She said she'd teach me 'bout voodoo

10 July 2007 21:50

So I've been very happy with exaile - the media player - for the past week or so.

I think I'm going to switch to it full time.

The "random play" is surprisingly random. Despite listening to music 24x7 I'm finding myself hearing new music. I can only conclude that xmms and xmms2 have poor random functionality ..

The bigger issue is the handling of plugins. How do plugins get loaded? Via an external website.

You do the pointy-clicky dance with the user-interface, and the system downloads arbitrary code from exaile.org, installs it into ~/.exaile/plugins and executes it.

Double-plus ungood.

    # Plain HTTP, and nothing checks what comes back before it is installed and run.
    download_url = "http://www.exaile.org/plugins/plugins.py?version=%s&plugin=%s" \
        % (self.app.get_plugin_location(), file)
    xlmisc.log('Downloading %s from %s' % (file, download_url))

Let us hope they never lose control of that domain, (and never implement automatic plugin updates) otherwise all current users will hit the site, be persuaded there are newer plugins available and be compromised en masse...
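As an added illustration (not exaile's code), here is the download-then-execute pattern described above beside a hardened loader that checks the fetched bytes against a digest obtained through a trusted channel before writing them into the plugin directory. The sample plugin, its digest and the tampered copy are constructed, and the signed manifest the digest would come from is hypothetical.

```python
import hashlib
import hmac
import os
import tempfile


class PluginVerificationError(Exception):
    """Raised when a downloaded plugin does not match its published digest."""


def install_unverified(data: bytes, plugins_dir: str, name: str) -> str:
    # The pattern the post describes: whatever arrived from the plugin host
    # (or from whoever answers for that hostname) is written into the plugin
    # directory, from where the player later imports and runs it.
    path = os.path.join(plugins_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def verify_plugin(data: bytes, expected_sha256: str) -> bool:
    # expected_sha256 must come from a trusted channel (e.g. a signed manifest
    # shipped with the release), never from the same host as the plugin.
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


def install_verified(data: bytes, plugins_dir: str, name: str, expected_sha256: str) -> str:
    # Hardened form: refuse to write anything whose digest does not match.
    if not verify_plugin(data, expected_sha256):
        raise PluginVerificationError("%s: digest mismatch, not installed" % name)
    return install_unverified(data, plugins_dir, name)


# Constructed sample plugin; the digest stands in for the value a signed
# manifest would publish (hypothetical: exaile had no such manifest).
GOOD_PLUGIN = b"# sample plugin\nPLUGIN_NAME = 'sample'\n"
GOOD_SHA256 = hashlib.sha256(GOOD_PLUGIN).hexdigest()
# What a client would receive if the hostname were pointed at another server.
TAMPERED_PLUGIN = GOOD_PLUGIN + b"import os  # extra code added in transit\n"


def demo() -> dict:
    plugins_dir = tempfile.mkdtemp(prefix="plugins-")
    result = {"verified_rejected_tampered": False}
    bad = install_unverified(TAMPERED_PLUGIN, plugins_dir, "unverified.py")
    result["unverified_installed_tampered"] = os.path.exists(bad)
    try:
        install_verified(TAMPERED_PLUGIN, plugins_dir, "verified.py", GOOD_SHA256)
    except PluginVerificationError:
        result["verified_rejected_tampered"] = True
    good = install_verified(GOOD_PLUGIN, plugins_dir, "verified.py", GOOD_SHA256)
    result["verified_installed_good"] = os.path.exists(good)
    return result
```

Calling demo() shows the unverified loader happily installing the tampered file while the verified one rejects it and accepts only the genuine copy.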

In other news, even with my planet-searching script, I cannot find the blog entry I wanted to refer people to. It involved people looking pretty and acting miserable. Possibly on buses?

It brings on many changes, and I can take or leave it as I please

15 November 2007 21:50

On Tuesday I released a new version of rinse which now supports Fedora Core 8.

On Wednesday I rebuilt xen-unstable several times, and reported a vaguely security relevant issue against the Exaile music player. I flagged that as important, but I'm not really sure how important it should be. True it works. True it requires DNS takeover, or similar, to become a practical attack, but .. serious or not?

Today I'm wondering about "hiding" messages in debian/changelog files. Each changelog entry includes the time & date of the new revision. I tend to pick the last two digits of the timestamp pretty much at random (i.e. the hours and minutes are always correct, but the seconds are a random value).

Given two digits which may be manipulated in the range 0-59, I'm sure a few small messages could be inserted into a package. But the effort would be high. (Hmmm, timezone offset too?)

And that concludes today's entry.

Doesn't sound too bad. I'll try to stay awake

10 August 2008 21:50

Well a semi-productive week during which I submitted another patch to GNU Screen - this is a trivial one, and the bug itself probably doesn't require an "important" severity.

However I'm a little disappointed to see that a bug which I submitted late last year in the exaile package (#451303) is still not fixed - and worse still we're going to be stuck with it in Lenny.

Still, who knows; the recent activity suggests there might be a fix. But with the words "DNS cache poisoning" still ringing in our ears, packages which automatically download and execute code from remote HTTP servers should ring alarm bells. Loudly.

(Don't forget exaile.org has already been hacked once.)

Next week I'll try to fix a couple of bugs. Publicly. Again. Unless that is dull to watch, or I find my time eaten by a .. grue.

