My second release of the day: Kirigami Addons 0.8.0. This release contains a few new components.

AbstractMaximizeComponent

This is part of the org.kde.kirigamiaddons.labs.components module and is a popup that covers the entire window to show some items. This is already used in NeoChat and Tokodon to magnify image and videos.

Thanks James Graham for developing the initial version and upstreaming it to Kirigami-addons.

Convergent SpinBox

Another new component is the convergent SpinBox from the org.kde.kirigamiaddons.labs.mobileform module.

This is just a normal spinbox on desktop.

But on Plasma Mobile/Android the touch target becomes bigger.

Others

Aside from this two components this release contains some small bugfixes and other minor API improvememts.

Get Involved

If you are interested in helping, don’t hesitate to reach out in the Plasma Mobile matrix channel (#plasmamobile:kde.org) and I will be happy to guide you.

And in case, you missed it, as a member of KDE’s fundraising working group, I need to remind you that KDE e.V., the non-profit behind the KDE community accepts donations.

Packager section

You can find the package on download.kde.org and it has been signed with my GPG key.

I’m happy to announce the initial release of Arianna. Arianna is a small ePub reader application I started with Niccolo a few months ago. Like most of my open source applications, it is built on top of Qt and Kirigami.

Arianna is both an ePub viewer and a library management app. Internally, Arianna uses Baloo to find your existing ePub files in your device and categorize them.

The library view will keep track of your reading progress and find new books as soon as you download them.

If your book library is particularly big, you can either use the internal search functionality, or look through the various categories and find books grouped by genre, publisher or author.

The actual reader is quite basic as its only function is to show the content of the book. That said, it does have features like a progress bar to keep track of your reading progress and also lets you navigate within the book.

It is also fully navigable with the keyboard.

Another feature allows you to search within a book for a specific word.

Get it

Arianna will soon be available in Flathub (once the submittion is accepted). Please also ask your distribution to package Arianna.

Credits

This application would have not been possible without the previous work carried out by Foliate, from whom I copied and adapted the epub.js integration, and Peruse from whom I copied and adapted the library management code. Finally I would like to thank Šimon Rataj who made numerous contribution and fixed multiple bugs.

Arianna is also translated in multiple languages, thanks to some wonderful translators. Here is the alphabethically sorted list: Basque, British English, Catalan, Czech, Dutsch, Finish, French, German, Georgian, Hungarian, Interlingua, Mandarin, Portuguese, Slovak, Spanish, Turkish, Ukrainian and Valencian.

Get Involved

If you are interested in helping, don’t hesitate to reach out in the Arianna matrix channel (#arianna:kde.org) and I will be happy to guide you.

I also regularly post about my progress on Arianna (and other KDE apps) on my Mastodon account, so don’t hesitate to follow me there ;)

And in case, you missed it, as a member of KDE’s fundraising working group, I need to remind you that KDE e.V., the non-profit behind the KDE community accepts donations.

Packager section

You can find the package on download.kde.org and it has been signed with my GPG key.

After a very long pause, I am happy to announce the release of Nanonote 1.4.0.

Nanonote is a minimalist note-taking application. It consists of a text area, a context menu and... that's about it!

It's handy to jot down short term notes, as a temporary place to collect copy'n'paste blocks, to draft a long response for an instant messaging app without having to fear pressing Enter too soon or any other use you can come up with!

TODO lists

Nanonote can also be used to write TODO lists. This is even better now in 1.4.0 thanks to the new task feature from Daniel Laidig, which lets you quickly create and toggle checkable tasks with Ctrl+Enter.

tasks.webm

Markdown-like headings

Nanonote is not a Markdown editor, but I often found myself separating notes with Markdown-like headings. Issue #43, convinced me to add some light styling for headings:

More changes

For a complete list of changes, have a look at the CHANGELOG.

Get it!

You can find .deb, .rpm, macOS dmg and Windows installers on the release page.

For Linux users, Nanonote is now also available on Flathub.

KDE Connect was designed 10 years ago (!) with Android smartphones as one of our first supported platforms. Because of that, when designing the KDE Connect protocol we had to work around many technical limitations that Android had back in its infancy.

This year I will be working on a project named “KDE Connect discovery and transport protocol improvements” that received a grant from the NLnet foundation as part of the NGI Assure fund. This grant will allow me to work full time in KDE Connect, with the goal of updating the protocol and apps to modern standards.

Below are the 3 main areas that will improve thanks to this and become KDE Connect 2.0 (even though some changes will show up sooner, because we release early, release often).

Reliability

The strength of KDE Connect (compared to some of the non-free alternatives that popped up in these last 10 years) is that KDE Connect only uses your local network for communication and doesn’t need intermediary servers in “the cloud“. This adds a challenge: devices running KDE Connect have to discover each other in the network before they can talk to each other.

Discovery is possible in the current protocol using UDP broadcasts, but the state of the art nowadays is to use multicast DNS (mDNS) instead, which is more reliable and less often blocked by the network configuration. We wanted (and tried) to adopt mDNS for a while, but it was a a bigger endeavour than what we could tackle.

By focussing full time on this, my goal is to implement an mDNS backend for KDE Connect on all supported platforms (Linux, Windows, MacOS, Android and iOS) before fall this year. Wish me luck!

Security

Before Android 5, only TLSv1 and a limited set of cipher suites could be used. We always try to stay compatible with old devices and to fight the programmed obsolescence that plagues modern technology, but that meant keeping the KDE Connect protocol compatible with insecure encryption protocols.

Starting with KDE Connect v1.22 for Android, we now require Android 5 or later so we can drop compatibility with insecure encryption in all the KDE Connect implementations (and not only Android). In addition to that, we are reviewing and updating the dependencies we bundle as part of the app to make sure we have the latest security patches.

Later this year, and also thanks to NLnet, we will get a security audit by Radically Open Security. This will be the second time KDE Connect is audited, after the openSUSE security team did so in 2020.

Accessibility

We recently adopted Material 3 in the Android app (thanks Dmitry Yudin for doing most of the work!) and KDE as a whole is getting ready to migrate our desktop apps to Qt6. These times are a perfect opportunity to review the accessibility of our user interfaces, and for that NLnet is helping us get an accessibility audit by the HAN University also later this year.

All in all, exciting times for the KDE Connect project! Stay tuned for future updates :)

Testing various functionalities of Tokodon’s Main Timeline.

This is a continuation of my previous blog post where I shared my mid-journey experience while being a Season of KDE mentee.

Week 7-8:

These weeks were spent testing interaction buttons and different types of statuses.

My first task was to write a test for boost, favourite, and bookmark interaction buttons in Tokodon to see if they worked as intended. For this, I identified the behaviour of different buttons using accerciser and then added the missing accessibility description for the respective buttons. I then wrote an appium test as part of TimelineTest to assert if the buttons worked as intended.

Next was testing the different types of statuses, Tokodon has support for two types of statuses normal and spoiler status, spoiler status is just a normal status with a spoiler text and an option to hide or unhide the spoiler text. To check whether the status had a spoiler, I checked if the length of the spoiler text is equal to zero (root.spoilerText.length == 0) if the conditional gave a True value, I assigned the accessibility description(Accessible.description) as Normal Status else a Spoiler Status. The final code for setting the accessibility description was Accessible.description: root.spoilerText.length == 0 ? i18n("Normal Status") : i18n("Spoiler Status");, which I then verified using accerciser if it pointed to the correct place. Once I had the accessibility description set for the respective status, I expanded the TimelineTest to include a new test for asserting the accessible description of the statuses in the Main Timeline, We consider the test as passed if we find the two status types.

Week 9-10:

These weeks were spent fixing the build errors after rebase and checking different types of media-attachments in timelinetest.

My mentor Carl Schwan helped me rebase work/sok/offline-tokodon to the latest master so that I could work on the latest changes, which led Tokodon to stop building due to some build and dependencies error, so the subsequent week was spent on fixing various errors which I tackled by comparing the work/sok/offline-tokodon branch with the master branch and with previous commits, my mentor Carl was always available to give me clues whenever I felt stuck.

Once all the build errors were fixed and Tokodon was able to build successfully, I worked on adding tests for testing different types of media attachments on statuses, for which I referred to mastodon’s documentation to see what response is received while requesting different kinds of media attachment, which I then integrated into the already present statuses.json file, after which I was successful in displaying different kinds of media attachment.

Once all the different types of media attachments were visible, I expanded the TimelineTest test to include testing of media attachments by asserting whether the different types of media attachments were visible.

The final TimelineTest after implementing the above tasks can be seen in the gif below.

This is a call for people out there to help us test the major version upgrades on Fedora KDE via Discover.

In short: no more Dnf System Upgrade for us!

A bit of context/history: for those of you who follow Nate’s blog you might already know what I am talking about. Thanks to the awesome work done by aleasto on this MR, we closed this bug.

There are, of course, a few quirks to solve but essentially it works.

The @kdesig team has enabled a COPR repository for those who want to help us test the upgrades from F37 to F38.

BIG FAT WARNING: Fedora 38 is still in BETA

I will now explain shorty what are the steps you need to follow to perform the upgrade via Discover:

First enable our COPR:

Now open Discover, go to the Update tab, click on Refresh and eventually on Update All:

Click on Restart Now to trigger the installation of our patched discover

Once you reboot, open Discover again and after a few seconds click on Upgrade to Fedora Linux 38:

Switch to the Update tab and wait until the progress bar finishes. Finally click on Update All:

Now be patient as many packages will need to be downloaded. When it finishes, you will be asked for your password:

Important note: there is a known bug which might trigger an error message at this point. If you see it, don’t panic, just close the message and click on Update All again. This time everything should work.

Time to Reboot, grab a coffee and after a few minutes… you shall boot into Fedora 38!!!

Please try it out and give us feedback on our Matrix room

Looking forward to your feedback!

It’s been a month since my first post about my work as KDE Software Platform Engineer, so let’s have a look at what I have been doing since then.

The scope of what falls under “Software Platform” work is arguably quite wide. I like to describe it as “Taking care of everything needed so that people can build and enjoy awesome software”. Of course that often means hacking on source code, but that is by no means the only thing I do. A significant part of what I do is talking to other people, discussing ideas, reviewing code, making architecture decisions, documenting things, triaging bugreports, and just generally being useful to others. A lot of this work is strategic in nature and the benefits will only show in the long term, but some short-term improvements happend this month also.

My main area of focus was working on polishing the Plasma 6 and Frameworks 6 stability. This means staying on top of things that happen throughout the stack as well as squashing remaining issues. As a result several more projects now have CI builds against the latest development branches of frameworks. Furthermore, I fixed several places where coexistence of Qt5/KF5-based and Qt6/KF6-based software was causing issues.

Qt is an vital part of our software stack, so an important part of being KDE Software Platform Engineer is being involved in its development. Last month I submitted a patch to Qt, fixing a build issues affecting our code. Besides that I have also reported some bugs that were affecting KDE and participated in code review. Another important piece of our stack is our Qt5 Patch Collection that collects bugfix patches for Qt5. I contributed two such patches by backporting them from upstream.

In terms of documentation I have published two blog posts recently. The first explains how to build the development version of Plasma using kdesrc-build. While doing that I have also fixed some related issues in kdesrc-build to make sure building things is as smooth as possible. The second one is explaining some technical details about how theming and platform integration works in Qt/KDE apps. I hope this helps with some of the discussions around this topic that are coming up once in a while.

Besides these “Bigger Picture” topics I have also worked on some concrete enhancements for KDE software. With a series of changes various system windows no longer display an internal and technical application name like “Portal” or “KDE Daemon” in their window title. I have also restored the ability to configure the time interval for determining whether two mouse clicks should be interpreted as a double click. This was present in the legacy mouse settings, but got lost in the transition to libinput. Another thing that got improved was the VPN support in our network settings. When importing a VPN configuration fails Plasma now shows the relevant error message, giving you at least some indication about what’s wrong. Futhermore I fixed a crash when importing VPN configurations when the relevant NetworkManager plugin is missing.

Another area I was working on is our powermanagement settings. Currently they are quite complex, both in terms of UX and implementation. We are working on improving this, which involves quite a bit of technical ground work.

A month from now the Plasma team will meet in Augsburg, Germany for the first in-person Plasma Sprint since 2019. I have been planning and organizing this event. This will be an important opportunity to plan for an awesome Plasma future. However, such meetings are not cheap, so please consider donating to KDE e.V. to support it.

Commit: https://invent.kde.org/qt/qt/qt5/-/commit/4c0d35b0991216766ca301de205599d1daa72057

Commercial release announcement: https://www.qt.io/blog/commercial-lts-qt-5.15.9-released

OpenSource release announcement: https://lists.qt-project.org/pipermail/announce/2023-April/000406.html

As usual I want to personally extend my gratitude to the Commercial users of Qt for beta testing Qt 5.15.9 for the rest of us.

The Commercial Qt 5.15.9 release introduced one bug that have later been fixed. Thanks to that, our Patchset Collection has been able to incorporate the fix for the issue [1] and the Free Software users will never be affected by it! 

Let’s go for my web review for the week 2023-14.

If we lose the Internet Archive, we’re screwed – The Statesman

Tags: tech, copyright, law, history

This lawsuit and the first ruling are indeed very concerning. Let’s hope we keep the Internet Archive alive, their work is invaluable.

https://www.sbstatesman.com/2023/04/04/if-we-lose-the-internet-archive-were-screwed/

Chrome ships WebGPU - Chrome Developers

Tags: tech, gpu, 3d, browser, web

This is a big milestone for 3D and computation on GPUs from the browser. I suspect it will have interesting security implications though, we’ll see.

https://developer.chrome.com/blog/webgpu-release/

Safari releases are development hell - Ashley’s blog

Tags: tech, apple, web, criticism

This ecosystem suffers from the same warts and doesn’t seem to make any progress… lack of transparency, “we know better” mentality, tight coupling, lack of communication. This is especially problematic for something like a browser.

https://www.construct.net/en/blogs/ashleys-blog-2/safari-releases-development-1616

Saying Goodbye to GitHub | Ersei ‘n Stuff

Tags: tech, github, ethics, gpt

Good reasons to leave indeed. Better host your projects somewhere else.

https://ersei.net/en/blog/bye-bye-github

Own Your Work | Jose M.

Tags: tech, self-hosting

Indeed, it’s important. You should own your content, you can eventually syndicate on trendy platforms but keep your own base for your own content.

https://josem.co/own-your-work/

Catch-23: The New C Standard Sets the World on Fire - ACM Queue

Tags: tech, c, c++, standard, criticism

This is a very concerning for C… and it drifts apart from C++ further. The old “C as a subset of C++” position is less and less valid. Very unfortunate.

https://queue.acm.org/detail.cfm?id=3588242

C++17 creates a practical use of the backward array index operator - The Old New Thing

Tags: tech, c++, programming, funny

Well, this is a bit obscure but we have to know it’s there somehow. Better not rely on it too much though.

https://devblogs.microsoft.com/oldnewthing/20230403-00/?p=108005

mockneat home - mockneat

Tags: tech, java, tests

Looks like a nice Faker alternative for Java projects. Turns out I was looking for something like that.

https://www.mockneat.com/

Writing a Fast C# Code-Search Tool in Rust — John Austin

Tags: tech, parsing, static-analyzer, rust

Really nice little tool, this is indeed surprising how little code is needed for something like this. Treesitter is definitely a huge help there.

https://johnaustin.io/articles/2022/blazing-fast-structural-search-for-c-sharp-in-rust

Slint 1.0: The Next-Generation Native GUI Toolkit Matures — Slint Blog

Tags: tech, rust, gui

Very nice milestone and interesting tech for sure. Congrats to them!

https://slint-ui.com/blog/announcing-slint-1.0.html

GraphQL: From Excitement to Deception | by Raphael Moutard | Mar, 2023 | Better Programming

Tags: tech, graphql, api, web

Nice balanced post on the pros and cons of GraphQL.

https://betterprogramming.pub/graphql-from-excitement-to-deception-f81f7c95b7cf

Is your Postgres ready for production?

Tags: tech, production, databases, postgresql

A sound list of advises, applicable to most database systems of course.

https://www.crunchydata.com/blog/is-your-postgres-ready-for-production

Pipes-and-Filters - ModernesCpp.com

Tags: tech, design, architecture, pattern, c++

A nice pattern to know and master in my opinion. At least I turn to it on a regular basis.

https://www.modernescpp.com/index.php/pipes-and-filters

Polars for initial data analysis, Polars for production

Tags: tech, data-science, pandas, polars, performance

Polars really looks like a nice alternative to Pandas with a nice upgrade path from data exploration to production.

https://pythonspeed.com/articles/polars-exploratory-data-analysis-vs-production/

Datapane - Build data products in 100% Python

Tags: tech, python, data-visualization

Looks like an interesting new building block to publish data visualizations.

https://datapane.com/

An On-Ramp to Flow

Tags: tech, programming, productivity

I definitely used this trick from time to time. In the right context it definitely work. Leaving some easy mess on purpose is a good way to get back into a task the next day.

https://census.dev/blog/an-on-ramp-to-flow

Follow-ups to “Incompetent but Nice” - Jacob Kaplan-Moss

Tags: management

Lots of nice advices in the followups. The previous article clearly lead to a good conversation around it.

https://jacobian.org/2023/mar/31/incompetent-but-nice-follow-ups/

Bye for now!

Flatpaks are amazing and all that. But application sandboxing, so an application cannot do anything it wants, is a challenge - even more so when you have two applications that need to talk to each other. Perhaps it shouldn’t come as a surprise that native-messaging sandboxing support for Flatpak has been in development for over a year. To celebrate its anniversary I thought I’d write down how to drill a native-messaging sized hole into the sandbox. This enables the use of native messaging even without portal integration, albeit also without sane degrees of sandboxing.

First off, please understand that this undermines the sandbox on a fairly fundamental level. So, don’t do this if you don’t keep your Firefox updated or visit particularly dodgy websites.

For the purposes of this post I’m assuming Firefox and KeePassXC are installed as Flatpaks in user scope.

First order of business is setting up KeePassXC so it writes its definition file in a place where Firefox can read it. Fortunately it has a setting for this:

~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/ is the path inside Firefox’ home where the defintion file will be written. Naturally we’ll also need to adjust the Flatpak permissions so KeePassXC can write to this path.

flatpak override --user --filesystem=~/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts org.keepassxc.KeePassXC

At this point Firefox knows about the native messaging host but it won’t be able to run it. Alas. We need some rigging here. The problem is that Firefox can’t simply flatpak run the native messaging host, it needs to spawn a host process (i.e. a process outside its sandbox) to then run the KeePassXC Flatpak and that then runs the NMH.

Fortunately the NMH definition files are fairly straight forward:

{"allowed_extensions":["keepassxc-browser@keepassxc.org"],
"description":"KeePassXC integration with native messaging support",
"name":"org.keepassxc.keepassxc_browser",
"path":"/home/me/.local/share/flatpak/exports/bin/org.keepassxc.KeePassXC",
"type":"stdio"}

The problem of course is that we cannot directly use that Flatpak bin but need the extra spawn step in between. What we need is a way to manipulate the definition file such that we can switch in a different path. systemd to the rescue!

systemctl edit --user --full --force keepassxc-native-messaging-mangler.path

# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
# SPDX-FileCopyrightText: 2023 Harald Sitter <sitter@kde.org>

[Path]
PathChanged=/home/me/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json

[Install]
WantedBy=default.target

and the associated service file…

systemctl edit --user --full --force keepassxc-native-messaging-mangler.service

# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
# SPDX-FileCopyrightText: 2023 Harald Sitter <sitter@kde.org>

[Unit]
Description=keepassxc mangler

[Service]
ExecStart=/home/me/keepassxc-native-messaging-mangler

lastly, enable the path unit.

systemctl --user enable --now keepassxc-native-messaging-mangler.path

Alright, there’s some stuff to unpack here. KeePassXC on startup writes the aforementioned definition file into Firefox’ NMH path. What we do with the help of systemd is monitor the file for changes and whenever it changes we’ll trigger our service, the service runs a mangler to modify the file so we can run another command instead. It’s basically an inotify watch.

Here’s the mangler (~/keepassxc-native-messaging-mangler):

#!/usr/bin/env ruby
# frozen_string_literal: true

# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
# SPDX-FileCopyrightText: 2023 Harald Sitter <sitter@kde.org>

require 'json'

file = "#{Dir.home}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json"
blob = JSON.parse(File.read(file))
blob['path'] = "#{Dir.home}/Downloads/keepassxc"
File.write(file, JSON.generate(blob))

It simply replaces the path of the executable with a wrapper script. Here’s the wrapper script (~/Downloads/keepassxc):

#!/bin/sh

# SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only OR LicenseRef-KDE-Accepted-GPL
# SPDX-FileCopyrightText: 2023 Harald Sitter <sitter@kde.org>

exec /usr/bin/flatpak-spawn --host --watch-bus "$HOME/.local/share/flatpak/exports/bin/org.keepassxc.KeePassXC" "$@"

flatpak-spawn is a special command that allows us to spawn processes outside the sandbox. To gain access we’ll have to allow Firefox to talk with the org.freedesktop.Flatpak DBus session service.

flatpak override --user --talk-name=org.freedesktop.Flatpak org.mozilla.firefox

And that’s it!

➡️ KeePassXC writes its NMH definition to Flatpak specific path ➡️ systemd acts on changes and starts mangler ➡️ mangler changes the path inside the definition to our wrapper ➡️ Firefox reads the definition and calls our wrapper ➡️ wrapper flatpak-spawns KeePassXC flatpak ➡️ Firefox (flatpak) talks to KeePassXC (flatpak)