In diesen Minuten demonstrieren (mehr oder weniger) fünftausend Schüler und Studenten auf der Spandauer Straße in Berlin. Ich war auch am Roten Rathaus, doch meine Ideen von besserer Bildung (frühzeitig, durchlässig, besser ausgestattet, kostenfrei) sprachen dort nur wenige aus. “Kritik am Bildungssystem ist immer auch Kritik am Kapitalismus!” schallt es. Man verkauft T-Shirts und protestiert, die Universitäten seien “Steigbügelhalter des neoliberalen Systems”. Ich fühle mich instrumentalisiert von den Ideologen am Mikrofon.
Ich kann mich entscheiden, im “schwarzen Block” der Autonomen, im roten Block der Kommunisten, bei den Antifaschisten oder den Antikapitalisten mitzulaufen. Dann doch lieber zur S-Bahn.
Ravelry is a knit and crochet community. In an interview with Tim Bray of ongoing, their site engineer Casey Forbes says: “We have 7 servers running Gentoo Linux and virtualized into a total of 13 virtual servers with Xen.” On these servers they use nginx, HAProxy, Apache, MySQL, and of course Ruby on Rails (with Passenger). And how they use it!
We’ve got 430,000 registered users, in a month we’ll see 200,000 of those, about 135,000 in a week and about 70,000 in a day.
We peak at 3.6 million pageviews per day. That’s registered users only (doesn’t include the very few pages that are Google accessible) and does not include the usual API calls, RSS feeds, AJAX.
Actual requests that hit Rails per day is 10 million.
900 new users sign up per day.
The forums are very active with about 50,000 new posts being written each day.
Thanks for sharing the details, it’s what keeps us developers running. At least those as vain as me.
Just like last year, the German publication Linux Magazin, interviewed projects at LinuxTag and created a video collage. If you’ll skip through the video anyway, be sure to see fauli and me dance at 1:30 and lu_zero at 6:20. Ohh, and you want more pictures? Check out this site with pictures by Andie Gilmour.
LinuxTag 2009 is over. I slept 12 hours after that, slightly less than the total of sleep I got throughout the four days. But it was amazing. There’s so many people I have to thank that made this a unique experience. Here’s my attempt at a partial list. Thanks to…
- All visitors for keeping us busy through discussions, compiling buttons together, and by accepting all our sneaky attempts to hand out flyers.
- Gentoo e.V. for covering the costs for printing flyers, buttons, banner, sweets and drinks.
- Alex Legler for designing the flyers, the banner, making sure they get printed in time, and manning the booth.
- Sebastian Pipping for designing both the t-shirts and word cloud with me, and giving valuable of feedback on the booth presentation. He also organized sweets and the diner table of Tuesday evening.
- Christian Faulhammer for manning the booth longer than anybody else; he helped out throughout all four days, from the first minute until his train left.
- Tobias Scherbaum for approving all our funding requests; being there even at a busy time and organising the two Gentoo book samples.
- Wernfried Haas and Claudia, for creating and hanging up the great Larry prints again. What would a Gentoo booth be without them?
- Sebastian Dyroff for driving all the boxes to the exhibition grounds and back to my place, and staying at the booth for quite a while.
- Luca Barbato for being around every now and then, while not busy at the ffmpeg booth.
- Florian Streibelt for fixing the presentation machine, providing some hardware on short notice and his booth service.
- Daniel Sturm for lending the button machine and buying all supplies, and manning the booth.
- Fabian Groffen for taking the long drive from the Netherlands, and work the booth despite partying.
- Valentin Haenel for being at the booth on Saturday.
- Torsten Schmits for manning the booth on Friday. (Hope you get better soon!)
- Björn Tropf for preparing the flyer with Alex and being there two days.
- Gordon Malm for proof-reading and improving the flyer.
- Tobias Kral and an unknown messenger for getting the stickers and mouse pad to the event.
- Benedikt Böhm, Christian Parpart, and Hanno Boeck for stopping by at the booth and saying hello.
- All LinuxTag helpers for all the work they did, including full-time catering. Special thanks to Daniel, Sebastian Pipping and Fabian for participating in that.
- All corporate sponsors of the event, they paid for catering and parts of the Social Event.
- Fedora for the free pizza on Friday.
- Ubuntu Berlin for the barbeque on Saturday.
- All those who offered help for next year. We will come back to you, LinuxTag 2010 is June 9 to 12.
Let me finish with a few bytes of statistics. There were more than 10 000 visitors, we sold 39 t-shirts, drank 34 bottles of Mate and 10 bottles of water, and ate 3 kg of sweets. Ohh, and here’s us again:
Last row, from the left: rbu, grobian, sping, fauli behind dertobi123, a3li, Claudia and amne. Front row: Florian, Sebastian Dyroff, Dan Levin.
It’s time for a great summer in Germany again! And what better opportunity to spend it than with Gentoo friends at LinuxTag?
The largest Linux consumer and developer fair in Europe will be taking place Wednesday, June 24th to Saturday, June 27th. And of course Gentoo will be there with a booth. Meet some of the developers of your favourite distribution, and satisfy all your ebuild needs, maybe even have us fix one or the other bug. We even hope to bring some merchandise this time. So if you haven’t registered for a hostel or hotel, you might want to do that now.
You are also more than welcome to contribute to the booth, either by attending as a staff member (free entrance to the show is only one of the many benefits!), or by organising t-shirts, flyers and maybe even cups. Please contact me via email if you’re up for that.
And now back to hacking on my thesis and some security bugs… oh, and NetworkManager 0.7.1 is coming, thanks to Robert Piasek and Gilles Dartiguelongue who have been contributing a lot to the ebuilds while I was slacking.
I often need to copy small files (configs, scripts, patches) from one machine to another and I have found using “cat” and copy-paste to be very unreliable for this: You lose tab characters, file names, permissions, and it cannot handle binaries. Plus, it gets tedious for long text files. So I added a function to my .zshrc that takes file names as an argument and prints shell code you can simply copy and paste into a remote ssh session. The current working directory will then contain the files:
rbu@localhost ~/copy-example $ ls -l
total 8.0K
-rw-r--r-- 1 rbu rbu 29 2009-04-01 17:24 doc1
-rwx--x--x 1 rbu rbu 181 2009-04-01 17:25 some-bin
rbu@localhost ~/copy-example $ copy doc1 some-bin
cat<<E=O=F | perl -MMIME::Base64 -e 'print MIME::Base64::decode(join("", <>))' - | tar xj
QlpoOTFBWSZTWbDjvy4AANl///6/SH1QLn+oZAgORH7jngCAcExyZEJgBABAYABqMEQJMAEbbbMN
QKR5TaEwAn6oxGaGiYAQDCNPTSY9QmTT0AaptKbUxGhHoaAE0aY0AAAEMJowEYTJglEinqD1Mgeo
ZGagAHqM0RkyNAD1D1PUADynlMBeffJ2xSkqIiZOGCIOv87QvSzIWsqS1GG4qIB55xMGD5cgy2Ya
IgH0wmmgmcKCEZJL0BilCat4n/ubxlVIXfIgMCABOZxo2zA0pK5IxR1+ikXrUe7bmHxeL1jyK6fe
fcO0xLbzPXYIxokkI+yKJynt03pqRDZQfBMbvdEaBRQwjQZvEhdVNDcIAOAhVyeeaKerlMFSJYBM
56ibgEosooEIAO8PC9oAbQmOVk8YoGRBgkN9wH8oaOxCgeCuu6VCljLtzvDSGdIYGcPOgRVh+LBi
u/AotDOnl/uuQtH7Md37RU6SE4jjPOLUEHLj0OIOKTNkqk1FiehcQSg62CAQ/4u5IpwoSFhx35cA
E=O=F
On the remote host you can simply paste this code:
buchholz@remotehost:~/target-dir$ ls -l
total 0
buchholz@remotehost:~/target-dir$ cat<<E=O=F | \
perl -MMIME::Base64 -e 'print MIME::Base64::decode(join("", <>))' - | tar xj
> QlpoOTFBWSZTWbDjvy4AANl///6/SH1QLn+oZAgORH7jngCAcExyZEJgBABAYABqMEQJMAEbbbMN
> QKR5TaEwAn6oxGaGiYAQDCNPTSY9QmTT0AaptKbUxGhHoaAE0aY0AAAEMJowEYTJglEinqD1Mgeo
> ZGagAHqM0RkyNAD1D1PUADynlMBeffJ2xSkqIiZOGCIOv87QvSzIWsqS1GG4qIB55xMGD5cgy2Ya
> IgH0wmmgmcKCEZJL0BilCat4n/ubxlVIXfIgMCABOZxo2zA0pK5IxR1+ikXrUe7bmHxeL1jyK6fe
> fcO0xLbzPXYIxokkI+yKJynt03pqRDZQfBMbvdEaBRQwjQZvEhdVNDcIAOAhVyeeaKerlMFSJYBM
> 56ibgEosooEIAO8PC9oAbQmOVk8YoGRBgkN9wH8oaOxCgeCuu6VCljLtzvDSGdIYGcPOgRVh+LBi
> u/AotDOnl/uuQtH7Md37RU6SE4jjPOLUEHLj0OIOKTNkqk1FiehcQSg62CAQ/4u5IpwoSFhx35cA
> E=O=F
buchholz@remotehost:~/target-dir$ ls -l
total 8
-rw-r--r-- 1 buchholz buchholz 29 Apr 1 17:24 doc1
-rwx--x--x 1 buchholz buchholz 181 Apr 1 17:25 some-bin
And now for the shell action to do this (in ZSH):
function copy() {
STR=$(tar cj $@ | perl -MMIME::Base64 -e 'print MIME::Base64::encode(join("", <>))' \
- ; exit $pipestatus[1] ) || return $?
echo "cat<<E=O=F | perl -MMIME::Base64 -e \
'print MIME::Base64::decode(join(\"\", <>))' - | tar xj"
echo "$STR"
echo "E=O=F"
}
If you are using bash, you need to replace “exit $pipestatus[1]” with “exit $PIPESTATUS” :-/
Python is a great programming language, and I use it to write almost all of my tools. But even the best tool cannot protect you from hurting yourself when you don’t know all its edges.
Python has three ways to execute your code for you: You type up a script, and let python run it (python script.py or ./script.py), you start the interactive python console (or use dev-python/ipython which is really neat) or instruct python to run a specific command via an argument (”python -c ‘print 17′”). Now, in the interactive case you often have python files lying around in your current working directory, and want to import them and then test a function. For this reason the current working directory is the first element in the module search path, in Python terms: sys.path[0] = ‘.’. Obviously, this would be a huge mistake when asking Python to run some file; you would not expect virt-manager to load its dependencies from /tmp just because you started it there. The last option, however is the corner case here: The python developers went with the way the interactive shell works, and so this happens:
rbu@peanut /tmp $ echo 'print 1' > re.py
rbu@peanut /tmp $ python -c 'import re'
1
This is not an issue in itself, as it is documented, but it certainly is something you should note when writing scripts that people are supposed to run on multi-user systems. If your shell script in /usr/bin calls “python -c” and people run the script from /tmp, they might end up executing code from Python modules a local attacker had placed there.
And that is how today, we released GLSA 200810-02 for bug 239560, a local root vulnerability “in” Portage. But in the end, it’s not even Portage’s fault. Several ebuilds (among them the ebuild for Portage 2.1 itself) used “python -c” and Portage does not change the working directory when it executes the ebuild’s bash functions. And judging from the ebuild API specification, it does not have to: The ebuilds are the ones that need to make sure Python does not include the current working directory (e.g. export PYTHONPATH). But even those rules are not written in stone, and I hope we bring forward a change of this contract.
So, if you own or distribute any shell scripts that interact with Python, please make sure you keep your Python in its cage. Oh, and check your usage of urllib2.urlopen() while at it.
According to the author the $35 Windows program Folder Lock is “a fast file-security program that can password-protect, lock, hide and encrypt any number of files… Protected files are hidden, undeletable, inaccessible and highly secure”. It even works on “USB Flash Drives, Memory Sticks, CD-RW, floppies and notebooks.”
Now while I still wonder how they protect files from deletion on USB sticks, Charalambous Glafkos found out that the password to encrypt the files is stored in the Windows Registry. For maximum security it is reversed and encrypted with ROT-25.
OpenSSH 5.1 is out, and besides a Security issue that does not affect Linux or the BSDs, it includes a new feature labelled VisualHostKey, aka SSH Fingerprint ASCII Visualisation. Using an idea proposed in the 1999 paper Hash visualization: A new technique to improve real-world security by Perrig and Song, an image with 18×9 resolution is generated from the fingerprint of the SSH server, and is displayed to the client.
Since the feature is experimental, and the algorithm to generate the image should not be considered final yet, display is disabled by default. You can see a test-run in the screen capture, and a (just for fun) list of images of my known hosts. I wonder how long it takes to remember that face… doesn’t it look like bit like Marge Simpson?
Now why all this, you are asking?
It is deemed that images are easier to compare and remember than the usual 32 hex digits, and I believe everyone has to judge by him/herself if that is true. How many of those SSH/OTR/SSL… fingerprint digits do you check*? All of them? Any, at all? Where did you derive your latest Firefox SSL CA certificates from? At a time where I cannot trust my provider to run a secure DNS server, verifying the authenticity of either the other side of communication, or the data in transit is most crucial. Let’s finally get that Tree Signing going!
* If you only check the first 4 digits, and the last 2 — you are riding on a 24 bit fingerprint.
