How Desktop Grid brought back SystemSettings

One of my personal adjustments to KWin is using the top right screen edge as a trigger for the Desktop Grid effect. With the switch to KWin on 5 this hasn’t worked for me any more as we don’t have code in place to transfer the old configuration to the new system.

Last week I had enough of it. It was breaking my workflow. So I had to do something about it and had the following possible options:

  • Change the default: bad idea as we don’t want to use the upper right corner as that’s where maximized windows have their close button
  • Carry a patch to change the default on my system: bad idea as that breaks my git workflow
  • Just change the value in kwinrc
  • Bring back the configuration module

As I considered just modifying the config value in kwinrc as not a durable solution I decided to go for bringing back the configuration module (KCM).

After a little bit of hacking and facing the problem that it used some not-yet ported library inside kde-workspace I got the code compiled and installed. But when I started it using kcmshell5 from kde-runtime I hit an assert.

So either my code was broken or kcmshell5. I didn’t really want to investigate the issue of the assert and decided to try the most obvious thing to me: use another implementation to test the kcm. And so I started to port systemsettings.

After about one hour of work I had systemsettings compiled, linked and installed and could start it, but alas my KCM was still hitting an assert. So what to do? Is it my KCM or is something more fundamentally broken which needs fixing in a different layer? How to test? I still didn’t want to investigate, so I started to port a few very simple KCMs from kde-workspace as systemsettings is at the moment still rather empty. And look there, they worked in both kcmshell5 and in systemsettings.

So I started to port another KWin module and that one also hit the same assert. After some discussion on IRC with Marco I learnt that he also hit the same assert in another KCM which means that there was a pattern. And finally I started to investigate. Very soon I had a testcase with a slightly reduced KCM which I could get to hit the assert with adding one additional element to the ui file. A good start to find a workaround and now my KCM loads in systemsettings and I have my screenedge back:

Screenshot is featuring both systemsettings and KWin using Qt 5 and KDE Frameworks 5!

Now all I need to do is to extract my minimum “make it crash” code as a testcase and submit a bug report to Qt.

kde-workspace: frameworks-scratch is dead, long live master

This is a public service announcement: the frameworks-scratch branch in kde-workspace is no more and has been merged into master. This means master depends on Qt 5 and KDE Frameworks 5!

If you used to build from master you will need these dependencies now. In case you don’t have Qt 5 or KF 5, it will obviously end in a CMake error. Please be aware that kde-workspace on Qt 5 is still pre-alpha quality and probably not suited for everyday usage. If you used to build kde-workspace from master for everyday usage, you want to switch to KDE/4.11 branch, which is kept alive for a longer time.

We are sorry for any inconvenience this change might cause you. Happy Hacking!

Generating test coverage for a framework

Over the last week I was trying to add unit tests to some rather old piece of code in frameworks. Of course I wanted to know how good this test is and looked into how one can generate test coverage for our tests. As I consider this as rather useful I thought to share the steps.

For generating the test coverage I used gcov which is part of gcc. So nothing to do there. As a frontend I decided on lcov as that can generate some nice HTML views. On Debian-based systems it is provided by the package lcov.

Let’s assume that we have a standard framework with:

  • framework/autotests
  • framework/src
  • framework/tests

The first step to enable test coverage is to modify the CMakeLists.txt. There is the possibility to switch to CMAKE_BUILD_TYPE “Coverage”, but that would require building all of frameworks with it. Interesting for the CI system, but maybe not for just developing one unit test.

In your framework toplevel CMakeLists.txt add the following definition:

add_definitions(-fprofile-arcs -ftest-coverage)

And also adjust the linking of each of your targets:

target_link_libraries(targetName -fprofile-arcs -ftest-coverage)

Remember to not commit those changes ;-)

Now recompile the framework, go to the build directory of your framework and run:

make test

This generates the basic coverage data which you can now process with lcov run from your build directory:

lcov --capture --directory ./ --output-file coverage.info

And last step is to generate the html output:

genhtml coverage.info --output-directory /path/to/generated/pages

Open your favorite web browser and load index.html in the specified path and enjoy.
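
An added example, not from the original post: a small shell helper that reads the coverage.info tracefile written by the lcov --capture step above and reports line coverage only for files under framework/src, because a capture over the whole build directory can also contain records for the autotests and for headers outside the framework. The function names, the sample paths and the sample tracefile are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: summarise line coverage from an lcov tracefile (coverage.info).
# An lcov tracefile consists of records like:
#   SF:<absolute path of source file>
#   DA:<line number>,<execution count>
#   end_of_record

# coverage_by_file TRACEFILE PATTERN
# Prints "<percent> <hit>/<found> <path>" for every source file whose path
# contains PATTERN (for example "/src/"), counted from the DA: records.
coverage_by_file() {
    awk -v pat="$2" '
        /^SF:/ {
            file = substr($0, 4)
            keep = (index(file, pat) > 0)
            found = 0; hit = 0
            next
        }
        /^DA:/ && keep {
            split(substr($0, 4), f, ",")
            found++
            if (f[2] + 0 > 0) hit++
            next
        }
        /^end_of_record/ {
            if (keep && found > 0)
                printf "%.1f %d/%d %s\n", 100 * hit / found, hit, found, file
            keep = 0
        }
    ' "$1"
}

# total_coverage TRACEFILE PATTERN
# Prints the overall line coverage percentage of the matching files.
total_coverage() {
    coverage_by_file "$1" "$2" | awk '
        { split($2, n, "/"); hit += n[1]; found += n[2] }
        END {
            if (found > 0) printf "%.1f\n", 100 * hit / found
            else print "0.0"
        }
    '
}

# write_sample_tracefile PATH
# Writes a constructed tracefile (not real measurement data) with two files
# in src/, one autotest and one system header.
write_sample_tracefile() {
    cat > "$1" <<'EOF'
TN:
SF:/home/dev/framework/src/widget.cpp
DA:10,4
DA:11,4
DA:12,0
DA:15,2
LF:4
LH:3
end_of_record
TN:
SF:/home/dev/framework/src/helper.cpp
DA:5,0
DA:6,0
LF:2
LH:0
end_of_record
TN:
SF:/home/dev/framework/autotests/widgettest.cpp
DA:20,1
DA:21,1
LF:2
LH:2
end_of_record
TN:
SF:/usr/include/c++/bits/stl_vector.h
DA:100,7
LF:1
LH:1
end_of_record
EOF
}

# When called with a tracefile argument, print the per-file table and total.
if [ "$#" -ge 1 ]; then
    coverage_by_file "$1" "${2:-/src/}"
    echo "total: $(total_coverage "$1" "${2:-/src/}")%"
fi
```

Saved as a script, it takes the path to coverage.info as its first argument and an optional path fragment (default /src/) as its second.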

Generating a private key I can trust

Given last week’s news about the state of cryptography and the influence of the NSA on standards I decided to enter paranoid/tinfoil-hat mode. The result is that I no longer consider my asymmetric keys as long enough. So I need to regenerate them. This should be an easy task, but I’m in paranoid mode.

The big problem is “can I trust my systems to generate a safe key”? I decided no, I cannot. Not without investing some time. Normally I would trust my distribution, but I had once to regenerate my SSH key because they got random numbers wrong:
Random Number by Randall Munroe (Creative Commons Attribution-NonCommercial 2.5 License)

So whom do I actually trust? This list is short: the Linux kernel (Linus tree) and FSF/GNU.

Whom do I not trust? That gets more complicated. First of all I do not trust any hardware. It’s impossible to verify that the hardware doesn’t have a backdoor and randomness looks random even if tampered with.

Of course I do not trust the US and any US-based company or company which has interactions with the US. As we had to learn the NSA is putting backdoors into products of US companies and the companies are not allowed to talk about it. This means I do not trust the Linux kernel of any distribution placed in the US or relations with the US. Obviously I extend this on all distributions of companies based in other spy countries (e.g. Five Eyes). This makes the list rather short.

I also do not trust binaries as there is no way to ensure that the binary reflects the source code of the package[1]. This further reduces the list. I’m basically left with Linux From Scratch or Gentoo – two distributions I do not have any experience with. Or use a binary distribution and create the required packages by myself (Linux kernel, GPG). Obviously there is still the risk of a tampered compiler but I consider this risk as rather academic.

Last but not least I do not trust my systems and myself. If I keep the key on the hard disk the security is basically reduced to the strength of the chosen passphrase. Hard disk encryption can add some security to it, but I prefer to have my system in suspend so the key might be in memory and there is always the risk of cold boot attacks. In summary I do not think that hard disk encryption is a solution for protecting the key. Also there is always the risk of an application attacking the system. Getting passphrase through an X11 keyboard logger is unfortunately trivial.

A solution to this problem is getting the key on an external dedicated device. But this is of course conflicting with my “I do not trust hardware” requirement. If hardware random number generators are involved in creating the keys or doing the encryption this would be problematic.

The requirement would therefore be a hardware device which keeps the key secure but does not generate it and is not involved in the session encryption. Today I ordered an OpenPGP Smartcard. This fulfills most of my requirements. It’s trusted by FSFE (Fellowship card), developed by a company which also develops GnuPG and is Germany based. Still I do not trust hardware, but one can upload an externally created key.

So sometime soon I will blog the public key of my new key pair.

[1] I am aware that bitcoin is experimenting in that direction. But this doesn’t help me with the problem to verify the Linux kernel.

Next step: dogfooding

Almost a month since my last blog post. And of course lots of work in KWin in the frameworks-scratch branch since then – about 160 commits. Today I finally reached the next milestone: dogfooding. I dared to replace the KWin of my working session by the new version based on Qt 5 and it’s useable. Of course it’s not yet in a fully functional state, but there’s still quite some time till our release and being able to dogfood will make the work much easier as I can see the regressions better than in the restricted Xephyr session.

The main remaining problem I was facing were regressions in the window decoration. The problem was that once you resized a window, the decoration was broken. I spent quite some time in the debugger to figure out what is going wrong. As Qt switched from XLib to XCB some of the assumptions inside KWin didn’t hold anymore. These were fun debug sessions. In the end a one line change after each window resize step fixed this issue.

With that done the most important functionality is present. I would share a screenshot, but it doesn’t make much sense as there is visually no difference to notice at all. Hugo did an awesome job with Oxygen and that means everything looks the same.

As compositor I’m currently using the OpenGL 2 on egl backend as the glx one is rather broken. I haven’t investigated yet and won’t do anytime soon. So if you want to test better use the environment variable to force to egl or just fix it ;-) I still hope that egl drivers will be present in all major driver implementations till our next release and that would allow to just drop the glx backend.

Of course there is still lots of work needed and your help is always appreciated. And of course there is the chance to get a sneak preview and a development setup by using for example Project Neon.

KWin enters the world of QtQuick 2

Since my last blog post there has been lots of progress on the KWin on 5 effort. First of all a big thank you to everybody who has picked up some of the tasks on the trello board. Thanks to that the compile output is starting to look better and better – the number of deprecated warnings is starting to go down and by that also some areas are closer to be working again.

Talking of working again: the important changes are merged into Qt with the result that KWin from frameworks-scratch branch starts again. One should still be careful and not replace the KWin 4 – the most important steps are outlined in the wiki.

Lately my work focused on porting from QtQuick 1 to QtQuick 2. This is a change which needs to happen as all our user interfaces are using Plasma Components which do not exist for QtQuick 1 anymore in the frameworks 5 world. Of course we also want to make use of the new goodies of QtQuick 2 :-)

This required not only to adjust our QML files, but also to change the C++ side from QtDeclarative to QtQuick. I was a little bit afraid of these changes as our window thumbnail rendering used quite some hacks around the underlying QGraphicsScene to make it work. My fear was that this won’t be possible with QtQuick 2 anymore.

To my surprise I was even able to remove a large part of our hacks because QtQuick 2 exposes information which we need and which isn’t exposed in the old world. Other parts are still hacky and I fear that we even have some regressions concerning clipping.

Our QtScript and QML bindings shared a lot of code as both are based on QScriptEngine. With QtQuick 2 it’s no longer based on the QScriptEngine and by that our implementations start to diverge. As far as my testing showed we can no longer inject properties on the JavaScript global object in the QtQuick bindings which means that our API slightly breaks and cannot be identical to the QtScript API any more.

While this is of course a disadvantage it also brings advantages as I am forced to implement proper QML replacements. For example interaction with a screen edge can now be done in a nice QML syntax:

ScreenEdgeItem {
    edge: ScreenEdgeItem.LeftEdge
    onActivated: doSomething()
}

Right now all usages of QtQuick in KWin core and KWin effects have been ported to QtQuick 2. Still remaining is Aurorae – this needs some more work as the window decoration API needs adjustments anyway given that right now rendering of decorations in non-compositing is broken.

FLOSS after Prism: Anonymity by default

In my last blog post I discussed that we have to protect the user’s privacy better by giving the user the choice to decide which data gets submitted to services. In this blog post I want to share some thoughts about the case that the data is submitted and how to protect the user in such a case.

There are of course many legit online communications done by our systems. They should check for security updates, a weather applet might want to check the latest weather for the place you live in and so on and on. While this is obviously data the user wants to be submitted, the process of submitting the data is concerning from a privacy point of view. While it is in fact just meta data, it is telling a lot about the person.

Let’s just look at system updates and what they tell us:

  • Unique identification of the user through IPv6
  • Location of the user through the IP address
  • Identification of the used operating system (e.g. asking debian for updates implies you use Debian)
  • Interval in which the system is used (e.g. daily updates)

This is a rather threatening set of data especially if I think about that some proprietary software installed additional sources.list entries on my system (Google and Steam) without ever asking me.

But there is an easy way to protect the user’s privacy in such cases through anonymity. With the help of the Tor project it is possible to completely hide the information listed above. If the user cannot be uniquely identified any more, the information which can be derived from that gets lost. And that is a good thing.

Of course any user could just install Tor. But let’s face it: it’s difficult and complex and the user needs to know that Tor exists in the first place. It’s a nice solution for informed people like me, but certainly not for the vast majority of people for whom we develop free software.

So it is up to us to improve the situation. Why not integrate Tor (or similar services) directly in our products? For data like the weather applet it could just send all requests through Tor and by that help to protect the users. Yes it requires more work from us developers, but in the end we are the only ones who really can decide whether it’s useful to use Tor for a given service or not. Let’s face it: for a Facebook status update applet using Tor is rather pointless. So let’s use anonymity where it is possible, where it makes sense and let’s integrate this information into the privacy center I proposed in my last blog post.

FLOSS after Prism: Privacy by Default

The disclosures by Edward Snowden will have a huge impact on our society and by that also on free software. I do not think that we can continue as we used to do, but that we have to adjust our software to fit the new reality, to make our software a true opponent to the surveillance state we live in and to return to 1983.

I have been thinking about what floss can do to protect the people and I want to share my thoughts in a few blog posts. Today, with this first blog post, I want to talk about the fifth freedom:

“The freedom to decide which data is sent to which service”.

As we all know free software offers us the four freedoms. Those are important but they cannot protect the user’s privacy. Unfortunately there is free software out there, which is violating the above fifth freedom. There is software out there which is able to track you, there is software out there which sends all your local search queries to third parties like Amazon, there is software out there which allows to turn your smartphone into a surveillance utility. Thanks to the four freedoms we are able to see that software is doing this but the user has no chance to change it. Yes the four freedoms allow a user to modify the source code, but in practice a user normally cannot do that. Even users who are skilled can only protest.

I know that many users think that it doesn’t matter, because they have “nothing to hide”. But I disagree – I have lots to hide and I am sure that everyone has things to hide. And even if it is not about our private life there are lots of occupations with privacy being a central part. Yes, it’s the job of a lawyer to hide. If a lawyer is not able to use floss software because he cannot even open a client’s file without Amazon and any connected third party (e.g. Tempora) knowing about it, this is a clear violation of the first freedom which forbids discrimination of users.

Given that we have the above fifth freedom which is directly derived from the four freedoms and highly inspired by Germany’s right for informational self-determination:

… in the context of modern data processing, the protection of the individual against unlimited collection, storage, use and disclosure of his/her personal data is encompassed by the general personal rights of the [German Constitution]. This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data.

With informational self-determination every user has to be always aware of which data is sent to where. By default no application may send data to any service without the user’s consent. Of course it doesn’t make sense to ask the user each time a software wants to connect to the Internet. We need to find a balance between a good usability and still protecting the most important private data.

Therefore I suggest that the FLOSS community designs a new specification which applications can use to tell in machine readable way with which services they interact and which data is submitted to the service. Also such a specification should include ways on how users can easily tell that they don’t want to use this service any more.

With this information provided applications can start to add first run information to tell the users how they interact with services and how the users can configure this.

Furthermore a complete database of all the services would allow to introduce a privacy center directly in the user’s desktop. A center listing all the applications which interact with remote services, a center where the user can directly disable certain services.

Of course there is still one problem: how to force applications to make use of it and to provide all the data. Such a center becomes useless if some applications do not implement it, because they think their users are a product which they need to sell. But this is a social problem and we cannot solve social problems with technical merits. If a FLOSS product is violating the user’s privacy we all have to call out and convince the project that this is a bad idea. It’s up to the users to not use software which is violating the user’s privacy and by that force the project to change.

Update: See also the follow-up post FLOSS after Prism: Anonymity by default

Thoughts about Internet Surveillance

This blog post is not directly KDE related, but is about freedom in the broader scope. Obviously like all my blog posts this post only represents my personal opinion and not of any organization I am a member of.

Privacy has a long tradition in modern Germany. In 1983 the German government wanted to organize a census and drafted a law for this census. People protested against this law in front of Germany’s highest court Bundesverfassungsgericht (“federal constitutional court”). The court did not only stop the census but went much further and did something which has never happened before in German history: the court created a new civil right directly derived from the other civil rights. The civil right on “informationelle Selbstbestimmung” (“informational self-determination”). I quote verbatim the new civil right directly from the verdict:

Das Grundrecht gewährleistet insoweit die Befugnis des Einzelnen, grundsätzlich selbst über die Preisgabe und Verwendung seiner persönlichen Daten zu bestimmen. (in English: “This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data.”)

Furthermore I want to quote one part of the verdict as it’s rather important in the current discussion about governmental surveillance:

Wer nicht mit hinreichender Sicherheit überschauen kann, welche ihn betreffende Informationen in bestimmten Bereichen seiner sozialen Umwelt bekannt sind, und wer das Wissen möglicher Kommunikationspartner nicht einigermaßen abzuschätzen vermag, kann in seiner Freiheit wesentlich gehemmt werden, aus eigener Selbstbestimmung zu planen oder zu entscheiden. Mit dem Recht auf informationelle Selbstbestimmung wären eine Gesellschaftsordnung und eine diese ermöglichende Rechtsordnung nicht vereinbar, in der Bürger nicht mehr wissen können, wer was wann und bei welcher Gelegenheit über sie weiß. Wer unsicher ist, ob abweichende Verhaltensweisen jederzeit notiert und als Information dauerhaft gespeichert, verwendet oder weitergegeben werden, wird versuchen, nicht durch solche Verhaltensweisen aufzufallen. Wer damit rechnet, daß etwa die Teilnahme an einer Versammlung oder einer Bürgerinitiative behördlich registriert wird und daß ihm dadurch Risiken entstehen können, wird möglicherweise auf eine Ausübung seiner entsprechenden Grundrechte (Art 8, 9 GG) verzichten. Dies würde nicht nur die individuellen Entfaltungschancen des Einzelnen beeinträchtigen, sondern auch das Gemeinwohl, weil Selbstbestimmung eine elementare Funktionsbedingung eines auf Handlungsfähigkeit und Mitwirkungsfähigkeit seiner Bürger begründeten freiheitlichen demokratischen Gemeinwesens ist.

I am sorry that I cannot translate this into English. To paraphrase it says that if you don’t know who has which data and whether the government will gather data about you, you will stop to do certain actions and you will no longer go to demonstrations for example – it describes the chilling effect. The court acknowledges that this renders a high threat for overall democracy. To put it in the context of our current global surveillance situation: I did consider whether it is safe to click links to the guardian as I can be sure that this will be registered and by that I render the risk that I might not be allowed to enter the US the next time I want to travel to the US.

Although this civil right never entered the “Grundgesetz” (Basic Laws – the German “constitution”) it is very important and clearly influenced the German society over the last three decades. For example if you sign up to a new service you always have to sign a privacy policy telling you how the service is going to make use of your private data. You always have to opt-in to newsletters, etc. – it’s never an opt-out. My major during my studies was IT security and this was not just about how to protect data, it was also about how to protect the privacy of your users. The main idea is that you don’t gather private data you don’t need in the first place (“Datensparsamkeit” and “Datenvermeidung” – “data reduction and data economy”). During my studies we once had a lecture in which the (non German) tutor wanted us to implement an e-shop which tracks where the user clicked and store it per user. The complete class protested because that would violate the user’s right of informational self-determination.

To make another bridge to the current surveillance discussion I want to fast forward to the year 2010 and again the Bundesverfassungsgericht has an important role. Germany had established as demanded by the European Union a data retention system which stored for half a year meta data about telephone calls and internet communications (IP addresses, email headers, etc.). As it’s rather obvious this conflicts with the right for informational self-determination and people protested against this law at the Bundesverfassungsgericht. For the first time it was not just one or a few persons but 34,939 people protested against this law in front of Germany’s highest court. The reader of this blog post might not be surprised that I was one of those. The verdict was very clear: the law is violating Germany’s constitution and is void. The telcos had to delete all data gathered up to this point immediately. In the tradition of the ruling of this court this was a rather strict verdict – normally the government gets some time to improve the law and it only becomes void after some time passed if the government doesn’t improve the law to make it suit the constitution. Although the EU demands that we have the data retention no new law got drafted – after the current NSA scandal, I do not see a chance even after the elections.

Again I want to quote the verdict verbatim:

Die Vorratsdatenspeicherung ermögliche Persönlichkeitsbilder mit einer noch nie dagewesenen Genauigkeit. Die Kommunikationsdaten seien inhaltlich äußerst aussagekräftig. Der Zugriff auf die näheren Umstände der Telekommunikation wiege nicht weniger schwer als der auf den Kommunikationsinhalt. Er ermögliche umfassende Persönlichkeits- und Verhaltensprofile. Verkehrsdaten lieferten eine Vielzahl von Informationen über soziale Beziehungen.

Die Vorratsdatenspeicherung erhöhe außerdem das Risiko, zu Unrecht Ermittlungsmaßnahmen ausgesetzt oder unschuldig verurteilt zu werden, und die Gefahr des Datenmissbrauchs. Verkehrsdaten könnten gezielt gegen missliebige Personen eingesetzt werden und eigneten sich zur Kontrolle von Personen und Gruppierungen ebenso wie zur Wirtschaftsspionage. Nur das Absehen von der Datenspeicherung schütze wirksam vor Missbrauch.

An attempt for translating to English (German readers are encouraged to provide improvements to the translation in the comment section):

Data preservation allows to create a picture about a personality with a precision which has never been possible before. The data about communication is with regards to content very significant. The access to the meta data about communication is not less severe than the direct access to the content of the communication. This access allows to create broad profiles about personality and behaviour. Telecommunication meta data provides lots of information about social relations.

Data retention also creates the risk to wrongly become a suspect of preliminary proceedings and to be innocently convicted as well as the risk of abuse of data. Meta data can be used directly against personas non grata and can be used to control persons and groups as well as be used for economic espionage. Only not storing the data in the first place protects effectively against abuse.

I have huge respect for the wise decisions of our highest court and how they are able to see the dangers of governmental surveillance for the people and the democracy. Also the court appoints great experts like for example the German Chaos Computer Club. One of the experts appointed by the court was the supervisor of my master thesis and I attended a few lectures (e.g. Operating Systems, IT security, IT forensic) at his institute.

The discussion about the verdicts of the Bundesverfassungsgericht needs to include one further verdict from 2008. People protested against a law in the German state North Rhine-Westphalia. This law allowed the secret service of the state to secretly observe the Internet (it sounds quite like what we are currently discussing). Like in 1983 the court did not just dismiss the law but also drafted for the second time a new civil right in its verdict: the civil right for “Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme” (“Warranty for confidentiality and integrity of IT systems”). The court made it quite clear when the government is allowed to do Internet surveillance. There must be an actual evidence for a concrete danger against a protected interest of paramount importance. In other words just saying “but the terrorists” is not a concrete danger to spy on all your people. Also any violation of this civil right must be signed by a judge. The verdict also makes clear that the Internet as such is considered as an IT system and that it is a central part of the life of many citizens.

As you see the protection of private data in the Internet is protected by several civil rights in Germany. Two of them have been crafted by the German constitutional court – so to say the German people had to fight for these rights. I personally consider these rights as to be of paramount importance because we had to earn them first. Also this discussion should show that the German government also tried to limit our rights and to establish Internet surveillance but that we as the people are able to fight against such illegal laws and forbid the state to do so.

I am not willing to surrender and give up these essential freedoms. I do not tolerate that foreign governments are limiting my civil rights in Germany with Internet surveillance in a way or even more severe than what our constitutional court forbid our government – I fought against data retention a few years ago after all. Given the latest discussion it seems like Level 3 Communications is doing the espionage in Germany for the US government (given some reactions by Level 3 it is considered that they already claimed guilty – they do not permit access to foreign governments). This is not just violating our civil rights, it is also forbidden given German penal law. We have the so-called “hacker laws” which forbid to access third party data. While writing this blog post I am listening to radio and the news told me that the German federal prosecutor office is considering to start preliminary proceedings in the case NSA. I do hope that this will end up in convictions against the persons responsible for this in Germany and if possible even in the UK, USA and any other affected state.

I hope that everybody fights for their freedom. We should not tolerate that in the name of terrorism our civil rights are limited. I am not a terrorist and there is no reason to track all my online communication in the fight of terrorism:

They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.

Especially to my readers in UK and USA: fight for our rights. Do not tolerate that your government is spying on people of other countries. We are not second class humans! Help us! Fight for us! Protest against your government! Fight for our freedom, fight for your freedom! Not even 23 years ago part of the German people had to live in an Unrechtsstaat with strong surveillance of the people by the Ministry of State Security. Former members of the Stasi say today that they would have loved to have the capabilities the NSA has today – it’s some food for thoughts. If you want to get a feeling about what surveillance means I highly recommend to watch the excellent Academy Award winning movie The Lives of the Others.