Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Jonas Smedegaard]

Quoting Samuel Greenfeld (2016-01-05 17:34:18)
> In general, many widely used Sugar distributions are based on 
> Operating Systems that are at least a few years old and full of 
> security holes.
>
> Bringing them up to date for computers like XOs that need updated 
> hardware drivers would require a fair amount of effort.  (Hence the 
> move by some groups to standardized hardware and Ubuntu for long-term 
> support.)
>
> The primary mitigating factors {if you could count them as such} are 
> that (1) many Sugar users are offline or barely online, and (2) the 
> obscurity of someone trying to hack telepathy versus using a wider 
> exploit against something like libjpeg or OpenSSL.
>
> But I wouldn't rely on obscurity as your sole protection.

The security flaws I suspect exist in legacy Gabble is indeed OpenSSL 
flaws.

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Samuel Greenfeld]

In general, many widely used Sugar distributions are based on Operating
Systems that are at least a few years old and full of security holes.

Bringing them up to date for computers like XOs that need updated hardware
drivers would require a fair amount of effort.   (Hence the move by some
groups to standardized hardware and Ubuntu for long-term support.)

The primary mitigating factors {if you could count them as such} are that
(1) many Sugar users are offline or barely online, and (2) the obscurity of
someone trying to hack telepathy versus using a wider exploit against
something like libjpeg or OpenSSL.

But I wouldn't rely on obscurity as your sole protection.


On Tue, Jan 5, 2016 at 5:37 AM, Jonas Smedegaard  wrote:

> Quoting Sam P. (2016-01-04 16:34:33)
> > This is serious.  If an activity wants to work in collaboration mode
> > on a NEW version of telepathy gabble, it needs to be ported not to use
> > tubes.
> >
> > However, your activity will still work on OLPC OS 13/14, Fedora 21 and
> > before and on the current Debian (???).  Your activity will still work
> > everywhere in single user mode.
>
> Unchanged activities will *not* work on current Debian.  Not stable, not
> testing, and not unstable.  Nor will they work with Ubuntu.
>
> You might get them to work by adding "telepathy-gabble-legacy", but
> beware that that package is *old* and *unsupported* and *insecure*!
>
> Likewise, support for conventional tubes-based collaboration on other
> systems - OLPC OS and Fedora - makes use of an outdated version of
> telepathy Gabble, which potentially is highly insecure to use.
>
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
>
> ___
> Sugar-devel mailing list
> Sugar-devel@lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel
>
>
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Jonas Smedegaard]

Quoting Sam P. (2016-01-04 16:34:33)
> This is serious.  If an activity wants to work in collaboration mode 
> on a NEW version of telepathy gabble, it needs to be ported not to use 
> tubes.
>
> However, your activity will still work on OLPC OS 13/14, Fedora 21 and 
> before and on the current Debian (???).  Your activity will still work 
> everywhere in single user mode.

Unchanged activities will *not* work on current Debian.  Not stable, not 
testing, and not unstable.  Nor will they work with Ubuntu.

You might get them to work by adding "telepathy-gabble-legacy", but 
beware that that package is *old* and *unsupported* and *insecure*!

Likewise, support for conventional tubes-based collaboration on other 
systems - OLPC OS and Fedora - makes use of an outdated version of 
telepathy Gabble, which potentially is highly insecure to use.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[James Cameron]

This is the situation our poor cousin SoaS has been in for some time,
where activities that support collaboration normally; had ceased to
collaborate in the context of SoaS.

On Mon, Jan 04, 2016 at 10:04:38PM +0200, Tony Anderson wrote:
> Hi, Sam
> 
> If I understand you, the problem is only with activities that support
> collaboration.
> 
> Tony
> 
> On 01/04/2016 01:04 PM, Sam P. wrote:
> 
> Hi Tony,
> 
> This is serious.  If an activity wants to work in collaboration mode on a
> NEW version of telepathy gabble, it needs to be ported not to use tubes.
> 
> However, your activity will still work on OLPC OS 13/14, Fedora 21 and
> before and on the current Debian (???).  Your activity will still work
> everywhere in single user mode.
> 
> Thanks,
> Sam
> 
> On Mon, Jan 4, 2016 at 9:40 PM, Tony Anderson <[1]tony_ander...@usa.net>
> wrote:
> 
> Hi,
> 
> Is this serious? No current activities will run on 0.107.
> 
> Tony
> 
> On 01/04/2016 04:55 AM, Peter Robinson wrote:
> 
> TL;DR  All activities need to be ported, and there will be a very
> small
> >toolkit change.  The toolkit change has not yet landed.
> 
> ___
> Sugar-devel mailing list
> [2]Sugar-devel@lists.sugarlabs.org
> [3]http://lists.sugarlabs.org/listinfo/sugar-devel
> 
> References:
> 
> [1] mailto:tony_ander...@usa.net
> [2] mailto:Sugar-devel@lists.sugarlabs.org
> [3] http://lists.sugarlabs.org/listinfo/sugar-devel

> ___
> Sugar-devel mailing list
> Sugar-devel@lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel


-- 
James Cameron
http://quozl.netrek.org/
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Tony Anderson]

Hi, Sam

If I understand you, the problem is only with activities that support 
collaboration.


Tony

On 01/04/2016 01:04 PM, Sam P. wrote:

Hi Tony,

This is serious.  If an activity wants to work in collaboration mode 
on a NEW version of telepathy gabble, it needs to be ported not to use 
tubes.


However, your activity will still work on OLPC OS 13/14, Fedora 21 and 
before and on the current Debian (???).  Your activity will still work 
everywhere in single user mode.


Thanks,
Sam

On Mon, Jan 4, 2016 at 9:40 PM, Tony Anderson > wrote:


Hi,

Is this serious? No current activities will run on 0.107.

Tony

On 01/04/2016 04:55 AM, Peter Robinson wrote:

TL;DR  All activities need to be ported, and there will be a
very small
>toolkit change.  The toolkit change has not yet landed.


___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org

http://lists.sugarlabs.org/listinfo/sugar-devel




___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Martin Abente]

@peter: the plan is to disable tubes channel by default so collaboration
does not break in newer systems (with newer telepathy-gabble), but allow
older systems to re-enable it if they still use older telepathy-gabble.
Also, we plan to include this for the next release of 0.107 so we can test
it properly before the stable 0.108 release.

On Mon, Jan 4, 2016 at 8:04 AM, Sam P.  wrote:

> Hi Tony,
>
> This is serious.  If an activity wants to work in collaboration mode on a
> NEW version of telepathy gabble, it needs to be ported not to use tubes.
>
> However, your activity will still work on OLPC OS 13/14, Fedora 21 and
> before and on the current Debian (???).  Your activity will still work
> everywhere in single user mode.
>
> Thanks,
> Sam
>
> On Mon, Jan 4, 2016 at 9:40 PM, Tony Anderson 
> wrote:
>
>> Hi,
>>
>> Is this serious? No current activities will run on 0.107.
>>
>> Tony
>>
>> On 01/04/2016 04:55 AM, Peter Robinson wrote:
>>
>>> TL;DR  All activities need to be ported, and there will be a very small
>>> >toolkit change.  The toolkit change has not yet landed.
>>>
>>
>> ___
>> Sugar-devel mailing list
>> Sugar-devel@lists.sugarlabs.org
>> http://lists.sugarlabs.org/listinfo/sugar-devel
>>
>
>
> ___
> Sugar-devel mailing list
> Sugar-devel@lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel
>
>
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Sam P.]

Hi Tony,

This is serious.  If an activity wants to work in collaboration mode on a
NEW version of telepathy gabble, it needs to be ported not to use tubes.

However, your activity will still work on OLPC OS 13/14, Fedora 21 and
before and on the current Debian (???).  Your activity will still work
everywhere in single user mode.

Thanks,
Sam

On Mon, Jan 4, 2016 at 9:40 PM, Tony Anderson  wrote:

> Hi,
>
> Is this serious? No current activities will run on 0.107.
>
> Tony
>
> On 01/04/2016 04:55 AM, Peter Robinson wrote:
>
>> TL;DR  All activities need to be ported, and there will be a very small
>> >toolkit change.  The toolkit change has not yet landed.
>>
>
> ___
> Sugar-devel mailing list
> Sugar-devel@lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel
>
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Tony Anderson]

Hi,

Is this serious? No current activities will run on 0.107.

Tony

On 01/04/2016 04:55 AM, Peter Robinson wrote:

TL;DR  All activities need to be ported, and there will be a very small
>toolkit change.  The toolkit change has not yet landed.


___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Peter Robinson]

On Mon, Dec 28, 2015 at 5:35 PM, Martin Abente
 wrote:
> Hello everyone,
>
> Moving forward with our current development cycle, I am pleased to announce
> the release of Sugar 0.107.1 (unstable). This release means that we have
> officially passed the time [1] for including new features and that we must
> start focusing on stability and bug fixing.
>
> This release comes with many improvements that are worth mentioning:
>
> Changing the Frame settings in the control panel no longer requires to
> restart Sugar.
> Added new keyboard controls to access and navigate the control panel.
> The control panel can display the serial number for commodity hardware.
> Multiple bundles can be installed at once using good old
> sugar-install-bundle script.
> The shell now claims file transfer channels so Empathy won't interfere
> anymore.
> Home views names can be changed now.
> Neighborhood icons are no longer placed randomly.
> Sugar can now start even when the disk is full.
> More documentation for our gtk3 toolkit.
> More fixes for the Sugar theme.
> and even more [2].
>
> Kudos to James Cameron, Sam Parkinson, Ezequiel Pereira, Batchu Venkat
> Vishal and our Google Code-In students who are responsible for these
> contributions, and to Gonzalo Odiard, Ignacio Rodriguez and Julio Reyes for
> the reviewing work.
>
> The tarballs for this release can be downloaded from:
>
> http://download.sugarlabs.org/sources/sucrose/glucose/sugar/sugar-0.107.1.tar.xz
> http://download.sugarlabs.org/sources/sucrose/glucose/sugar-toolkit-gtk3/sugar-toolkit-gtk3-0.107.1.tar.xz
> http://download.sugarlabs.org/sources/sucrose/glucose/sugar-artwork/sugar-artwork-0.107.1.tar.xz
> http://download.sugarlabs.org/sources/sucrose/glucose/sugar-datastore/sugar-datastore-0.107.1.tar.xz
> http://download.sugarlabs.org/sources/sucrose/glucose/sugar-runner/sugar-runner-0.107.1.tar.xz
>
>
> Please help us testing it!

This will be in rawhide/F-24 as of today's compose.

Peter
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Peter Robinson]

On Mon, Jan 4, 2016 at 2:47 AM, Sam P.  wrote:
> Hi Peter,
>
> There was an email thread going around on the status of the collab work on
> sugar-devel.  That may be of interest to you.

I'm not sure how I missed that, or maybe I didn't but not remember it.

> TL;DR  All activities need to be ported, and there will be a very small
> toolkit change.  The toolkit change has not yet landed.

Is it still planned for 0.107?

> Thanks,
> Sam
>
> On Mon, Jan 4, 2016 at 1:08 PM, Peter Robinson  wrote:
>>
>> Hi Martin,
>>
>> > Moving forward with our current development cycle, I am pleased to
>> > announce
>> > the release of Sugar 0.107.1 (unstable). This release means that we have
>> > officially passed the time [1] for including new features and that we
>> > must
>> > start focusing on stability and bug fixing.
>> >
>> > This release comes with many improvements that are worth mentioning:
>> >
>> > Changing the Frame settings in the control panel no longer requires to
>> > restart Sugar.
>> > Added new keyboard controls to access and navigate the control panel.
>> > The control panel can display the serial number for commodity hardware.
>> > Multiple bundles can be installed at once using good old
>> > sugar-install-bundle script.
>> > The shell now claims file transfer channels so Empathy won't interfere
>> > anymore.
>> > Home views names can be changed now.
>> > Neighborhood icons are no longer placed randomly.
>> > Sugar can now start even when the disk is full.
>> > More documentation for our gtk3 toolkit.
>> > More fixes for the Sugar theme.
>> > and even more [2].
>>
>> Does the even more include the fixing of collaboration? If not what is
>> the status of that?
>>
>> Peter
>> ___
>> Sugar-devel mailing list
>> Sugar-devel@lists.sugarlabs.org
>> http://lists.sugarlabs.org/listinfo/sugar-devel
>
>
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Sam P.]

Hi Peter,

There was an email thread going around on the status of the collab work on
sugar-devel.  That may be of interest to you.

TL;DR  All activities need to be ported, and there will be a very small
toolkit change.  The toolkit change has not yet landed.

Thanks,
Sam

On Mon, Jan 4, 2016 at 1:08 PM, Peter Robinson  wrote:

> Hi Martin,
>
> > Moving forward with our current development cycle, I am pleased to
> announce
> > the release of Sugar 0.107.1 (unstable). This release means that we have
> > officially passed the time [1] for including new features and that we
> must
> > start focusing on stability and bug fixing.
> >
> > This release comes with many improvements that are worth mentioning:
> >
> > Changing the Frame settings in the control panel no longer requires to
> > restart Sugar.
> > Added new keyboard controls to access and navigate the control panel.
> > The control panel can display the serial number for commodity hardware.
> > Multiple bundles can be installed at once using good old
> > sugar-install-bundle script.
> > The shell now claims file transfer channels so Empathy won't interfere
> > anymore.
> > Home views names can be changed now.
> > Neighborhood icons are no longer placed randomly.
> > Sugar can now start even when the disk is full.
> > More documentation for our gtk3 toolkit.
> > More fixes for the Sugar theme.
> > and even more [2].
>
> Does the even more include the fixing of collaboration? If not what is
> the status of that?
>
> Peter
> ___
> Sugar-devel mailing list
> Sugar-devel@lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/sugar-devel
>
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

Re: [Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Peter Robinson]

Hi Martin,

> Moving forward with our current development cycle, I am pleased to announce
> the release of Sugar 0.107.1 (unstable). This release means that we have
> officially passed the time [1] for including new features and that we must
> start focusing on stability and bug fixing.
>
> This release comes with many improvements that are worth mentioning:
>
> Changing the Frame settings in the control panel no longer requires to
> restart Sugar.
> Added new keyboard controls to access and navigate the control panel.
> The control panel can display the serial number for commodity hardware.
> Multiple bundles can be installed at once using good old
> sugar-install-bundle script.
> The shell now claims file transfer channels so Empathy won't interfere
> anymore.
> Home views names can be changed now.
> Neighborhood icons are no longer placed randomly.
> Sugar can now start even when the disk is full.
> More documentation for our gtk3 toolkit.
> More fixes for the Sugar theme.
> and even more [2].

Does the even more include the fixing of collaboration? If not what is
the status of that?

Peter
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel

[Sugar-devel] [Announcing] UNSTABLE 0.107.1 release (feature freeze)

[Martin Abente]

Hello everyone,

Moving forward with our current development cycle, I am pleased to announce
the release of Sugar 0.107.1 (unstable). This release means that we have
officially passed the time [1] for including new features and that we must
start focusing on stability and bug fixing.

This release comes with many improvements that are worth mentioning:

   - Changing the Frame settings in the control panel no longer requires to
   restart Sugar.
   - Added new keyboard controls to access and navigate the control panel.
   - The control panel can display the serial number for commodity
   hardware.
   - Multiple bundles can be installed at once using good old
   sugar-install-bundle script.
   - The shell now claims file transfer channels so Empathy won't interfere
   anymore.
   - Home views names can be changed now.
   - Neighborhood icons are no longer placed randomly.
   - Sugar can now start even when the disk is full.
   - More documentation for our gtk3 toolkit.
   - More fixes for the Sugar theme.
   - and even more [2].

Kudos to James Cameron, Sam Parkinson, Ezequiel Pereira, Batchu Venkat
Vishal and our Google Code-In students who are responsible for these
contributions, and to Gonzalo Odiard, Ignacio Rodriguez and Julio Reyes for
the reviewing work.

The tarballs for this release can be downloaded from:

   -
   
http://download.sugarlabs.org/sources/sucrose/glucose/sugar/sugar-0.107.1.tar.xz
   -
   
http://download.sugarlabs.org/sources/sucrose/glucose/sugar-toolkit-gtk3/sugar-toolkit-gtk3-0.107.1.tar.xz
   -
   
http://download.sugarlabs.org/sources/sucrose/glucose/sugar-artwork/sugar-artwork-0.107.1.tar.xz
   -
   
http://download.sugarlabs.org/sources/sucrose/glucose/sugar-datastore/sugar-datastore-0.107.1.tar.xz
   -
   
http://download.sugarlabs.org/sources/sucrose/glucose/sugar-runner/sugar-runner-0.107.1.tar.xz


*Please help us testing it!*

Regards,
Martin.

Refs:
[1] http://wiki.sugarlabs.org/go/0.108/Roadmap
[2] http://wiki.sugarlabs.org/go/0.108/Feature_List
___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel