Feed aggregator

Linux for Everyone—All 7.5 Billion of Us

Linux Journal - Thu, 07/06/2017 - 05:58

Linux has long since proven it's possible for one operating system to work for everyone, and also that there's an approach to development that opens and frees code so everyone can use it, improve it and assure its freedoms spread to everyone doing the same.

Categories: Linux News

Analyzing Videos for Fun and Profit

Linux Journal - Wed, 07/05/2017 - 05:46

People's phones, and all of the various sensors that may be built into them, are a source of scientific data logging that almost everyone carries around. Although the selection of sensors varies from phone to phone, they almost all have a camera. In this article, I take a look at a piece of software called Tracker that can be used to analyze videos you take of experiments.

Categories: Linux News

My free software activities, June 2017

Anarcat - Mon, 07/03/2017 - 11:37
Debian Long Term Support (LTS)

This is my monthly Debian LTS report. This time I worked on Mercurial, sudo and Puppet.

Mercurial remote code execution

I issued DLA-1005-1 to resolve problems with the hg serve --stdio command that could be abused by "remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name" (CVE-2017-9462).

Backporting the patch was already a little tricky because, as is often the case in our line of work, the code had changed significantly in newer versions. In particular, the command-line dispatcher had been refactored, which made the patch non-trivial to port. On the other hand, Mercurial has an extensive test suite, which allowed me to make those patches with confidence. I also backported a part of the test suite to detect certain failures better and to fix the output so that it matches the backported code. The test suite is slow, however, which meant slow progress when working on this package.
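The bug class behind the Mercurial advisory, a client-chosen repository name that the server-side command dispatcher scans as if it were a command-line option, is easy to reproduce in miniature. The following Ruby is an added illustration, not Mercurial's code or the DLA patch: `parse_server_args`, the `--stdio` and `--debugger` flags it recognises and the repository-name pattern are all assumptions made for the example.

```ruby
require 'optparse'

# Constructed repository-name allowlist: must start with an alphanumeric,
# so nothing beginning with "-" can ever reach the option parser.
VALID_REPO = /\A[A-Za-z0-9][A-Za-z0-9_.\/-]*\z/

# Hypothetical argv-style dispatcher standing in for a server command
# that accepts flags plus a positional repository name.
def parse_server_args(argv)
  opts = { stdio: false, debugger: false }
  parser = OptionParser.new do |o|
    o.on('--stdio')    { opts[:stdio] = true }
    o.on('--debugger') { opts[:debugger] = true }
  end
  rest = parser.parse(argv)   # returns the positional (non-option) arguments
  opts[:repo] = rest.first
  opts
end

# Vulnerable: the untrusted name is spliced in where the parser still
# looks for options, so a name of "--debugger" flips the debug flag and
# no repository is selected at all.
def dispatch_unsafe(repo_name)
  parse_server_args(['--stdio', repo_name])
end

# Hardened: reject anything that does not look like a repository name, and
# terminate option parsing with "--" so the name can never be consumed as
# a flag even if the allowlist is loosened later.
def dispatch_safe(repo_name)
  unless repo_name.match?(VALID_REPO)
    raise ArgumentError, "invalid repository name: #{repo_name.inspect}"
  end
  parse_server_args(['--stdio', '--', repo_name])
end

if __FILE__ == $PROGRAM_NAME
  p dispatch_unsafe('--debugger')    # {:stdio=>true, :debugger=>true, :repo=>nil}
  p dispatch_safe('projects/hello')  # {:stdio=>true, :debugger=>false, :repo=>"projects/hello"}
  begin
    dispatch_safe('--debugger')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The hardened path applies two independent controls, the allowlist and the `--` terminator, so a future change to either one does not reopen the hole. The allowlist says nothing about `..` segments; path traversal inside the name is a separate check.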

I also noticed a strange issue with the test suite: all hardlink operations would fail. Somehow it seems that my new sbuild setup doesn't support doing hardlinks. I ended up building a tarball schroot to build those types of packages, as it seems the issue is related to the use of overlayfs in sbuild. The odd part is my tests of overlayfs, following those instructions, show that it does support hardlinks, so there may be something fishy here that I misunderstand.

This, however, allowed me to get a little more familiar with sbuild and the schroots. I also took this opportunity to optimize the builds by installing an apt-cacher-ng proxy to speed up builds, which will also be useful for regular system updates.

Puppet remote code execution

I have issued DLA-1012-1 to resolve a remote code execution attack against puppetmaster servers, from authenticated clients. To quote the advisory: "Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution."

The fix was non-trivial. Normally, this would have involved fixing the YAML parsing, but this was considered problematic because the Ruby libraries themselves were vulnerable and it wasn't clear we could fix the problem completely by fixing YAML parsing. The update I proposed took the bold step of switching all clients to PSON and simply denying YAML parsing on the server. This means all clients need to be updated before the server can be updated, but thankfully, updated clients will run against an older server as well. Thanks to LeLutin at Koumbit for helping in testing patches to solve this issue.
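What "YAML deserialization in an unsafe manner" means in Ruby, and why refusing YAML at the server is a cleaner remedy than parsing it more carefully, can be shown with a small gadget class. This Ruby example is added here and is not Puppet's code or the Debian patch; `Gadget`, the request bodies and the use of `JSON.parse` as a stand-in for PSON are constructed for the illustration.

```ruby
require 'yaml'
require 'json'

# Constructed stand-in for a deserialization gadget: any class whose
# revival has side effects. Real chains end in `system` or `eval`; here
# the side effect is only recorded so the example stays harmless.
SIDE_EFFECTS = []

class Gadget
  # Psych calls init_with on a freshly allocated instance while reviving
  # a "!ruby/object:Gadget" node, before the caller ever sees the object.
  def init_with(coder)
    SIDE_EFFECTS << "ran: #{coder['cmd']}"
  end
end

# Constructed request bodies, as an agent could send them when the server
# lets the client pick the serialization format.
MALICIOUS_YAML = "--- !ruby/object:Gadget\ncmd: id\n"
BENIGN_JSON    = '{"name":"agent01","facts":{"os":"linux"}}'

# Ruby 3.1+ made YAML.load a safe load; unsafe_load is the old behaviour.
def unsafe_yaml(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Vulnerable: format chosen by the client, YAML revived with full object
# instantiation. The gadget runs before this method returns.
def deserialize_unsafe(format, body)
  case format
  when 'yaml'         then unsafe_yaml(body)
  when 'pson', 'json' then JSON.parse(body)
  else raise ArgumentError, "unknown format #{format}"
  end
end

# Hardened, mirroring the DLA's approach: YAML is refused outright and only
# the data-only format is accepted, regardless of what the client asks for.
ALLOWED_FORMATS = %w[pson json].freeze

def deserialize_safe(format, body)
  raise ArgumentError, "format not allowed: #{format}" unless ALLOWED_FORMATS.include?(format)
  JSON.parse(body)
end

# Where YAML cannot be dropped, safe_load is the next best thing: it revives
# only basic types and raises on arbitrary object tags.
def deserialize_yaml_restricted(body)
  YAML.safe_load(body)
end

if __FILE__ == $PROGRAM_NAME
  deserialize_unsafe('yaml', MALICIOUS_YAML)
  puts "unsafe path: #{SIDE_EFFECTS.inspect}"            # ["ran: id"]
  begin
    deserialize_safe('yaml', MALICIOUS_YAML)
  rescue ArgumentError => e
    puts "safe path: #{e.message}"
  end
  begin
    deserialize_yaml_restricted(MALICIOUS_YAML)
  rescue => e
    puts "safe_load: #{e.class}"                          # Psych::DisallowedClass
  end
end
```

The point the advisory makes is visible in the unsafe path: the gadget's side effect happens inside the parser, so no validation of the returned object can undo it. On the Ruby releases of that era, plain `YAML.load` behaved like the unsafe path above.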

Sudo privilege escalation

I have issued DLA-1011-1 to resolve an incomplete fix for a privilege escalation issue (CVE-2017-1000368 from CVE-2017-1000367). The backport was not quite trivial, as the code had changed quite a lot since wheezy as well. Whereas Mercurial's code was more complex, it's nice to see that sudo's code was actually simpler and more straightforward in newer versions, which is reassuring. I uploaded the packages for testing and uploaded them a year later.

I also took extra time to share the patch in the Debian bugtracker, so that people working on the issue in stable may benefit from the backported patch, if needed. One issue that came up during that work is that sudo doesn't have a test suite at all, so it is quite difficult to test changes and make sure they do not break anything.

Should we upload on fridays?

I brought up a discussion on the mailing list regarding uploads on fridays. With the sudo and puppet uploads pending, it felt really ... daring to upload both packages, on a friday. Years of sysadmin work hardwired me to be careful on fridays; as the saying goes: "don't deploy on a friday if you don't want to work on the weekend!"

Feedback was great, but I was surprised to find that most people are not worried about those issues. I have tried to counter some of the arguments that were brought up: I wonder if there could be a disconnect here between the package maintainer / programmer work and the sysadmin work that is at the receiving end of that work. Having myself had to deal with broken updates in the past, I'm surprised this has never come up in the discussions yet, or that the response is so underwhelming.

So far, I'll try to balance the need for prompt security updates and the need for stable infrastructure. One does not, after all, go without the other...

Triage

I also did small fry triage:

Hopefully some of those will come to fruition shortly.

Other work

My other work this month was a little all over the place.

Stressant

Uploaded a new release (0.4.1) of stressant to split up the documentation from the main package, as the main package was taking up too much space according to grml developers.

The release also introduces a limited anonymity option, by blocking serial number display in the smartctl output.

Debiman

Also did some small followup on the debiman project to fix the FAQ links.

Local server maintenance

I upgraded my main server to Debian stretch. This generally went well, although the upgrade itself took way more time than I would have liked (4 hours!). This is partly because I have a lot of cruft installed on the server, but also because of what I consider to be issues in the automation of major Debian upgrades. For example, I was prompted for changes in configuration files at seemingly random moments during the upgrade, and got different debconf prompts to answer. This should really be batched together, and unfortunately I had forgotten to use the home-made script I established when I was working at Koumbit, which shortens the upgrade a bit.

I wish we would improve on our major upgrade mechanism. I documented possible solutions for this in the AutomatedUpgrade wiki page, but I'm not sure I see exactly where to go from here.

I had a few regressions after the upgrade:

  • the infrared remote control stopped working: still need to investigate
  • my home-grown full-disk encryption remote unlocking script broke, but upstream has a nice workaround, see Debian bug #866786
  • gdm3 breaks bluetooth support (Debian bug #805414 - to be fair, this is not a regression in stretch, it's just that I switched my workstation from lightdm to gdm3 after learning that the latter can do rootless X11!)

Docker and Subsonic

I did my first (and late?) foray into Docker and containers. My rationale was that I wanted to try out Subsonic, an impressive audio server which some friends have shown me. Since Subsonic is proprietary, I didn't want it to contaminate the rest of my server and it seemed like a great occasion to try out containers to keep things tidy. Containers may also allow me to transparently switch to the FLOSS fork LibreSonic once the trial period is over.

I have learned a lot and may write more about the details of that experience soon, for now you can look at the contributions I made to the unofficial Subsonic docker image, but also the LibreSonic one.

Since Subsonic also promotes album covers as first-class citizens, I used beets to download a lot of album covers, which was really nice. I look forward to using beets more, but first I'll need to implement two plugins.

Wallabako

I did a small release of wallabako to fix the build with the latest changes in the underlying wallabago library, which led me to ask upstream to make versioned releases.

I also looked into creating a separate documentation site but it looks like mkdocs doesn't like me very much: the table of contents is really ugly...

Small fry

That's about it! And that was supposed to be a slow month...

Categories: External Blogs

eCosCentric Limited's eCosPro

Linux Journal - Mon, 07/03/2017 - 08:25

In contrast to general-purpose operating systems for the Raspberry Pi, the new eCosPro from eCosCentric Limited is a lightweight, multithreaded, industrial-strength RTOS delivering reduced latency with bounded response times. eCosPro's resource requirements are a fraction of those demanded by a general-purpose OS and maximize the RAM resources available to applications.

Categories: Linux News

FreeDOS Is 23 Years Old, and Counting

Linux Journal - Fri, 06/30/2017 - 15:49

The FreeDOS Project has just reached its 23rd birthday! This is a major milestone for any free software or open-source software project.

Categories: Linux News

J. and K. Fidler's Cut the Cord, Ditch the Dish, and Take Back Control of Your TV (Iron Violin Press)

Linux Journal - Fri, 06/30/2017 - 11:05

Prospective TV cable-cutters, even those with technical abilities, often are flummoxed in the face of choosing between all of the content options and new technologies available. Reliable sources of complete and neutral information in this space are hard to find, and the fun evaporates rapidly when you're faced with hours of stumbling through forums and strings of searches.

Categories: Linux News

Testing Models

Linux Journal - Thu, 06/29/2017 - 06:20

In my last few articles, I've been dipping into the waters of "machine learning", a powerful idea that has been moving steadily into the mainstream of computing, and that has the potential to change lives in numerous ways.

Categories: Linux News

AWS Quickstart for Kubernetes

Linux Journal - Wed, 06/28/2017 - 11:27
Kubernetes is an open-source cluster manager that makes it easy to run Docker and other containers in production environments of all types (on-premises or in the public cloud). What is now an open community project came from development and operations patterns pioneered at Google to manage complex systems at internet scale.

Categories: Linux News

Steve Suehring's CompTIA Linux+ and LPIC Practice Tests (Sybex)

Linux Journal - Wed, 06/28/2017 - 10:48

Possessing Linux skills is valuable in today's IT job market, where demand for talent outstrips supply. Getting certified proves you have the chops to do the job, and two well-worn paths to Linux certification are the Computing Technology Industry Association's CompTIA Linux+ and the Linux Professional Institute Certification (LPIC).

Categories: Linux News

Ubuntu Kylin, a Linux Distribution with a Microsoft Windows Experience

Linux Journal - Tue, 06/27/2017 - 09:48

Ubuntu Kylin is an open-source Linux distribution based on Ubuntu since 2013, mainly developed by a Chinese team alongside dozens of Linux developers all over the world. It contains the basic features you would expect from Ubuntu, plus its own desktop environment and applications.

Categories: Linux News

SUSE CaaS Platform

Linux Journal - Mon, 06/26/2017 - 06:33

There are a lot of decisions to be made before enterprises are ready for production and deployment of container apps, asserts SUSE.

Categories: Linux News

Linux Lite

Linux Journal - Fri, 06/23/2017 - 13:28

Linux Lite is a beginner-friendly Linux distribution that is based on the well-known Ubuntu LTS and targeted at Windows users. Its mission is to provide a complete set of applications to support users' everyday computing needs, including a complete office suite, media players and other essential applications.

Categories: Linux News

My Love Affair with Synology

Linux Journal - Thu, 06/22/2017 - 08:23

In my "Hodge Podge" article in the October 2016 issue, I mentioned how much I love the Synology NAS I have in my server closet (Figure 1).

Categories: Linux News

ONF/ON.Lab's ONOS Project

Linux Journal - Wed, 06/21/2017 - 10:01

Networks have become indispensable infrastructure in modern society. The danger is that these networks tend to be closed, proprietary, complex, operationally expensive and inflexible, all of which impede innovation and progress rather than enable them.

Categories: Linux News

Never Trust Yellow Fruit

Linux Journal - Tue, 06/20/2017 - 09:34

You've probably heard about the WiFi Pineapple from Hak5. It's a fascinating device that allows you to do some creepy pen testing. It's the sort of tool that could be used for evil, but it's also incredibly useful for securing networks.

Categories: Linux News

Five Reasons to Love SAP HANA

Linux Journal - Mon, 06/19/2017 - 08:51
If you are reading a blog on SAP HANA, you probably already know that it is an in-memory data platform built to handle massive amounts of data in real time. You probably already know that it can be deployed as an on-premises appliance or purchased as a hybrid or cloud service.

Categories: Linux News

BlueCat DNS Edge

Linux Journal - Mon, 06/19/2017 - 06:27

Migration to the cloud, the flexibility of network virtualization and the promise of IoT involve IT transformations that have placed incredible strain on enterprise security.

Categories: Linux News

Jetico's BestCrypt Container Encryption for Linux

Linux Journal - Fri, 06/16/2017 - 11:22

Cyber-attacks are now constant, threats to privacy are increasing, and more rigid regulations are looming worldwide. To help IT folks relax in the face of these challenges, Jetico updated its BestCrypt Container Encryption solution to include Container Guard.

Categories: Linux News

SQL Server on Linux

Linux Journal - Thu, 06/15/2017 - 15:54

When Wim Coekaerts, Microsoft's vice president for open source, took the stage at LinuxCon 2016 in Toronto last summer, he came not as an adversary, but as a longtime Linux enthusiast promising to bring the power of Linux to Microsoft and vice versa. With the recent launch of SQL Server for Linux, Coekaerts is clearly having an impact.

Categories: Linux News

Low Tech High Tech

Linux Journal - Thu, 06/15/2017 - 09:15

Google Cardboard should be terrible. Really, it should. It's literally made of cardboard. I remember as a kid some cereal boxes came with spy glasses you had to cut out of the box itself, and they were terrible. But Google Cardboard is amazing. Granted, you need to add your $750 Android phone to it, but that's already in your pocket anyway.

Categories: Linux News