DistroWatch Weekly, Issue 649, 22 February 2016

Feature Story (by Joshua Allen Holm)

A review of Zorin OS 11 Core



Zorin OS is an Ubuntu-based distribution designed to provide a familiar desktop experience to Windows users. Normally, there are four different versions of Zorin OS for each release: Core, Lite, Business, and Ultimate. The Core and Lite versions are free, while the Business and Ultimate versions cost €8.99 and €9.99 respectively. The paid versions come with support and a few extra features. For Zorin OS 11, only Core and Ultimate are available as I write this. For this review, I will be looking at the Core release, but I will touch upon some of the extra features available in the paid versions.



Zorin OS 11 is based on Ubuntu 15.10 and uses version 4.2 of the Linux kernel. Zorin OS 11 Core and Zorin OS 11 Ultimate are both available in 32-bit and 64-bit versions. The 64-bit Zorin OS 11 Core ISO I downloaded for this review was 1.6GB. Version 11 will be supported until July 2016. Users interested in what Zorin OS offers, but in need of a distribution with a longer support period can use Zorin OS 9, which is based on Ubuntu 14.04 LTS and is supported until April 2019. In addition, the LTS release also has free Educational and Educational Lite versions along with the four editions listed above.



Because Zorin OS 11 is Ubuntu 15.10 with added packages, the installation experience will seem familiar to anyone who has ever used Ubuntu or one of its other derivatives. Create a bootable flash drive using the ISO, boot the computer using the flash drive, and Zorin OS starts up. Very quickly, the user is presented with the option to try Zorin OS or install Zorin OS. The Try option loads the desktop environment and lets the user play around with a fully functional system, and the Install option runs a slightly customized version of Ubuntu's familiar Ubiquity installer.



Being based on Ubuntu does provide Zorin OS with the benefits of a familiar installer and a large selection of software packages, but it is what Zorin OS adds and changes that makes it stand apart. Instead of using Ubuntu's Unity desktop and changing the window decorations and other artwork, or doing the same with some other desktop environment, Zorin OS uses a combination of components in a unique desktop experience. Most of the applications used are from GNOME 3.16, but instead of GNOME Shell, Avant Window Navigator, Compiz, and a custom Zorin Start menu/launcher create a desktop experience that behaves a lot like Windows.





Zorin OS 11 -- The default desktop environment




The default desktop is designed to work like Windows 7. It is not a perfect clone, but it does behave similarly enough that it should provide a comfortable experience for users who only have experience with using Windows. What is really nice about this Windows 7 clone is that it behaves like Windows 7, but it does have its own unique look. Zorin OS's look and feel is visually distinct and provides an attractive and consistent user experience. At least among the bundled applications, nothing ever looked out of place.





Zorin OS 11 -- Custom Firefox start page




For users that want something a little different, two other desktop styles are available in Zorin OS Core. The desktop can work like Windows XP or GNOME 2. Switching to Windows XP mode changes the layout of the application menu to one that closely matches the Windows XP Start menu and makes other changes to make the system behave more like Windows XP. Switching to GNOME 2 mode uses the traditional, two-panel GNOME layout. Users of the paid versions also have the option of using Mac OS X, Unity, and Windows 2000 layouts. In addition to being able to change the behaviour of the desktop, Zorin OS comes with three color themes (White, Black, and Dark), each of which can be customized with five different highlight colours (Blue, Green, Orange, Red, and Grey).





Zorin OS 11 -- Look and theme changers




Of the three desktop layouts available in Zorin OS 11 Core, I much prefer the Windows 7 mode. It seems to be the most polished of the three. When I tried to use Windows XP mode on my test machine, I found the right-click menu for items in the application menu to be completely unusable; it required me to hold down the right click button to keep the menu open, making it impossible to left-click on the items in the menu with my laptop's touchpad. I had no problem right-clicking in other places in Windows XP mode, only the Zorin application menu had problems. If my touchpad had two physical mouse buttons, it would probably work better. When I tried out Zorin OS in a virtual machine, the differences in how mouse/touchpad events were handled were enough for me to be able to use the right-click menus like I should be able to. GNOME 2 mode was nice, but oddly used monochrome icons in the application menu, which looked strange because only some of the applications had monochrome icons available, making the menu look very inconsistent.



Truthfully, I do not understand the logic behind making only half of the desktop layouts available to users of the free versions of the distribution. I can understand having a paid version, and I can understand having premium features. I just do not understand the reasoning behind the premium features the Zorin OS developers have selected. In addition to the three extra desktop layouts mentioned above, the paid versions also come with a utility to change the splash screen displayed during the boot process and a utility for using video as the desktop wallpaper. None of the premium features are ones that would entice me to move up to the paid versions.



Aside from the work done creating the multiple desktop layouts, the distribution is not much different than any other Debian style Linux running the GNOME desktop environment. The core bundled applications are largely what one would expect: Firefox, LibreOffice, and the usual GNOME applications and utilities. However there are some notable differences. The default e-mail client is Geary and the OpenShot video editor is installed by default. Even though Firefox is the default browser, a utility is included to help the user install Google Chrome, GNOME Web, and Midori, should they wish to use one of those browsers instead. Zorin OS also includes WINE, WineTricks and PlayOnLinux by default, making it easier for Windows users to make the transition to Linux. Like Ubuntu, Zorin OS does come with "restricted extras" like mp3 support and Adobe's Flash Player.





Zorin OS 11 -- Installing alternative web browsers




If the bundled applications are not enough, Software Centre and Synaptic Package Manager are available for users to add whatever software they want. Everything that is available in the Ubuntu 15.10 repositories is there, so there is plenty of software to choose from. For hardware support, Zorin OS can install proprietary drivers just like Ubuntu and it even includes a graphical tool for using ndiswrapper to install Windows wireless networking card drivers.



On my test machine, Zorin OS 11 Core performed nicely. With no applications running, the system used approximately 950MB of RAM and switching between the different desktop layouts did not seem to alter the memory usage. Minor issues with the Windows XP and GNOME 2 desktop modes aside, Zorin OS 11 Core is a very solid release. It makes good use of its Ubuntu core while developing its own identity. It just is not a very exciting release.



My experience with Zorin OS 11 Core was positive. I liked it well enough; I am just not sure I would recommend this particular release of Zorin OS to Windows users looking to make the switch to Linux. The current Long Term Support release, sure. A future version based on Ubuntu 16.04 LTS, almost certainly. Do not get me wrong, Zorin OS 11 is very good, but it will only be supported for six months, making it a hard sell to Windows users used to longer time periods between releases. That said, I do encourage Linux users with an interest in user interface design to give Zorin OS a test drive. A user interface that can transition between three different desktop styles (six in the paid versions) on the fly is worth exploring if only just to learn from it.

* * * * *

Hardware used in this review



My physical test equipment for this review was an Acer TravelMate X483 laptop with the following specifications:

Processor: Quad-core 1.5GHz Intel Core i3-2375M CPU

Storage: Seagate 500GB 5400 RPM hard drive

Memory: 4GB of RAM

Networking: Qualcomm Atheros AR9462 Wireless Network Adapter

Display: Intel HD Graphics 3000

Miscellaneous News (by Jesse Smith)

Tumbleweed hits a speed bump, openSUSE launches two new editions, Ubuntu 16.04 to ship with ZFS support and GNOME Software, Antergos gains ZFS support, Debian's Iceweasel might be renamed to Firefox, Linux Mint's web server compromised



Tumbleweed is the openSUSE project's rolling release edition. Tumbleweed receives regular updates and snapshots which showcase the latest versions of open source packages. Last week the openSUSE project announced Tumbleweed has hit a speed bump as their testing systems (called workers) are overloaded. "The automated testing of openQA is currently running with only two workers left instead of the usual ten. The remaining workers are largely overloaded and can't cope with the workload to produce new snapshots. Various solutions are being evaluated to get new workers for openQA, which includes borrowing machines from other SUSE owned instances. Thank you SUSE! The team has opted to hold back creating new snapshots until more workers for openQA become available." This blog post provides a list of pending updates to Tumbleweed.



In other openSUSE news, the project has announced two new editions for people who want to experience the latest software coming out of the KDE project. "The release of Argon, which is a live installable image based on openSUSE Leap, and Krypton, which is a live installable image based on openSUSE Tumbleweed, offer packages built for KDE Git using stable and tested openSUSE technologies to track the latest development state of KDE software. Users have a choice on how they get up-to-date packages of Qt and other additional cutting-edge offerings from KDE through the Argon and Krypton live installable images, built directly from the latest sources in KDE Git through the Open Build Service." More information on the Argon and Krypton editions can be found on the project's news page.

* * * * *

Last week Dustin Kirkland, a member of the Ubuntu Product and Strategy Team, reported that Ubuntu 16.04 will be shipping with support for ZFS, an advanced storage pool and file system technology. ZFS has been popular in the Solaris and FreeBSD communities and provides such useful features as file system snapshots, copy-on-write and automatic repair. "What does `support' mean? You'll find [the] zfs.ko [kernel module] automatically built and installed on your Ubuntu systems. No more DKMS-built modules! The user space zfsutils-linux package will be included in Ubuntu Main, with security updates provided by Canonical (as soon as this MIR is completed). As always, industry leading, enterprise class technical support is available from Canonical with Ubuntu Advantage services." This news follows Debian's announcement stating ZFS will soon be an optional add-on through Debian's software repositories. Documentation for using ZFS storage pools on Ubuntu can be found on the distribution's wiki.



In related news, Ubuntu 16.04 is expected to drop the Ubuntu Software Centre as the primary package manager. In its place, the distribution will ship with GNOME Software, a more streamlined package manager. Iain Lane posted to the Ubuntu developer mailing list: "We're switching from Ubuntu Software Center to GNOME Software, and many packages need fixing in order to show up there. As you might know, we will be moving to GNOME Software for our default software management application for the 16.04 release."

* * * * *

The Antergos developers have updated their distribution's system installer, Cnchi. Among the changes and bug fixes, one feature in particular stands out: "The most notable change in Cnchi 0.14 is beta support for ZFS (in Automatic Installation Mode). It is now possible to install Antergos with ZFS as your chosen file system. You simply tell Cnchi which drive to use and it will take care of formatting the drive and configuring ZFS for you." Further details on Cnchi's ZFS support and other changes can be found in the project's announcement.

* * * * *

Years ago the Debian project renamed their Firefox package to Iceweasel. This change in brand was brought about due to a complex situation where Debian was patching the Firefox software and therefore running into conflict with Mozilla's trademark agreement. In short, Debian's copy of Firefox was different from Mozilla's version of Firefox and therefore Debian could no longer call their web browser Firefox. The Debian project named their patched version of Mozilla's web browser Iceweasel. Times change and it looks as though there may no longer be a conflict between Mozilla and the Debian project, meaning Debian may be able to call their copy of the Mozilla browser Firefox again. Sylvestre Ledru has suggested Debian resume using the name Firefox in order to avoid confusion and reduce the effort to maintain the web browser package.

"Mozilla & Debian both acknowledge that the branding issue mentioned in bug 354622 is no longer relevant. The Firefox logo was released under a free copyright license which matches the DFSG. To simplify the maintenance of the current stable Debian release, the name Iceweasel will remain. Debian Stretch, the next release, will have Firefox as package name."

* * * * *

Linux Mint's lead developer, Clement Lefebvre, announced over the weekend that an attacker had broken into one of the project's servers and replaced a link to an ISO file with a link to a compromised version of the distribution. "What happened? Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it. Does this affect you? As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either. Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th." The Linux Mint blog has additional details and checksums for the project's media so Mint users can verify the status of their installation media. Since the original post, the Linux Mint team has asked members of their support forum to change their passwords on other websites if people have been using the same password for multiple accounts.





Tips and Tricks (by Jesse Smith)

The Firejail security sandbox



Sandboxing is a term which describes isolating programs from each other (or from specific system resources) by limiting their scope or access to parts of the operating system. There are many forms sandboxing can take, from virtual machines to Docker containers. Other mechanisms we can use to isolate processes from resources include SELinux, AppArmor and control groups. These tools are lightweight and powerful, but they can be quite tricky to set up, especially for inexperienced users. SELinux in particular uses a cryptic syntax which people find difficult to master.



Luckily, for those of us who want lightweight, powerful security that is easy to use there is Firejail. The Firejail project describes its software as follows:

"Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux control groups."

Firejail allows us to quickly and easily prevent a process from accessing certain files or directories, disable a process's ability to gain access to the root account, block or limit networking access and set up temporary file systems for an application to use which will later be discarded. We will get to Firejail's long list of powerful features in a moment. First, we need to actually download and install Firejail.



The Firejail software is available in the repositories of Debian, Ubuntu and their derivative distributions. The Firejail project also maintains packages and installation instructions for a variety of Linux distributions, including Fedora, CentOS, openSUSE, Gentoo and Arch Linux. Apart from the Firejail command line software, the project also maintains a desktop application which can be used to sandbox some popular applications with a base level of security. I will come back to the desktop application later; first I would like to start with the command line program.



Before getting into my hands-on experiences with Firejail, I want to acknowledge Firejail has excellent documentation. The Firejail manual page clearly explains what Firejail does, covers the available options and provides a lot of practical examples we can try. It is not often I encounter a piece of software with such clear documentation and it really gave me a good first impression of Firejail.



Typically, when we want to run an application inside a Firejail sandbox, we can simply run the firejail command and pass it the name of the program we want to run. For example, we can launch Firefox using

firejail firefox

The above command sets up a sandbox and launches Firefox. The web browser will have limited access to our file system and only be able to save files in a few locations, such as our Downloads directory. This means that if a website hijacks our web browser, it will only be able to save files to designated places, like Downloads, but will not be able to over-write files in our Documents folder, protecting us from threats like ransomware.



When we run Firejail, the sandboxing software looks at the name of the application we want to run in the sandbox -- Firefox in the above example. Firejail then looks through a list of known profiles which are stored in the /etc/firejail/ directory. When a matching profile is found, that profile's rules are loaded and enforced. Firejail ships with a default set of profiles for around 50 applications, including Chrome, Firefox, Opera, Thunderbird, the VLC media player, XChat, Filezilla and Transmission. If we try to run an application inside a sandbox and Firejail has no existing profile for the application, a generic profile will be used. The generic profile blocks access to most sensitive files, including common virtual machine locations. Much of our home directory becomes read-only as do important configuration files. Access to the root user account is also blocked to prevent programs run with a generic profile from causing too much trouble on our operating system.



The profiles Firejail uses are written in a clear syntax with one rule on each line of the file. This makes it quite straightforward to modify existing rules or to create new ones. For instance, to block access to the /etc/ directory we could use the line

blacklist /etc

To grant read-only access to our personal collection of programs, stored in the bin directory of our home, we can use the rule

read-only ${HOME}/bin

To make sure our sandboxed program will always have access to our Downloads directory so it can save files, we can use the instruction

whitelist ${DOWNLOADS}

What I like about this fairly simple style of syntax is that it tends to be easier to read than AppArmor's profile files. Plus, it is much more clear what Firejail's instructions are doing when we compare them against SELinux's often cryptic rules.
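The name-based lookup described above can be reproduced to see which programs have a dedicated profile and which would run under the generic one. The script below is an added example, not code from the article or the Firejail project; the program name notes-app and the function names are hypothetical, and the sample profile is constructed from the three rules quoted above.

```shell
#!/bin/sh
# Added example: report which profile each program would get under the
# name-based lookup, and summarise the file-system rules of existing profiles.

# find_profile NAME DIR...
# Prints the first DIR/NAME.profile that exists. Prints nothing when no
# directory has one, which is the case where the generic profile applies.
find_profile() {
    fp_name=$(basename "$1")
    shift
    for fp_dir in "$@"; do
        if [ -f "$fp_dir/$fp_name.profile" ]; then
            printf '%s\n' "$fp_dir/$fp_name.profile"
            return 0
        fi
    done
    return 0
}

# count_rules FILE
# Counts the three rule types shown in the article (one rule per line),
# skipping blank lines and "#" comments.
count_rules() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        $1 == "blacklist" { b++ }
        $1 == "read-only" { r++ }
        $1 == "whitelist" { w++ }
        END { printf "blacklist=%d read-only=%d whitelist=%d\n", b, r, w }
    ' "$1"
}

# audit_profiles "PROG1 PROG2 ..." DIR...
# One line per program: its profile and rule counts, or a note that only
# the generic profile would protect it.
audit_profiles() {
    ap_progs=$1
    shift
    for ap_prog in $ap_progs; do
        ap_file=$(find_profile "$ap_prog" "$@")
        if [ -n "$ap_file" ]; then
            printf '%s: %s (%s)\n' "$ap_prog" "$ap_file" "$(count_rules "$ap_file")"
        else
            printf '%s: generic profile only\n' "$ap_prog"
        fi
    done
}

# make_demo_dir: constructed profile directory so the example runs without
# Firejail installed. notes-app is a hypothetical program.
make_demo_dir() {
    md_dir=$(mktemp -d)
    cat > "$md_dir/notes-app.profile" <<'EOF'
# constructed sample built from the three rules quoted in the article
blacklist /etc
read-only ${HOME}/bin
whitelist ${DOWNLOADS}
EOF
    printf '%s\n' "$md_dir"
}

demo_dir=$(make_demo_dir)
audit_profiles "notes-app supertuxkart" "$demo_dir"
rm -rf "$demo_dir"
```

On a real system, pass /etc/firejail as the directory argument, preceded by ~/.config/firejail, which Firejail consults first for per-user profiles.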



Firejail does not just allow or block access to specific files and directories; the sandboxing software provides a number of other useful features. One of the options I explored was limiting upload and download bandwidth. Many programs include this feature built in, but bandwidth is usually a set-and-forget setting, meaning we cannot change it later. Firejail allows us to dynamically adjust bandwidth usage. This means we could start downloading a file at full speed, then limit its bandwidth with Firejail later, perhaps to allow us to stream a video. Then we can resume the download at full speed later on.



The Firejail software allows us to turn off some features. For example, we can disable sound using the "--nosound" command line parameter. Let's say we want to run a game with the sound disabled, we can use Firejail like this:

firejail --nosound supertuxkart

Another feature of Firejail I liked was the ability to disable access to the root account. Firejail can block access to the root user's account, preventing many types of local exploits. Access to networking features that require root access (like the ping command) is then unavailable. Sandboxes also disable access to tools used to become root, such as sudo and the su command.



Yet another aspect of Firejail I like is if we run the sandbox without any application specified, Firejail runs a command line shell in its sandbox. This allows us to run most command line programs in a very clean environment (there are just two processes visible to the sandboxed shell: Firejail and the shell itself). With access to most commands and features, but with access to root blocked and other users' processes rendered invisible, this gives us a relatively safe environment in which to experiment. (Though, by default, we can still delete many of our own files, so care should still be taken.)



We can use Firejail to open a command line shell that runs in a sandbox we have already opened. This means we can manipulate the process we are running in the sandbox via the command line shell after the sandbox has been created. This can be accomplished by listing the sandboxes we are currently running and then running Firejail with the "--join" flag. For example:

firejail vlc &

firejail --list

12733:jesse:firejail vlc

firejail --join=12733

In the above example, we launch a sandbox with the VLC multimedia player. The next command lists all running sandboxes with their identification numbers in the first field. We can then open a shell in the existing sandbox using the "firejail --join" command. When we are done exploring the sandbox, typing "exit" returns us to the normal, non-sandboxed environment while VLC continues to run in its sandbox.
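For scripting the list-then-join steps above, the following added example (not from the article or the Firejail project) parses the PID:user:command lines that firejail --list prints and refuses to join when the name matches no sandbox or more than one. The function names are hypothetical, and every sample line except the first, which is taken from the article, is constructed.

```shell
#!/bin/sh
# Added example: pick the sandbox to join from `firejail --list` output.

# find_sandbox_pids NAME   (stdin: lines of the form PID:user:command)
# Prints the PID of every sandbox whose sandboxed program is NAME.
find_sandbox_pids() {
    awk -v want="$1" '
    {
        # Split on the first two colons only: the command can contain ":"
        # itself, for example in a URL argument.
        c1 = index($0, ":")
        if (c1 == 0) next
        pid = substr($0, 1, c1 - 1)
        rest = substr($0, c1 + 1)
        c2 = index(rest, ":")
        if (c2 == 0 || pid !~ /^[0-9]+$/) next
        n = split(substr(rest, c2 + 1), word, " ")
        # word[1] is firejail itself; the program is the first word after
        # it that is not an option such as --nosound.
        prog = ""
        for (i = 2; i <= n; i++) {
            if (word[i] !~ /^-/) { prog = word[i]; break }
        }
        sub(/.*\//, "", prog)          # compare by base name
        if (prog != "" && prog == want) print pid
    }'
}

# pick_sandbox NAME   (stdin: `firejail --list` output)
# Prints the PID when exactly one sandbox matches.
# Returns 1 when none matches and 2 when the name is ambiguous.
pick_sandbox() {
    ps_name=$1
    # Word-split the PID list into the positional parameters to count it.
    set -- $(find_sandbox_pids "$ps_name")
    if [ $# -eq 0 ]; then
        echo "no sandbox is running $ps_name" >&2
        return 1
    elif [ $# -gt 1 ]; then
        echo "more than one sandbox is running $ps_name: $*" >&2
        return 2
    fi
    printf '%s\n' "$1"
}

# join_sandbox NAME: open a shell in the single sandbox running NAME.
# Needs Firejail installed; it is defined here but not called.
join_sandbox() {
    js_pid=$(firejail --list | pick_sandbox "$1") || return
    firejail --join="$js_pid"
}

# Sample listing: the first line is from the article, the rest are constructed.
SAMPLE_LIST='12733:jesse:firejail vlc
12801:jesse:firejail --nosound supertuxkart
12950:jesse:firejail firefox https://example.org:8443/
13002:jesse:firejail firefox'

printf '%s\n' "$SAMPLE_LIST" | pick_sandbox vlc
```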



One last feature of Firejail that I enjoyed was the ability to create a file system over top of the existing file system. This basically gives us an empty file system in which to work. Any files we create or destroy are temporary as the sandboxed file system is destroyed when our application is closed. This is a useful feature to have when we are dealing with a potentially destructive program or we need to set up a very specific test environment. The only downside I found to this feature is that it requires a relatively modern kernel: the system needs to be running Linux 3.18 (or newer) for the temporary file system to work.





Firetools 0.9.30 -- Running Firefox in a sandbox




Most of the powerful features of Firejail are accessible through its command line program, but the project does offer a desktop front-end that will provide the necessary features most people will want. The desktop sandbox launcher is called Firetools. The Firetools program displays a red launch bar on our desktop with a list of popular program icons. Double-clicking on a program's icon launches the selected application in a sandbox. Right-clicking on an icon gives us the option of changing the parameters the application runs with. There is an empty section of the Firetools launcher and right-clicking on it gives us the chance to add a new program to the launch bar. Right-clicking on the launcher and selecting "Tools" brings up an information screen where we can see a list of running applications and resource statistics. Clicking a button labelled "Join" opens a terminal window inside the selected sandbox. This is about the extent to which we can use Firetools, but it is what I think most people will find useful. People who want to run Firefox or Thunderbird without digging down to the command line will benefit from this point-n-click interface that requires no configuration on their part.





Firetools 0.9.30 -- Monitoring a sandbox




I am far from the first person to review Firejail and I peeked at some of the comments other people have made about the Firejail software. I was a bit disappointed to see many have a lukewarm opinion of the sandboxing software. Not because it lacks features or fails to produce the desired results: everyone seems to agree Firejail works as advertised. But some other reviewers have suggested that Linux is secure enough on its own. They seem to feel we have sane file permissions, SELinux, AppArmor and Docker containers, why do we need a new security tool? Open source software usually behaves itself so why do we even need to sandbox it?



I have a few thoughts to share on the nature of Firejail and its usefulness, some of which are in response to these sceptics. One point I would like to make is that SELinux and AppArmor are relatively cryptic to work with. SELinux in particular has a reputation for being hard to troubleshoot. Docker, while relatively easy to set up, still takes some command line know-how to get working properly and is not designed with end-users in mind. These tools are intended to be used by developers and system administrators. An end user will rarely fiddle with their features or even be aware if these technologies are working. In comparison, Firejail is end-user friendly. It has a nice graphical interface, so one need not drop to a command line shell. Even if we do end up exploring the command line options, Firejail has a simple, clear syntax and the documentation provides practical examples to follow.



Firejail may not be the best technical solution, but it is much more likely to be used by a wide audience because Firejail provides good security with virtually no effort on the part of the user. Firejail also makes it easier to set up profiles for new applications so the list of programs Firejail can work with can be expanded quickly.



On Linux our software is usually open source and comes from vetted repositories so there is less chance we will be hit by malware or misbehaving software. However, there are unknown bugs and exceptions to be considered. Many Linux users install non-open applications such as Steam or the Chrome web browser. Some of us might have other non-open programs on our systems and it is nice to have these locked down to prevent any unexpected behaviour. Firejail does this in a simple manner. All programs, even audited open source applications, can have exploitable bugs and Firejail limits the damage an attacker can do by hijacking our web browser or media player.



In brief, Firejail provides a useful layer of protection, is easy to set up and requires virtually no knowledge to use. This means Firejail can be used with very little effort and no understanding of the underlying technologies being leveraged. At first I was a little worried Firejail might gobble up resources or result in poor performance. However, I found Firejail had no visible impact on the performance of applications like Firefox, VLC and Steam. There was no increase in CPU usage when using Firejail. Running the Firefox web browser inside a sandbox used less than 50MB more memory than running Firefox without the sandbox. The Firejail software isolates processes, increases our security, uses very few resources and requires almost no effort to use. In today's world of security breaches and privacy concerns, my opinion is: Why wouldn't someone use Firejail?

Torrent Corner

Weekly Torrents



Bittorrent is a great way to transfer large files, particularly open source operating system images, from one place to another. Most bittorrent clients recover from dropped connections automatically, check the integrity of files and can re-download corrupted bits of data without starting a download over from scratch. These characteristics make bittorrent well suited for distributing open source operating systems, particularly to regions where Internet connections are slow or unstable.



Many Linux and BSD projects offer bittorrent as a download option, partly for the reasons listed above and partly because bittorrent's peer-to-peer nature takes some of the strain off the project's servers. However, some projects do not offer bittorrent as a download option. There can be several reasons for excluding bittorrent as an option. Some projects do not have enough time or volunteers, some may be restricted by their web host provider's terms of service. Whatever the reason, the lack of a bittorrent option puts more strain on a distribution's bandwidth and may prevent some people from downloading their preferred open source operating system.



With this in mind, DistroWatch plans to give back to the open source community by hosting and seeding bittorrent files. For now, we are hosting a small number of distribution torrents, listed below. The list of torrents offered will be updated each week and we invite readers to e-mail us with suggestions as to which distributions we should be hosting. When you message us, please place the word "Torrent" in the subject line, make sure to include a link to the ISO file you want us to seed. To help us maintain and grow this free service, please consider making a donation.



The table below provides a list of torrents we currently host. If you do not currently have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.



Operating System | Torrent | MD5 checksum
DragonFly BSD 4.4.2 | dfly-x86_64-4.4.2_REL.iso.bz2 | 701bfe6fa154127a86c443462a2d42ec
Parsix GNU/Linux 8.5r0 | parsix_8.5r0-amd64.iso | 86421b45ad25cdcbcc9864ab4756a95d



Archives of our previously seeded torrents may be found here. All torrents we make available here are also listed on the very useful Linux Tracker website. Thanks to Linux Tracker we are able to share the following torrent statistics.



Torrent Corner statistics:

Total torrents seeded: 165

Total data uploaded: 29.4TB


Opinion Poll

Package managers



The open source ecosystem is home to many different package managers. Some of the more popular methods for working with software packages include the APT utilities on Debian-based distributions and YUM/DNF in the Red Hat family of distributions.



Of course, there are many other package managers and this week we would like to know which one you use. If your package manager is not on our list, please let us know which one you use in the comments.



You can see the results of our previous poll on customizing desktop environments here. All previous poll results can be found in our poll archives.

Package manager

APT: 1460 (56%)
DNF/YUM: 198 (8%)
Nix: 18 (1%)
Pacman: 556 (21%)
Portage: 80 (3%)
Urpmi: 39 (1%)
Zypper: 113 (4%)
Other: 156 (6%)