Following the US financial problems OR elections

Lately, following the US elections (and more recently the financial collapse) has been an interesting thing; I have been watching the following (in order of importance):

  1. NBC Nightly News
  2. NBC Meet the Press
  3. NBC Countdown
  4. The Daily Show/The Colbert Report

Additionally, if you watch them in this order, the fear and maybe even panic that sets in while watching the news is slightly relieved by the common sense and a bit of humour.

And to the people that say that the above is very anti-Republican leaning - I admit, it is a bit, but when Democrats fail, they cover it as well. It just does not happen as much lately. I mean, Republicans manage to contradict themselves inside one sentence, entertainment TV loves that, and Democrats actually have a hard time competing for air time. A Democrat gets oral relief from his secretary? A bunch of Republicans are selling government oil-rich lands for sex! Beat that! Poor Democrats :D



24th September as a day against software patents - Debian support?

According to the Slashdot article, the StopSoftwarePatents.org website itself and Digg, anti-software-patent activists are attempting a world-wide event on the 24th of September as a world-wide day against software patents. The USA has them via a weird court ruling, Japan has them as well (not sure why), and there have been efforts to force software patents onto the EU, India, Australia and many other countries, either by Microsoft lobbies or even via US trade treaty pressure.

While lobbying by local Microsoft branches and their pet companies can be countered locally, like I and many others did in the EU a couple of years ago (mostly thanks to FFII), trade negotiations are very secretive affairs and it is very hard to lobby there directly. The public needs to be aware of the issue, otherwise the politicians will not be aware of its importance to their voters.

Software patents are a threat to free software because they circumvent the power of the GPL and other copyright licences if enough money is thrown at the lawyers. If a software patent is generic enough, it can easily stop development of a whole class of free software applications at the whim of the patent holder. And there are plenty of granted software patents with a very broad scope (progress bar, anyone?).

I am aware that to get Debian support for such an initiative a GR is needed, but how about a personal word of support from the DPL, or support from SPI? It is in SPI's direct area of interest: software patents create an ever-present threat of legal action against any and all software in Debian (in the USA and Japan, at least) and, as the legal umbrella of Debian in the USA, SPI would be a prime target.

What do others think about this?



1, 2, 3, can this month soon over be … ?

Personal-life rant follows after a break.




Firefox 3.0 download record

Download Day

Please help set a world record for the most downloads in 24 hours by downloading a copy of Firefox 3.0 in the 24 hours starting at 18:00 GMT today. Download it yourself and get all your friends to do so as well. Only one download per computer is counted towards the record. More info on the record attempt.

Firefox 3.0 Download record countdown timers.

P.S. The SpreadFirefox web page is down at the moment - overloaded less than 2 hours before go time.



Too similar to be different

Eric, I can’t claim to 100% understand the situation, but after glancing through the logs of the discussions and the patches, the conclusion I came to was this: OpenSSL used the supposed randomness of uninitialized memory as an added source of entropy (an interesting hack, but not an example of good coding as such). Valgrind caught that problem and the Debian maintainer fixed it during a cleanup. Making such a fix can be considered a preventive step against possible attack vectors that poison the uninitialized memory. He took it up with upstream; they did not raise red flags, but did not quite merge the ‘clean up’ patch either. It fell through the cracks.

The problem is that in the same file, in another function, all other sources of entropy were being merged into the pool of randomness using exactly the same code line as the one flagged by Valgrind. The maintainer assumed that the second line had the same function as the first and commented that one out as well. AFAIK that also did not show up in the emails to the upstream list.

So we have:

  • Upstream using clever hacks that rely on uninitialized memory having some randomness to it
  • Upstream using the same code and the same variable names to describe different things
  • Upstream having no comments in the code explaining the two things above
  • Maintainer slightly over-generalizing a change
  • A bug slipping through the cracks in the review processes
  • Another Debian Developer discovering the bug and recognizing its significance despite all of the above
  • The Debian project coming out and admitting all of the above and scrambling to get fixes out to its users ASAP

I am impressed by the swift action of the people involved in fixing this. And while I think everyone can find some lesson to be learned here, I think this is another good example of free software in action. And I hope that in the aftermath of this we will find ways to prevent it from happening again without stifling our progress.



Cryptographic mess (IMPORTANT!)

http://www.debian.org/security/2008/dsa-1571

In short - all SSH keys, SSH server certificates, SSL certificates, x509 certificates, OpenVPN keys and DNSSEC keys generated on Debian systems (including Ubuntu, Knoppix, …) in the last two years are to be considered insecure. Immediately update the libssl-dev, libssl0.9.8-dbg, openssl and libssl0.9.8 packages to the latest versions and generate new keys.

In more detail:

Server administrators' to-do list:

  • sudo apt-get update && sudo apt-get upgrade
  • Regenerate the server's SSH keys:
    sudo rm /etc/ssh/ssh_host*
    sudo dpkg-reconfigure openssh-server
  • Delete users' keys: sudo rm /home/*/.ssh/authorized_keys
  • Inform SSH users that they must update their own systems first and only then generate a new key and upload it
  • Get a new SSL certificate for HTTPS
  • Install the new ‘open*-blacklist’ packages, which refuse connections that use insecure keys
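The mechanism described in the post above (every entropy source passing through one mixing line, with only the process id left once that line is gone) and the blacklist packages in the checklist, as an added toy model for this page. It is not OpenSSL's code and not Debian's blacklist tooling: the hash, pool layout, 32-byte "key" and the 32768-pid range are assumptions chosen to make the key-space collapse and the fingerprint check visible.

```python
"""
Toy model of the Debian OpenSSL entropy failure (DSA-1571) and of the
fingerprint-blacklist countermeasure. Constructed example; NOT OpenSSL's
RNG. The pool, hash and key layout are simplified stand-ins.
"""
import hashlib
import os

# Assumption: the default Linux pid range of the time, 0..32767, which is
# what made the set of possible weak keys small enough to enumerate.
PID_MAX = 32768


class Pool:
    """Entropy pool with a single mixing step that every external source
    (time, /dev/urandom, user data) must pass through - the analogue of the
    one MD_Update() line in ssleay_rand_add() that got commented out."""

    def __init__(self, mix_external_entropy: bool = True):
        self.state = b"\x00" * 32
        self.mix_external_entropy = mix_external_entropy

    def add(self, data: bytes) -> None:
        if self.mix_external_entropy:
            self.state = hashlib.sha256(self.state + data).digest()
        # With the mixing line removed the pool state never changes.

    def bytes(self, pid: int, n: int) -> bytes:
        """Output stage. The process id is mixed in here, separately from
        add() (the real output function kept its own getpid() mixing), so
        it is the only varying input once add() is a no-op."""
        out = b""
        counter = 0
        while len(out) < n:
            block = self.state + pid.to_bytes(4, "big") + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return out[:n]


def generate_key(pid: int, seed: bytes, broken: bool) -> bytes:
    """A 32-byte 'key' drawn from a pool seeded with `seed` in process `pid`."""
    pool = Pool(mix_external_entropy=not broken)
    pool.add(seed)
    return pool.bytes(pid, 32)


def fingerprint(key: bytes) -> str:
    return hashlib.sha1(key).hexdigest()


def build_blacklist() -> set:
    """Every key the broken build can produce: exactly one per possible pid.
    This is the idea behind the openssl-blacklist / openssh-blacklist
    packages, which ship (truncated) fingerprints per key type and size."""
    return {fingerprint(generate_key(pid, b"ignored", broken=True))
            for pid in range(PID_MAX)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """The check a login or TLS handshake performs against the blacklist."""
    return fingerprint(key) in blacklist


def demo() -> dict:
    blacklist = build_blacklist()
    # Two machines with different real entropy but the same pid get the same key.
    k1 = generate_key(1234, os.urandom(32), broken=True)
    k2 = generate_key(1234, os.urandom(32), broken=True)
    good = generate_key(1234, os.urandom(32), broken=False)
    return {
        "weak_keyspace": len(blacklist),
        "same_pid_same_key": k1 == k2,
        "broken_key_blacklisted": is_weak(k1, blacklist),
        "fixed_key_blacklisted": is_weak(good, blacklist),
    }


if __name__ == "__main__":
    print(demo())
```

The blacklist here has 32768 entries because the toy has one key type; the real packages are larger because they enumerate each affected key type, size and architecture separately, but the principle is the same: a key is only as unpredictable as the inputs that actually reached the pool, and when those collapse to a pid the whole space can be precomputed and rejected at the front door.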



Azureus killing a small router?

I am having a problem with my tiny Fonera router restarting on me endlessly whenever I have two laptops with Azureus running connected to the network, so I started to investigate. I could not get any meaningful error messages from the router before it reboots, and the only weird thing I could find in the statistics was the huge number of active connections. When I have one laptop with Skype running, Firefox browsing a few pages and Internet radio playing, the number of active connections is around 200. Starting Liferea for RSS bumps that to 300. Nothing serious. However, as soon as I start Azureus (with no active downloads!) the number of active connections jumps by 400-500, and starting one download adds another 300 connections. That is despite setting a global limit of 100 active connections in the Azureus preferences. After 5-10 minutes the number of connections goes down to 500 (with one download active), but with two laptops running Azureus on the same wireless network the initial spike is high enough to kill the router in 2-3 minutes, force it to reboot and then do it all over again, and again, and again …

Now I am thinking whether to spend around 50€ on another router or to try to work with the Azureus folks to fix this. :(



Debian development basic links

For a Debian package creation seminar:



Debian on EEEpc 2

The new release from the Debian EEE PC Team is simply great - it works flawlessly to install a fully functional Debian system onto an EEE PC over wireless. You only need a 16 MB USB stick (or SD card) to boot from.

The only remaining bug that people are still working on is the selection of the wireless network - in the current build the installer autoselects the strongest signal by default, and if you want another one you need to go back and reconfigure the network in the installer.

Great work guys!

BTW: This got me thinking - it shouldn’t be too hard to take over the EEE PC from the default installation without needing a USB stick or an SD card :) The default EEE PC setup consists of a (read-only) system partition and a user partition overlay. It should be simple to download the 16 MB D-I boot image, save it to the system partition and write a boot loader that would allow a choice between normal boot, EEE PC rescue boot and Debian installation boot. With a bit of pre-seeding we could have d-i install a Debian instance in place of the user partition unless the user overrides that.



More of a good thing?

There is one particular aspect of Microsoft’s document format going through the ISO process that I had a hard time finding a counter-argument against: “Well, it is better to have multiple open formats, isn’t it?”. Last night, when I was presenting at a Document Freedom Day event, I finally got one. When multiple standards exist in the same area, there are two possibilities:

  1. Cooperative standards - providing similar functionality in different ways that can coexist in the same medium without significant overhead. An example of this is credit cards: there are multiple ways the card information can be transferred to the bank - writing the data down by hand, an imprint, the magnetic strip and the chip. Any of these ways can be used and all of them are equally valid;
  2. Conflicting standards - providing the same functionality in incompatible ways. The example here is power adaptors: the form of the power plug is an open and public standard (AFAIK), but so many of them exist in different places that it creates all sorts of problems both for companies producing electronic equipment and for frequent travellers.

What Microsoft proposes is much worse than the power plug mess, because the power plug standards are at least restricted by region. But imagine going to another country and having to be ready for your hotel to have any one of 8 power plug types at random. And while electricity is rather easy to convert losslessly, complex documents are far more .. complex. It is like having to buy 8 different power bricks for each of your electrical devices to be prepared for all possible voltages, frequencies, waveforms, polarities and whatnot.

Having more than one ISO document standard is a horrifying idea for any programmer who will ever have to work on software that needs to support both of them - twice the work for no extra benefit whatsoever.

If Microsoft can prove (in technical terms) that their file formats provide capabilities that Open Document cannot, then the only sane way to get those into the ISO format is to add them as an extension of the existing Open Document format, not to reinvent the wheel.

Microsoft also has a habit of pointing to JPEG and PNG as “competing” standards. Well, they are not - those are complementary standards, because JPEG is designed for lossy compression of photographic detail while PNG is designed for lossless compression of bitmapped images with flat colours and sharp edges (line art, screenshots). Something like DjVu could be seen as a superset of the two formats.

So, if you ever need an argument against more standards - remember about the power plugs.
