Part-DB 2.12.1

Security fixes

• CRITICAL: Fixed issue that users with editing rights could execute arbitary php code in the docker installations by uploading phar files
• MEDIUM: Fixed XSS issue in unsanatized log entry extra. Due to the Content-Security-Policy this has limited impact, as no arbitrary javascript can be executed.
• MEDIUM: The APP_SECRET env must be changed to prevent forgery of REMEMBERME tokens. To be doable an attacker requires to know the secret password hash of a user, which is not obtainable without another security issue. Administrators will see an warning banner on the homepage, asking to change the APP_SECRET.

Generate an new random 32 character string with openssl rand -hex 32 and put the value for APP_SECRET into your .env.local or the environment section of the docker-compose.yaml.

Other changes

• Updated dependencies to fix known security issues in symfony and twig
• Updated KiCad symbol and footprint lists

Bug fixes

• update gomodule imports to /v2(6cb4913 by @kmendell)
• decrypting of notification tokens failing (#2850 by @kmendell)

Dependencies

• bump updater module to new module name(50c0847 by @kmendell)

Full Changelog: v2.0.0...v2.0.1

2.0.1

2.0.1

2.0.1

New features

• use DHI images for base docker image (b73eb4c by @wrycu)
• full rbac permissions (1500646 by @kmendell)
• full background activity tasks (3d2c9ef by @kmendell)
• new account page and small ui tweaks and fixes (526e6d6 by @kmendell)
• better universal dashboard ui tweaks (986333b by @kmendell)
• support for federated credentials for workflow automation (818d306 by @kmendell)
• icon catalog and passthrough (72c6f23 by @kmendell)
• customizable font size per user (#2848 by @kmendell)

Bug fixes

• decouple context for activities (2afd24a by @kmendell)
• add the ability to cancel ongoing activities (fb11a53 by @kmendell)
• show all environment activities (0a6be65 by @kmendell)
• trivy scans not using arcane registries credentials (5d29ce3 by @kmendell)
• make updater service skip swarm containers and make checks more robust (ef0cec6 by @kmendell)
• incorrect paths for activity syncing(9d06074 by @kmendell)
• add global csrf middleware (c922327 by @kmendell)
• better rbac frontend UX for selecting permissions (23e24b6 by @kmendell)
• project auto update not updating container properly (a6a106a by @kmendell)
• diagnostic logs not formatted correctly(eed265c by @kmendell)
• image update checks timeout for no reason (45e229c by @kmendell)
• fix project update order and authentication (793ae89 by @kmendell)
• events create rbac role removed cause its pointless (864a581 by @kmendell)
• validate claim value and role ID in OIDC mapping functions (fa0c147 by @kmendell)
• annotate jwt placeholder secret(bfec449 by @kmendell)
• prune long running stuck jobs (9dbf241 by @kmendell)
• project sync depth not respected during FS sync (09737ce by @kmendell)
• skip checking for updates on pinned digests (760a88d by @kmendell)

Dependencies

• use node version 26.x.x(7b0c9c0 by @kmendell)
• bump pnpm to v11.5.2(d236ee9 by @kmendell)
• upgrade to sveltekit v3 (2709b6b by @kmendell)
• upgrade to tanstack-table v9 (d81c19e by @kmendell)

Other

• remove deprecated services and logic (576865d by @kmendell)
• consolidate frontend types and utils(0d579fa by @kmendell)
• use distroless images over DHI to support all platforms(86b7f60 by @kmendell)
• updated tab bar design(f621fe4 by @kmendell)
• consolidate frontend logic / components (538465a by @kmendell)
• modernize and refactor deduped logic (22e7336 by @kmendell)
• modernize backend code (6e89cff by @kmendell)
• add new go linters and refactor functions (93eefa2 by @kmendell)
• generate services and jobs from google/wire (aa5f767 by @kmendell)
• better RBAC layout filters and catalog (da70b3f by @kmendell)
• use getarcaneapp/updater module (35a0f2b by @kmendell)
• register each gitsync job individually (f1e9f44 by @kmendell)
• enhance updater functionality with restart status and options handling (c8dd0ce by @kmendell)
• migrate from golang-migrate to goose for database (3cdc8a4 by @kmendell)
• cleanup duplicated frontend code (2b68577 by @kmendell)
• update email template design(#2841 by @kmendell)

Full Changelog: v1.20.0...v2.0.0

2.0.0

2.0.0

2.0.0

We're excited to share that we'll be attending the Rock for People 2026 music festival in Hradec Králové, Czech Republic. We've been invited by PlayStation CZ to their gaming hangar at the event with our 4D Motion Simulator, where you'll be able to play our games!

From the 10th to 14th of June, we'll be part of the 31st edition of this iconic festival, taking place at Park 360 in Hradec Králové. You'll find us in the PlayStation Hangar, located near the main entrance, where visitors will have the opportunity to experience our games on our immersive 4D Motion Simulator and meet some of our colleagues.

Rock for People welcomed more than 50,000 visitors last year, and we're thrilled to be part of this incredible event. While you're enjoying the music and atmosphere, make sure to stop by, say hello to our colleagues, and enjoy a ride on our simulator!

You can find more information about the Rock For People festival here. We would also like to send a huge thank you to PlayStation CZ for inviting us to this fantastic event. We can't wait to see you there!

For more news from other events and our games, remember to give our X/Twitter, Instagram, Facebook, Bluesky, and TikTok or subscribe to our newsletter to stay informed! Until next time, keep on truckin'.

A new minor release 0.4.27 of RQuantLib, the first in over a year, arrived on CRAN a couple of minutes ago, has just now been uploaded to Debian, and is being built for r2u as well.

QuantLib is a rather comprehensice free/open-source library for quantitative finance. RQuantLib connects (some parts of) it to the R environment and language, and has been part of CRAN for nearly twenty-three years (!!) as it was one of the first packages I uploaded to CRAN.

This release of RQuantLib brings an update to the interface for all equity options, vanilla and exotics as well as implied volatilities. We now support the option maturity via either an actual maturity date, or the (fractional business-day years) numeric. This uses a clever little Rcpp trick I should discuss in a separate blog post. We also re-ran compileAttributes() to re-create the RcppExports.cpp file now using a slightly improved way of calling Rf_error for an ongoing Rcpp transition, and did some more standard maintenance. The details from the NEWS file follow as usual.

Changes in RQuantLib version 0.4.27 (2026-06-07)

• All equity option functions can now take either a (fractional) time span to expiry or a given date, and accept a daycounter setter.

• Two very old schedule helpers had a superfluous try/catch removed.

• The continuous integration setup received a minor update.

• The RcppExports.cpp file was updated to aid a Rcpp transition.

Courtesy of my CRANberries, there is also a diffstat report for the this release. As always, more detailed information is on the RQuantLib page. Questions, comments etc should go to the rquantlib-devel mailing list. Issue tickets can be filed at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub.

I finally carved out some time today to prepare and release debsecan-mcp v0.1.2 to PyPI. During this release, I integrated PyPI's trusted publisher mechanism, which authenticates directly via GitHub Actions and eliminates the need for manual uploads or static API tokens.

0.5.2 (2026-06-07)

• Improved: [#26322] [Plugin] Add footpath flags to FootpathSurfaceObject in the plugin API.
• Improved: [#26566] Improve the performance of sorting sprites.
• Fix: [#26350] [Plugin] ListViews altered by plugins post their creation are not invalidated.
• Fix: [#26565] Game crashes when switching to another tab in the guest window.
• Fix: [#26583] The default tab is not highlighted when opening a ride window.
• Fix: [#26602] Crash when locating the nearest mechanic for a ride that has not previously been inspected.
• Fix: [#26615] Missing junction path tile in Build your own Six Flags Over Texas.
• Fix: [#26616] Fix gap in buyable land in Build your own Six Flags Magic Mountain.
• Fix: [#26624] Tile elements selected by clicking on them with the tile inspector open do not always redraw correctly.
• Fix: [#26634] Add missing park patch file for Build your own Six Flags Great Adventure.

Release created in https://github.com/OpenRCT2/OpenRCT2/actions/runs/27089751091

SHA256 checksums:

08869f7e5f34b44920a4209a0d81b2fb688b8fabb16fd23d7d486536e2f9e482  ./OpenRCT2-v0.5.2-linux-x86_64.AppImage
162c61e65f4327d3d5406dcfebc0b634ba6a0c8b1d8a71fb12f7a14cebd3a158  ./OpenRCT2-v0.5.2-Linux-trixie-x86_64.tar.gz
73f114744a5f44c63225db7a3897158addc83094797e52069d000b007d63a508  ./OpenRCT2-v0.5.2-windows-installer-win32.exe
f433cffae1cee88f71de0bb4a296d3c63b4802f907e08078c019d10a475bf050  ./OpenRCT2-v0.5.2-windows-installer-x64.exe
54715dacc97370a38f83572d609135a9ef395324ae38fd6ae3864aa6de958d0d  ./OpenRCT2-v0.5.2-Linux-resolute-x86_64.tar.gz
34477e8339107d94ff441c99d00f6e94a26e481ab97727c4b744ab01b38d842a  ./OpenRCT2-v0.5.2-windows-symbols-x64.zip
2d8e436217a2351eeb016715652f205d8c1f21f7467b25e0f9895b8175a1040a  ./OpenRCT2-v0.5.2-windows-symbols-win32.zip
17561e865947ac69394fc21a978102b36b6a3681fd2e22bda45162f223a7d5f4  ./OpenRCT2-v0.5.2-windows-symbols-arm64.zip
3c0ab35a415907c883628a7113a20607041c00c2ef60419da0f2ebffcf0e5c8a  ./OpenRCT2-v0.5.2-windows-installer-arm64.exe
247230c20657d5ae55494a6a5fb80f3050ef573c6be880a782283cf587813585  ./OpenRCT2-v0.5.2-windows-portable-win32.zip
6bc105b4fa9c751e17ffa13af68a6070f8a0956b713d2602fcbf67d3380c945f  ./OpenRCT2-v0.5.2-sha256sums.txt
1e5bea5f11dcd44e803ecf6b51242ac33ae1ce3a5186ed07362c05fba7604892  ./OpenRCT2-v0.5.2-windows-portable-arm64.zip
b80fd9b439fb42d1c4d58245fb9215bbea89813326e3616b72e95181a8d06787  ./OpenRCT2-v0.5.2-macos-universal.zip
e5aea2add0bc140dc1a0b2bde6b02cbf569656ba4e0e4bf1402c99be6540b7d9  ./OpenRCT2-v0.5.2-windows-portable-x64.zip
262f57a8b1859e58b5319e3aee12062d215170868b9ded5d963c67d53dce6b5d  ./OpenRCT2-v0.5.2-Linux-noble-x86_64.tar.gz
1cbe1db375094d64af72df042f291bbc92386fb63970c8260bc3cd1547cd842d  ./OpenRCT2-v0.5.2-android.apk
8f13a7d3a624f2ff56dd55545c6e38691801cb159065e5c56b12eebc818a5a95  ./OpenRCT2-v0.5.2-Linux-bookworm-x86_64.tar.gz

A while back, I got my first subwoofer (a surprisingly nice addition to the movie experience, just like rear speakers were). But I live in an apartment, and I don't want to annoy my neighbors at night (the speaker cone points literally down into the floor, and I have no idea how much my neighbors get to share in my enjoyment). So, what to do?

It turns out my receiver supports a sort-of documented serial protocol; it doesn't have an actual serial port, but you can telnet into it (only one session at a time!) and get the same two-way stream. (It also has a HTTP version which I find less useful.) So this allows me to impose my own policy, and of course, doing it via an existing Home Assistant adapter or something was no fun and also thoroughly frustrating, so I saw it as an opportunity to keep maintaining my low-key Rust skills. (No, no LLM code generation. If I'm going to spend time on this, at least I can learn something myself. I think I asked one for code critique at some point, but I can't remember.)

The policy is roughly: If I'm watching TV after 22:00, then the subwoofer is either turned off (if possible) or turned down -12 dB (the maximum). But if I'm watching a Blu-ray or another input like that, that's presumably a conscious tradeoff I've made and things are left at normal. Everything gets a bit more complicated by the fact that the receiver tends to lose state when doing certain switches, and when it boots, it takes a minute or two before Telnet responds, and when it shuts down, it goes into this weird limbo state where it doesn't respond to anything but the TCP connection seems still up.

And then I figured out I also wanted to dim the display when watching movies (again, only certain inputs), but not for a couple of seconds after making any adjustments. And after doing that, I figured that my access point LED should also be turned off, which happens to be some SNMP writable stuff against the Cisco wireless controller it hangs on.

So, if you have a Denon or Marantz AVR, a Cisco access point on a controller, and my exact preferences about what to do about the subwoofer, then you are free to download and use my software to impose that policy. It is “is distributed in the hope that it will be useful”, as one says. If you have IPv6.

Debian LTS/ELTS

This was my hundred-forty-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

During my allocated time I uploaded or worked on:

• [DLA 4580-1] exim4 security update to fix one CVE related to remote code execution.
• [DLA 4591-1] rsync security update to fix five CVEs related to local root privilege escalation.
• [#1134340] trixie-pu bug for libcoap3 to fix two CVEs in Trixie; the debdiff was confirmed and the upload was accepted to the proposed update queue.
• [#1126167] bookworm-pu upload of zvbi has been flagged for acceptance
• [#1126273] bookworm-pu upload of taglib has been flagged for acceptance
• [#1126370] bookworm-pu upload of libuev has been flagged for acceptance
• [hplip] upload to sid to fix two CVEs.

This was a rather strange month. The details about the embargoed exim4 issue arrived only after I already went to bed and the embargo lift was 18 hours later. Luckily Stretch was not really affected and the uploads for Bullseye and Buster went out on time.

Something similar happened with the embargoed issue of rsync. The info arrived at 8:00 in the morning and the embargo lift was on 2:00 next morning. From an Europeans point of view, the Australians do have strange time zones. But there is more to this than that. Upstream sent more than 50(!) patches for these five CVEs that needed a backport to Bullseye. As things turned out, there is a regression in the upload to Unstable and investigations are ongoing whether this regression is also available in the backported patches for Trixie, Bookworm and Bullseye. So rsync-updates for Buster and Stretch is in the works, but I am afraid they need some more time.

All good things come by threes. Two critical CVEs of hplip appeared and a new upstream version was released by HP. HP is no longer interested in working with distributions and over time more than 80 patches have been accumulated that need a rebase for a new upstream version. For that reason I avoid this package as much as I can, but two critical CVEs did apply some kind of pressure on the maintainer. So I finally managed to do this update and the latest version of hplip is now in Debian. Nevertheless, this feels good :-). Anyway, it is not over yet. HP does not have a public repository nor do they publish patches for these CVEs. So I am still searching for the correct fixes to backport them to Bullseye, Buster and Stretch. The other distributions have the same problem and a silver lining appears on the horizon.

I also prepared an update of gimp for Buster and Stretch, but due to an accident I only managed to release the corresponing ELA in June. The accident was also the reason for only half a week of FD. Thanks to Daniel who took over.

Debian Printing

This month I uploaded a new upstream versions:

• … lprng to unstable.
• … epson-inkjet-printer-escpr to unstable.
• … hplip to unstable.

This work is generously funded by Freexian!

Debian Lomiri

This month I continued to work on unifying packaging on Debian and Ubuntu. This makes it easier to work on those packages independent of the used platform.

This work is generously funded by Fre(i)e Software GmbH!

Debian Astro

This month I uploaded a new upstream version or a bugfix version of:

• … supernovas to unstable (sponsored upload).
• … virtualgps to unstable.
• … nautic to unstable.

Debian IoT

This month I uploaded a new upstream version or a bugfix version of:

• … pyicloud to unstable.

misc

This month I uploaded a new upstream version or a bugfix version of:

• … visam to unstable.
• … tntdb to unstable.
• … ae56 to unstable.
• … texify to unstable.
• … chktex to unstable.
• … ta-lib to unstable.

I also got rid of gypsy, which no longer makes sense to maintain in Debian, as gpsd is way better.