 So, ladies and gentlemen, we're going to get started with the lightning talks now. The first one is Ian McLeod. Thank you. Hello. Can everyone hear me? I hope the demo works. All right, so I'm going to talk about Fedora on the Raspberry Pi Zero. I'm calling this Bootstrapping an old architecture. I'm sure you've seen or heard some talks about bootstrapping new architectures that are fast and interesting like PowerPC 64 or 64-bit ARM, so we're going to go in the opposite direction here. So who has heard of the Raspberry Pi, as if I'm not okay? Who knew about this device, the Raspberry Pi Zero? So most of you. Okay, good. That's probably why you're here. It is a one gigahertz, half a gigabyte, full Linux computer that fits in the palm of at least this hand. How many of you knew that the Raspberry Pi is actually a GPU chip with a CPU put onto it as an afterthought for some of it? It is. That's what it is. I think something like only two or three percent of the die space on these chips is the ARM CPU and the rest of it is actually a GPU that is used in mobile phones. That is one of the reasons why it's able to be manufactured so cheaply, or at least that's my understanding. This invocation or incarnation of it rather has an HDMI connector. It has a single USB OTG connector, a different connector for power, and then it has the same 40 pins for GPIO that the rest of the Pi family have. So the original Raspberry Pi and the Raspberry Pi 2, this duplicates all of that. And it costs five US dollars if you can find one, like a lot of the rest of the Pi's. It's not very easy to find at the moment. If you're willing to buy $55 of other stuff with it, Adafruit in the United States will ship one to you. That is how I managed to get my hands on one right now. So who's heard of the chip? The $9 computer. So if that's too rich for your blood, the Raspberry Pi Zero is the machine for you. It's only five. And it's made in Wales. Who's heard of Wales? I'm just kidding. We'll move on to that. So what? Cheap will run Fedora. Why would we be interested in this? The Raspberry Pi has been a phenomenally successful platform. They shipped five million units through February of last year. I can't find any more recently. I think they just blow away any other platform. This is a check and app that not everybody uses, but it gives you a sense of the geographical extent of their community. There are five Antarctica that have checked in. There are two on the International Space Station. Some other reasons why. Did I mention they have five million units in production out there being used, right? It's a very large community of developers and users, and has a very large focus on education, which I think is always a good place to have a presence. They are not open hardware. They haven't done everything that we would ideally like to see them do as a community, but in my personal opinion, their motivations are good, right? They are not-for-profit foundation. They've been associated with education for a long time. A lot of them were involved in the original BBC microcomputer back in the 1980s. They cut their teeth on it. I think they're a pretty good player in this space. And another reason for me to be interested in personally in doing this Fedora recompile is because there's really no or very minimal Fedora presence in the community. There was a project called PyDora. They did some releases based on Fedora 1819 and 20. They were partial rebuilds, and it for all intents and purposes appears to be pretty much dead. They have not updated since then. It's been difficult getting in touch with them. There's some interest in the Raspberry Pi 2 in Fedora 24. We've talked about this before, and we've talked about this before. That's not going to be quite the same thing, and we'll see why in a minute. Why is it not yet supported? Why is Fedora not yet supported on this? The original Pi and this device, the Pi Zero, are ARM v6 CPUs. It is an older version of the ARM CPU architecture. It is not binary compatible, forward compatible. You can't run v7, basically. You can't run the current Fedora builds are too new to run on it. They also require a forked kernel at the moment, although that is changing. And they require a binary bootloader blob. So what have I done to make this work so far? I have, since early December, done mock, and then mock chain rebuilds of about 3,000 of the core packages in Fedora. And these are the binary packages. Most of Fedora is actually non-arch, no architecture, right? I did use PiDora to bootstrap it. I am mostly unshuffled from that now. An interesting thing to know about this is that the v6 architecture is actually an almost perfect strict subset of v7, which means that I can use newer, faster machines to compile the v6 stuff using mock and mock charoots, right? It has been a very time-consuming process. I was warned about this by many people who have done it before. Many people in Fedora release engineering. But it has been very rewarding and very interesting. I've learned a tremendous amount about what goes into Fedora. A few random thoughts. Don't have a whole lot of time. But if you're going to do this yourself, disable the check section. Be aware that build requires don't always have to work. You can fake them. You can when you're really in a pinch. You can be on the RMV7 architecture, but say that you want to build the RPM for the other target. And it mostly works. Be careful if you do something like that. The other thing I've done with some help from Mike McLean is I have what I think is the smallest Koji cluster in the world, the smallest build system. It sits on top of a little shelf in my office. I have seven builders, and I'm going to be using those to do the work that's next, to do with some help. So I need to complete the first pass of these package builds. I need to do a remix and rebranding, finish up with the updates in Rawhide, and I want to leave myself enough time to try and turn it on. So I won't even mention the rest of these. So let's see if it works. Does anyone want to see if it works? Okay. Let's do a demo. So if I switch this to HDMI, and I plug this power in, we should see, with any luck, I figured if there was any audience for which I could get a round of applause for a boot to text mode on a system, this would be it. So it takes... It's not the fastest machine in the world, just to give a sense of how much is here and how much is left to do. It should eventually say that there's almost 400 packages, and it takes a while... It takes five minutes for the initial DNF command to run, actually, on this device. So... Yeah, and here we'll do Etsy Fedora release. Although I have to remove that and re-brand it with something else, Pete Robinson told me. Go to my Fedora people page. I'm a cloud Fedora people, and in a sub-directory called RMSBCs, the image that is running on this is there, and I'm working on getting the rest of the recompiles up. If you want to be involved in the recompile, if you want access to the Koji system, come talk to me as well. Is there any questions? I think the Pandaboard is another v7 machine. You can, and in fact, the way that the Raspberry Pi people do things right now is they have an ARM v6 user space that runs in everything, even the Raspberry Pi 2, and then they just sort it out with the boot loader. I don't think you would want to run or anything else. I think that... It can run, yeah, upstream Fedora. There's a question in the back. It will, in fact, I tested it on Raspberry Pi original before I got my hands on a zero, so it will. They are the same chip, as a matter of fact. Mike, you had a question. It's not faster. It's definitely not faster than any of the machines you can. It used to be comparable when we had only single-core ARM boards, but it's not fast, because they talked about that. Maybe you can make a build farm out of QMU instances, but no, it's not fast. You can. I don't think there's a way to simulate strict ARM v6 on QMU, as best I can tell. But that could be wrong. Jay, I think I noticed that the Perl package upstream actually does this every time it revs the version. There's a swing version where it pretends that it can support either version of the API. That was about it. There's so many of them. In theory, this should be something that you know how... I'm out of time. Thank you. We've got to do a graceful shutdown, of course, otherwise. No. Okay, so let's move on right to the next speaker. But let's connect the display first. Timer. It's just a timer. Okay. Timer is ticking. That's why I didn't bring my laptop. Yay. Thank you. Okay, let's welcome the next speaker. Just this one here. So that's a lot of things. I'll talk about reproducible builds, what they are in the stages. It's a very quick one. So I'm not doing Debbie and stuff. That's boring. This work is done by all these people. This is one of them. Who are you? That's the question. Who have here to talk about reproducible builds already? So not so many. That's good. Motivation. Why do we do this? This was well described by Mike Perry and Cezern at the last... not the last but one Congress. I'll just summarize it shortly. Really watch this talk. It's really good. You get root exploit in SSH where the difference in the binary was one single bit in a 500 kilobyte binary. If you flip a bit, you get root exploit. They also had a kernel module which modified the source in memory and not on disk. So you look at the file on disk, it's all fine. The source is fine. You compile it. You got vector inside. Then think about the amount of money of Iran is $100 million. Is your infrastructure good enough to sustain attackers which have so many resources? I'll go through it very briefly because it's a long talk and I'll just summarize it here. You leave your computers alone and USB 3 has direct memory access so there's ways to get into your machine and you really don't know what you're running. We try to address this. Another example from real life, the CIA made a paper describing how they put a Trojan into an SDK which developers download and the sources are fine but there's a backdoor in the binaries created and this was found in the wild last year, XcodeGhost which was a thing for Apple iOS and the servers were slow so somebody had said faster servers and these servers were backdoor and if you build applications, you're doomed. Therefore XOS was affected by it 20 million users got rooted so this happens in the real world and our solution is that we promise everybody can recreate the same binary from the same source anybody should be able to do this and we call this reproducible builds so if there's bit by bit identically we call that reproducible builds and I had a demo which I skipped so what I show in the demo I built a Debian package five times and get five times a different checksum and what did I press? You don't know, okay so I skipped the demo because it takes too long but now I go back and so when you build it five times you get five times the depth with the same checksum it's really, really simple it's all the same and you don't have to look inside the Debian archive you just see it on the checksum outside and we think this should really be the norm all free software should be built that way actually we think it should only be called free software it's binary reproducible and there's more benefits than security smaller deltas gives you faster updates if you do binary delta updates in Debian we've seen lots of QA efforts like we found some strange bugs like we found packages which will fail to build in the future because we test building in the future so we can build with different days so we found lots of things Google does reproducible builds for security of course but also they save developer time and developer time is money because developers wait for the builds to finish and they can cash more so what we've done we've set up now, we started with the Debian wiki which Debian wiki still has some good information but three months ago I think we started the reproducible minus build org web page which describes why and has documentation how to address common issues and also lists projects working on it if you haven't gone there please go there lots of issues are described by Luna in his talk at the CCC camp last year where he describes issues and how to fix them so for example gsub minus n is one thing you want sorting depending on the locale which mocks address in the fedora case but in other cases not so this talk really has lots of information if you want to see a video watch this video it has nice things the most common problem is time stamps mostly it's not so much really in binaries though some binaries do have it but it's the documentation tool so pi doc and pun doc and whoever they all put time stamps in the documentation they generate and mostly these time stamps are also changed by time zones or locales which again in the mock case normalizes the environment so that's fine but we look also at the upstream thing and some people don't normalize the environments and there's very few other issues I come to that in a second Debbie and we have identified the issues so there's not these are really the issues time zones, time stamps and locales for the time stamp problem we've invented source date epoch which is defined as the last modification of the source code that can be used instead of the current date it can initialize random seeds Debbie and we set it from the last change log entry you can also use the date of the last git commit and that is deterministic because it doesn't change and many upstream software supported like we have a patch for GCC which we'll get in hopefully in this development cycle of GCC we've patched I think 30 or something software and the NetBSD and FreeBSD use it now Geeks use it Arch Linux we have a patch for RPM build which also uses it I think we've written a spec which is just two kilobytes of text or something it's really short spec defining it and we've set up a test setup where we continuously test Debbie and testing unstable experimental but not by now also core boot openWT NetBSD, FreeBSD, Arch Linux Fedora and soon asteroid and Geeks at the moment we are only building 800 Fedora packages not all and this is running on nice big hardware and you see there's the test with 29 contributors there's about 10 out of these are not Debbie and people but they are from other projects and what we do is we build twice and in between we vary the environment and then we compare the results that is to find issues so we there's something again MOC will normalize some environments but other things not what we're not testing at the moment is the file system we've made a fuser file system which will return a random order and the block sizes are also random so there you find we find artifacts of this we're not changing the CPU yet we don't have the break no time no 8 minutes okay all right I'll just one thing I tested it before but it the status of Fedora we have patches we have a repository but it doesn't work yet we need Fedora people to look into it I'll be here tonight Please talk to me. Thank you Okay, so it's time for the next speaker, so let's Give a round of close to easy Can you hear me? Okay, so I've got ten minutes probably already less to explain you why you should write upstream metadata for your application and plugins and how you can easily make a defense so For the last 20 years Software app discoverability and installation on Minux was mostly about software package Managers so on the on the desktop the experience is something like this. That's that's your max so we pretty much get a list of Packages with the names of the packages and short descriptions if you search for something like instant messaging You get like nothing so I as an experienced user enjoy working with package managers if you know what do you want to install that's like but Usually the the most effective way To get it done on the other hand for new and average users who are now where they used to like app stores and Google play and and such catalogs This is something that completely puzzles them So to stay in the game. We had to come come up with something similar. So One of the apps That this this is from the Gnome project is the Gnome software, which is like as you can see like a classic catalog app So if you if you do the same search Yeah, you actually get some reasonable results some useful results. So but Where does the data come from how it's the catalog is actually created? So this Gnome software and also not not only known but also KDE more on which is a catalog for for KDE and also Ubuntu software center is switching to the standard all those projects are using Distro agnostic upstream XML format so we can you can find the specification on fair desktop.org and the project is About writing metadata not only for desktop apps, but also for add-ons Fonds codecs and so on I'd like to focus on the desktop applications and add-ons So I'll show you right away how such an XML file with metadata looks like this is XML file for Nautilus is that is not the final version now tools actually adds some more stuff When it's built, but I wanted to show this version because it's it's clear There are no translations and stuff like that. So you see the ID that Needs to be the same as the desktop file of that application. That's identifier You need to have a license for that metadata. I used to use GNU documentation GNU free Document license, but apparently some distributions like Debian Have a problem with this license and actually some projects I sent the metadata to had to had to I like sense it So that's why I in the end ended up with creative commons zero Which is preferably like the best the best way to go For this metadata, then you've got like longer description. You can add Kudos, which is actually not defined in the upstream specification, but it's helps to sort the applications like To identify the quality of the application for the user and also like Home page of the project and so on Then the final version looks like this as you can see you can also add localization so you can hook it up to your get text System trans effects, whatever and you can let the translators Translate also the metadata It also adds Is it somewhere here? You can also add screenshots The only thing I don't really like about the screenshots is that there is really no Centralized repository for them. So you actually have to find some place We are to locate those screenshots and the distributions Download them when they built the database of applications So I think this could be actually Improved hopefully in the future. So once once you have this Ideally, you should you should send it to us the upstream project. The upstream project should ship it either like Install it already in the in their built Scape or they can also only include it in the table and then you can take care of it in the spec file in in Fedora case, so I'll show you Such a spec file So this is for example for a plug-in Telegram plug-in for for pigeon you just hear like pretty much just copy the the XML file to Users share app data Path You should also add Check here That validates that the the XML file actually passes the the standard and That's pretty much it and Fedora and I suppose other distribution has the similar thing runs escaped that looks for those XML files in packages once it find it it builds the database connects the package with that metadata and Creates the data for you know software And also I mentioned that you can write metadata for add-ons as well Which are actually much easier to write. That's like fairly short XML file It needs very short description. It doesn't require any screenshot anything So this this takes like five minutes to write and I started an initiative In Fedora to actually cover the add-ons because we've covered the applications pretty well But still we for example have now tillers in the catalog But now tillers has like 10 add-ons and the users don't know about them because the add-ons are not listed in the profile of now tillers So here you can actually contribute you can write the XML file You can submit it upstream or you can submit it downstream as well if the up same doesn't is too is too slow to accept it or Doesn't want to accept it and that's how we can actually build The metadata and the catalog even more. I'll just show you how it looks so one once the application has meta like Plug-ins of that application have metadata then they are listed sorry for the localization. It's in check, but I suppose you understand It's listed in the profile of the application. So the user immediately knows yes this this software actually has Some extensions that can be useful for me Yeah, and that's pretty much it. Thank you for your attention He thinks your car and welcome on a hour less speaker for today actually Kevin I'm going to talk about cute web engine, which I think is the future of web browsing So first let me shortly introduce myself. I'm Kevin Coffra. I've been a Fedora packages since 2007 I'm met in 46 packages currently and my employer is target optimization Technologies game behind and I'm also doing a PhD in mathematics so What is cute web engine? It's a new web engine that is available in cute 5 since version 5.4 It has been reasonably feature complete since 5.6 which is about to be released there is already better available and It's available in Fedora at least in raw head. I will come to that later It's a replacement for cute web kids, but not really it's not a dropping replacement But the way it works is that cute web kit has been deprecated since cute 5.5 It's still available, but it's no longer actively maintained and cute web engine is based on Google's chromium Which is nice because it's modern up to date, but the drawback is that it's hard to package So why cute web engine? Because the old cute web kit was based on an old web kit branch a really really old one which is no longer supported by upstream web Kid it's no longer up to date with the current web standards and most importantly even the security updates are too are to backboard so north there is missing a lot of security updates and Repacing to a newer web kit was not feasible because the cute project just did not have the resources for it and They change from web kit one to web kit two and web kit one is no longer supported and to support web kit two cute web kit would have to change a lot and So they said if we are going to have to change the old API anyway We're going to just pick chromium, which is modern up to date with current web standards and And they also backboard security updates with stable branch Because as you can see cute web engine 5.6 is based on chromium 45 Which is not the latest release, but they have backboarded or the security fixes that are relevant It offers a complete API to build a full browser. There is already one browser, which is called Capsula which uses it It supports all the modern HTML 5 stuff if you care about flash you can drop in the blob But you have to do it yourself. It won't do it for you And in the future the next release which will be in about six months or so will be a cute web engine 5.7 it will be based on a newer chromium at least 47 It will have all the features from above of course But in addition it will also support printing and there will also be an option and support for the blob that provides the EME DRM But there are two you have to install it yourself if you want to use it Now as a developer how you would use it is there are two possibilities either in C++ or in QML and in QML Then you can use it directly or through a wrapper in C++. There is this cute web engine view C++ class It's the most powerful API and that's you what's what for example Capsula 2 uses In QML, you can use QQ web engine directly through a native API. That's the web engine view class We and the it's nice because it's easy to integrate into a QML user interface But the API is more limited than in C++ or then there is also a cross-platform wrapper Which is useful for mobile platforms where where where you don't have cute web engine And it offers a similar API to the web engine view But even more restricted because it's restricted to the lowest common denominator that you have in Also in the native browser that's used on the mobile platforms on the desktop platforms It uses cute web engine at least on Linux And the wrapper is not packaged yet in Fedora, but it's very small so It's easy to package which is just no app that that needs it right now So I Packaged the cute web engine the package is called cute 5 dash cute web engine like all the other cute 5 modules and It was quite somewhere to work to package it Unbundled libraries whenever possible. There is some where cute web engine 5.6 already does it There are some others where chromium supports unbundling, but cute web engine didn't do it. So I I made it do it and yeah, there's some others more stuff I unbundled then What was really annoying is that chromium removed support for x86 without ssc2 in Fedora were supposed to support order x86 machines with only conditional move and no other additional instruction sets and so I restored the runtime detection that was there in all versions of chromium I added some where there was new stuff ssc2 stuff added and The idea is that everything needs to be runtime detected because otherwise we're slowed down the the ssc2 machines Which I don't want to do and this works already I'm now working on on G streamer support Because there is just a streamer backhand for chromium by Samsung and I'm trying to backboard it to cute web engines chromium But it's not done yet Yeah, and the package does not replace cute web kit as I said It's already available in raw at except G streamer which which I'm still working on and For Fedora 22 and 23 if there it will be a cute 5.6 update. It will be included But for now you can get it from from the copper. There is one for cute 5.6 and I also have a dedicated one Then there is capsilla, which is a web browser that uses cute web engine At the the current version which will become capsilla to Uses cute web engines of cute web kit right now. There is a snapshot from git master Which is already in right? It's a modern browser for end users It can be an alternative to firefox and to proprietary browsers like work rom and It has optimal desktop integration unlike firefox for example just like the old capsilla one Which was cute web kit based For example, it has native icons native file dialogues it Uses cute so it adapts to the style or soft for to that right the styling norm Of course to the plasma one because it's cute It supports native notifications and so on You can also use k-wallet or normal key ring which is supported through plugins And as I said, it's already in right and I have a cute web engine copper repository where you can get it for Fedora 22 and 23 It will not be in the official Fedora 22 and 23 updates because it replaces capsilla one So it's a new major version and so these are the links where you can find more information this the change page and Then this is the copper where you can get it and there are sort of links to On the change page to our upstream resources So I think there is one minute and a half or so for questions So are there any questions? Looks like not then Thank you for your applause and Enjoy the evening