Sebastian was invited to a radio interview with RadioTux during LinuxTag and I decided to join him. It was a lot of fun talking with Roman (much more than talking alone as I did the last year). Now, finally here’s the recording (in German).
Fortunately, sping said almost everything there is to say about LinuxTag. But there’s one important part missing: We finally made a peace treaty with what many call Gentoo’s arch nemesis (no pun intended?): Ubuntu.
While Ubuntu lost the “just works on your notebook” unique selling point a while ago (thanks to freedesktop et. al.), we could convince Ubuntu founder Mark Shuttleworth to sign our Gentoo slogan “It’s all about choice” — so maybe in a year from now, you might see USE flags in Ubuntu as well. Don’t believe it? Here’s proof.
On a more serious note, I really like how events like LinuxTag encourage collaboration between distributions. You often meet people that do similar things in a different way, learn about new technology and ideas and (here’s the best part) most people will even want to show you how they integrated something and convince you to do it similarly. Try to get that with an i*hone at some consumer convention.
Oh, and if you read this whole text to get an answer to the question in the title: No. He was a Debian developer years before Gentoo was on the horizon.
LinuxTag is coming, and we’re on board again! All four days, starting Wednesday, June 9th until Saturday, June 12th, Gentoo will be present at the Berlin Fairgrounds.
And this time, we’re celebrating. As this is the fifth time we present our favorite distribution at LinuxTag, we have prepared a great booth for all Gentoo users, developers — and those who want to join the fun. After having visited the events in Karlsruhe in 2003 and 2004, we are regular visitors at the Berlin LinuxTag since 2008. Besides our usual activities (talking, emerging, giving away merchandise), we will have our unique Gentoo T-Shirts, the latest Gentoo DVDs, and the world’s most configurable Gentoo badge compiler.
So pack your bags, come to Berlin, and meet the 10+ Gentoo developers and users that already signed up. And maybe, you’ll join us for the some beer (or Mate tea) after the show or enjoy helping other users at the booth (drop us an email)?
But wait, there’s more! The German non-profit association “Förderverein Gentoo e.V.” will hold a member’s meeting right on the Fairgrounds on Friday (11th), 12:00–14:00 in the workshop room. Not a member yet? You can still become one, even right there and support our work.
Hope to see you all in Berlin!
Ravelry is a knit and crochet community. In an interview with Tim Bray of ongoing, their site engineer Casey Forbes says: “We have 7 servers running Gentoo Linux and virtualized into a total of 13 virtual servers with Xen.” On these servers they use nginx, HAProxy, Apache, MySQL, and of course Ruby on Rails (with Passenger). And how they use it!
We’ve got 430,000 registered users, in a month we’ll see 200,000 of those, about 135,000 in a week and about 70,000 in a day.
We peak at 3.6 million pageviews per day. That’s registered users only (doesn’t include the very few pages that are Google accessible) and does not include the usual API calls, RSS feeds, AJAX.
Actual requests that hit Rails per day is 10 million.
900 new users sign up per day.
The forums are very active with about 50,000 new posts being written each day.
Thanks for sharing the details, it’s what keeps us developers running. At least those as vain as me.
Just like last year, the German publication Linux Magazin, interviewed projects at LinuxTag and created a video collage. If you’ll skip through the video anyway, be sure to see fauli and me dance at 1:30 and lu_zero at 6:20. Ohh, and you want more pictures? Check out this site with pictures by Andie Gilmour.
LinuxTag 2009 is over. I slept 12 hours after that, slightly less than the total of sleep I got throughout the four days. But it was amazing. There’s so many people I have to thank that made this a unique experience. Here’s my attempt at a partial list. Thanks to…
Let me finish with a few bytes of statistics. There were more than 10 000 visitors, we sold 39 t-shirts, drank 34 bottles of Mate and 10 bottles of water, and ate 3 kg of sweets. Ohh, and here’s us again:
Last row, from the left: rbu, grobian, sping, fauli behind dertobi123, a3li, Claudia and amne. Front row: Florian, Sebastian Dyroff, Dan Levin.
So the first day of the four days of Gentoo at LinuxTag is almost over. It’s a very exciting event, talking to users, visitors, and devs, and in the end we could even convince some unhappy Ubuntu users to try Gentoo. Here’s some pictures of what happened so far.
Pictures were taken by Florian, amne and fauli. The word cloud poster is by sping and me.
It’s time for a great summer in Germany again! And what better opportunity to spend it than with Gentoo friends at LinuxTag?
The largest Linux consumer and developer fair in Europe will be taking place Wednesday, June 24th to Saturday, June 27th. And of course Gentoo will be there with a booth. Meet some of the developers of your favourite distribution, and satisfy all your ebuild needs, maybe even have us fix one or the other bug. We even hope to bring some merchandise this time. So if you haven’t registered for a hostel or hotel, you might want to do that now.
You are also more than welcome to contribute to the booth, either by attending as a staff member (free entrance to the show is only one of the many benefits!), or by organising t-shirts, flyers and maybe even cups. Please contact me via email if you’re up for that.
And now back to hacking on my thesis and some security bugs… oh, and NetworkManager 0.7.1 is coming, thanks to Robert Piasek and Gilles Dartiguelongue who have been contributing a lot to the ebuilds while I was slacking.
Python is a great programming language, and I use it to write almost all of my tools. But even the best tool cannot protect you from hurting yourself when you don’t know all its edges.
Python has three ways to execute your code for you: You type up a script, and let python run it (python script.py or ./script.py), you start the interactive python console (or use dev-python/ipython which is really neat) or instruct python to run a specific command via an argument (”python -c ‘print 17′”). Now, in the interactive case you often have python files lying around in your current working directory, and want to import them and then test a function. For this reason the current working directory is the first element in the module search path, in Python terms: sys.path[0] = ‘.’. Obviously, this would be a huge mistake when asking Python to run some file; you would not expect virt-manager to load its dependencies from /tmp just because you started it there. The last option, however is the corner case here: The python developers went with the way the interactive shell works, and so this happens:
rbu@peanut /tmp $ echo 'print 1' > re.py rbu@peanut /tmp $ python -c 'import re' 1
This is not an issue in itself, as it is documented, but it certainly is something you should note when writing scripts that people are supposed to run on multi-user systems. If your shell script in /usr/bin calls “python -c” and people run the script from /tmp, they might end up executing code from Python modules a local attacker had placed there.
And that is how today, we released GLSA 200810-02 for bug 239560, a local root vulnerability “in” Portage. But in the end, it’s not even Portage’s fault. Several ebuilds (among them the ebuild for Portage 2.1 itself) used “python -c” and Portage does not change the working directory when it executes the ebuild’s bash functions. And judging from the ebuild API specification, it does not have to: The ebuilds are the ones that need to make sure Python does not include the current working directory (e.g. export PYTHONPATH). But even those rules are not written in stone, and I hope we bring forward a change of this contract.
So, if you own or distribute any shell scripts that interact with Python, please make sure you keep your Python in its cage. Oh, and check your usage of urllib2.urlopen() while at it.
OpenSSH 5.1 is out, and besides a Security issue that does not affect Linux or the BSDs, it includes a new feature labelled VisualHostKey, aka SSH Fingerprint ASCII Visualisation. Using an idea proposed in the 1999 paper Hash visualization: A new technique to improve real-world security by Perrig and Song, an image with 18×9 resolution is generated from the fingerprint of the SSH server, and is displayed to the client.
Since the feature is experimental, and the algorithm to generate the image should not be considered final yet, display is disabled by default. You can see a test-run in the screen capture, and a (just for fun) list of images of my known hosts. I wonder how long it takes to remember that face… doesn’t it look like bit like Marge Simpson?
Now why all this, you are asking?
It is deemed that images are easier to compare and remember than the usual 32 hex digits, and I believe everyone has to judge by him/herself if that is true. How many of those SSH/OTR/SSL… fingerprint digits do you check*? All of them? Any, at all? Where did you derive your latest Firefox SSL CA certificates from? At a time where I cannot trust my provider to run a secure DNS server, verifying the authenticity of either the other side of communication, or the data in transit is most crucial. Let’s finally get that Tree Signing going!
* If you only check the first 4 digits, and the last 2 — you are riding on a 24 bit fingerprint.
