Hi all,
I've virtually attended OpenPrinting Micro Conference on Linux Plumbers
2022 and took notes about our latest development - the notes are in
attachment.
From the development field the highlight is that *we don't release CUPS
2.5 (and 3.0) until we have full OAuth support*, which will replace
Kerberos support in CUPS 3.0. Currently we have OAuth requests
implemented, but we are missing several fundamental internals to make it
properly working.
But the biggest highlight is that *all printer driver packages**from
Debian* (we don't have any additional printer driver packages in Fedora
in comparison to Debian, so Fedora printer drivers should be covered by
them as well) *are now covered by printer applications*, so you can test
how your printer will work with printer application (in case your
printer doesn't support driverless standards or driverless standard has
missing functionality you need).
Unfortunately there are currently only printer applications in SNAP,
because I'm waiting on cups-filters 2.0, which is required for printer
applications, but the code base is the same as it will be in RPMs, so it
would be great to test the printer applications as soon as possible.
*HOW TO TEST:*
*A) HOW TO TEST A PRINTER via PRINTER APPLICATION*
1. install snapd
$ sudo dnf -y install snapd
$ sudo ln -s /var/lib/snapd/snap /snap
2. install the SNAP of printer application and run it - right now you
have to choose it by yourself according the driver package you use
(ps-printer-app is for postscript printers, which usually live in
foomatic and hplip packages, hplip-printer-app is for all printers from
hplip package, gutenprint-printer-app for gutenprint, and all others
probably by ghostscript-printer-app), but GNOME control center is
working on their automatic installation based on your model:
$ sudo snapd install --edge ps-printer-app
$ sudo snapd run ps-printer-app
Then go to its web interface at http://localhost:8000 (https is
available as well, but Firefox complains about self signed cert, which
is IMO harmless on localhost service)
3. click on 'Add Printer' on the main page,
4. choose the printer's name,
5. select the found device or choose 'Network printer' from 'Device'
scroll menu and provide hostname or IP of the device,
6. choose to auto-detect driver or select the driver by yourself,
7. click on 'Add Printer',
8. now the printer should be available at 'avahi-browse -avrt' and
'lpstat -e', but not in 'lpstat -a'
9. check its provided options by 'lpoptions -p <printer_name> -l'
*IN CASE OF BUGS/MISSING OPTIONS SO FAR* - report to the specific
*printer application* at *https://github.com/OpenPrinting*
10. try to print via 'lp' command using this new printer and try options
you frequently use - the correct option names and values are seen in
'lpoptions' output and you can use it in 'lp' command like this:
```
$ lpoptions -p HP_Laserjet_M1536 -l
PageSize/Media Size: 184.15x260mm 195.09x269.88mm A4 A5 B5
DoublePostcardRotated Env10 EnvC5 EnvDL EnvMonarch Executive
-------- --
Duplex/Duplex: *None DuplexNoTumble DuplexTumble
------ --------------
OutputBin/OutputBin: *FaceDown
```
$ lp -d HP_Laserjet_M1536 -o PageSize=A4 -o Duplex=DuplexNoTumble ... <file>
*IN CASE OF BUGS/BROKEN FUNCTIONALITY DURING PRINTING VIA LP* - report
the issue into Fedora bugzilla to *cups *component
11. try to print via your favorite document viewer or browser using this
new printer - choose this new printer which shared from printer
application and check the options you use
*IN CASE OF BUGS/BROKEN FUNCTIONALITY/MISSING OPTIONS DURING THIS STEP*
- report issues to the component in bugzilla representing *your chosen
application*
*B) HOW TO TEST A DRIVERLESS PRINTER*
1. check whether your printer is capable of driverless printing by
'ipptool' for network printers (once you enable IPP on the printer's web
interface):
$ ipptool -tv ipp://printer.example.com/ipp/print
get-printer-attributes.test
or by 'lsusb -v' - check
https://docs.fedoraproject.org/en-US/quick-docs/cups-useful-tricks/#_how_to_find_out_if_my_usb_device_supports_ipp_over_usb
for more information
2.*if your printer support driverless standard* - you know from the
previous step, setup your environment according
https://docs.fedoraproject.org/en-US/quick-docs/cups-useful-tricks/#_how_to_setup_cups_temporary_queues_with_network_printer
for network printer or according
https://docs.fedoraproject.org/en-US/quick-docs/cups-useful-tricks/#_how_to_setup_cups_temporary_queues_with_usb_printer
for USB printer. *Otherwise try the steps for printer applications above*.
3. check whether you see the printer in 'avahi-browse -avrt', in 'lpstat
-e', but not in 'lpstat -a'
4. check what options are provided by 'lpoptions -p <printer> -l'
5. try to print to the printer via 'lp' command, using the options you
frequently use, f.e.
$ lp -d <printer> -o PageSize=A4 -o Duplex=DuplexNoTumble <file>
*IN CASE OF BUGS/MISSING IMPORTANT OPTIONS/OTHER PROBLEMS *- report the
issue to the Fedora bugzilla to component *cups *- driverless standards
sometimes provide less options than classic drivers, because they focus
on common options and many users are not aware of driverless printing
and use the classic drivers, so I would like to track such models.
6. try to print to found printer via your favorite viewer or browser -
check whether the printer is seen and has all the options shown by
'lpoptions'
*IN CASE OF BUGS/BROKEN FUNCTIONALITY/MISSING OPTIONS DURING THIS STEP*
- report issues to the component in bugzilla representing *your chosen
application*
*
*
*_KNOWN BUGS:_*
Several printer configuration tools (GNOME Control Center,
system-config-printer at least, I'm not sure about others) is not able
to see temporary queues or they're seen as 'ghost printers' and don't
communicate with printer applications (by communication I mean their
installation based on your printer model and providing the link to the
printer application Web UI). GNOME Control Center is working on
improving IPP support and adding printer application support right now.
Thank you for reading this far and if you are able to test, thank you in
advance!
Zdenek
--
Zdenek Dohnal
Software Engineer
Red Hat, BRQ-TPBC
Open Printing Mini-conference 2022
==================================
CUPS 2.5 and 3.0 development
-----------------------------
- 2.4.x and printer applications
- manager Zdenek Dohnal
- currently on the way for 2.4.3 - color fixes, OpenSSL fixes (cert issues
will be fixed soon)
- printer apps - check OpenPrinting and michaelrsweet repos at Github
- 2.5 and OAuth
- Till Kamppeter will be the release manager
- QAuth support will be finished there and tested
- localization improvements going to happen
- first beta in March 2023, GA in May 2023
- OAuth support:
- protocol work being done in IPP PWG group
- the current 2.4.x has a WIP OAuth implementation, but it is missing
internals of OAuth support
- we have to implement OAuth callback and Bearer auth method for the cupsd
daemon
- json tickets being added to libcups project
- we need desktop developer for OAuth UI - synch up with GNOME
- if they have some OAuth, see if we can use it
- do we need a separate project for UI and DBUS service?
- coordinate X509/OAuth functionality with CUPS 3.0 development and
provide a clear migration path for the functionality
- we won't release 2.5 without OAuth support
- don't be afraid of 3.0 and printer applications - we have covered all printer
drivers from Debian distro - the schedule is optimistic and you still have 2.5
in the meantime
- new Ubuntu version will include only CUPS SNAP with printer applications,
since Ubuntu moves towards SNAP-only distro
- GNOME control center will have support for printer applications - can
download the printer app from SNAP and open its web UI
- 3.0
- manager Michael Sweet
- mover away from PPD files
- split between local and sharing servers + libcups + tools
- splitted projects are getting to beta state - available on OpenPrinting and
Mike's github
- libcups
- OpenPrinting/libcups
- removed PPD API and other deprecations
- using bool and size_t
- MIGRATING.md and CUPS programming manuals created/updated
- threading APIs, IPP data file, portable DNS-SD
- we still have to add DBUS interface, JSON support on the way, ipptool
fixes
- cups-commands
- lpinfo removed, lpadmin updated for PPD free world
- cups-local
- OpenPrinting/cups-local
- baseline code commited and rebuilt
- pre-beta - test on your own risk, but any test help is welcome
- communication with printers, convert to PDF/raster as needed for printer,
job his
- configuration limited to profiles
- cups-sharing
- OpenPrinting/cups-sharing
- rebuilt and base code line in it
- waiting for OAuth from 2.5
- printing after swiping the card will be supported,
What we need:
- UI
- we have to get rid of PPD API in print dialogs, auth via OAuth in UI
and consent for accounting/privacy
(we have a list of needed info for printer and if user doesn't provide
them, the printing won't happen - we need UI for this)
- CLI auth and API key support
- profiles in enterprise networks
- printing via IPPEve/AirPrint/Mopria, Windows/SMB (Postscript/PCL),
Printing to file (PDF)
- we need something else for transformations - PDFio for PDF, Poppler/Xpdf on
Linux, CoreGraphics on macOS (Google has a possible candidate, but needs Google
buildsystem/looking to Cairo)
- looking for common graphics library
Testing and CI for OpenPrinting projects
----------------------------------------
- we're moving to CI :)
- mostly via Github Actions - "Build" workflow (classic build on different
archs with 'make test'),
static analyzers ("CodeQL", "Coverity", "LGTM" - lgtm is moved to GitHub
default checks), "Docker" (tries to create Docker image)
- we're not doing distro-dependent package testing like DEB or RPM
- defined in yaml under .github/workflows
- if tests require password/cert, it can be passed via environment defined in
workflows
- currently projects using CI - CUPS, ippeveselfcert, ippsample, libcups,
LPrint, PAPPL, PDFio
- it would be great to add regression testing, possibly private CVE testing,
filter testing via huge amount of files
Restricting access to IPP printers with Oauth2 framework
--------------------------------------------------------
- common OAuth2 use case - browser asks auth.server for code, and then OAuth
client asks Authorization server with authorization code, client then work with
authorization server until
client get access token and gets data from resource server
- IPP case - IPP printer as resource server, OAuth client == IPP client,
Authorization server and Browser
- assumptions:
- IPP printer has only one authorization server and knows URL of author.
server
- IPP client doesn't know of implementation of IPP printer Author. server
- all communication via https (required by OAuth2 standard)
- security implications:
- needed for security:
- protect user data between client and server
- protect printer resources - have an access list of users for printers
- IPP clients:
- IPP printers can be found by mDNS, defined by user or queried from print
server
- author. server can be get from IPP Printer or predefined by users (the
latter highly preferred)
- TLS pros/cons - protected against man-in-the-middle, encryption, but we don't
know what the hostname really is
- we need to know the other side is really IPP printer
- Authorization server
- its URL has to be verified
- IPP printer verification
- verifying its URL
- we need to ask Authorization server for this information - extending OAuth
protocol via Token Exchange (RFC 8693)
- client sends token exchange to auth. server - has access token and URL,
auth. server responds
- not yet implemented
- other means? obtaining IPP Printer URLs from trusted source only, different
rules for IPP Printers
- current status - ongoing work on protocol in IPP PWG group, OAuth 2.0
requests in CUPS 2.4.x, working on IPP OAuth client in Chrome OS
- TLS minimal version - probably the latest ones, which can be a problem in the
future when older printers which can do OAuth now won't be
to do it due low TLS support - now OAuth2 requires TLS 1.2+ since RFC 6749
- IPP Everywhere 2.0 standard will require TLS1.2 or TLS1.3 or higher - all IPP
printers must support TLS and only support TLS1.2 or higher
- tested in ippeveselfcert
Documentation for OpenPrinting projects
---------------------------------------
- we need 3 kinds of docs:
- user
- admin
- developer
- you can automate the dev docs, but user/admin has to be by 'hand'
- usually write good code and you don't need much docs :) - autoconfiguration,
intuitive, readable
- docs has to be easy to access and read as well, but trying to limit this
- CUPS
- we have html docs generated from man pages, markdown files. Dev docs are
generated from API
via CodeDoc and includes handwritten CUPS Programming Manual
- docs source format - asciidoc, markdowns (github one, original)
- tools - doxygen, sphinx, codedoc
- OpenPrinting docs:
- printer application docs available on OpenPrinting webpage -
https://openprinting.github.io
- docs for wsl-printer-app - printer application for legacy printers on
Windows
- news on our OpenPrinting web site
- what we need?:
- we can't follow Google Season of Docs due additional bureucracy...
- follow CUPS DEVELOPING.md in our projects, not just in Mike's projects :)
- debugging docs - synch with Brian Potkin from Debian
Sandboxing/Containerizing alternatives to Snap for Printer Application and CUPS
-------------------------------------------------------------------------------
- flatpak is not for daemons, appimage is not secure
- maybe docker/podman containers?
- can be run with 'quadlet'
- containers in Ubuntu
- making a container doesn't solve all security
- there were several distroless containers - Google Distroless
- now we have Ubuntu distroless base - no package manager, no shell
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
