My thoughts on Slackware, life and everything

Month: March 2020

Chromium and LibreOffice updates

Due to the Corona (COVID-19) crisis, Google decided to postpone the introduction of Chromium 81 to the stable channel. Understandably due to the challenges created by sending most developers home for their own safety and protection, which is a cause for less efficient work schedules.
Instead, there is an increased focus on addressing security related issues in Chromium 80 and releasing those in rapid succession. After all, any crisis attracts the worst of humankind to mess with the more gullible part of the population and browser based phishing and hack attempts are on the rise.

And so, yesterday there was another version upgrade, and I built the new chromium packages for Slackware 14.2 and -current already. The chromium-80.0.3987.149 release can be downloaded from any mirror – or upgraded using slackpkg/slackpkg+ if you use that.

In addition, new LibreOffice packages are available for Slackware -current.

You’ll get the latest and greatest ‘fresh’ release of 6.4.2 and unfortunately, no new packages for Slackware 14.2. I am unable to compile the 6.3 or 6.4 releases on the stable version of Slackware due to outdated/obsoleted libraries.

Note: among the packages for LibreOffice that are targeting Slackware-current, you will find a “libreoffice-kde-integration” package which adds Qt5 and KDE5 (aka Plasma5) support to the LibreOffice suite.
If you run Slackware-current but do not have KDE5 packages installed at all, don’t worry. LibreOffice will work great – the KDE integration package just will not add anything useful for you. On the other hand, if you have Plasma5 installed you will benefit from native file selection dialog windows and other integration features. And even if you do not have Plasma5 but you do have Qt5 installed, then you will be able to run LibreOffice with Qt5 User Interface elements instead of defaulting to GTK3.

If you want to compile LibreOffice 6.4.2 packages yourself using my SlackBuild script, then be aware that by default the KDE5 support is disabled. You will have to set the value of the script parameter “ADD_KDE5” to “YES”. Additionally you will have to install the packages that this functionality depends on otherwise the compilation will fail.
Read the ‘README.kde5‘ file in the source directory for the list of packages you’ll need. All of the required packages can be  found in my ‘ktown’ repository: https://slackware.nl/alien-kde/current/latest/

Enjoy! Eric

Updated packages in the past weeks: Plasma5, gcc_multilib, openjdk7 and more

I do regular updates of packages in my repository. I focus on the software that is popular, or relevant to Slackware. For the software with a high visibility I usually write a blog post to alert people to the new stuff.
During the last couple of weeks I have not been writing so much about updates due to personal circumstances, some of it has to do with the Corona outbreak.

I was also affected the death of Erik Jan Tromp (Slackware’s alphageek) early March just after I visited him for a final time in his apartment in Leeuwarden.


Anyway, here is a summary of what was refreshed during these weeks.

The new KDE-5_20.03 batch is now available for download from my ‘ktown‘ repository. As always, please remove KDE4 first (check the README for instructions if you still need those). These packages will not work on Slackware 14.2.
This March release contains the KDE Frameworks 5.68.0, Plasma 5.18.3 and Applications 19.12.3. All this on top of Qt 5.13.2.

Deps:
The most interesting event this month is of course the addition of qt5 and its dependencies to Slackware-current itself. I could remove several packages from my own ktown ‘deps’ section: OpenAL (renamed to openal-soft in Slackware), SDL_sound (integrated to Slackware’s sdl package), brotli, hyphen, libxkbcommon, socat, qt5, qt5-webkit, wayland, wayland-protocols and woff2.
I also updated the sip package so its version matches again with that in Slackware (the ktown version has Qt5 support which the Slackware version still needs to pick up). The qca-qt5 package was updated to the latest version.

Frameworks:
Frameworks 5.68.0 is an incremental stability release, see: https://www.kde.org/announcements/kde-frameworks-5.68.0.php.

Plasma:
Plasma 5.18.3 is the fourth incremental release of 5.18 LTS (Long Term Support). See https://www.kde.org/announcements/plasma-5.18.0.php for the full announcement including several video’s portraying the strong points of KDE’s desktop environment and https://www.kde.org/announcements/plasma-5.18.3.php for information on these latest updates.

Plasma-extra;
In plasma-extra I updated latte-dock.

Applications;
Applications 19.12.3 is a stability and bugfix update for the 19.12 cycle. Remember that I still call this ‘Applications‘ but KDE folk prefer the new name ‘Releases‘. See https://kde.org/announcements/releases/2020-03-apps-update/

Applications-extra:
In applications-extra I updated kstars and added a new package: labplot.

Telepathy:
KDE Telepathy is no longer part of my ‘ktown’ distribution of KDE Plasma5.

PAM support

My ‘ktown’ has two sub-repositories. The ‘latest‘ sub-repository is always meant to be used with the official Slackware-current packages. and the ‘testing‘ sub-repository is where I test stuff that is not yet ready to be adopted by the larger population.

Since last month, Slackware’s own ‘/testing’ area contains a set of packages that add PAM support to Slackware. My regular ktown aka ‘latest’ repository content is meant for an up-to-date Slackware-current without PAM. The ‘testing’ repository on the other hand is compiled against a pam-ified Slackware and can be used if you have added the new ‘testing’ PAM packages of Slackware-current to your system.
The packages that picked up PAM support are: kscreenlocker and plasma-workspace (in the ‘plasma’ directory),  and sddm-qt5 (in ‘plasma-extra’). A new package has been introduced as well: kwallet-pam (in the ‘plasma’ directory).

Where to get KDE Plasma5 for Slackware

Download the KDE-5_20.03 from the usual location at https://slackware.nl/alien-kde/current/ or one of its mirrors like http://slackware.uk/people/alien-kde/current/ .
Check out the README file in the root of the repository for detailed installation or upgrade instructions.

Development of Plasma5 is tracked in git: https://git.slackware.nl/ktown/ .

A new Plasma5 Live ISO is available at https://slackware.nl/slackware-live/latest/ (rsync://slackware.nl/mirrors/slackware-live/latest/) with user/pass being “live/live” as always.

While I was working on new Plasma5 packages, Pat Volkerding released packages for gcc 9.3.0 for Slackware-current. When I told him I did not have the time to compile multilib versions for the new gcc because I was busy, Pat responded by updating the gcc-multilib.SlackBuild script and compiling a set of multilib gcc packages for me. So what you download from my multilib repository was actually built by Pat this time.

For those who still use the older Java7, I updated my openjdk7/openjre7 packages to 7u251_b02 with the help of IcedTea 2.6.21 release. This is a security bugfix release, as these Java releases always are I guess.
I get questions from time to time why I do not release packages for Java 11, and my answer always is: I do not see the need. I build my packages using IcedTea framework and when they add support for newer Java versions than 8, I will release packages for that too.

There were several Chromium 80 updates in rapid succession during the last month, and the most recent version you can get from my repository now is 80.0.3987.132. I realize that there’s even a slightly newer release available but there’s only so much time to work on Slackware.

The advantage of having Qt5 in Slackware nowadays, is that it becomes a lot easier to compile a Calibre package for slackware-current. Nevertheless, the calibre package for Slackware 14.2 is still big because my Calibre packages contain all the dependencies inside and the version for Slackware 14.2 includes qt5 libraries.

I am regularly updating packages that are part of my ‘Digital Audio Workstation’ collection.
During the past weeks I updated the MuseScore package (Musescore can create, playback and print music scores) and along with that I updated the Qt5 based JackQtl graphical interface to the Jack2 audio server.
For my own laptop and desktop, I am now starting qjackctl in Plasma5 on login and all my ALSA and Pulseaudio sound pipes through Jack into my speakers now, without the need to change anything to Slackware’s default ALSA and Pulseaudio configurations.

Have fun! Eric

Setting up an Outline server to bypass state firewalls

If you live or work (as a journalist for example) in a country which limits free access to information, and you have difficulties penetrating the state firewalls for access to the outside world, you may want to read on. In this article I will inform you about an interesting Open Source VPN solution called Outline which puts you (or your company) in full control. I will also show in great detail how to setup such a VPN server yourself.
One caveat though – you’ll have to rent an online Linux server in a ‘free country’.
Luckily, the cost can be fairly low especially if you share your VPN server with friends or colleagues.

What is Outline

Jigsaw is a daughter company of Alphabet, which is also Google’s parent company. It’s mission: “Jigsaw is a unit within Google that forecasts and confronts emerging threats, creating future-defining research and technology to keep our world safer.”

Jigsaw created the Open Source program “Outline” specifically to enable journalists and news organizations to work in adverse and hostile environments such as dictatorships with state-controlled and censored access to information. Access to information should always be free, uncensored and uncontrolled!

Outline is a client-server solution which uses the VPN capabilities of your device’s Operating System to encrypt and tunnel all your device’s traffic (like web searches, DNS queries) through a SOCKS proxy running on a remote server that you, or your organization, controls.
Outline is able to bypass the Great Firewall for instance. Note that Outline does not provide anonymity; all your traffic will exit from your Outline server. Your online activity will appear to originate there and not from the location you are actually in. Once you have installed an Outline client on your device (an Android phone, a Windows/Linux/Mac computer) you can try sites like dnsleak.com and ipv6leak.com to verify that your network communication is indeed not leaking data that may be snooped by your country’s enforcers. The pixelprivacy website provides a guide to help you understand, find and fix DNS leaks: https://pixelprivacy.com/resources/dns-leak/

The Outline Server runs on a Linux server. You use Outline’s Server Manager program to create the Outline Server configuration. The Manager application comes with pre-configured setups for Google Cloud Platform, Azure Web Services and DigitalOcean. While that’s nice, I will focus in this article on installing Outline on an online Linux machine that you yourself manage – any Linux cloud server, VPS or even your machine at home will do.
No commercial VPN offering will be as secure as the one that you run and control yourself! And if you wonder about the quality of the Outline source code – Jigsaw had their code audited twice, by Radically Open Security (in 2017) and Cure53 (in 2018) and you can read their reports online.

Outline Clients are available for Windows, Android, Linux, macOS and iOS. The client is what sets up the VPN connection to an Outline Server.

Use your own online VPS

Or any other kind of online subscription really. I am happy with the price, feature set and performance of the small dedicated servers offered by online.net aka scaleway. Especially the unmetered 1 Gbps connectivity is important when you want to offer a proxy server to accommodate your users’ secure internet access.
Your linux server needs to be able to run Docker, the light-weight containerization program. For obvious reasons, I will assume that your server is running Slackware, and you’ll have to install a couple of packages first through slackbuilds.org.

Setting up your Slackware server

The Outline Server runs as a docker container. We need to install docker first because it is not a standard offering in the Slackware distro.
Docker has a set of dependencies which we also need to install first: tini, google-go-lang, docker-proxy, libseccomp, runc and containerd.

To make our life easier, we will use sbopkg to manage building and installing these packages from the slackbuilds.org scripts.
If you did not yet install sbopkg, download and install it now (the current version of sbopkg may differ from the package version in the example below):

# wget https://github.com/sbopkg/sbopkg/releases/download/0.38.1/sbopkg-0.38.1-noarch-1_wsr.tgz
# installpkg sbopkg-0.38.1-noarch-1_wsr.tgz

If you are running Slackware-current instead of a stable release like 14.2, then you need to edit the following two files before you run sbopkg for the first time:

# vi /etc/sbopkg/sbopkg.conf
# vi /usr/sbin/sqg

… and change the lines:

REPO_NAME=${REPO_NAME:-SBo}
REPO_BRANCH=${REPO_BRANCH:-14.2}

to:

REPO_NAME=${REPO_NAME:-SBo-git}
REPO_BRANCH=${REPO_BRANCH:-current}

When that’s been taken care of, we need to initialize the local sbopkg database by letting it clone the git repository of slackbuilds.org. Next we run the SlackBuild Queuefile Generator (sqg) script which is part of the sbopkg package. The sqg script examines the “.info” files of the complete slackbuilds.org locally downloaded copy. It uses the dependency information inside these info files to generate “queue files”. A queue file contains the list of packages which have to be built before the actual program you are interested in… aka “the dependencies”. This saves us from reading these info files ourselves to find out what it is that we need to build and in what order.

# sbopkg -r
# sqg -a

After you have initialized the sbopkg program this way, you could now simply run:

# sbopkg -k -i docker

And that should compile and install all the docker dependencies (skipping those packages that are already installed to avoid duplicate effort) and finally, also the docker package.
There’s a snag however… when you install the “google-go-lang” package, it is not ready for use yet. The google-go-lang package installs a profile script “/etc/profile.d/go.sh” which is essential to compile the “runc” and “containerd” packages. So, we cut the compilation in two halves and run the “go.sh” script in between:

# sbopkg -k -i google-go-lang
# source /etc/profile.d/go.sh
# sbopkg -k -i docker

Note that sbopkg checks whether a queuefile exists with the name of the program you attempt to compile. Therefore you will be asked the question whether you want to compile just the “docker” SlackBuild script or the “docker” queuefile. You must select “Queuefile (Q)”.

Assuming the compilation runs error-free you end up with a batch of packages which sbopkg will automatically have installed for you. If you want to save these packages for re-use, you will find them in the “/tmp” directory or whatever your $TMP variable points to. Save them to a less volatile location.

When the packages are installed, we still do not have a system which runs Docker containers automatically. So we add the following block of script code to the file “/etc/rc.d/rc.local” – this causes the Docker daemon to start automatically on every boot:

if [ -x /etc/rc.d/rc.docker ]; then
  # Start Docker daemon
  echo "Starting Docker Daemon: /etc/rc.d/rc.docker start"
  /etc/rc.d/rc.docker start
fi

And to achieve a proper shutdown of your Docker containers when you want to shutdown your server, add the following code block to the file “/etc/rc.d/rc.local_shutdown” – note that this file does not exist by default on a Slackware server, so you may have to create the file “/etc/rc.d/rc.local_shutdown” first, and make it executable:

if [ -x /etc/rc.d/rc.docker ]; then
  # Stop Docker daemon
  echo "Stopping Docker Daemon: /etc/rc.d/rc.docker stop"
  /etc/rc.d/rc.docker stop
fi

We will start docker manually this one time, because I do not want to reboot:

 # /etc/rc.d/rc.docker start

This ends the Slackware server preparation for Outline.

Setting up the Outline server

The Outline website offers downloads for the Outline Manager. This software sets up and manages your Outline VPN server and it also generates the access keys that a computer or smartphone needs in order to connect with your Outline Server. You’ll generate separate access keys for every user of your Outline server. Never share a key with more than one user or they will be able to see the other’s online activity and all data!
Outline Manager is available as a Windows or MacOS binary and a Linux AppImage. We’ll proceed to download the variant which suits our OS:

Again, I guess it is logical that I downloaded the Linux AppImage because my laptop runs Slackware 🙂
Start the binary after making it executable:

alien@hogan:~$ chmod +x ~/Downloads/Outline-Manager.AppImage
alien@hogan:~$ ~/Downloads/Outline-Manager.AppImage
(electron) 'getName function' is deprecated and will be removed. Please use 'name property' instead.
Outline Manager is starting
Launching web app from outline://web_app/index.html?version=1.3.0&sentryDsn=https%3A%2F%2F533e56d1b2d64314bd6092a574e6d0f1%40sentry.io%2F215496
(node:13952) ProtocolDeprecateCallback: The callback argument of protocol module APIs is no longer needed.
(node:13952) ProtocolDeprecateCallback: The callback argument of protocol module APIs is no longer needed.
Checking for update
Generated new staging user ID: 7d7c2930-c574-5d3f-afd9-20401310d20f
Update for version 1.3.0 is not available (latest version: 1.3.0, downgrade is disallowed).

.. and the GUI appears:

The first screen in the Outline Manager offers four choices in setting up an Outline Server. If you already have a paid account with DigitalOcean, Google Cloud Platform or Azure Web Services, you can click the corresponding square and you’ll have a server setup in no time. As I saiod before, I am more interested in a self-hosted VPN on a server which I control. So click the fourth square labeled “Set up Ouline anywhere”  and this brings us to the second screen:

This shows a two-stage approach: the first box shows a command we need to run on a server we control; the command will download and prep an Outline Docker container. You’ll notice below that “Shadowbox” is started, this is the ShadowSocks server which is the actual proxy implementation. Additionally a “Watchtower” is started, this is a service which will keep your Outline Docker container updated automatically with security/bugfixes and new features.

At the end of the setup, a unique configuration string will be emitted which we then have to enter in the Manager‘s input field as proof that we control the server. This is what that looks like:

alien@server:~$ sudo bash -c "$(wget -qO- https://raw.githubusercontent.com/Jigsaw-Code/outline-server/master/src/server_manager/install_scripts/install_server.sh)"
> Verifying that Docker is installed .......... OK
> Verifying that Docker daemon is running ..... OK
> Creating persistent state dir ............... OK
> Generating secret key ....................... OK
> Generating TLS certificate .................. OK
> Generating SHA-256 certificate fingerprint .. OK
> Writing config .............................. OK
> Starting Shadowbox .......................... OK
> Starting Watchtower ......................... OK
> Waiting for Outline server to be healthy .... OK
> Creating first user ......................... OK
> Adding API URL to config .................... OK
> Checking host firewall ...................... OK

CONGRATULATIONS! Your Outline server is up and running.

To manage your Outline server, please copy the following line (including curly
brackets) into Step 2 of the Outline Manager interface:

{"apiUrl":"https://xx.xx.xx.xx:yyyyy/zzzzzzzzzzzzzzzzzz","certSha256":"e4888ec20b2302bcec440655e515625de7a9b6dfe180d7ecd54791a644a6ae32"}

If you have connection problems, it may be that your router or cloud provider
blocks inbound connections, even though your machine seems to allow them.

Make sure to open the following ports on your firewall, router or cloud provider:
- Management port yyyyy, for TCP
- Access key port bbbbb, for TCP and UDP

These last two lines mention the (randomly chosen during installation) TCP and UDP ports which are used by the Outline Server. If your online server is firewalled (and it should be… if not, go to http://www.slackware.com/~alien/efg and generate a firewall configuration stat) you need to open these TCP & UDP ports in your firewall before pasting the red line into your Outline Manager window.

If the firewall is OK, and you enter the above red line, then the Manager will contact the Server to validate the setup. And once that succeeds, you’re all set!

The Outline Manager window will look like below with a configured Outline Server. One single access key has already been generated for you as part of the server installation, and you can add more. You can also revoke keys that you shared and that are in use by people you don’t trust, and you see the amounts of data traffic each user consumes (but you can not see the actual content):

Install an Outline Client

On your computer you can download and install an Outline Client from the getoutline.org web site, for your phone you can get the Outline app from the respective Store. The Linux Outline Client is offered as an AppImage similar to the Manager application, and it runs on Slackware:

   
The client needs an access key so it knows where to connect and how to authenticate. An access key is nothing more than a URI which starts with “ss://

As a server administrator, you use the Outline Manager application to create and share these access keys with your prospective users in a secure manner – by using a chat app with end-to-end encryption or encrypted emails for instance. The Access key contains the IP address of your server, not a hostname, so that DNS lookups are not needed to make the initial connection.

After connecting the Client to the Server and establishing a VPN tunnel (or rather a sophisticated encrypted proxy setup), all subsequent DNS queries (and the rest of your online requests) are tunneled to the Outline Server.
And once the access key is loaded into the Client, all you need to setup a VPN at any time is just to open the application and press the big “Connect” button.

Summarizing

I hope this article helps some groups of people or organizations in non-free countries to re-gain their access to sources of uncensored information. The Outline VPN software is Open Source, free to use and security-audited. There’s a (small) cost involved to run an online Linux server – either a cheap Virtual Private Server (VPS) or a real server in a network you control. Take good care to rent a server with a generous monthly bandwidth plan to avoid unexpected high cost afterwards. Online.net offers servers with unlimited bandwidth for instance.

Good luck out there!
Eric

 

© 2024 Alien Pastures

Theme by Anders NorenUp ↑