PwnKit (polkit’s pkexec exploit) – CVE-2021-4034

The update fixing the issue for Mageia 8 was released Wed, 26 Jan 2022 10:31 UTC (05:31 EST).

For anyone still running Mageia 7 (or older releases), the recommendation is …

As root run “chmod 0755 /usr/bin/pkexec”.
This clears the setuid bit on pkexec, which is what the exploit relies on, so pkexec will not work anymore. Running things like rpmdrake as a regular user will not work. You must use an alternative approach to get root privileges (open a terminal, use “su -” and then run rpmdrake, or use “sudo rpmdrake” if you’ve configured sudo).
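As an added example (this is not part of the Mageia post, and the function names are ours), the following POSIX shell snippet checks whether the workaround described above is in place, i.e. whether /usr/bin/pkexec still carries the setuid bit, and applies the chmod from the post when asked to. The path defaults to /usr/bin/pkexec as given above; any other path is passed as an argument.

```shell
#!/bin/sh
# Added example, not part of the Mageia post: verify whether the CVE-2021-4034
# workaround (chmod 0755 /usr/bin/pkexec) is in place. The vulnerable code path
# only matters while pkexec runs setuid root; mode 0755 removes that bit.

# Report the setuid state of a pkexec binary (default path: /usr/bin/pkexec).
# Return codes: 0 = setuid bit cleared (workaround applied),
#               1 = setuid bit still set, 2 = file not found.
pkexec_workaround_applied() {
    f="${1:-/usr/bin/pkexec}"
    if [ ! -e "$f" ]; then
        echo "$f: not present (polkit not installed?)"
        return 2
    fi
    # POSIX 'test -u' is true when the setuid bit is set on the file.
    if [ -u "$f" ]; then
        echo "$f: setuid bit set; workaround NOT applied (install the fixed update or chmod 0755)"
        return 1
    fi
    echo "$f: setuid bit cleared; workaround in place (pkexec cannot grant privileges)"
    return 0
}

# Apply the workaround from the post: clear the setuid bit, leaving mode 0755.
# Must run as root for the real /usr/bin/pkexec. Returns the result of re-checking.
strip_pkexec_setuid() {
    f="${1:-/usr/bin/pkexec}"
    chmod 0755 "$f" || return 2
    pkexec_workaround_applied "$f"
}

# Usage on a live Mageia 7 system (as root):
#   pkexec_workaround_applied      # inspect only
#   strip_pkexec_setuid            # apply the chmod 0755 workaround and re-check
```

On Mageia 8 the fixed update is the right answer; the check is still useful there to confirm that pkexec has its expected mode after the update, and on older releases to confirm the workaround survived a package reinstall.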


Interview of Nicolas Lécureuil, chair of the Mageia Board, on Linuxfr.org

Last month a very nice interview of Nicolas Lécureuil, chairman of the Mageia Board, appeared on LinuxFr.org
It was written by Ysabeau. We translated it, so that you can enjoy it, too.

Nicolas Lécureuil (Neoclust)

Nicolas Lécureuil, alias Neoclust, is a long time user of LinuxFr.org. He has an account on the website dedicated to Linux since 2005. Nicolas became the president of the Board of Mageia early in 2021. Nicolas has been, and still is, very active everywhere in the Mageia forums, discussion lists and the cauldron development, where new versions of the distribution are being cooked. In this interview, we will see that he is an early Mageian. Also, we will discover his ambitions and projects for this distribution, which is one of the most accessible to the general public.

Contents

A new chair of the Board
Mageia and its environment
Mageia development
To finish

A new chair of the Board

How did you fall into the cauldron?

I accidentally started to contribute to Mandrake, I had seen a CD in a magazine, tested it and wanted to help.

Right away I found very nice people on IRC who were listening. Using KDE, a desktop environment that I found easy to access, as a basis, I started to contribute by sending patches to the then maintainer, who was an employee of Mandrakesoft.

In a second step I started to really contribute to KDE.

One day, when an employee of Mandriva (after Mandrakesoft and Connectiva had merged) left, Anne Nicolas (Ennael) suggested that I replace him; I cannot thank her enough for that proposal. It is with pleasure that I joined the workforce. The feeling that I had as a contributor did not change, the colleagues were just as nice. I have gotten to know some people better. I will not mention them, I would be too afraid to forget one.

My role at Mandriva at the beginning was to take care of the “desktop” part of the distribution on the one hand and the relationship with our customers for their KDE bugs on the other hand.

Subsequently, I was a packager and in charge of the integration of the MBS (Mandriva Business server) distribution. This distribution was based on Mageia and made it possible to provide Pulse, which is a web software for managing IT equipment (inventory, deployment of packages, imaging, backup, etc.) to some of our customers.

So it was only natural for me to join my old friends, colleagues and contributors for Mageia. Even though I miss some (Coling and Mikala for example), I have always had a great time working with old and new persons alike. This entire little world makes me richer every day.

How does one become a member of the Mageia Board and its president?

Board members are elected by Mageia members, so you need to be known / recognized for your commitment to the distribution, e.g. by sorting out bugs and attending meetings on IRC. The mandates of secretary, treasurer and president, except on administrative matters, are irrelevant, as all decisions are collegial with the Board or the Council. It is true, being French-speaking necessarily helps with all administrative questions for these three roles.

What is the profile of the current members?

There is no profile so to speak, the people are very varied, both professionally and geographically, there is a nurse, a student, a few software developers, Finns, Canadians, people from the United States, the United Kingdom, English, French, etc. But it’s the passion and commitment around Mageia that brings them together.

How do you see this governance of Mageia? And by the way, does this begin to happen?

I see this governance as ambitious and full of co-constructions. For the moment we are getting our bearings and starting in the office to work on what we can propose to the Council, the first project being the renewal of our server park.

The second project is to relaunch the development of certain bricks of our distribution such as urpmi. In fact urpmi is a complete, simple, and very well working package manager. It lacks support for new rpm features.

We have in our hands a very good distribution that we can have ambition for, if we fill in a few gaps.

We might consider creating an LTS, if we can find new contributors to take care of security updates, because for now (except for packages maintained in stable by their official maintainers [like the kernel / glibc / rpm / …] I take care of a lot of these updates and I wouldn’t be against a little helping hand [it would allow me to free up some time for other tasks in the distribution]). An LTS version would allow some companies to consider using Mageia more confidently.

Do you have specific goals for your term of office?

I have several goals, but these are my commitments only, until I have discussed them with the Council.

The first is to relaunch communication around Mageia. We have a great team, the Atelier team, which is very responsive, it is up to us, developers, packagers, etc., to give them the facts to be well communicated. I would also like new people to be able to join these bodies because by having a new eye, new ideas, it can revive our way of communicating (we have to admit it, communication has never been our strong point).

We started with blog articles in order to boost the contribution to our distribution because, as in many projects, it is often the same people who contribute, some run out of steam and therefore take a step back from the project (but this is true for many projects in and outside the IT world).

We also need to attract new contributors. As I like to say: I’d rather have people who just take good care of one piece of software / one brick and do nothing else, rather than someone who wants to touch everything and ends up doing little.

I’m happy to always have had knowledgeable contributors around KDE / Plasma. I had mikala at one time (who can always come back if in the mood and especially if the time returns) and now I have David¹) doing a tremendous job and I cannot thank him enough.

Do you have any training or background related to IT, if so, is this useful to you for Mageia?

I learned a lot on my own, and very much with the help and knowledge of other contributors.

I was originally trained as a biochemist, but I have always loved computer science. So after my studies, I took a course to get a degree as Linux support technician. I think my scientific background gave me a certain rigor. And, thanks to my company, which gives me the opportunity, I am gradually learning to develop.

Mageia and its environment

At the base of Mageia, we have an association governed by French law, what about the impact of Mageia outside of France?

I admit that I do not yet fully understand the impact of Mageia outside of France. What I do know is that we have contributors all over the world, and quite significantly in Spain with Blogdrake (ES).

If a Mageia community outside of France participates in an event to promote the distribution we are always interested to know, because we can make a blog post with pictures afterwards.

How do you analyze the fact that Mageia is no longer in the top ten in the Distrowatch ranking?

I think this is mostly due to the fact that we haven’t communicated much or well in recent years about our project. As a result, fewer people would be looking to find out about us on this site.

However, the Distrowatch ranking has never been a goal or a benchmark for me, because although it is a kind of “thermometer”, I don’t know of any average user who actually uses it. It highlights the number of clicks on the site but in no way the quality of the distribution, nor that of its community.

In fact, Mageia has a loyal community whether on the French side with Mageialinux-online (MLO) (FR) or Spanish with Blogdrake (ES) (to name just two).

Are there interactions between Mageia and other distributions?

There is, to speak only of David and me, an interaction with the Java team at Fedora. At Mageia, we use Fedora’s Java stack, and we try to provide them with fixes for that stack as soon as possible. I have planned to bring back to them the security fixes that we add to Mageia.

Has the pandemic affected the development of Mageia? If so, how?

Honestly, I have no idea.

We don’t have any audience measurement system, neither within the distribution nor within the development team, so on the usage side, we can’t say anything. In terms of engagement, it’s mixed. There are new people arriving to lend a hand, in teams such as communications and QA (testing packages and updates before “the general public”), and others who find themselves with more work in real life. In the end, we don’t feel that the pandemic has had much of an impact on Mageia’s development.

Mageia development

In the comments of the Mageia 8 release announcement²), Mageia was criticized for choosing not to include Nextcloud 21 right away because of the PHP version. Can you give us the background to this decision? (To be precise: Nextcloud has since been integrated into the distribution.)

When maintaining a distribution there are several things to consider:

  • the delivery date of the distribution
  • the duration of maintenance of the latter
  • the migration that end users will need to do

Regarding the last point, we quite logically consider a migration when switching from one stable version to another but rarely when updating packages in a stable version. It is quite unpleasant for an administrator during a simple security update to have to change their configuration.

Mageia 8 came out with PHP 8 and we expected an outcry because “it was too early”, “they are definitely not thinking” …

On the development mailing list, there have been rich discussions on this topic. This made it possible to highlight that it seems important to us that we would need to be able to either maintain several versions of PHP (in this specific case), or allow to co-install several versions (PHP 7 versus PHP 8).

The concern we had to face was that the end of life of PHP 7 was nearing at the beginning of the cycle, which would have forced users to migrate within a stable version of Mageia with all possible migration concerns.

Today, if a similar choice were to arise, what decision could Mageia make?

I think we have to analyze this situation and work so that such a worry, such a frustration does not happen again, while being aware of our “capacity to do”, that is to say, our capacity, on support time, to maintain one or more versions of the same software, of the same library.

I think in the distribution cycle we have to discuss well in advance which releases we want and stick to them and communicate about them. Consequently, it would have been done long before we were going to switch to PHP 8 and so it would have left time for everyone to react.

Generally speaking, how do you decide which software to package, which software to put aside?

It’s all about utility. Our packagers add what they use. However, even based on this logic some software is not allowed to be added.

In fact, if a piece of software is proposed to be maintained, it must comply with a certain number of rules:

  • a compatible license above all;
  • no downloads during the build, all builds must be idempotent;
  • generally, no dead applications that are no longer maintained or applications with security vulnerabilities that have not been corrected for some time;
  • no application that requires hundreds of dependencies to be added to the distribution, without a maintainer.

Still in the comments of this announcement, about the duration of maintenance of Mageia 7 and versions N – 1 in general, you answer “We can very well consider modifying this date, that would not seem silly to me”. What would that give?

For the Mageia 7, it’s not huge, I’ll admit, but we’ve extended support for a month, until June 30th. It is quite complicated now, with the number of volunteers, to commit to too large an extension of the support. However, if we manage to include new contributors, this can / will be discussed again, whether they are packagers or help QA (quality assurance).

Because our QA doesn’t just test the installation of packages, it cannot be done automatically. Our QA also checks that the CVEs³) are no longer valid with the new versions. It takes time, but it is an added value for Mageia.

Mageia has a relatively long lifecycle, which is comfortable, but some heavily used software has significantly shorter cycles. Do you think it would be possible to change the current policy of Mageia and have more updates of such software between two versions?

I would very much like us to adopt this policy. It has already started with, for example, the update of LibreOffice. We will update to version 7.2 as soon as it becomes available.

I also think that it is possible to adopt this for some software if the maintainers are active and responsive. Regarding Plasma and other desktop environments, it’s a bit more complicated because, for example, for Plasma, there is Plasma-workspace as such, but there are also the KFrameworks to be updated regularly (one release per month), and the KDE Gears (KDE Applications like Dolphin, KMail, K3b…) which have major updates in April, August and December and lots of small minor versions in between.

It would be possible to release each new version, but that involves a very large amount of RPM packages to test and verify that they install correctly. The QA team lacks the hands for this (however this can change depending on the number of people involved).

One of the recurring criticisms from outside is about Mageia’s abundance of desktop environments. How do you respond to that?

To that I reply that it is a false debate for me. Indeed, if a contributor comes to Mageia with the desire to maintain a desktop environment and if they are told that it is better to maintain Plasma or Gnome, there is a one in two chance that he or she will not do it and either go elsewhere or become a simple user again. However, we would need to audit the desktop environments and keep only those that are maintained and functional.

Mageia until now used Google or Framasoft tools for certain tasks (collaborative writing, event planning, etc.). Are there plans for the distribution to use its own tools instead?

Currently there are no projects from the Mageia sysadmin team to host such tools, we already have quite a few projects going on, but once the list is cleared, it is not impossible.

If we want to get closer to the cauldron where the future Mageia is concocted, for instance by packaging, what should we do, have, know? How does that work?

To get closer to the development version, there are several approaches depending on what you want to do.

The first is to simply use it: when doing this, you can also (and it is even recommended) subscribe to the Mageia dev mailing list. This allows you to be aware of changes (for example recently when rpm changed its database manager).

The second is for people who want to get involved. To do this there is, in addition to the dev list, the packages-commits list, which allows you to have real-time mails of modifications in the distribution (rpms side), and soft-commits to have the modifications in the software (mcc, urpmi, installer, etc.).

In both cases, you need to migrate an installation from Mageia 8 to Cauldron by modifying urpmi repositories using the method given in the Mageia wiki. Since Cauldron’s contents are often changed over the course of a day, it is best to use a specific mirror. If you are in France, we suggest using the one from free.fr.

As a first step, using the cauldron in a virtual machine is strongly recommended. Its use in production is not recommended. Updates are too frequent there and can sometimes break the system while waiting for most components to be recompiled (e.g. when updating the Perl or Python stack, etc.).

To finish

At the professional level, what free software do you use, on what OS?

Professionally my two most important tools are Vim and Git. I have never managed to use a graphical text editor to effectively replace Vim. I use them on Debian and Mageia (with a preference for one of the 2 😉).

Besides Mageia, do you have any other favorite GNU / Linux distribution or other free system (*BSD, Haiku, etc.)? And why, what are your favorite free programs?

For work I use Debian and CentOS, as we provide our software on these two operating systems.

I use my computers almost only for work, so the amount of software used is quite limited, because in addition to Vim and Git I use Jitsi, Firefox, VLC.

Which question would you have loved to be asked? (obviously you can answer it)

What makes Mageia a great distro?

Mageia has, like everyone, its peculiarities, its specificities, it meets most of the usual needs, it is a good distribution, even if it may not appeal to everyone. This is based on several elements:

  • its active and attentive contributors who do their utmost to satisfy their use and that of users;
  • its very active community, whether in France or in other countries.

Listening is very important to have a good distribution, that’s why I think we should set up a system outside Bugzilla, to ask questions, and get the opinions of users in a more simple and efficient way.

Which question would you have hated to be asked? (hoping I didn’t ask you).

Isn’t it too hard to start to head Mageia after Ennael?

Simply because I owe everything to Anne, because if she hadn’t called on me twelve years ago, I don’t know if my professional path would have allowed me to have the time to contribute.

It allowed me to be part of a team of great people (no need to name them, they will recognize themselves) and to learn a lot of things.

Thanks again to her 🙂

Thank you very much Nicolas.

¹) David Geiger alias david_david who is the co-maintainer of KDE in Mageia.

²) https://linuxfr.org/news/la-huitieme-mageia

³) CVE is short for Common Vulnerabilities and Exposures


More on Open Source Experience

We have already announced that we will have a stand at Open Source Experience in Paris on the 9th and 10th of November. However, we did not say why we are so happy to be able to join this new event.


Open Source Experience aims to bring the entire open source ecosystem together for two dynamic days. “Entire” really means entire: From communities like Mageia to all sorts of companies, from students to experts, from journalists to politicians, from investors to researchers and inventors and much more, it is for anyone with a dedication to open source. Note that it is not just about open-source software, but also about open source hardware and network solutions, consultancy, training, cloud, data centres, security, AI, IoT, etc, more than can be mentioned.

Many interested people will visit the event, and certainly not only from France. The event will be hybrid: physical meetings on the 9th and 10th of November 2021 and a digital event platform, so (international) visitors who would otherwise be unable to attend can participate. At least one of the speakers happens to be a Mageia contributor and board member in his free time, Bruno Cornec. He will give two talks, one about an alternative for REST, the other about how (and how not) to open source a project.

Open Source Experience is an excellent opportunity to introduce Mageia to people who would potentially enjoy helping to make Mageia, but also to see what is going on in the open-source world, to learn and discover new developments, meet with other people and projects and to make the open-source ecosystem stronger.


Mageia at the Campus du Libre and at the Open Source Experience

We’re happy to announce two real-life events.

Mageia will be present again at the Campus du Libre in Lyon. The event will be held on Saturday 6 November 2021 from 10h till 17h30 on the Campus de la Doua, in the Nautibus building.

Thanks to DTux, alias DTux69, Mageia will also be present at the Open Source Experience on 9 & 10 November 2021 in the Palais des Congrès in Paris.

If you’re in France in November, these are excellent opportunities to meet some nice core members of Mageia.

Additional information, added on September 24, 16h01 UTC:

We’ll have a stand at both events, our members there will be happy to meet you, regardless of how experienced or inexperienced you are. You’re encouraged to visit the stand, especially if you have any questions regarding Mageia, if you’d like to contribute to our wonderful project, or if you’d simply like to meet other Mageians.


Mageia at GUADEC 2021

In my recent blog post I shared that GNOME’s GUADEC 2021 is going to be online due to the Covid-19 pandemic. Nevertheless, I am pleased to let you know that my workshop about Mageia GNOME has been accepted!

This workshop will give an introduction to Mageia GNOME and you will learn about the distribution itself on the 23rd of July at 18h30 UTC (19:30 British Summer Time (BST), 20h30 Central European Summer Time (CEST; Paris, Berlin, Rome…)) for about an hour.

I believe that this will be a fun time for all of us.
Here is the link: https://events.gnome.org/event/9/contributions/244/
If you don’t want to miss this event, please add it to your calendar.
See you there and stay healthy!

Cheers

Andi
