Upgrade for KDE neon Security Issue

Last month we moved the neon archive to a new server, so packages were built on our existing server and then uploaded to the new one. Checking the config, it seemed I’d made the nasty error of leaving it open to the world rather than requiring an ssh gateway to access the apt repository, so anyone scanning around could have uploaded packages. There’s no reason to think that happened, but the default in security is to be paranoid about any possibility. The security advisory is out, the archives have been wiped and all packages in User Edition rebuilt, so upgrade now to get the new package builds, or for extra security do a reinstall. The new User Edition ISO is out and I’ll update the website once it gets mirrored enough. Developer Edition packages are being rebuilt now and go directly into the archives, so you should start seeing those appear shortly as they are built. Sorry for the hassle folks; you wouldn’t want us to just hide it, I’m sure.


Appstream Generated

Appstream has had a long history of getting its very sensible features into the hands of users. It’s an XML format that describes applications, so projects such as KDE can ship a file with each app giving its name, description, translations of these and pretty screenshots.

The first step is getting the Appstream metainfo files into the applications. KDE has this in many places but not all; if you spot an application without one, please add it. Installing them has been supported in Extra CMake Modules for a while, but the install directory changed recently just to confuse matters.
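To make the format concrete, here is an added example (not code from KDE, neon or the Appstream project) that parses a constructed metainfo file and resolves the translated name and summary with the usual xml:lang fallback; the sample XML, `load_component` and `localized` are my own assumptions about a minimal file, not a real app’s metainfo.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the AppStream metainfo format: an app id, a name and
# summary with German translations, a description and one screenshot.
SAMPLE_METAINFO = """<?xml version="1.0" encoding="UTF-8"?>
<component type="desktop-application">
  <id>org.example.musicapp</id>
  <name>Music Trainer</name>
  <name xml:lang="de">Musiktrainer</name>
  <summary>Learn to read and play music</summary>
  <summary xml:lang="de">Musik lesen und spielen lernen</summary>
  <description><p>An ear training app for everyone.</p></description>
  <screenshots>
    <screenshot type="default"><image>https://example.org/shot1.png</image></screenshot>
  </screenshots>
</component>
"""

# ElementTree exposes xml:lang under the predefined XML namespace.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def localized(component, tag, lang=None):
    """Text of <tag> for `lang`, falling back to the untranslated element (no xml:lang)."""
    fallback = None
    for el in component.findall(tag):
        el_lang = el.get(XML_LANG)
        if el_lang == lang:
            return (el.text or "").strip()
        if el_lang is None:
            fallback = (el.text or "").strip()
    return fallback


def load_component(xml_text, lang=None):
    """Parse metainfo XML and return the fields a software centre would display."""
    # ET.fromstring does not resolve external entities, but for files pulled
    # from an untrusted archive prefer the defusedxml package.
    root = ET.fromstring(xml_text)
    if root.tag != "component":
        raise ValueError("not a metainfo <component> document")
    cid = root.findtext("id")
    if not cid:
        raise ValueError("component has no <id>")
    return {
        "id": cid.strip(),
        "type": root.get("type"),
        "name": localized(root, "name", lang),
        "summary": localized(root, "summary", lang),
        "screenshots": [img.text.strip() for img in root.iter("image") if img.text],
    }
```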

Then your archive has to extract the Appstream files. In Neon we use Appstream Generator, written by Appstream master Matthias Klumpp, which Harald set up some time ago but which broke last month. That meant we had to update to a new version, so Scarlett had to add a load of new packages to Neon to get Appstream Generator to build and I had to work out how to debug D code to convince it to work. Then we moved our archive to a new server, for space and because it was fun, so parts of the job which runs it had to be rewritten to work remotely. Finally there’s a pesky bug which means it looks at the oldest package rather than the newest one, so any problems with the Appstream files stay around forever. So for now I deleted old packages.

So at least you can now install Minuet from Discover; it gained an appstream file back in 16.04 but it was broken, so we had to wait for 16.08 to get a working one.

[Screenshot: discover-minuet]

But wait, this infrastructure for package managers is fiddly. Discover was showing the most popular installed app as Dilbert cartoons, which makes no sense. Turns out the popcon data for applications is generated using fancy Docker scripts on an obscure server we’d largely forgotten about, but Cron doesn’t like Docker and doesn’t let it output anything when run from cron, even though the same command works fine when run manually. So I regenerated the popcon data manually in the hope we can work out how to cron it later on. And finally Discover is back showing popular apps, and all the latest ones at that. Sorry for the delay folks.

[Screenshot: discover-popcon]

Getting it to work in Neon developer editions is future work I fear.