls.us/c/software/digikam. This is the same category that news posts from the website will post in, so feel free to drop in and say hello or share some neat things you may be working on with digiKam! WebKitGTK+ has supported remote debugging for a long time. The current implementation uses WebSockets for the communication between the local browser (the debugger) and the remote browser (the debug target or debuggable). This implementation was very simple and, in theory, you could use any web browser as the debugger because all inspector code was served by the WebSockets. I said in theory because in the practice this was not always so easy, since the inspector code uses newer JavaScript features that are not implemented in other browsers yet. The other major issue of this approach was that the communication between debugger and target was not bi-directional, so the target browser couldn’t notify the debugger about changes (like a new tab open, navigation or that is going to be closed). Apple abandoned the WebSockets approach a long time ago and implemented its own remote inspector, using XPC for the communication between debugger and target. They also moved the remote inspector handling to JavaScriptCore making it available to debug JavaScript applications without a WebView too. In addition, the remote inspector is also used by Apple to implement WebDriver. We think that this approach has a lot more advantages than disadvantages compared to the WebSockets solution, so we have been working on making it possible to use this new remote inspector in the GTK+ port too. After some refactorings to the code to separate the cross-platform implementation from the Apple one, we could add our implementation on top of that. This implementation is already available in WebKitGTK+ 2.17.1, the first unstable release of this cycle. From the user point of view there aren’t many differences, with the WebSockets we launched the target browser this way: $ WEBKIT_INSPECTOR_SERVER=127.0.0.1:1234 browser


This hasn’t changed with the new remote inspector. To start debugging we opened any browser and loaded

http://127.0.0.1:1234

With the new remote inspector we have to use any WebKitGTK+ based browser and load

inspector://127.0.0.1:1234

As you have already noticed, it’s no longer possible to use any web browser, you need to use a recent enough WebKitGTK+ based browser as the debugger. This is because of the way the new remote inspector works. It requires a frontend implementation that knows how to communicate with the targets. In the case of Apple that frontend implementation is Safari itself, which has a menu with the list of remote debuggable targets. In WebKitGTK+ we didn’t want to force using a particular web browser as debugger, so the frontend is implemented as a builtin custom protocol of WebKitGTK+. So, loading inspector:// URLs in any WebKitGTK+ WebView will show the remote inspector page with the list of debuggable targets.

It looks quite similar to what we had, just a list of debuggable targets, but there are a few differences:

• A new debugger window is opened when inspector button is clicked instead of reusing the same web view. Clicking on inspect again just brings the window to the front.
• The debugger window loads faster, because the inspector code is not served by HTTP, but locally loaded like the normal local inspector.
• The target list page is updated automatically, without having to manually reload it when a target is added, removed or modified.
• The debugger window is automatically closed when the target web view is closed or crashed.

## How does the new remote inspector work?

The web browser checks the presence of WEBKIT_INSPECTOR_SERVER environment variable at start up, the same way it was done with the WebSockets. If present, the RemoteInspectorServer is started in the UI process running a DBus service listening in the IP and port provided. The environment variable is propagated to the child web processes, that create a RemoteInspector object and connect to the RemoteInspectorServer. There’s one RemoteInspector per web process, and one debuggable target per WebView. Every RemoteInspector maintains a list of debuggable targets that is sent to the RemoteInspector server when a new target is added, removed or modified, or when explicitly requested by the RemoteInspectorServer.
When the debugger browser loads an inspector:// URL, a RemoteInspectorClient is created. The RemoteInspectorClient connects to the RemoteInspectorServer using the IP and port of the inspector:// URL and asks for the list of targets that is used by the custom protocol handler to create the web page. The RemoteInspectorServer works as a router, forwarding messages between RemoteInspector and RemoteInspectorClient objects.

blendFX is a small studio for 3D, VR, AR and VFX based in Leipzig/Germany.
We produce virtual and augmented reality applications, architectural visualizations, 3d reconstructions and animations & visual effects for TV and cinema, with a focus on high quality content for mobile VR.

Rendering of Renaissance Period

## How we came to VR

We started working with virtual reality in 2014. During our first experiments it became clear quite quickly that we wanted to concentrate on mobile VR, simply because it’s more accessible and affordable. For the time being, however, smartphones are simply not capable of rendering high quality content with reflections, transparencies and nice antialiased edges. That’s why we began focusing on pre-rendered content, using stereoscopic panoramas. We developed a workflow with Blender and Unity, where we integrate interactive elements and 3d animations into stereo panoramas. The resulting apps perform very well on recent smartphones like the Samsung S6 and S7.

## Rochlitz VR

“Rochlitz VR” is a virtual reality app which we created for Schlösserland Sachsen. It’s a virtual reconstruction of one of the chambers from the old castle “Schloss Rochlitz” in Saxony, Germany. Today you can see the remains of 5 different periods from the 800 years long history of the “captain’s chamber” (“Hauptmannsstube”) in that room. There are doors and traces of paint from the gothic period, the backwall of a fireplace and romanesque windows, a painted ceiling from the renaissance and on top of that plumbing, drillholes and wallpaper from the GDR (German Democratic Republic) period in Eastern Germany. It’s a really weird and crappy looking room.

The room as it looks like today

Usually rooms like this are being restored to one particular time period. But then of course you lose the chance to see what the room would have looked like in other periods. In this case the castle museum wanted to make it clear to the visitors that the castle has been in constant change throughout the ages. Traces of all these periods can be found today. So the museum needed a way to make this room accessible and understandable for visitors without destroying its current peculiar state with all the various items from different time periods. Virtual Reality turned out to be the perfect medium for this!
Together with conservators and museologists we reconstructed the captain’s chamber how it might have looked like in those 5 different periods. The Rochlitz Virtual Reality Experience will be shown on 4 Samsung Gear VR devices inside the captain’s chamber starting in spring 2017.

## How

We used Blender for the entire process of modeling, texturing and rendering.
The captain’s chamber changed a lot throughout the 800 years, and so we had to heavily adjust the model for each time period.
The 3d modeling turned out to be a crucial part of the scientific reconstruction. The conservators and museologists would provide us with data, measurements and theories of how the room should have looked like back in the days, but it was only during the actual modeling process where we found that some of these theories would have been impractical or even impossible in real life. So the 3D model of the room was also a tool to test a scientific hypothesis.

Screenshot of the blendfile of the gothic period

For the gothic period Nora Pietrowski, the museum’s conservator, gave us the flowery wall paintings, which we mapped onto the four sides of the room. The painted ceiling of the renaissance period was also created by Nora. Then with Blender’s 3d painting tools we added subtle dirt and weather effects to the walls and the floor.
One of the most interesting periods was the one of the second half of the 20th century. The museum wanted to stay as scientifically accurate as possible with the reconstruction. That’s why most of the rooms we reconstructed have no furniture, because there is no detailed information of what kind of furniture actually was in the room. However, there are two photos from the GDR period that do show some the furnishing. That was a good reference for us to rebuild the room with a bit more detail.

Rendering of the GDR Period. In the back you can see the reference photo on the wall.

## Rendering

For rendering we used Blender’s path tracing engine Cycles and its stereoscopic panorama rendering mode, which Dalai Felinto had added in 2015. However, we found that equirectangular rendering is wasting a lot of processing power for the poles of the spherical images, which made rendering a lot slower than it needed to be. So we hired Dalai to code a script to render cube maps, which not only render much faster but also even look better on the poles than the usual equirectangular panoramas. Rendering a cube map panorama creates 6 different images, one for each side of the cube. Each side has a resolution of 1280×1280 pixels. And because we are rendering stereo we end up with 12 images, which add up to a resolution of 15360×1280 pixels for each stereo panorama. Luckily Cycles can take advantage of GPU rendering, which made the renders a bit less painful.

Cubemap Stripe

Another thing we needed was pole merging: It’s a common problem of stereoscopic panoramas that top and bottom (zenith and nadir) look a bit weird because of left and right eye perspective overlap. One way to fix that is simply to let the parallax converge to zero right on the poles of the panorama, also known as pole merging. And since we are not Blender coders ourselves but know some very skilled programmers at the Blender Institute we simply drove to Amsterdam in spring 2016 and talked to Sergey Sharybin, one of the amazing core developers. Within hours we had a working prototype and not much later pole merging was implemented to Blender. Amazing!

For testing the VR renderings internally we used VRAIS, a VR viewer which we developed ourselves together with our colleagues from Mikavaa. To get feedback from conservators and museologists on the test renderings and panoramas we used ReViz, a VR viewer with comment and revisioning system, developed by Mikavaa.

The high resolution stereoscopic panoramas where then taken to the game engine Unity, where we put interactive elements in to the scenes in order to create an intuitive and immersive VR experience, which the visitors of the castle will be able to enjoy with a GearVR headset. The user can travel to the different time periods simply by focusing the interactive overlays on the walls or by using the time line.

Screenshot of some UI elements in the app

## The Installation

Four turning chairs have been customized for this exhibition. The 4 headsets need to be continuously attached to a power supply in order to prevent discharging during constant usage. For that the museum’s constructor designed a custom solution with wiper contacts so that the USB cable that charges the GearVR headset can be attached to the turning chair without any cable clutter.

The goal is to be able to have four visitors experience RochlitzVR simultaneously without the need for museum attendants. So the GearVR itself needs to be protected against theft. Therefore a USB-C cable mount was designed that can be screwed onto the GearVR body. The cable itself is quite strong by itself. The museum figured that anyone who would bring the tools to cut those cables would also be able to bring gear to cut stronger metal cables, so the USB cable as theft protection should do it. Further, the phone itself is hidden behind the plastic GearVR cover, which is held in place by 4 screws.

The installation in the captain’s chamber

VR is still a relatively young medium (even though last year’s hype has already faded a bit). But especially for cases like this we think that it can be a brilliant addition for museums, exhibitions and education. Of course it would be even more exiting to be able to walk around in VR, like you can for example with the HTC Vive, but for exhibitions that’s not really practical: it is way more heavy, more expensive and you definitely need someone to operate it and help the users, which makes it even more expensive. It just adds too much maintenance costs for a small museum.

This project took over a year from start to finish, with some breaks in between. We think it’s quite remarkable that an old castle is open and forward thinking enough to embrace a fresh technology like VR, where there is still a lot of development and change happening all the time. Therefore it was an absolute pleasure to work with the castle’s museologist Frank Schmidt, who also initiated the whole thing.
Being able to use Blender for this project was a great experience. Over the course of the last year several features have been implemented that helped us a lot in our workflow. Cycles was improved a lot and is now even faster than when we started. So I think it’s safe to say that Blender really is a perfect tool for producing high quality VR content, and we can’t wait to see what the future brings!

## May 02, 2017

Previously: v4.10.

Here’s a quick summary of some of the interesting security things in this week’s v4.11 release of the Linux kernel:

refcount_t infrastructure

Building on the efforts of Elena Reshetova, Hans Liljestrand, and David Windsor to port PaX’s PAX_REFCOUNT protection, Peter Zijlstra implemented a new kernel API for reference counting with the addition of the refcount_t type. Until now, all reference counters were implemented in the kernel using the atomic_t type, but it has a wide and general-purpose API that offers no reasonable way to provide protection against reference counter overflow vulnerabilities. With a dedicated type, a specialized API can be designed so that reference counting can be sanity-checked and provide a way to block overflows. With 2016 alone seeing at least a couple public exploitable reference counting vulnerabilities (e.g. CVE-2016-0728, CVE-2016-4558), this is going to be a welcome addition to the kernel. The arduous task of converting all the atomic_t reference counters to refcount_t will continue for a while to come.

CONFIG_DEBUG_RODATA renamed to CONFIG_STRICT_KERNEL_RWX

Laura Abbott landed changes to rename the kernel memory protection feature. The protection hadn’t been “debug” for over a decade, and it covers all kernel memory sections, not just “rodata”. Getting it consolidated under the top-level arch Kconfig file also brings some sanity to what was a per-architecture config, and signals that this is a fundamental kernel protection needed to be enabled on all architectures.

A common way attackers use to escape confinement is by rewriting the user-mode helper sysctls (e.g. /proc/sys/kernel/modprobe) to run something of their choosing in the init namespace. To reduce attack surface within the kernel, Greg KH introduced CONFIG_STATIC_USERMODEHELPER, which switches all user-mode helper binaries to a single read-only path (which defaults to /sbin/usermode-helper). Userspace will need to support this with a new helper tool that can demultiplex the kernel request to a set of known binaries.

seccomp coredumps

Mike Frysinger noticed that it wasn’t possible to get coredumps out of processes killed by seccomp, which could make debugging frustrating, especially for automated crash dump analysis tools. In keeping with the existing documentation for SIGSYS, which says a coredump should be generated, he added support to dump core on seccomp SECCOMP_RET_KILL results.

structleak plugin

Ported from PaX, I landed the structleak plugin which enforces that any structure containing a __user` annotation is fully initialized to 0 so that stack content exposures of these kinds of structures are entirely eliminated from the kernel. This was originally designed to stop a specific vulnerability, and will now continue to block similar exposures.

ASLR entropy sysctl on MIPS
Matt Redfearn implemented the ASLR entropy sysctl for MIPS, letting userspace choose to crank up the entropy used for memory layouts.

NX brk on powerpc

Denys Vlasenko fixed a long standing bug where the kernel made assumptions about ELF memory layouts and defaulted the the brk section on powerpc to be executable. Now it’s not, and that’ll keep process heap from being abused.

That’s it for now; please let me know if I missed anything. The v4.12 merge window is open!