This is the beginning of a series of articles where I develop a variation on the classic lunar-lander game themed around the planet Mars. To do this in three dimensions can be rather complicated, so in the spirit of the original arcade game (that I became rather obsessed with, I should admit), I'm going to tackle the simplified two-dimensional problem. more>>
Helping people overcome the challenges of building and growing an online business is what the PrestaShop open-source ecommerce platform is all about. The significant PrestaShop 1.7 release provides innovations focused on three themes: sell faster, create easier and code better. more>>
I grew up in the 1980s. That meant we drank far too much Kool-Aid, and on Saturday mornings, we got up early to watch cartoons. It also was the heyday of arcades, but I lived in the ghetto of Detroit and couldn't afford quarters to play games. Plus, there were none anywhere near the neighborhood where I lived. For me, the first real video-game experience was the Atari 2600. more>>
New versions of not just one but two dynamic analysis tools from Rogue Wave Software were unveiled recently to pleased developers everywhere. Upgraded TotalView for HPC and CodeDynamics, versions 2016.07, improve the diagnosis and correction of bugs, memory issues and crashes at execution. more>>
It used to be that the true sign you were dealing with a Linux geek was the pile of computers lying around that person's house. How else could you experiment with networked servers without a mass of computers and networking equipment? If you work as a sysadmin for a large company, sometimes one of the job perks is that you get first dibs on decommissioned equipment. more>>
Functional, powerful and there when you need it, unobtrusive when you don't—that's how Panther MPC, Inc., sums up the company's new Panther Alpha personal micro PC that features the company's powerful, easy-to-use Linux-based Panther OS. more>>
I'm a big Evernote user. It's a powerful commercial program that allows you to sync text, photos and documents across multiple devices. Sadly, there's no native Linux client. Also, it's a proprietary software package, and that bums me out. more>>
By providing a realistic simulated driving experience, the new GENIVI Vehicle Simulator (GVS) assists adopters to develop and test the user interface of an open in-vehicle infotainment (IVI) system safely, thereby identifying and executing necessary design changes quickly and efficiently. more>>
The description of iguazio's new flagship Enterprise Data Cloud platform is bold and simple: the world's fastest, simplest and lowest-cost enterprise data cloud. iguazio adds that unleashing the full potential of megatrend applications and analytics for big data, IoT and cloud-native applications, it has pioneered a new service-driven approach to enterprise d more>>
You had to be a crank to insist on being right. Being right was largely a matter of explanations. Intellectual man had become an explaining creature. Fathers to children, wives to husbands, lecturers to listeners, experts to laymen, colleagues to colleagues, doctors to patients, man to his own soul, explained. more>>
One of the most important characteristics of the contemporary data center, notes Applied Expert Systems, Inc. (AES), is that an ever-increasing amount of the traffic is between servers. Realizing the resulting need to facilitate improved server-to-server communications, AES developed CleverView for TCP/IP on Linux v2.5 with KVM Monitoring. more>>
I've covered several different programs that are useful when doing electrical engineering in the past. In this article, I want to look at a program called linsmith that helps you do calculations or see how different parameters behave. more>>
There have been epic battles over whether "insecure" or "unsecure" should be used when referring to computer security. more>>
Those were 8th and 9th months working on Debian LTS started by Raphael Hertzog at Freexian. I had trouble resuming work in November as I had taken a long break during the month and started looking at issues only during the last week of November.
ImageMagick, again
I have, again, spent a significant amount of time fighting the ImageMagick (IM) codebase. About 15 more vulnerabilities were found since the last upload, which resulted in DLA-756-1. In the advisory, I unfortunately forgot to mention CVE-2016-8677 and CVE-2016-9559, something that was noticed by my colleague Roberto after the upload... More details about the upload are available in the announcement.
When you consider that I worked on IM back in October, which led to an upload near the end of November covering around 80 more vulnerabilities, it doesn't look good for the project at all. Of the 15 vulnerabilities I worked on, only 6 had CVEs assigned and I had to request CVEs for the other 9 vulnerabilities plus 11 more that were still unassigned. This led to the assignment of 25 distinct CVE identifiers as a lot of issues were found to be distinct enough to warrant their own CVEs.
One could also question how many of those issues affect the fork, GraphicsMagick. A lot of the vulnerabilities were found through fuzzing searches that may not have been tested on GraphicsMagick. It seems clear to me that a public corpus of test data should be available to test regressions and cross-project vulnerabilities. It's already hard enough to track issues within IM itself, I can't imagine what it would be for the fork to keep track of those issues, especially since upstream doesn't systematically request CVEs for issues that they find, a questionable practice considering the number of issues we all need to keep track of.
Nagios
I have also worked on the Nagios package and produced DLA 751-1 which fixed two fairly major issues (CVE-2016-9565 and CVE-2016-9566) that could allow remote root access under certain conditions. Fortunately, the restricted permissions set up by default in the Debian package made both exploits limited to information disclosure and privilege escalation if the debug log is enabled.
This says a lot about how proper Debian packaging can help in limiting the attack surface of certain vulnerabilities. It was also "interesting" to have to re-learn dpatch to add patches to the package: I regret not converting it to quilt, as the operation is simple and quilt is so much easier to use.
People new to Debian packaging may be curious to learn about the staggering number of patching systems historically used in Debian. On that topic, I started a conversation about how much we want to reuse existing frameworks when we work on those odd packages, and the feedback was interesting. Basically, the answer is "it depends"...
NSS
I had already worked on the package in November and continued the work in December. Most of the work was done by Raphael, who fixed a lot of issues with the test suite. I tried to wrap this up by fixing CVE-2016-9074, the build on armel and the test suite. Unfortunately, I had to stop again because I ran out of hours and the fips test suite was still failing, but fortunately Raphael was able to complete the work with DLA-759-1.
For the second time, I forgot to formally assign myself a package before working on it, which meant that I wasted part of my hours working on the monit package. Those hours, of course, were not counted in my regular hours. I still spent some time reviewing mejo's patch to ensure it was done properly and it turned out we both made similar patches working independently, always a good sign.
As I reported in my preliminary November report, I have also triaged issues in libxml2, ntp, openssl and tiff.
Finally, I should mention my short review of the phpMyAdmin upload, among the many posts I sent to the LTS mailing list.
Other free software work
One reason why I had so much trouble getting paid work done in November is that I was busy with unpaid work...
manpages.debian.org
A major time hole for me was trying to tackle the manpages.debian.org service, which had been offline since August. After a thorough evaluation of the available codebases, I figured the problem space wasn't so hard and it was worth trying to do an implementation from scratch. The result is a tool called debmans.
It took, obviously, way longer than I expected, as I experimented with Python libraries I had been keeping an eye on for a while. For the command-line interface, I used the click library, which is really a breeze to use, but a bit heavy for smaller scripts. For a web search service prototype, I looked at flask, which was also very interesting, as it is light and simple enough to use that I could get started quickly. It also, surprisingly, fares pretty well in the global TechEmpower benchmarking tests. Those interested in those tools may want to look at the source code, in particular the main command (using an interesting pattern itself, __main__.py) and the search prototype.
Debmans is the first project for which I have tried the CII Best Practices Badge program, an interesting questionnaire to review best practices in software engineering. It is an excellent checklist I recommend every project manager and programmer to get familiar with.
I still need to complete my work on Debmans: as I write this, I couldn't get access to the new server the DSA team set up for this purpose. It was a bit of a frustrating experience to wait for all the bits to get into place while I had a product ready to test. In the end, the existing manpages.d.o maintainer decided to deploy the existing codebase on the new server while the necessary dependencies are installed and accesses are granted. There's obviously still a bunch of work to be done for this to be running in production so I have postponed all this work to January.
My hope is that this tool can be reused by other distributions, but after talking with Ubuntu folks, I am not holding my breath: it seems everyone has something that is "good enough" and that they don't want to break it...
Monkeysign
I spent a good chunk of time giving a kick in the Monkeysign project, with the 2.2.2 release, which features contributions from two other developers, which may be a record for a single release.
I am especially happy to have adopted a new code of conduct - it has been an interesting process to adapt the code of conduct for such a relatively small project. Monkeysign is becoming a bit of a template on how to do things properly for my Python projects: documentation on readthedocs.org including a code of conduct, support and contribution information, and so on. Even though the code now looks a bit old to me and I am embarrassed to read certain parts, I still think it is a solid project that is useful for a lot of people. I would love to have more time to spend on it.
LWN publishing
As you may have noticed if you follow this blog, I have started publishing articles for the LWN magazine, filed here under the lwn tag. It is a way for me to actually get paid for some of my blogging work that used to be done for free. Reports like this one, for example, take up a significant amount of my time and are done without being paid. Converting parts of this work into paid work is part of my recent effort to reduce the amount of time I spend on the computer.
A funny note: I always found the layout of the site to be a bit odd, until I looked at my articles posted there in a different web browser, which didn't have my normal ad blocker configuration. It turns out LWN uses ads, and Google ones too, which surprised me. I definitely didn't want to publish my work under banner ads, and will never do so on this blog. But it seems fair that, since I get paid for this work, there is some sort of revenue stream associated with it. If you prefer to see my work without ads, you can wait for it to be published here or become a subscriber which allows you to get rid of the ads on the site.
My experience with LWN is great: they're great folks, and very supportive. It's my first experience with a real editor and it really pushed me in improving my writing to make better articles than I normally would here. Thanks to the LWN folks for their support! Expect more of those quality articles in 2017.
Debian packaging
I have added a few packages to the Debian archive:
- magic-wormhole: easy file-transfer tool, co-maintained with Jamie Rollins
- slop: screenshot tool
- xininfo: utility used by teiler
- teiler (currently in NEW): GUI for screenshot and screencast tools
Against my better judgment, I worked again on the borg project. This time I tried to improve the documentation, after a friend asked me for help on "how to make a quick backup". I realized I didn't have any good primer to send regular, non-sysadmin users to and figured that, instead of writing a new one, I could improve the upstream documentation instead.
I generated a surprising 18 commits of documentation during that time, mainly to fix display issues and streamline the documentation. My final attempt at refactoring the docs eventually failed, unfortunately, again reminding me of the difficulty I have in collaborating on that project. I am not sure I succeeded in making the project more attractive to non-technical users, but maybe that's okay too: borg is a fairly advanced project and not currently aimed at such a public. This is yet another project I am thinking of creating: a metabackup program like backupninja that would implement the vision created by liw in his A vision for backups in Debian post, which was discarded by the Borg project.
Github also tells me that I have opened 19 issues in 14 different repositories in November. I would like to particularly bring your attention to the linkchecker project which seems to be dead upstream and for which I am looking for collaborators in order to create a healthy fork.
Finally, I started on reviving the stressant project and changing all my passwords, stay tuned for more!
Okay, that title really isn't fair. NethServer has all the Linux stuff, it's just that you don't have to interact with it in the traditional way in order to reap the benefits. NethServer is a web-based management software package built on top of CentOS. You can download it as a separate distribution, but truly, it's just software on top of CentOS. more>>
Although open-source software excels at innovation and leverages the immense power of talented developers dedicated to solving difficult problems, the focus is rarely on enterprise capabilities, asserts CloudBees, the hub of enterprise Jenkins and DevOps. Fortunate for Jenkins developers, CloudBees, Inc., has announced CloudBees Jenkins Enterprise, a Jen more>>
A year or so ago, I wrote a short article titled "Network Go Bag". During the past year, I've gotten lots of email about that bag and actually quite a few questions about working while traveling in general. more>>
In a previous article, I introduced the Tiny Internet Project, a self-contained Linux project that shows you how to build key pieces of the internet on a single computer using virtualization software, a router and free open-source applications. more>>
In perfect alignment with its self-described identity as "the data reduction expert", Permabit Technology Corporation recently announced availability of its Albireo Virtual Data Optimizer (VDO) 6 for Canonical's Ubuntu Server. more>>