DistroWatch Weekly, Issue 704, 20 March 2017

Feature Story (by Jesse Smith)

ToaruOS 1.0.4



Most of the projects we talk about on DistroWatch are variants of Linux or, occasionally, one of the BSDs. However, there are other open source operating systems out there, smaller projects which rarely get attention because they have fewer developers or are not as rich in features. This week I would like to discuss a project that has been put together as a hobby, but which has a surprisingly rich feature set, especially when we consider the operating system appears to be mostly the work of one developer. The operating system is called ToaruOS and the project's website describes it as follows: ToaruOS is a complete hobby operating system, including a kernel and userspace with many graphical applications. This is the first release considered to be "user-ready", but please keep in mind that ToaruOS is a hobby project and it may not be stable or suitable for any purpose you might have for an operating system. This release represents the culmination of many years of development, research, and learning. The ToaruOS project is relatively young, about five years old at the time of writing, but offers a surprising large list of features. The operating system supports running a graphical desktop environment, running multiple processes, threaded applications, basic networking, a virtual terminal and using the ext2 file system. ToaruOS's kernel in its current form is 32-bit, non-SMP, monolithic (but modular), and Unix-like. It supports processes, threads, shared memory, files, pipes, TTYs, packet-based IPC, and basic IPv4 networking. Driver modules allow for access to ext2 and ISO9660 file systems, ToaruOS can even run Python and the GNU C compiler. The operating system is open source and available under the NCSA/University of Illinois software license.



Version 1.0.4 of ToaruOS is a mere 25MB download for x86 computers. The ISO file we download can be burned to a CD/DVD, copied to a USB thumb drive or mounted and used in a virtual machine. I spent most of my time experimenting with ToaruOS in a VirtualBox virtual machine, but also booted the operating system on a desktop computer to confirm it would run. I will talk about how ToaruOS worked with my desktop computer's hardware later, but for now I'd like to focus on how the operating system worked inside VirtualBox.





ToaruOS 1.0.4 -- The welcome screen desktop tour

(full image size: 1.4MB, resolution: 1280x1024 pixels)



Booting from the ToaruOS media brings up a menu offering to boot the operating system into a live desktop environment, boot to a graphical login screen or boot to a text mode terminal. The default login credentials for the live disc are displayed at the bottom of the screen. Choosing to boot into graphical mode almost immediately brings up a desktop environment that I think somewhat resembles the Xfce desktop. There is a panel across the top of the display, playing host to the application menu, task switcher and system tray. There are a few icons on the desktop for launching a virtual terminal, accessing the file system and launching a package manager. The wallpaper displays a lovely, outdoor landscape. Shortly after the desktop loads, a welcome window appears and offers to give us a tour of the desktop. The welcome window shows us how to launch applications as well as manipulate windows.





ToaruOS 1.0.4 -- Running a collection of desktop applications

(full image size: 997kB, resolution: 1280x1024 pixels)



ToaruOS automatically detected my local network and set up an Internet connection. The desktop was attractive and responsive. Controls responded to input right away and applications launched quickly. One of the few features I missed while exploring the desktop was the ability to minimize/maximize windows. I could resize windows by dragging their corners and close them by clicking an X in the corner of the window, but ToaruOS does not offer minimize/maximize window controls.



Looking through the operating system's application menu, I found a small collection of demo programs. There is a simple drawing program, a desktop clock widget, a program for displaying fractal images and a few programs which draw lines or gears on the screen to show off the operating system's graphic capabilities. There is a virtual terminal program, a graphical file manager and a documentation viewer which shows us an introduction to ToaruOS.





ToaruOS 1.0.4 -- Displaying the help documentation

(full image size: 1.3MB, resolution: 1280x1024 pixels)



Opening up the virtual terminal program I discovered ToaruOS offers its users a Unix-like command line environment. From the command line we can run Python 3 and Python applications, get a list of running processes and kill misbehaving applications (via the ps and kill commands). ToaruOS does not include many of the common Unix or GNU command line programs, nor do we have access to man pages. However, it is possible to install the GNU C compiler, so it may be possible to adapt and build additional command line programs for ToaruOS.





ToaruOS 1.0.4 -- Running Python and a clock widget

(full image size: 1.7MB, resolution: 1280x1024 pixels)



If we want to install additional applications, we can visit ToaruOS's package manager. The package manager has a simple layout. We are presented with a short list of available programs, each one is listed with a version number, but no description. There are around 30 packages in total and we can check a box next to any package we wish to install. So far as I could tell, there was no way to remove programs once they had been installed. Some of the available programs include an mp3 player, the Vim text editor, the GNU C compiler, development packages and header files. For the most part, these add-ons worked for me, but I was unable to get the Vim text editor to work, it would crash at start-up.





ToaruOS 1.0.4 -- The package manager

(full image size: 1.5MB, resolution: 1280x1024 pixels)



One category of applications I missed while running the operating system was Internet-related programs. We do not have access to a web browser, FTP client or the OpenSSH secure shell and file transfer programs. We may be able to add these features with some work, but they are not available by default.



I was impressed with how smoothly ToaruOS worked inside the VirtualBox environment. The operating system booted almost instantly and responded quickly to input. The operating system integrates into the VirtualBox environment, allowing full use of the host's screen resolution. The operating system is fairly light, using around 100-150MB of RAM while I was exploring the graphical environment. When I tried running ToaruOS on a desktop computer the experience started out well. The operating system booted within three seconds and presented me with the desktop environment. Unfortunately, my experiment was stopped short because ToaruOS could not recognize my USB mouse or keyboard. This made it impossible to interact with the operating system when running it on physical hardware.



Conclusions



As the project's website states, ToaruOS is not a good platform for day-to-day use. This is a small, one-person project and not developed with typical desktop usage in mind. It is more of a learning and research project, an exploration of how a modern operating system can be created. ToaruOS is very minimal and does not yet have much hardware support.



What ToaruOS does have though -- a desktop environment, package manager, Python support, super fast boot times and working command line -- make this an impressive hobbyist operating system. I played with ToaruOS for a few days and found the system to be stable and very fast. There are not many features in place, but what is there works well. ToaruOS is a very young project and mostly a one-person effort and yet the system has a working desktop, some command line tools and a package manager, that puts ToaruOS almost on a level with some more mature projects such as Haiku or MINIX.



I wouldn't recommend running ToaruOS as a primary operating system, but for people who want to explore how operating systems work, or who are just curious as to what a small development team can accomplish in a short time, ToaruOS is an interesting project to explore. * * * * * Hardware used in this review



My physical test equipment for this review was a desktop HP Pavilon p6 Series with the following specifications: Processor: Dual-core 2.8GHz AMD A4-3420 APU

Storage: 500GB Hitachi hard drive

Memory: 6GB of RAM

Networking: Realtek RTL8111 wired network card

Display: AMD Radeon HD 6410D video card

Miscellaneous News (by Jesse Smith)

Mint publishes updated install media, Debian packages Android SDK and starts Project Leader election, Ubuntu 12.04 reaches its end of life, fixing an expired MX Linux signature



The Linux Mint project has published updated installation media for the distribution's Linux Mint Debian Edition (LMDE), version 2. The new ISO files contain updated packages and security fixes for LMDE 2, but do not represent a new version of the distribution. People who already run Linux Mint's Debian Edition can get the latest packages and security fixes through the distribution's package manager. " LMDE 2 received many updates in the last two years, including many improvements which were ported from Linux Mint as well as all the new versions of MATE, Cinnamon and the Xapps. This release provides a new set of installation images for LMDE 2 which includes all these updates. " Mint's Debian Edition is available in two editions, Cinnamon and MATE. Further information can be found in the project's announcement. * * * * * The Debian project is one of the largest Linux distributions and one of the oldest. Debian is also perhaps the most democratic, with the distribution's Project Leader voted in through elections participated in by Debian Developers. This year the Debian project has two candidates for the coveted title of Project Leader: Mehdi Dogguy and Chris Lamb. Both candidates have posted platforms (Mehdi Dogguy, Chris Lamb) in which the developers share their views on Debian and how they hope to lead and improve the venerable project.



People who wish to build Android applications on Debian will soon be able to install Android development packages directly from Debian's software repositories. Android SDK support is available in the upcoming version of the distribution, Debian 9 "Stretch". " In Debian Stretch, the upcoming new release, it is now possible to build Android apps using only packages from Debian. This will provide all of the tools needed to build an Android app targeting the platform android-23 using the SDK build-tools 24.0.0. Those two are the only versions of platform and build-tools currently in Debian, but it is possible to use the Google binaries by installing them into /usr/lib/android-sdk. " Information on how to set up the Android development packages can be found in this announcement. * * * * * Version 12.04 of the Ubuntu distribution was a long term support (LTS) release and received five years of support and security fixes. Adam Conrad has sent out a reminder that Ubuntu 12.04 will reach the end of its supported life on April 28, 2017. People still running Ubuntu 12.04 are encouraged to either perform live upgrades to version 14.04 or install Ubuntu 16.04, both of which are also long term support releases. " Ubuntu announced its 12.04 (Precise Pangolin) release almost 5 years ago, on April 26, 2012. As with the earlier LTS releases, Ubuntu committed to ongoing security and critical fixes for a period of 5 years. The support period is now nearing its end and Ubuntu 12.04 will reach end of life on Friday, April 28th. At that time, Ubuntu Security Notices will no longer include information or updated packages for Ubuntu 12.04. The supported upgrade path from Ubuntu 12.04 is via Ubuntu 14.04. Users are encouraged to evaluate and upgrade to our latest 16.04 LTS release via 14.04. " People who wish to continue receiving security updates for Ubuntu 12.04 can purchase a extended security maintenance (ESM) package from Canonical. Dustin Kirkland provides more information on the ESM offer in a mailing list post. * * * * * The MX Linux team has reported that one of the GPG digital signatures on a repository expired before it was caught and renewed. The signature is used to verify package downloads to insure software packages are not corrupted or tampered with prior to the package arriving on the user's system. The MX Linux blog has tips for MX users impacted by the expired signature. " Recently the GPG signatures on one of the upstream repositories expired before it could be renewed. A fix should have propagated to all mirrors by now, and may require action on your part to correct. For unknown reasons, the correct solution appears to vary somewhat by user, so multiple methods are given here that have proved to be successful... " The four methods for dealing with the signature can be found in the project's blog post. * * * * * These and other news stories can be found on our Headlines page.





Myths and Misunderstandings (by Jesse Smith)

Linux Mint's security record



Some of the more common misunderstandings I have encountered recently have involved the Linux Mint distribution. Mint has been a popular project in recent years and, with many people using the distribution and talking about the project, there is bound to be some mis-communication. In particular, most of the rumours and misunderstandings I have encountered have revolved around Mint's security practises and history. I would like to clear up a few of the more common rumours.



Linux Mint blocks security updates



Perhaps the most common misconception I run into is that Linux Mint's update manager blocks access to security updates. This is not entirely accurate, but it is easy to understand where the idea came from. In the past, Mint's update manager would display a full list of available security updates with each update assigned a safety rating. A rating of one or two indicated the software was safe to install. A rating of three was the default and considered mostly safe, if untested. A rating of four or five indicated the update was likely to cause stability issues. Installing a poorly rated update might prevent the system from booting or cause the desktop to stop working properly.



Under older versions of Mint, the update manager would let the user see available updates, but would only automatically select packages with good ratings (1 through 3) to be installed. The user could select the remaining packages to be downloaded if they wished to take the risk. Users could also adjust the update manager's default behaviour, causing it to install packages in any or all rating levels.





Mint's update manager -- Adjusting update settings

(full image size: 66kB, resolution: 792x688 pixels)



In short, older versions of Mint would hold back updates known to cause problems unless the user selected them. This was the default behaviour, but the user could adjust the update manager to suit their needs.



Modern versions of Linux Mint do things a little differently. The old method caused some confusion and now Mint's update manager will display an information screen the first time it is run. The update manager will ask the user if all updates should be installed, only updates known to be stable should be installed or if the old default of striking a balance between the two extremes should be used. The user can, as before, change the update manager's behaviour later if need be.



In no case has Mint been blocking users from installing updates. Under the old method users were shown available updates and could check a box next to the ones they wanted. The current version of Mint tries to make this process more clear to avoid situations where people might not know they need to manually select updates considered to be unstable.



Security updates are delayed



Another common rumour is that Mint delays security updates, causing fixes to arrive in Mint later than on other distributions such as Debian or Ubuntu. This rumour is entirely untrue and I have so far been unable to find a cause for the claim. Mint has two upstream distributions, Ubuntu for the main editions of Linux Mint and Debian for Linux Mint Debian Edition. Both flavours of Mint pull in security updates directly from their respective upstream distributions. The updates are not filtered. This means that as soon as security updates appear in Debian's repositories, the updates are available to Linux Mint Debian Edition users. Likewise, when Ubuntu publishes a security fix, it can be instantly downloaded by Linux Mint users. There is no delay or hold placed on packages before they become available to Mint users.



People who would like to confirm Linux Mint is pulling in software directly from upstream sources without a speed bump can check Mint's APT repository settings, specifically those found in /etc/apt/sources.list.d/official-package-repositories.list. The Debian Edition pulls in security updates from debian.org servers and Mint's main editions pull in software from a ubuntu.com sub-domain.



Mint's website was hacked and their installation media replaced



This rumour is half true and perhaps all the more powerful for it. It's true that about a year ago Linux Mint's website was broken into. The attacker was able to place a link on the Mint website to their own, compromised copy of the Linux Mint install media. The issue was soon noticed and the security hole plugged.



The part of the rumour which is not true is that Mint's own ISO files were compromised. This may seem a small distinction, but it is important for a few reasons. The first is that existing links and torrents would continue to work as before. People downloading Mint from, for example, DistroWatch or Linux Tracker would be safe. Only people who stumbled across the bad link on Mint's site on the day it was visible would be affected. The second reason the link replacement is important is the attackers were unable to do anything about Mint's checksum or signature information. Anyone who checked the MD5 hash or publisher signature of the ISO file they downloaded would have immediately known they had the wrong ISO.



On a side note, it is always a good idea to verify the hash and signature of installation media before using it. Not just to avoid compromised ISO files, but also to avoid complications from corrupted downloads due to network problems. We have a tutorial on confirming the validity of download media.



The rumour about Mint's website being hacked, while it has some truth in it, tends to snowball. People start to assume that a security flaw in the website means the operating system provided by the website is also vulnerable. This is a leap in logic similar to suggesting that because you can break the window at a car dealership that the cars inside are unsafe to drive. One does not relate to the other. And, as noted above, most of Mint's packages and security fixes come from upstream sources.



Another side effect to the website compromise is that people tend, in my estimation, to act as though Mint is somehow more vulnerable than other popular Linux distributions. This is a pattern which seems to get repeated a lot in the open source community. A project's website is compromised or a problem is reported, the project fixes the problem and then the community avoids them. The problem is fixed, but people's confidences have been shaken. The truth is though that most of the major Linux and BSD projects have gone through similar events. Digging back through archives will turn up reports of website or package repository compromises or other unpleasant events which shake the confidence of the project's users. It is a part of doing business in the digital age. I think it is unfortunate that people tend to focus on the "This project had a problem," part of events rather than the more complete picture of: "This project had a problem and now it is fixed."



As it stands, Linux Mint's security record is about the same as other popular Linux distributions. There have been a few minor problems, but nothing out of the ordinary. For the most part, Mint's reputation concerning software security mostly seems to grow out of misunderstandings about how the distribution's update manager works.



* * * * * We have more myth-filled topics in our Myths and Misunderstandings archive.





Released Last Week

Porteus Kiosk 4.3.0



Tomasz Jokiel has announced the availability of a new version of Porteus Kiosk, a lightweight Gentoo-based Linux operating system which has been downscaled and confined to allow the use of one application only - a web browser. The new release, Porteus Kiosk 4.3.0, features Firefox 45 ESR, Google Chrome 55, Adobe Flash 24 and version 4.9.14 of the Linux kernel. " I'm pleased to announce that Porteus Kiosk 4.3.0 is now available for download. Major software upgrades in this release include: Linux kernel 4.9.14, Xorg Server 1.19.2 Mozilla Firefox 45.8.0 ESR, Adobe Flash 24.0.0.221 and Google Chrome 55.0.2883.87. Packages from the userland are upgraded to portage snapshot tagged on 20170311. Short changelog for 4.3.0 release: Configuration parameter 'client_id=automatic' will automatically assign client ID to the kiosk - no need for manual configuration per device. This parameter makes client installation easier and faster especially for large deployments. Serial backend for the CUPS printing service has been enabled by default. Some usb printers still require it for direct USB connection. If system installation fails then debug info will be displayed in order to help identifying the problem, e.g. I/O errors on target device. OpenDNS is used as a secondary DNS server in the installation wizard for static IP configurations... " Further details can be found on the project's news page.



Chakra GNU/Linux 2017.03



The Chakra GNU/Linux project, a semi-rolling desktop distribution, has received an update. The developers have announced a new version, Chakra 2017.03, which carries the code name "Goedel". The new snapshot features the Calamares 3.0.1.91 system installer which includes support for installing the distribution on Btrfs and LUKS encrypted partitions. " We are excited to announce the first Chakra release of 2017, codenamed Goedel, to honour the logician, mathematician and philosopher Kurt Goedel. The 2017.03 release introduces two noteworthy changes: 1. The installer, Calamares, has been updated to version 3.0.1.91. As a result, users are now able to install Chakra on Btrfs and LUKS encrypted partitions. Calamares has received lots of partitioning enhancements and bug fixes since our previous ISO release and the installation process should be smoother than ever. 2. Our homegrown Heritage theme for Plasma got a refreshing face-lift that we hope you will enjoy. " Further details and version information for key components can be found in the project's release announcement.





Chakra GNU/Linux 2017.03 -- Running the Plasma desktop

(full image size: 1.2MB, resolution: 1280x1024 pixels)



NetBSD 7.1



The NetBSD project develops a lightweight operating system which runs on a wide range of hardware architectures. The project's latest release, NetBSD 7.1, features support for running on the minimal Raspberry Pi Zero computer and includes initial KMS support for NVIDIA video cards with the nouveau open source driver. NetBSD's Linux compatibility layer has been updated and can now run the Linux version of Adobe Flash Player. " The NetBSD Project is pleased to announce NetBSD 7.1, the first feature update of the NetBSD 7 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements. Some highlights of the 7.1 release are: Support for Raspberry Pi Zero. Initial DRM/KMS support for NVIDIA graphics cards via nouveau (Disabled by default. Uncomment nouveau and nouveaufb in your kernel config to test). The addition of vioscsi, a driver for the Google Compute Engine disk. Linux compatibility improvements, allowing, e.g., the use of Adobe Flash Player 24. " Additional information can be found in the project's release announcement.



FreeNAS Corral



The developers of FreeNAS, a FreeBSD-based operating system for network attached storage devices, have announced the release of FreeNAS Corral. The new release (which previously carried the version label 10 during the development phase) provides users with a friendly web-based interface for managing storage, includes ZFS support out of the box and allows the administrator to run containerized applications. " The FreeNAS Development team is very happy to announce the launch of FreeNAS 10 RELEASE and, at the same time, the renaming of 10 to Corral, a new name befitting what is also a radically new version of FreeNAS! With all of the new features in FreeNAS 10, as well as its entirely new look, we decided that just slapping a "10" into the release string simply didn't do justice to the giant evolutionary step we took with this release, nor has the version numbering scheme we've been using been increasingly accurate, since we stopped basing our release numbers on that of the underlying FreeBSD OS. "FreeNAS Corral" provides a more holistic description of this release and sets it apart from previous FreeNAS versions: It manages storage, containers, and VM services through one unified interface, making it the most powerful FreeNAS release yet. So, what you knew as FreeNAS 10 is now FreeNAS Corral! " The project's release notes contain further information on FreeNAS Corral and the life cycle of FreeNAS 9. * * * * * Development, unannounced and minor bug-fix releases

DragonFly BSD 4.8.0-RC

SolydXK 9-201703

RancherOS 0.9.0-rc2

Clonezilla Live 2.5.0-29

Parted Magic 2017_03_14

Container Linux 1298.6.0

SmartOS 20170315

PCLinuxOS 2017.03 "MATE"

Zorin OS 12.1 "Education"

RancherOS 0.9.0

NAS4Free 11.0.0.4.4067

4MLinux 22.0

Super Grub2 Disk 2.02s8

SystemRescueCd 4.9.4

antiX 17-alpha2

Torrent Corner

Upcoming Releases and Announcements

Opinion Poll

Changing the look of our header



One of our readers, Antony, wrote in with suggestions on how we could improve the look of the header which appears at the top of every DistroWatch page. The proposed layout design keeps all of the same elements and links we have now, but rearranges them to make the name of the site more central.



This week we would like to find out how many of our readers like the new design compared to the one we have been using. The mock-up can be seen here:





Proposed new header layout

(full image size: 42kB, resolution: 1132x97 pixels)





You can see the results of our previous poll on running a personal server here. All previous poll results can be found in our poll archives.



Changing the look of our header



I like the new mock-up design: 419 (28%) I prefer the existing header: 610 (41%) I have no preference: 459 (31%)

DistroWatch.com News