Wednesday, May 28, 2008
With the cost of plane tickets approaching 2000 USD it is rather hard to sell me on going to Debconf 8, as that can be approximated as 3-4 months of my income. I did apply for travel sponsorship, but due to some kind of brainfart I misread “Amount I am unable to fund myself” as “Amount I am able to fund myself” and thus asked for far less money than I actually need. Therefore, after the Debconf team strictly stated that the requested amount cannot be changed at this point, it has become clear that I can’t come to Debconf 8.
/sadpanda
I would still love to come if there was sponsorship money to cover my fare and even suggested putting me to the end of the sponsorship priority list, but apparently that is not happening. Have fun, and see you all in Spain in 2009.
Wednesday, May 21, 2008
After catching a glimpse of John McCain on Saturday Night Live (SNL) I decided to watch a full show to see if it is good enough to add to my daily US news lineup (which currently consists of The Daily Show, The Colbert Report and NBC Daily News).
From the very start the comedy level is pathetic, with fake laughter gushing out over something that apparently was supposed to be funny. Combined with the pretense of “smart comedy” that says “If you don’t laugh when we laugh, you just don’t get it”, which is pure old brainwashing aimed at making people stop thinking. Very far from anything I would call good TV.
BIG INTRO WITH BIG VOICE. Useless Americanisms. And then Steve Carell does the most stupid and idiotic ‘6 RedBulls’ routine that I’ve ever seen. Are the writers still on strike? “There can be only one Democratic nominee” was a bit better, but still rather simplistic. “Deal or no deal” was an even dumber one. “Two assholes do karaoke” actually was even worse. “Japanese Office” was nothing but a cheap pun on the *American* version of The Office with a few Japanese words. I think it went on for 5 minutes, which was 4 minutes and 55 seconds too long for something of such horrible production value. Another John McCain appearance, while misreading the teleprompter (not on purpose), was actually the highlight of the show.
That shows two things: John McCain is so desperate that he feels it is acceptable to appear on such a low quality show, and SNL is overrated - even a politician can do a better job at comedy than the SNL staff.
That Usher guy’s song was on the same level as the jokes of the show, so no harm done there.
The news segment was almost OK. Not nearly as good as The Daily Show, but better than the rest of the show. Not a single item was chosen to make people think, just the opposite. The “FitTV” bit was .. well .. pointless. So was the CPR bit. And the ‘Bless this child’ bit.
In summary, I’ve never seen a more pointless and badly made show. That thing could pass for good in the 60s or maybe even the 70s, but to consider that show good nowadays in any country with reasonably developed TV would be just insanely dumb.
Friday, May 16, 2008
“… Today is the first day in office for President Barack Obama … In other news, Hillary Clinton is still on the campaign trail and is not giving up …” - best ever joke about the current US election. I think it was from The Daily Show, but I cannot be certain.
Wednesday, May 14, 2008
Eric, I can’t claim to 100% understand the situation, but after glancing through the logs of the discussions and of the patches the conclusion I came to was this - OpenSSL used the supposed randomness of uninitialized memory as an added source of entropy (interesting hack, but not an example of good coding as such). Valgrind caught that problem and the Debian maintainer fixed it during a cleanup. Making such a fix can be considered a preventive step against possible attack vectors that poison the uninitialized memory. He took it up with upstream; they did not raise red flags, but did not quite merge the ‘clean up’ patch either. It fell through the cracks.
The problem is that in the same file, in another function, all other sources of entropy were being merged into the pool of randomness using exactly the same code line as the one code line flagged by Valgrind. The maintainer assumed that the second code line had a similar function to the first and commented that one out as well. AFAIK that also did not show up in the emails to the upstream list.
So we have:
- Upstream using clever hacks that rely on uninitialized memory having some randomness to it
- Upstream using the same code and the same variable names to describe different things
- Upstream having no comments in the code explaining the two things above
- Maintainer slightly over-generalizing a change
- A bug slipping through the cracks in the review processes
- Another Debian Developer discovering the bug and recognizing its significance despite all of the above
- The Debian project coming out and admitting all of the above and scrambling to get fixes out to its users ASAP
I am impressed by the swift action of the people involved in fixing this. And while I think everyone can find some lesson to be learned here, I think this is another good example of free software in action. And I hope that in the aftermath of this we will find ways to prevent this from happening in the future without stifling our progress.
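The two same-looking mixing lines described above, as an added toy illustration (this is not OpenSSL’s code): a minimal pool in which rand_add folds caller entropy into the pool and rand_bytes also folds in the caller’s not-yet-written output buffer, both through one shared line, with a flag that models commenting that line out.

```python
import hashlib


class ToyPool:
    """Toy stand-in for the OpenSSL md_rand pool (added illustration, not OpenSSL code)."""

    def __init__(self, mixing_enabled=True):
        self.state = b"\x00" * 32
        # False models the 'cleaned up' build in which the shared mixing line was commented out.
        self.mixing_enabled = mixing_enabled

    def _md_update(self, data):
        # Stand-in for the one code line that appeared in both functions below.
        if self.mixing_enabled:
            self.state = hashlib.sha256(self.state + data).digest()

    def rand_add(self, entropy):
        # Function 1: every real entropy source (seed file, timings, ...) is folded into
        # the pool through the shared line. Removing the line here leaves the pool empty.
        self._md_update(entropy)

    def rand_bytes(self, out_buf):
        # Function 2: the hack Valgrind flagged. The caller's uninitialized output buffer
        # is folded in as a bonus entropy source before output is derived from the pool.
        self._md_update(out_buf)
        self.state = hashlib.sha256(self.state + b"output").digest()
        return self.state[: len(out_buf)]


def derive_key(seed, mixing_enabled=True):
    """Seed a fresh pool with `seed` and return 16 bytes of 'key' material as hex."""
    pool = ToyPool(mixing_enabled)
    pool.rand_add(seed)
    return pool.rand_bytes(bytes(16)).hex()


def keys_depend_on_seed(mixing_enabled):
    """True when two different seeds yield different keys, i.e. the pool still works."""
    return derive_key(b"seed-a", mixing_enabled) != derive_key(b"seed-b", mixing_enabled)


if __name__ == "__main__":
    print("upstream build, keys depend on seed:", keys_depend_on_seed(True))   # True
    print("patched build, keys depend on seed: ", keys_depend_on_seed(False))  # False
```

The real OpenSSL still mixed a few small values after the patch, which is why the actual key space became tiny rather than a single key; the toy drops those so the mechanism stands out.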
Wednesday, May 14, 2008
http://www.debian.org/security/2008/dsa-1571
In short: all SSH keys, SSH server certificates, SSL certificates, x509 certificates, OpenVPN keys and DNSSEC keys generated on Debian systems (including Ubuntu, Knoppix, …) in the last two years must be considered insecure. Immediately update the libssl-dev, libssl0.9.8-dbg, openssl and libssl0.9.8 packages to the latest versions and generate new keys.
In more detail:
What server administrators need to do:
sudo apt-get update && sudo apt-get upgrade
- Regenerate the server’s SSH keys:
sudo rm /etc/ssh/ssh_host*
sudo dpkg-reconfigure openssh-server
- Delete users’ keys:
sudo rm /home/*/.ssh/authorized_keys
- Inform SSH users that they need to update their systems and only then generate a new key and upload it
- Get a new SSL certificate for HTTPS
- Install the new ‘open*-blacklist’ packages, which will refuse connections that use insecure keys
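One way to check an existing authorized_keys file against a fingerprint blacklist of the kind the open*-blacklist packages carry, as an added example (not the packages’ own tool): the key blobs, the authorized_keys content and the blacklist are all constructed here, and keying the list on MD5 fingerprints is this example’s assumption.

```python
import base64
import hashlib
import re

# Matches the key-type / base64-blob / optional-comment tail of an authorized_keys line,
# even when options such as command="..." or from="..." precede the key type.
KEY_RE = re.compile(r'(?:^|\s)(ssh-rsa|ssh-dss)\s+([A-Za-z0-9+/=]+)(?:\s+(\S.*))?$')


def fingerprint(blob_b64):
    """MD5 fingerprint (hex, no colons) of a base64 key blob; assumed blacklist format."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()


def parse_authorized_keys(text):
    """Return (line_no, key_type, blob, comment) for every key line; skips blanks/comments."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue  # unsupported key type or malformed line
        entries.append((line_no, m.group(1), m.group(2), m.group(3) or ""))
    return entries


def find_blacklisted(text, blacklist):
    """Return (line_no, key_type, comment, fingerprint) for each key found on the blacklist."""
    hits = []
    for line_no, key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        if fp in blacklist:
            hits.append((line_no, key_type, comment, fp))
    return hits


# Constructed sample data: the blobs are not real RSA keys, and the blacklist is built
# from one of them purely for the demonstration.
WEAK_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed weak key").decode()
GOOD_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed good key").decode()
SAMPLE_BLACKLIST = {fingerprint(WEAK_BLOB)}
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-rsa {GOOD_BLOB} alice@laptop
command="/usr/bin/rsync --server" ssh-rsa {WEAK_BLOB} backup@host
"""

if __name__ == "__main__":
    for line_no, key_type, comment, fp in find_blacklisted(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST):
        print(f"line {line_no}: {key_type} key '{comment}' is blacklisted ({fp})")
```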
Sunday, May 11, 2008
I am having a problem with my tiny Fonera router restarting on me endlessly whenever I have two laptops with Azureus running connected to the network, so I started to investigate. I could not get any meaningful error messages from the router before it reboots, and the only weird thing I could find in the statistics was the huge number of active connections. When I have one laptop with Skype running, Firefox browsing a few pages and Internet radio playing, the number of active connections was around 200. Starting Liferea for RSS bumps that to 300. Nothing serious. However, as soon as I start Azureus (with no active downloads!) the number of active connections jumps by 400-500, and starting one download adds another 300 connections. That is despite setting a maximum global limit of 100 active connections in the Azureus preferences. After 5-10 minutes the number of connections goes down to 500 (with one download active), but with two laptops with Azureus in the same wireless network the initial spike is high enough to kill the router in 2-3 minutes, force it to reboot and then do it all over again, and again, and again …
Now I am thinking whether to spend around 50€ for another router or try to work with the Azureus folks to fix this.
Tuesday, May 6, 2008
From http://159.18.52.69/raw/983493
Error:
Traceback (most recent call last):
File "test.py", line 12, in <module>
from xml.dom.ext.reader import HtmlLib
ImportError: No module named ext.reader
Fix/workaround (add the path of the relocated package before the import):
import sys
sys.path.append('/usr/lib/python%s/site-packages/oldxml' % sys.version[:3])
from xml.dom.ext.reader import HtmlLib
I had an old Python script doing some XML work, and after upgrading to Ubuntu 8.04 I started getting the above error message and had to use the above fix because the Ubuntu packages of python-xml moved xml.dom.ext.* to /usr/lib/python2.5/site-packages/oldxml for some reason. I have not looked at the latest Debian packages. Does anyone know why such a backward-compatibility-breaking change was introduced? All I find on Google are people getting bitten by this bug, and no reasoning or even discussion behind the change.
Monday, May 5, 2008
Apparently it is political suicide in the USA to make people think. Obama’s ex-preacher Jeremiah Wright is the most sane US preacher that I’ve ever heard. If you read or listen to his sermons in full length and go beyond the soundbites presented by Fox News, he is 99% right. The US has long been doing extreme violence to countries around the world, so it is no wonder that such violence came back to the US. Russia had the same problem with Afghanistan and Chechnya. If you try to set yourself up as ‘world police’, some people will disagree. Then he damned America’s _government_ for letting Americans down by not caring enough about the people. The only thing that I would smile and shake my head at was the statement that the American government invented HIV. I doubt even they have such resources. Read this transcript for example; the sermon is just a great sermon that urges people to think for themselves. And what do people put this sermon down for? Using the word ‘Negro’? Having an issue with some specific politicians? He is a pastor, and pastors are meant to have a strong opinion, a vision, and to project that for the congregation to see. “I’m not going to stop thinking just because I love Jesus” is the summary of that sermon if you ask me. And that is the most positive religious message I’ve heard from that side of the pond for a long time. You can agree or disagree with rev. Wright, but you can still go to his sermons and enjoy them because he makes you think. I would talk to the most racist bastard, a serial killer or even Hitler himself if he could tell me something that would provoke my mind to think and thus improve myself. You don’t have to agree with people to benefit from speaking to them or from listening to what they have to say. Even if someone is 100% wrong and misguided, if his speeches can make you think of some good idea, it is worth it. And rev. Jeremiah Wright is not 100% wrong; from what I’ve heard he is on the money most of the time and there are only some of his statements I would disagree with. And he is a great speaker. If I had not been an Obama supporter, I would become one because of Wright.
Or because of the very accurate observation by Obama that in hard times people in rural USA cling to trusted values such as guns and religion. There is nothing wrong with that.
I am amazed at how such true statements can be so twisted by the US press and can actually reduce Obama’s rating. I was starting to believe that not all is lost in the US, but if Obama does not get elected, well … it is all lost in the US.
PS. How is this related to Debian? Our software is the best choice for society in the long term. However, that is only true if we assume that people behave rationally and use it, improve it and contribute improvements back for the public good. If the general population is made wary of rational thinking and starts thinking in soundbites and slogans, then there is a ceiling to free software expansion, and the whole free software movement can eventually be crushed in the interests of homeland security with strong corporate commercial software backing. (Only government-approved software is allowed to run, with mandatory government-approved backdoors and hardware verification to prevent cyber-terrorism or something, thus also forbidding any compilers and interpreters outside government control.)