Entries posted in June 2007

I'm starving now, feeling dead on my feet

Sunday, 1 July 2007

Three, count them, three local root exploits discovered so far via the source scan of the Debian archive. More to follow.

Right now my biggest irritation is the amount of time it takes to report bugs in packages which don't have security issues - just bad coding. It takes me a fair while to do it, since I either have to install the package and use "reportbug", or lookup version numbers and submit manually. I should think of a better way of doing it.

| No comments

 

Push the button

Wednesday, 27 June 2007

Martin f. Krafft wrote about the Edinburgh Keysigning, and I find his post very interesting.

I did not take part in either keysigning. The first one I missed because I was in the sauna (which was a lot of fun). The second I missed because my uncle died that evening (which was less fun; but mostly expected).

So I expected to receive no new signatures:

skx@vain:~/Debian/Etch/hiki$ gpg-get-key
No key specified, defaulting to Steve's.
Updating key from keyring.debian.org
gpg: requesting key CD4C0D9D from hkp server keyring.debian.org
gpg: key CD4C0D9D: "Steve Kemp " 18 new signatures

So 18 several people signed my key without checking for valid identification. Is that good? Is that bad? I think it is appalling. But maybe I'm taking it too seriously.

(I just realised 18 sigs != 18 people. So not quite as bad as I initially thought.)

| No comments

 

Other things just make you swear and curse

Tuesday, 26 June 2007

I find myself in need of a simple "blogging system" for a small non-dynamic site I'm putting together.

In brief I want to be able to put simple text files into "blog/", and have static HTML files build from them, with the most recent N being included in an index - and each one individually linked to.

At a push I could just read "entries/*.blog", then write a perl script to extract a date + title and code it myself - but I'm sure such a thing must already exist? I vaguely remember people using debian/changelog files as blogs a while back - that seems similar?

Update: NanoBlogger it is.

| No comments

 

Unknown, even to its own employees, its massive profits are generated by military technology, genetic experimentation and viral weaponry

Sunday, 24 June 2007

The scanning of the Debian source archive for security bugs has begun.

I've wrote about this previously and there was some interest in how it worked, so I've put up a simple webpage describing the process.

There are a lot of results to go through, but so far I've managed to find one local root exploit and many many many trivial problems.

Sample bugs:

Unfortunately my usertags seem to be broken. This was working a day or two ago. Not sure if I fucked up or if the BTS is broken ..?

| No comments

 

We've Been Out All Night And We Havn't Been Home,

Thursday, 21 June 2007

The source-searching system I was talking about previously is progressing slowly.

So far I've synced the source to Etch to my local machine, total size 29Gb, and this evening I've started unpacking all the source.

I'm still in the "a" section at the moment, but thanks to caching I should be able to re-sync the source archive and unpack newer revisions pretty speedily.

The big problem at the moment is that the unpacking of all the archives is incredibly slow. Still I do have one new bug to report aatv: Buffer overflow in handling environmental variables..

That was found with:

rgrep getenv /mnt/mirror/unpacked | grep sprintf

(A very very very slow pair of greps. Hopefully once the unpacking has finished it will become faster. ha!)

The only issue I see at the moment is that I might not have the disk space to store an unpacked tree. I've got 100Gb allocated, with 29Gb comprised of the source. I'll just have to hope that the source is less than 70Gb unpacked or do this in stages.)

I've been working on a list of patterns and processes to run, I think pscan, rats, and its should be the first tools to run on the archive. Then after that some directed use of grep.

If anybody else with more disk space and connectivity than myself be interested I can post the script(s) I'm using to sync and unpack .. Failing that I'll shut up now.

| No comments

 

Seek & destroy

Wednesday, 20 June 2007

Debconf7 continues very well, with a nice trip to a local sauna this evening.

Unfortunately our party had to split into two, with the ladies going to one section and the gentlemen to another. Still it was fun, and I'm glad I went. It was probably just as well that Megan didn't get to see me being terrified of the cold water!

Apart from that things went well today. I saw half a talk on Xen, sufficient to see my name in lights, then half a talk on security, again managing to see my name on the big screen.

If people, at debconf7, would like to learn more about security I've volunteered myself on the "skills exchange" page of the wiki to demonstrate the process which Moritz described as "manual and complicated". (ie. releasing a DSA and updating the webpage.) I think this will happen sometime on Friday.

I also need to track down AJ and talk about debootstrap work.

One more thing, before I go to sleep. During the security talk Moritz did mention the idea of being able to grep through the source code of the entire archive. This is a topic which has been raised before.

Right now I'm keen to make this possible, so overnight I'm syncing the latest sid archive and I think I have a plan to make it work.

  • Sync the sources of the given distribution.
  • Once that has happened recursively unpack any archive we can understand. (.tar.bz2, tar.gz, etc).
  • Either:
    • Write a simple script with "grep".
    • or import the unpacked root into a text indexing system.
    • Also it would be useful to recognize common files via SHA + MD5 checksums.
  • make some simple GUI.

I think that the sync will take a while for me on my home connection, and I also believe that the unpacking will be grossly CPU-intensive. Still it should be a worthwhile job even if I can't get it done, because it will tell us the kind of machine which is required to actually do it.

I'd like to use a project machine because I'm not entirely sure I have the necessary space but that should become apparent fairly quickly. (The archive I can handle, the unpacked tress might be a little bit much for me. Still I have 100Gb free and I guess that is a good starting point).

If anybody has any tips for full-text-indexers that would be appropriate for fast queries against a large directory tree of source code then I'd be interested in hearing about them.

| No comments

 

Though my name was Eliza Day

Monday, 18 June 2007

Today I mostly familiarized with Ruby On Rails coding, after an absence of several months.

I wrote a quick multi-user online DVD catalog program to replace my current online DVD list.

This is pretty neat as it allows me to actually edit the films via the web GUI, and should also allow me to create per-user lists of films.

Of course the hard part will be importing all my "old" data, then adding all the movies that Megan brought to the flat when she moved in ..

| No comments

 

I was up above it

Monday, 18 June 2007

went to Teviot, the main Debconf7 venue, with Megan for a while. Picked up a couple of people and then left for a night in the pub. After chatting to the barmaid, Emma, who wanted her Ubuntu laptop fixed. Looks like that is sorted now.

Met Ian Jackson, who surprised me by being both younger and shorter than I expected.

Met Hannah, who killed Alfie, and who wasn't pregnant.

Excellent night.

I also hacked on xen-tools and tracked down copyright bits for debootstrap.

Now to bed, via The Hobbit. The tattoo I expect people will recognize when it comes to sauna-time.

In other news - I don't have a bear but now I own sandals.

TODO: Print groupie badges for people.

| No comments

 

You have to go on living

Monday, 11 June 2007

Debconf7 TODO:

These are my personal goals for the debcamp week:

  • Develop xen-tools to fix bugs reported by Henning.
  • Unify debootstrap.
  • Get involved in discussions of Debian init-systems.

The second item is the one that I'm most interersted in right now, but I'll leave it a day to see if there is any useful feedback or massive objections right now.

The debootstrap problem

Right now there are two versions of debootstrap - the "Debian one" and the "Ubuntu one".

The Ubuntu debootstrap package has support for installing additional suites; dapper, feisty, etc.. (My current understanding is that the Ubuntu debootstrap can still install Etch, Sarge, etc.)

Right now if you want to bootstrap an Ubuntu system on a Debian host you're out of luck unless you install the Ubuntu debootstrap package.

There is no real reason why this should be the case. Either distribution should be able to install the other.

Why I care

I wrote/maintain xen-tools. This package allows you to create Xen guests of different distributions. Most of the time the tool will install a distribution by invoking "debootstrap ...".

It would be nice if this could work upon a plain Debian system such that installing Dapper, Fiesty, etc, was supported.

What We Can't Solve

There are problems with debootstrap which I'm not going to attempt to solve. The most obvious one is that Sarge's debootstrap cannot install Etch.

There are a few open bugs in the Debian BTS which I will triage though, since some of them are safe to close.

The Approach

There are three approaches for this:

The hack

Download the source to Ubuntu's package. Test it can install Sarge, Etch & Lenny. Then upload to Debian.

What I'll do

I'll do three things:

  • Triage open bugs on debootstrap.
  • I'll compare the two scripts + manpages, to see if they've diverged.
  • I'll move the Ubuntu scripts into the Debian package.
The neat way forward

Split debootstrap into :

  • debootstrap
    • Compatability package, to pull in the next three:
  • debootstrap-common
    • The tool.
  • debootstrap-debian
    • Contains the scripts/support for installing Sarge, Etch & Lenny.
  • debootstrap-ubuntu
    • Contains the scripts/support for installing Dapper, Feisty, etc.

This second approach should be straightforward. The first thing to do is to test that actual debootstrap script differ little between the two distributions. That should be simple enough.

The next thing is to create the additional packages.

Acceptance?

For this work to be useful it needs support from the maintainers of the Debian & Ubuntu packages. (I guess mostly the Debian maintainers actually.)

Progress

The good news is that between the version of debootstrap in Ubuntu right now, debootstrap-0.3.3.3ubuntu4, and that in Debian sid, debootstrap-0.3.3.3, the code has only one minor change. There is only a minor typo-fix in the manpage too.

So I can move the scripts into the package trivially...

| No comments

 

You and I in a little toyshop

Saturday, 9 June 2007

Surprisingly many local people seem to be catching icky-illnesses of death recently.

Both Megan and myself are under the weather recently. I managed to infect her with a nasty cough and cold on Wednesday and the pair of us have been mostly shivering indoors since then.

Today is the closing day of The Leith Festival (Leith being a district of Edinburgh. Where we live.) So we made it outside and consumed beer and pies for a while. Now we're back and I'm wishing I'd not left the house.

Still it could have been worse I could have been in the sun in a blurry suit and without any books! (Books visible and recognizable include the complete works of Terry Pratchett, minus two, the complete works of Steven Brust (Maybe Vlad will give me the edge in the assassins game!))

Steve in Leith Meg likes pies

All being well we'll be more recovered in time for the Debconf7 activities, although I expect Meg to be driving around Scotland for part of the time with a friend and not completely available. (A three-day roadtrip with Emma - a local girl who is hoping that somebody at Debconf will be able to fix her Ubuntu laptop..?)

Update: - Debconf7 game of Settlers of Catan..? (I have only the Zarahemla set myself, but it will suffice for four players in a pinch.)

| No comments

 

Recent Posts

Recent Tags