While Ubuntu lost the “just works on your notebook” unique selling point a while ago (thanks to freedesktop et. al.), we could convince Ubuntu founder Mark Shuttleworth to sign our Gentoo slogan “It’s all about choice” — so maybe in a year from now, you might see USE flags in Ubuntu as well. Don’t believe it? Here’s proof.

On a more serious note, I really like how events like LinuxTag encourage collaboration between distributions. You often meet people that do similar things in a different way, learn about new technology and ideas and (here’s the best part) most people will even want to show you how they integrated something and convince you to do it similarly. Try to get that with an i*hone at some consumer convention.

Oh, and if you read this whole text to get an answer to the question in the title: No. He was a Debian developer years before Gentoo was on the horizon.

And this time, we’re celebrating. As this is the fifth time we present our favorite distribution at LinuxTag, we have prepared a great booth for all Gentoo users, developers — and those who want to join the fun. After having visited the events in Karlsruhe in 2003 and 2004, we are regular visitors at the Berlin LinuxTag since 2008. Besides our usual activities (talking, emerging, giving away merchandise), we will have our unique Gentoo T-Shirts, the latest Gentoo DVDs, and the world’s most configurable Gentoo badge compiler.

So pack your bags, come to Berlin, and meet the 10+ Gentoo developers and users that already signed up. And maybe, you’ll join us for the some beer (or Mate tea) after the show or enjoy helping other users at the booth (drop us an email)?

But wait, there’s more! The German non-profit association “Förderverein Gentoo e.V.” will hold a member’s meeting right on the Fairgrounds on Friday (11th), 12:00–14:00 in the workshop room. Not a member yet? You can still become one, even right there and support our work.

Hope to see you all in Berlin!

Ich kann mich entscheiden, im “schwarzen Block” der Autonomen, im roten Block der Kommunisten, bei den Antifaschisten oder den Antikapitalisten mitzulaufen. Dann doch lieber zur S-Bahn.

We’ve got 430,000 registered users, in a month we’ll see 200,000 of those, about 135,000 in a week and about 70,000 in a day.
We peak at 3.6 million pageviews per day. That’s registered users only (doesn’t include the very few pages that are Google accessible) and does not include the usual API calls, RSS feeds, AJAX.
Actual requests that hit Rails per day is 10 million.
900 new users sign up per day.
The forums are very active with about 50,000 new posts being written each day.

Thanks for sharing the details, it’s what keeps us developers running. At least those as vain as me.

• All visitors for keeping us busy through discussions, compiling buttons together, and by accepting all our sneaky attempts to hand out flyers.
• Gentoo e.V. for covering the costs for printing flyers, buttons, banner, sweets and drinks.
• Alex Legler for designing the flyers, the banner, making sure they get printed in time, and manning the booth.
• Sebastian Pipping for designing both the t-shirts and word cloud with me, and giving valuable of feedback on the booth presentation. He also organized sweets and the diner table of Tuesday evening.
• Christian Faulhammer for manning the booth longer than anybody else; he helped out throughout all four days, from the first minute until his train left.
• Tobias Scherbaum for approving all our funding requests; being there even at a busy time and organising the two Gentoo book samples.
• Wernfried Haas and Claudia, for creating and hanging up the great Larry prints again. What would a Gentoo booth be without them?
• Sebastian Dyroff for driving all the boxes to the exhibition grounds and back to my place, and staying at the booth for quite a while.
• Luca Barbato for being around every now and then, while not busy at the ffmpeg booth.
• Florian Streibelt for fixing the presentation machine, providing some hardware on short notice and his booth service.
• Daniel Sturm for lending the button machine and buying all supplies, and manning the booth.
• Fabian Groffen for taking the long drive from the Netherlands, and work the booth despite partying.
• Valentin Haenel for being at the booth on Saturday.
• Torsten Schmits for manning the booth on Friday. (Hope you get better soon!)
• Björn Tropf for preparing the flyer with Alex and being there two days.
• Gordon Malm for proof-reading and improving the flyer.
• Tobias Kral and an unknown messenger for getting the stickers and mouse pad to the event.
• Benedikt Böhm, Christian Parpart, and Hanno Boeck for stopping by at the booth and saying hello.
• All LinuxTag helpers for all the work they did, including full-time catering. Special thanks to Daniel, Sebastian Pipping and Fabian for participating in that.
• All corporate sponsors of the event, they paid for catering and parts of the Social Event.
• Fedora for the free pizza on Friday.
• Ubuntu Berlin for the barbeque on Saturday.
• All those who offered help for next year. We will come back to you, LinuxTag 2010 is June 9 to 12.

Let me finish with a few bytes of statistics. There were more than 10 000 visitors, we sold 39 t-shirts, drank 34 bottles of Mate and 10 bottles of water, and ate 3 kg of sweets. Ohh, and here’s us again:

Last row, from the left: rbu, grobian, sping, fauli behind dertobi123, a3li, Claudia and amne. Front row: Florian, Sebastian Dyroff, Dan Levin.

]]> http://rrr.thetruth.de/2009/06/linuxtag-kudos/feed/ 4 http://rrr.thetruth.de/2009/06/linuxtag-setup-and-first-day/ http://rrr.thetruth.de/2009/06/linuxtag-setup-and-first-day/#comments Wed, 24 Jun 2009 14:20:14 +0000 rbu http://rrr.thetruth.de/?p=41 So the first day of the four days of Gentoo at LinuxTag is almost over. It’s a very exciting event, talking to users, visitors, and devs, and in the end we could even convince some unhappy Ubuntu users to try Gentoo. Here’s some pictures of what happened so far.

Pictures were taken by Florian, amne and fauli. The word cloud poster is by sping and me.

The largest Linux consumer and developer fair in Europe will be taking place Wednesday, June 24th to Saturday, June 27th.  And of course Gentoo will be there with a booth. Meet some of the developers of your favourite distribution, and satisfy all your ebuild needs, maybe even have us fix  one or the other bug. We even hope to bring some merchandise this time. So if you haven’t registered for a hostel or hotel, you might want to do that now.

You are also more than welcome to contribute to the booth, either by attending as a staff member (free entrance to the show is only one of the many benefits!), or by organising t-shirts, flyers and maybe even cups. Please contact me via email if you’re up for that.

And now back to hacking on my thesis and some security bugs… oh, and NetworkManager 0.7.1 is coming, thanks to Robert Piasek and Gilles Dartiguelongue who have been contributing a lot to the ebuilds while I was slacking.

rbu@localhost ~/copy-example $ ls -l
total 8.0K
-rw-r--r-- 1 rbu rbu  29 2009-04-01 17:24 doc1
-rwx--x--x 1 rbu rbu 181 2009-04-01 17:25 some-bin

rbu@localhost ~/copy-example $ copy doc1 some-bin
cat<<E=O=F | perl -MMIME::Base64 -e 'print MIME::Base64::decode(join("", <>))' - | tar xj
QlpoOTFBWSZTWbDjvy4AANl///6/SH1QLn+oZAgORH7jngCAcExyZEJgBABAYABqMEQJMAEbbbMN
QKR5TaEwAn6oxGaGiYAQDCNPTSY9QmTT0AaptKbUxGhHoaAE0aY0AAAEMJowEYTJglEinqD1Mgeo
ZGagAHqM0RkyNAD1D1PUADynlMBeffJ2xSkqIiZOGCIOv87QvSzIWsqS1GG4qIB55xMGD5cgy2Ya
IgH0wmmgmcKCEZJL0BilCat4n/ubxlVIXfIgMCABOZxo2zA0pK5IxR1+ikXrUe7bmHxeL1jyK6fe
fcO0xLbzPXYIxokkI+yKJynt03pqRDZQfBMbvdEaBRQwjQZvEhdVNDcIAOAhVyeeaKerlMFSJYBM
56ibgEosooEIAO8PC9oAbQmOVk8YoGRBgkN9wH8oaOxCgeCuu6VCljLtzvDSGdIYGcPOgRVh+LBi
u/AotDOnl/uuQtH7Md37RU6SE4jjPOLUEHLj0OIOKTNkqk1FiehcQSg62CAQ/4u5IpwoSFhx35cA
E=O=F

On the remote host you can simply paste this code:

buchholz@remotehost:~/target-dir$ ls -l
total 0
buchholz@remotehost:~/target-dir$ cat<<E=O=F | \
   perl -MMIME::Base64 -e 'print MIME::Base64::decode(join("", <>))' - | tar xj
> QlpoOTFBWSZTWbDjvy4AANl///6/SH1QLn+oZAgORH7jngCAcExyZEJgBABAYABqMEQJMAEbbbMN
> QKR5TaEwAn6oxGaGiYAQDCNPTSY9QmTT0AaptKbUxGhHoaAE0aY0AAAEMJowEYTJglEinqD1Mgeo
> ZGagAHqM0RkyNAD1D1PUADynlMBeffJ2xSkqIiZOGCIOv87QvSzIWsqS1GG4qIB55xMGD5cgy2Ya
> IgH0wmmgmcKCEZJL0BilCat4n/ubxlVIXfIgMCABOZxo2zA0pK5IxR1+ikXrUe7bmHxeL1jyK6fe
> fcO0xLbzPXYIxokkI+yKJynt03pqRDZQfBMbvdEaBRQwjQZvEhdVNDcIAOAhVyeeaKerlMFSJYBM
> 56ibgEosooEIAO8PC9oAbQmOVk8YoGRBgkN9wH8oaOxCgeCuu6VCljLtzvDSGdIYGcPOgRVh+LBi
> u/AotDOnl/uuQtH7Md37RU6SE4jjPOLUEHLj0OIOKTNkqk1FiehcQSg62CAQ/4u5IpwoSFhx35cA
> E=O=F
buchholz@remotehost:~/target-dir$ ls -l
total 8
-rw-r--r-- 1 buchholz buchholz  29 Apr  1 17:24 doc1
-rwx--x--x 1 buchholz buchholz 181 Apr  1 17:25 some-bin

And now for the shell action to do this (in ZSH):

function copy() {
        STR=$(tar cj $@ | perl -MMIME::Base64 -e 'print MIME::Base64::encode(join("", <>))' \
            - ; exit $pipestatus[1] ) || return $?
        echo "cat<<E=O=F | perl -MMIME::Base64 -e \
             'print MIME::Base64::decode(join(\"\", <>))' - | tar xj"
        echo "$STR"
        echo "E=O=F"
}

If you are using bash, you need to replace “exit $pipestatus[1]” with “exit $PIPESTATUS” :-/

Python has three ways to execute your code for you: You type up a script, and let python run it (python script.py or ./script.py), you start the interactive python console (or use dev-python/ipython which is really neat) or instruct python to run a specific command via an argument (”python -c ‘print 17′”). Now, in the interactive case you often have python files lying around in your current working directory, and want to import them and then test a function. For this reason the current working directory is the first element in the module search path, in Python terms: sys.path[0] = ‘.’. Obviously, this would be a huge mistake when asking Python to run some file; you would not expect virt-manager to load its dependencies from /tmp just because you started it there. The last option, however is the corner case here: The python developers went with the way the interactive shell works, and so this happens:

rbu@peanut /tmp $ echo 'print 1' > re.py
rbu@peanut /tmp $ python -c 'import re'
1

This is not an issue in itself, as it is documented, but it certainly is something you should note when writing scripts that people are supposed to run on multi-user systems. If your shell script in /usr/bin calls “python -c” and people run the script from /tmp, they might end up executing code from Python modules a local attacker had placed there.

And that is how today, we released GLSA 200810-02 for bug 239560, a local root vulnerability “in” Portage. But in the end, it’s not even Portage’s fault. Several ebuilds (among them the ebuild for Portage 2.1 itself) used “python -c” and Portage does not change the working directory when it executes the ebuild’s bash functions. And judging from the ebuild API specification, it does not have to: The ebuilds are the ones that need to make sure Python does not include the current working directory (e.g. export PYTHONPATH). But even those rules are not written in stone, and I hope we bring forward a change of this contract.

So, if you own or distribute any shell scripts that interact with Python, please make sure you keep your Python in its cage. Oh, and check your usage of urllib2.urlopen() while at it.

Now while I still wonder how they protect files from deletion on USB sticks, Charalambous Glafkos found out that the password to encrypt the files is stored in the Windows Registry. For maximum security it is reversed and encrypted with ROT-25.

Since the feature is experimental, and the algorithm to generate the image should not be considered final yet, display is disabled by default. You can see a test-run in the screen capture, and a (just for fun) list of images of my known hosts. I wonder how long it takes to remember that face… doesn’t it look like bit like Marge Simpson?

Now why all this, you are asking?

It is deemed that images are easier to compare and remember than the usual 32 hex digits, and I believe everyone has to judge by him/herself if that is true. How many of those SSH/OTR/SSL… fingerprint digits do you check*? All of them? Any, at all? Where did you derive your latest Firefox SSL CA certificates from? At a time where I cannot trust my provider to run a secure DNS server, verifying the authenticity of either the other side of communication, or the data in transit is most crucial. Let’s finally get that Tree Signing going!

* If you only check the first 4 digits, and the last 2 — you are riding on a 24 bit fingerprint.

Speaking of money, if you are still in need of free tickets for all four days, drop me a mail. First come, first served.

It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.

The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions. The old stable distribution
(sarge) is not affected.

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.

This vulnerability is caused by a patch shipped in Debian, Ubuntu, and other derivatives. Gentoo’s OpenSSL version is not affected, but everyone should check user-provided public keys (such as OpenSSH’s authorized_keys) using the Debian/OpenSSL Weak Key Detector.

Update: Ben Laurie of OpenSSL is making a point that Vendors Are Bad For Security, which I would not follow in that general form. What I have to grant him: Mechanisms of peer review must be employed properly and patches discussed with upstream. If you follow this philosophy, Vendors Are Good For Security.

# copy the system's openssl config

$ cp /etc/ssl/openssl.cnf .

# patch

$ cat<<EOF | patch

--- openssl.cnf.orig	2008-04-10 18:01:37.000000000 +0200
+++ openssl.cnf	2008-04-10 18:02:18.000000000 +0200
@@ -141,8 +141,14 @@
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

-commonName			= Common Name (eg, YOUR name)
-commonName_max			= 64
+0.commonName			= Common Name 1
+0.commonName_max			= 64
+
+1.commonName			= Common Name 2
+1.commonName_max			= 64
+
+2.commonName			= Common Name 3
+2.commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64
EOF

# now create a certificate with this config

$ openssl req -newkey rsa:4096 -nodes -keyout ssl.key -out ssl.pem -config openssl.cnf
...Organizational Unit Name (eg, section) []:
Common Name 1 []:goodpoint.de
Common Name 2 []:*.goodpoint.de
Common Name 3 []:*.*.goodpoint.de
Email Address []:...

And for all remaining sceptics, these certificates will even be signed by CaCert.org:

CVE-2008-1546:
servlet/MIMEReceiveServlet in the web controller for Mitsubishi Electric GB-50
and GB-50A air-conditioning control systems allows remote attackers to cause
a denial of service (air-conditioning outage) via an XML document containing
a setRequest command.

I’m still hoping for the first GNU/Toaster.

In Gentoo, if you compiled Firefox from source, you could either choose between official branding with the risk of trademark issues if you distribute binary packages, or Firefox’ default theme, “Bon Echo”. Thanks to our Mozilla grandmaster Raúl Porcel (armin76), we now also have the Iceweasel branding available, the USE flag is called “iceweasel”. It does not remove any parts of Firefox except icons and names, that is still your job to do. Thanks, Raúl. I don’t have to envy anymore!

Apparantly, I was not the only to feel this way. Tobias Klauser of the Zürcher Hochschule für angewandte Wissenschaften in Switzerland who heard of (or attended?) our series started an own session of Distro Bashs in the Linux User Group of his university. Too bad I can’t be there, but it’s great to see how our idea travels and evolves. Read more about it in press reports at Pro-Linux and symlink.

Long version:

Fixing some security bugs in teTeX yesterday, I came across a problem that only happens when upstream really messes up: Changing their tarball and leave the same name.

This is disruptive as the user/portage can decide to download either from one of Gentoo’s mirrors or the SRC_URI, but he has one checksum for the file it expects. So we have two options now: Mirror the old file ourselves, changing SRC_URI to mirror://gentoo/ or update the file on our mirrors.

The latter is not a trivial thing to do though: Just changing the checksum and upload the new ebuild could cause serious damage to users. The tarball was 100 MB big and if a user has ten mirrors set up, 1 GB of traffic could be caused before downloading from SRC_URI. Solar came up with a great trick here:

1. Change all ebuilds referencing that file to RESTRICT=”mirror“.
2. Change the checksum of the distfile.
3. Wait a day.
4. Remove RESTRICT.

This will probably cause least damage (ok, it’s second to renaming the file). Users with current trees will download the new file from the SRC_URI. If they have the old file still on their disk, portage will download a new one. Users with old trees will find the file on the mirrors until some hours after (2). They have to re-sync or die a very painful traffic-death.

And that’s why you should

1. always emerge --sync before updating anything.
2. never ever re-release a file with the same name.