PureOS 10 is going to be our new release for the Librem 14, Librem 5, and Librem Mini. You may already be familiar with its code name “Byzantium” but what happens next is that it moves to our stable release and stops being our rolling release. This means that the character of updates changes from drinking from the firehose to a steady drumbeat of security and stability updates. It also means that it will have had some testing on our hardware and working with other Purism innovations like PureBoot. I’m writing this on my Purism Mini running PureOS 10 and I’ve never been so happy to eat my own dog food.
Aside from the myriad small changes in the various packages in PureOS, a number of rather large changes are worth mentioning. The most important is the way that GNOME applications have learned to adapt to multiple window sizes. The software library libhandy was built for our Librem 5 phone but works on all our devices. It enables the various chat, email, and other application windows to resize their contents to elegantly present the information inside them. While this has obvious uses on our phone, it can be useful on any device including your car or TV. Simply resize your libhandy-enabled app and you’ll find you can use your laptop screen real estate efficiently without important info scrolling off the sides. All this magic is called “convergence”.
Convergence really means putting users back in control; it means that the time and effort a user invests in all the different metaphors and interfaces that operating systems have created over the last few decades will not be wasted. In addition, it can adapt and extend the metaphors that we use in “desktop” computing to the ubiquitous computing that we’re bound to see in the near future. In fact, convergence is appropriate wherever computing is going to be consumed by a user. After all, the concept of a speedometer is convergent. Yes, the colors change, but the idea that there is an indicator that travels a grid of some kind is universal; the metaphor of a speedometer is universal. As we keep those useful metaphors alive in PureOS we’ll help our users continue to leverage computing devices to do their bidding and not just be a set of fingers in the endless scroll.
PureOS 10 has become an awesome software development system. The popular saying is “use GNU/Linux to develop GNU/Linux”, but we take that a step further. We include and modify tools to flash a wide variety of chips and PureOS 10 serves the entire Software Development Kit for our Librem 5. This is kind of a big deal as this is not usually the way SDKs are built or delivered. Typically in embedded environments you build a separate toolkit that you have received from a vendor which targets your device and your device only. That’s not our approach. Instead we upstream as much as possible to other projects so any device might take advantage of our software changes. We continue to add support for various firmware in PureOS and plan to expand the hardware that we target in the coming years. PureOS 10 is an easy-to-use, quick-to-start OS for developing applications on the Librem 5 and we’ll continue to make it better. You can get started with adaptive development in PureOS now.
Containerization is a hot topic for software development both for isolation and for cloud usage. We’ve worked recently on bringing our PureOS container images into shape so that they’re easy to use for software development and as trustworthy as our OS. We now make reproducible images which we use in software development but which are suitable wherever you need a free software, privacy protecting, up-to-date container. The provenance comes from PureOS and we follow the best practice processes of upstream projects. Currently we target PureOS 9 and 10 and we have instructions on how to independently verify the reproducibility of the container. We are building packages reproducibly as well. Using tools like reprotest we build, or rebuild, the atomic units of PureOS and then reproducibly build the whole in our quest to build reproducibly all the things. This provides additional supply chain assurance as well as the opportunity to audit both at the individual package level and the image as a whole. Full ISO images are the next milestone in the reproducible build quest.
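To make the reproducibility claim concrete, here is an added example (not Purism's build or verification procedure) showing why two builds of the same root filesystem normally hash differently and how normalizing ordering, timestamps and ownership makes the image digest bit-for-bit comparable. All names, paths and timestamps in it are constructed for illustration; file modes are left as found on disk.

```python
import hashlib
import io
import os
import tarfile
import tempfile

SOURCE_DATE_EPOCH = 1609459200  # constructed values: agreed timestamp and sample tree
SAMPLE_ROOTFS = {"etc/os-release": b"NAME=ExampleOS\n", "usr/bin/hello": b"#!/bin/sh\n"}

def list_entries(root):
    """Return every file and directory below root as a relative path."""
    return [os.path.relpath(os.path.join(d, n), root)
            for d, dirs, files in os.walk(root) for n in dirs + files]

def make_tree(root, mtime):
    """Write SAMPLE_ROOTFS under root, stamped with mtime to imitate one build run."""
    for rel, data in SAMPLE_ROOTFS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    for rel in list_entries(root):
        os.utime(os.path.join(root, rel), (mtime, mtime))

def normalize(info):
    """Drop metadata that depends on when, and as whom, the build ran."""
    info.mtime = SOURCE_DATE_EPOCH
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info

def image_digest(root, reproducible):
    """Pack root into an uncompressed tar in memory and return its SHA-256."""
    names = list_entries(root)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in sorted(names) if reproducible else names:
            tar.add(os.path.join(root, rel), arcname=rel, recursive=False,
                    filter=normalize if reproducible else None)
    return hashlib.sha256(buf.getvalue()).hexdigest()

def two_builds(reproducible):
    """Build the same tree at two different times and return both digests."""
    digests = []
    for mtime in (1600000000, 1700000000):  # constructed build times
        with tempfile.TemporaryDirectory() as root:
            make_tree(root, mtime)
            digests.append(image_digest(root, reproducible))
    return digests
```

`two_builds(False)` returns two different digests even though the file contents are identical, while `two_builds(True)` returns the same digest twice, which is the property an independent rebuilder checks against a published hash.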
Another key element in our goal of having a phone that is on your side is our work in making apps not just fit beautifully on the Librem 5 but to have apps that are clear on what they do. Again, because we focus on user-centric convergence, we need to make sure that any infrastructure changes we make for apps are available for all our devices. This means we have to drive a broad consensus in various projects to determine what metadata is needed to understand what an “app” is and does. The implementation of this idea is in “AppStream”. As a Freedesktop project it can influence any UI framework or desktop, bringing greater transparency to the entire ecosystem. The implementation is described as “a cross-distro effort for enhancing the metadata available about software components in the Linux and free-software ecosystem.” Purism has also developed an AppStream metadata generator as a server-side solution. This type of tool will be very handy for people wanting to build their own software centers, as PureOS is doing. Independent software centers like our PureOS store will help anyone interested to discover new software and tools unencumbered by specific vendors or proprietary licenses. The set of metadata is flexible and we intend to ensure it is a robust and user-friendly system that provides real transparency.
We have a new mirror as well in North America bringing our total repository mirrors to five, including two onion sites. The plan is to have a write-up for the onion sites for those who’re new to using Tor and onion sites. This provides an additional layer of obfuscation to the repositories for those who want an extra helping of security.
There are a lot of updates to our stable release; here are some highlights in visual form. Our installer is updated, which makes for a smoother install experience.
The installer now has a number of cool features – it can now properly configure autologin, and there’s now a facility to send logs to an online pastebin-like service, which can be very handy in fixing installation issues. There have been UX improvements with the network installation as well as the “back” and “next” buttons. The upstream community is quite active and aims to be a universal installer for numerous distros.
Additionally there have been some changes to any GNOME software that uses libhandy. Right out of the box there are a number of things you’ll notice on your upgrade or new install. Many GNOME apps “just work” as adaptive apps and make the user experience that much more polished.
Along with the new OS come some new capabilities. Here’s the short list:
WireGuard – Designed to be easy to configure as well as fast, WireGuard provides a new model for VPNs. It “securely encapsulates IP packets over UDP” which is to say that it skips some of the configuration of other VPNs. It works in similar fashion to SSH in that you create and manage keys for WireGuard and once that’s done, as soon as you have your peer’s keys, you’re pretty much ready to send encrypted bits down the wire.
Pass – Another new tool for the security minded, pass is “a very simple password store that keeps passwords inside gpg2 encrypted files inside a simple directory tree residing at ~/.password-store.” The password store also uses git behind the scenes to keep a record of the encrypted passwords. Pass is ideal for those who want command line tools at their fingertips.
Librem EC ACPI DKMS – A Linux kernel ACPI platform driver for the Librem EC firmware. It is necessary to provide user space control for notification LEDs, battery charging thresholds, keyboard backlight, and the WiFi/BT LED.
cgroups2 – cgroups, or control groups, are an integral part of the various kernel functionality that enables containers. This new version of cgroups brings “rootless containers” which provide an “added security layer – if a container is compromised, the attacker won’t be able to gain root privileges on the host. Rootless containers also allow isolation between nested containers.” Nesting containers safely is a key enablement for software that needs to run as root; this allows that but also prevents disabling the isolation.
There are some truly exciting developments under way as well. As GNOME moves to version 40 and later, we’re seeing new tooling and new functionality in the underlying libraries. Some of the changes are related to adaptive but many are more fundamental, targeting Vulkan and GL instead of Cairo, for example, or making animation easier to incorporate. It will take a while for these changes to bubble up into PureOS 10 of course, but for now we’re thrilled with our new stable release and the polish, flexibility, and performance improvements that have arrived; we hope you are too. Happy hacking.