Ravelry is a knit and crochet community. In an interview with Tim Bray of ongoing, their site engineer Casey Forbes says: “We have 7 servers running Gentoo Linux and virtualized into a total of 13 virtual servers with Xen.” On these servers they use nginx, HAProxy, Apache, MySQL, and of course Ruby on Rails (with Passenger). And how they use it!
We’ve got 430,000 registered users, in a month we’ll see 200,000 of those, about 135,000 in a week and about 70,000 in a day.
We peak at 3.6 million pageviews per day. That’s registered users only (doesn’t include the very few pages that are Google accessible) and does not include the usual API calls, RSS feeds, AJAX.
Actual requests that hit Rails per day is 10 million.
900 new users sign up per day.
The forums are very active with about 50,000 new posts being written each day.
Thanks for sharing the details, it’s what keeps us developers running. At least those as vain as me.
Just like last year, the German publication Linux Magazin, interviewed projects at LinuxTag and created a video collage. If you’ll skip through the video anyway, be sure to see fauli and me dance at 1:30 and lu_zero at 6:20. Ohh, and you want more pictures? Check out this site with pictures by Andie Gilmour.
LinuxTag 2009 is over. I slept 12 hours after that, slightly less than the total of sleep I got throughout the four days. But it was amazing. There’s so many people I have to thank that made this a unique experience. Here’s my attempt at a partial list. Thanks to…
- All visitors for keeping us busy through discussions, compiling buttons together, and by accepting all our sneaky attempts to hand out flyers.
- Gentoo e.V. for covering the costs for printing flyers, buttons, banner, sweets and drinks.
- Alex Legler for designing the flyers, the banner, making sure they get printed in time, and manning the booth.
- Sebastian Pipping for designing both the t-shirts and word cloud with me, and giving valuable of feedback on the booth presentation. He also organized sweets and the diner table of Tuesday evening.
- Christian Faulhammer for manning the booth longer than anybody else; he helped out throughout all four days, from the first minute until his train left.
- Tobias Scherbaum for approving all our funding requests; being there even at a busy time and organising the two Gentoo book samples.
- Wernfried Haas and Claudia, for creating and hanging up the great Larry prints again. What would a Gentoo booth be without them?
- Sebastian Dyroff for driving all the boxes to the exhibition grounds and back to my place, and staying at the booth for quite a while.
- Luca Barbato for being around every now and then, while not busy at the ffmpeg booth.
- Florian Streibelt for fixing the presentation machine, providing some hardware on short notice and his booth service.
- Daniel Sturm for lending the button machine and buying all supplies, and manning the booth.
- Fabian Groffen for taking the long drive from the Netherlands, and work the booth despite partying.
- Valentin Haenel for being at the booth on Saturday.
- Torsten Schmits for manning the booth on Friday. (Hope you get better soon!)
- Björn Tropf for preparing the flyer with Alex and being there two days.
- Gordon Malm for proof-reading and improving the flyer.
- Tobias Kral and an unknown messenger for getting the stickers and mouse pad to the event.
- Benedikt Böhm, Christian Parpart, and Hanno Boeck for stopping by at the booth and saying hello.
- All LinuxTag helpers for all the work they did, including full-time catering. Special thanks to Daniel, Sebastian Pipping and Fabian for participating in that.
- All corporate sponsors of the event, they paid for catering and parts of the Social Event.
- Fedora for the free pizza on Friday.
- Ubuntu Berlin for the barbeque on Saturday.
- All those who offered help for next year. We will come back to you, LinuxTag 2010 is June 9 to 12.
Let me finish with a few bytes of statistics. There were more than 10 000 visitors, we sold 39 t-shirts, drank 34 bottles of Mate and 10 bottles of water, and ate 3 kg of sweets. Ohh, and here’s us again:
Last row, from the left: rbu, grobian, sping, fauli behind dertobi123, a3li, Claudia and amne. Front row: Florian, Sebastian Dyroff, Dan Levin.
It’s time for a great summer in Germany again! And what better opportunity to spend it than with Gentoo friends at LinuxTag?
The largest Linux consumer and developer fair in Europe will be taking place Wednesday, June 24th to Saturday, June 27th. And of course Gentoo will be there with a booth. Meet some of the developers of your favourite distribution, and satisfy all your ebuild needs, maybe even have us fix one or the other bug. We even hope to bring some merchandise this time. So if you haven’t registered for a hostel or hotel, you might want to do that now.
You are also more than welcome to contribute to the booth, either by attending as a staff member (free entrance to the show is only one of the many benefits!), or by organising t-shirts, flyers and maybe even cups. Please contact me via email if you’re up for that.
And now back to hacking on my thesis and some security bugs… oh, and NetworkManager 0.7.1 is coming, thanks to Robert Piasek and Gilles Dartiguelongue who have been contributing a lot to the ebuilds while I was slacking.
Python is a great programming language, and I use it to write almost all of my tools. But even the best tool cannot protect you from hurting yourself when you don’t know all its edges.
Python has three ways to execute your code for you: You type up a script, and let python run it (python script.py or ./script.py), you start the interactive python console (or use dev-python/ipython which is really neat) or instruct python to run a specific command via an argument (”python -c ‘print 17′”). Now, in the interactive case you often have python files lying around in your current working directory, and want to import them and then test a function. For this reason the current working directory is the first element in the module search path, in Python terms: sys.path[0] = ‘.’. Obviously, this would be a huge mistake when asking Python to run some file; you would not expect virt-manager to load its dependencies from /tmp just because you started it there. The last option, however is the corner case here: The python developers went with the way the interactive shell works, and so this happens:
rbu@peanut /tmp $ echo 'print 1' > re.py
rbu@peanut /tmp $ python -c 'import re'
1
This is not an issue in itself, as it is documented, but it certainly is something you should note when writing scripts that people are supposed to run on multi-user systems. If your shell script in /usr/bin calls “python -c” and people run the script from /tmp, they might end up executing code from Python modules a local attacker had placed there.
And that is how today, we released GLSA 200810-02 for bug 239560, a local root vulnerability “in” Portage. But in the end, it’s not even Portage’s fault. Several ebuilds (among them the ebuild for Portage 2.1 itself) used “python -c” and Portage does not change the working directory when it executes the ebuild’s bash functions. And judging from the ebuild API specification, it does not have to: The ebuilds are the ones that need to make sure Python does not include the current working directory (e.g. export PYTHONPATH). But even those rules are not written in stone, and I hope we bring forward a change of this contract.
So, if you own or distribute any shell scripts that interact with Python, please make sure you keep your Python in its cage. Oh, and check your usage of urllib2.urlopen() while at it.
OpenSSH 5.1 is out, and besides a Security issue that does not affect Linux or the BSDs, it includes a new feature labelled VisualHostKey, aka SSH Fingerprint ASCII Visualisation. Using an idea proposed in the 1999 paper Hash visualization: A new technique to improve real-world security by Perrig and Song, an image with 18×9 resolution is generated from the fingerprint of the SSH server, and is displayed to the client.
Since the feature is experimental, and the algorithm to generate the image should not be considered final yet, display is disabled by default. You can see a test-run in the screen capture, and a (just for fun) list of images of my known hosts. I wonder how long it takes to remember that face… doesn’t it look like bit like Marge Simpson?
Now why all this, you are asking?
It is deemed that images are easier to compare and remember than the usual 32 hex digits, and I believe everyone has to judge by him/herself if that is true. How many of those SSH/OTR/SSL… fingerprint digits do you check*? All of them? Any, at all? Where did you derive your latest Firefox SSL CA certificates from? At a time where I cannot trust my provider to run a secure DNS server, verifying the authenticity of either the other side of communication, or the data in transit is most crucial. Let’s finally get that Tree Signing going!
* If you only check the first 4 digits, and the last 2 — you are riding on a 24 bit fingerprint.
There are only two days left until the LinuxTag in Berlin will start (May 28-31), and Gentoo will be featured with a booth again this year. It’s been some busy weeks for us, and I hope our presentation will turn out to be satisfactory. Even if we do not have the financial backing of other projects.
Speaking of money, if you are still in need of free tickets for all four days, drop me a mail. First come, first served.
If you run any kind of server, especially Debian or Ubuntu, or grant users access to your server, you might want to read the Debian Security Advisory DSA-1571-1 or Ubuntu’s Security Notice USN-612-1 for CVE-2008-0166, and check your encryption keys:
It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian
systems is recreated from scratch. Furthermore, all DSA keys ever used
on affected Debian systems for signing or authentication purposes should
be considered compromised; the Digital Signature Algorithm relies on a
secret random value used during signature generation.
The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
distribution on 2006-09-17, and has since propagated to the testing and
current stable (etch) distributions. The old stable distribution
(sarge) is not affected.
Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key
material for use in X.509 certificates and session keys used in SSL/TLS
connections. Keys generated with GnuPG or GNUTLS are not affected,
though.
This vulnerability is caused by a patch shipped in Debian, Ubuntu, and other derivatives. Gentoo’s OpenSSL version is not affected, but everyone should check user-provided public keys (such as OpenSSH’s authorized_keys) using the Debian/OpenSSL Weak Key Detector.
Update: Ben Laurie of OpenSSL is making a point that Vendors Are Bad For Security, which I would not follow in that general form. What I have to grant him: Mechanisms of peer review must be employed properly and patches discussed with upstream. If you follow this philosophy, Vendors Are Good For Security.
If you are like me and have a lot of good friends that use Debian-based GNU/Linux systems, you were probably envious that their Firefox uses a much nicer icon set, and a different name: Iceweasel. The reason lies within the fact that Debian removes unfree parts (like binary plug-ins) and was therefore forced by Mozilla to use another name and logo, as Firefox’ trademark policy forbids distributing patched versions under that name.
In Gentoo, if you compiled Firefox from source, you could either choose between official branding with the risk of trademark issues if you distribute binary packages, or Firefox’ default theme, “Bon Echo”. Thanks to our Mozilla grandmaster Raúl Porcel (armin76), we now also have the Iceweasel branding available, the USE flag is called “iceweasel”. It does not remove any parts of Firefox except icons and names, that is still your job to do. Thanks, Raúl. I don’t have to envy anymore!
