Planet HantsLUG

Planet HantsLUG - http://hantslug.org.uk/planet/

Steve Kemp: Draft post - 31 July 2014

Thu, 31/07/2014 - 13:54

Yesterday I spent a while looking at the Debian code search site, an enormously useful service allowing you to search the code contained in the Debian archives.

The end result was three trivial bug reports:

#756565 - lives

Insecure usage of temporary files.

A CVE-identifier should be requested.

#756566 - libxml-dt-perl

Insecure usage of temporary files.

A CVE-identifier has been requested by Salvatore Bonaccorso, and will be added to my security log once allocated.

#756600 - xcfa

Insecure usage of temporary files.

A CVE-identifier should be requested.

Finding these bugs was a simple matter of using the code-search to look for patterns like "system.*>.*/tmp".

Perhaps tomorrow somebody else would like to have a go at looking for backtick-related operations ("`"), or the usage of popen.
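An added example, not from the post: the same three hunts (system() redirecting into /tmp, backtick commands touching /tmp, popen() with a /tmp path) run locally over a constructed sample file, so the search can be repeated on any checked-out source tree. The sample lines and the backtick/popen regexes are constructed here; only the system() pattern comes from the post.

```shell
#!/bin/sh
# Added example: replay the code-search patterns over a constructed sample.
# Sample lines and the backtick/popen regexes are constructed for this demo.
set -e

SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
system("convert $in $out > /tmp/xcfa.log 2>&1");
my @sorted = `sort $input > /tmp/sorted.$$; cat /tmp/sorted.$$`;
FILE *p = popen("gzip > /tmp/dump.gz", "w");
my ($fh, $name) = tempfile(UNLINK => 1); system("sort $input > $name");
EOF

# Pattern from the post, plus the two follow-ups it suggests.
PAT_SYSTEM='system.*>.*/tmp'
PAT_BACKTICK='`[^`]*/tmp'
PAT_POPEN='popen.*/tmp'

# Number of lines in FILE ($1) matching PATTERN ($2); prints 0 on no match
# instead of letting grep's exit status 1 abort the script.
count_hits() { grep -cE "$2" "$1" || true; }

# One "label:lineno:text" per hit, so each finding can be triaged by hand.
# The last sample line uses File::Temp and is correctly not reported.
audit_tmp_usage() {
    for pair in "system:$PAT_SYSTEM" "backtick:$PAT_BACKTICK" "popen:$PAT_POPEN"; do
        label=${pair%%:*}
        pattern=${pair#*:}
        grep -nE "$pattern" "$1" | sed "s/^/$label:/" || true
    done
}

audit_tmp_usage "$SAMPLE"
```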

Tomorrow I will personally be swimming in a loch, which is more fun than wading in code.

Categories: LUG Community Blogs

Debian Bits: Jessie will ship Linux 3.16

Wed, 30/07/2014 - 22:10

The Debian Linux kernel team has discussed and chosen the kernel version to use as a basis for Debian 8 'jessie'.

This will be Linux 3.16, due to be released in early August. Release candidates for Linux 3.16 are already packaged and available in the experimental suite.

If you maintain a package that is closely bound to the kernel version - a kernel module or a userland application that depends on an unstable API - please ensure that it is compatible with Linux 3.16 prior to the freeze date (5th November, 2014). Incompatible packages are very likely to be removed from testing and not included in 'jessie'.

  1. My kernel module package doesn't build on 3.16 and upstream is not interested in supporting this version. What can I do?
    The kernel team might be able to help you with forward-porting, but also try Linux Kernel Newbies or the mailing list(s) for the relevant kernel subsystem(s).

  2. There's an important new kernel feature that ought to go into jessie, but it won't be in 3.16. Can you still add it?
    Maybe - sometimes this is easy and sometimes it's too disruptive to the rest of the kernel. Please contact the team on the debian-kernel mailing list or by opening a wishlist bug.

  3. Will Linux 3.16 get long term support from upstream?
    The Linux 3.16-stable branch will not be maintained as a longterm branch at kernel.org. However, the Ubuntu kernel team will continue to maintain that branch, following the same rules for acceptance and review, until around April 2016. Ben Hutchings is planning to continue maintenance from then until the end of regular support for 'jessie'.

Categories: LUG Community Blogs

Chris Dennis: Website version control with Git

Sat, 26/07/2014 - 21:59

Some notes on using git to manage development and production versions of a website on a Linux server, based on Using Git to manage a web site.  There seem to be several web pages with similar ideas out there: I don’t know who wrote it down first.  And also with reference to Version Control with Git by Jon Loeliger.

I’ve adapted those ideas for the way I like to do things:

  • I SSH in to the server, and do the editing there, using vim.
  • I have separate domains for development and production versions of my sites.  For the purposes of these notes, they’re called dev.example.org and www.example.org.  So the development version is also an active real-world website: my nginx configuration makes it only visible to me.
  • The document roots are /var/www/website and /var/www/website-dev respectively.
  • The ‘bare’ production git repository can be anywhere on the server.  I’ll put it at /var/www/website.git.  It’s a git convention to use the .git extension for bare repositories.

The steps for setting it up are as follows.  I’ll leave the setting of suitable permissions and use of sudo as an exercise for the reader.

  1. Put some web pages in /var/www/website-dev.
  2. Create the development repository and the bare production repository:
       mkdir /var/www/website
       cd /var/www/website-dev
       git init
       git add <all the appropriate files and directories>
       git commit -a -m "a message"
       mkdir /var/www/website.git
       cd /var/www/website.git
       git --bare init
  3. Create /var/www/website.git/hooks/post-receive containing:
       #!/bin/bash
       GIT_WORK_TREE=/var/www/website git checkout -f
  4. In the following, I’ve used ‘live’ as an alias for the production environment; you could use ‘prod’ or whatever you fancy.
       chmod +x /var/www/website.git/hooks/post-receive
       cd /var/www/website-dev
       git remote add live file:///var/www/website.git
       git push live +master:refs/heads/master
       git push --set-upstream live master
       git push live
  5. And, as if by magic, the files from the master branch of /var/www/website-dev are now in /var/www/website.
  6. Then whenever you’ve got new code ready to go into production, all that’s required is:
       git push live
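The whole procedure above, rehearsed end to end in a throwaway directory as an added example (not from the post), so the post-receive hook can be checked before it is pointed at /var/www. Keeping the bare repository outside the document root is what ensures no .git directory ever lands where nginx could serve it; the temporary paths below stand in for /var/www/website-dev, /var/www/website and /var/www/website.git.

```shell
#!/bin/sh
# Added example: rehearse the bare-repo + post-receive deployment in a
# temporary directory. Every path under $ROOT is constructed for this run.
set -e

ROOT=$(mktemp -d)
DEV="$ROOT/website-dev"   # stands in for /var/www/website-dev
LIVE="$ROOT/website"      # stands in for /var/www/website
BARE="$ROOT/website.git"  # stands in for /var/www/website.git

# Commit identity for the rehearsal only; a real server uses its own config.
g() { git -c user.name=dev -c user.email=dev@example.org "$@"; }

setup_deploy() {
    mkdir -p "$DEV" "$LIVE"
    echo '<h1>hello</h1>' >"$DEV/index.html"
    g -c init.defaultBranch=master init -q "$DEV"
    g -C "$DEV" add index.html
    g -C "$DEV" commit -q -m 'a message'

    # The bare production repository sits outside the document root, so
    # nginx never has a .git directory to serve.
    g init -q --bare "$BARE"
    cat >"$BARE/hooks/post-receive" <<EOF
#!/bin/sh
GIT_WORK_TREE="$LIVE" git checkout -f
EOF
    chmod +x "$BARE/hooks/post-receive"

    g -C "$DEV" remote add live "file://$BARE"
    g -C "$DEV" push -q live +master:refs/heads/master
    g -C "$DEV" push -q --set-upstream live master
}

# Results worth checking after a push.
deployed_content() { cat "$LIVE/index.html"; }
docroot_has_git_dir() { [ -e "$LIVE/.git" ]; }

# Edit, commit, 'git push live': the hook refreshes the work tree.
redeploy() {
    echo '<h1>hello again</h1>' >"$DEV/index.html"
    g -C "$DEV" commit -q -am 'second release'
    g -C "$DEV" push -q live
}

setup_deploy
```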
    Categories: LUG Community Blogs

    Steve Kemp: The selfish programmer

    Fri, 25/07/2014 - 14:16

    Once upon a time I wrote a piece of software for scheduling the classes available to a college.

    There was a bug in the scheduler: Students who happened to be named 'Steve Kemp' had a significantly higher chance (>=80% IIRC) of being placed in lessons where the class makeup was more than 50% female.

    This bug was never fixed. Which was nice, because I spent several hours both implementing and disguising this feature.

    I was a bad coder when I was a teenager.

    These days I'm still a bad coder, but in different ways.

    Categories: LUG Community Blogs

    Anton Piatek: The department of dirty

    Thu, 24/07/2014 - 10:03

    I quite like the Open Rights Group’s new campaign against internet filtering.

    The Department of Dirty is working with internet and mobile companies to stop the dirty internet. We are committed to protecting children and adults from online filth such as:

    • Talk to Frank: This government website tries to educate young people about drugs. We all know what ‘education’ means, don’t we? Blocked by Three.
    • Girl Guides Essex: They say, ‘guiding is about acquiring skills for life’. We say, why would young girls need skills? Blocked by BT.
    • South London Refugee Association: This charity aims to relieve poverty and distress. Not on our watch they don’t. Blocked by BT, EE, Sky and VirginMedia.

    We need you to help us take a stand against blogs, charities and education websites, all of which are being blocked [1]. It’s time to stop this sick filth. Together, we can clean up the internet.

    www.departmentofdirty.co.uk
    Categories: LUG Community Blogs

    Steve Kemp: An alternative to devilspie/devilspie2

    Mon, 21/07/2014 - 15:30

    Recently I was updating my dotfiles, because I wanted to ensure that media-players were "always on top", when launched, as this suits the way I work.

    For many years I've used devilspie to script the placement of new windows, and once I googled a recipe I managed to achieve my aim.

    However during the course of my googling I discovered that devilspie is unmaintained, and has been replaced by something using Lua - something I like.

    I'm surprised I hadn't realized that the project was dead; although I've always hated the configuration syntax, it is something that I've used on a constant basis since I found it.

    Unfortunately the replacement, despite using Lua, and despite being functional, just didn't seem to gel with me. So I figured "How hard could it be?".

    In the past I've written software which iterated over all (visible) windows, and obviously I'm no stranger to writing Lua bindings.

    However I did run into a snag. My initial implementation did two things:

    • Find all windows.
    • For each window invoke a lua script-file.

    This worked. This worked well. This worked too well.

    The problem I ran into was that if I wrote something like "Move window 'emacs' to desktop 2" that action would be applied, over and over again. So if I launched emacs, and then manually moved the window to desktop 3, it would jump back!

    In short I needed to add a "stop()" function, which would cause further actions against a given window to cease. (By keeping a linked list of windows-to-ignore, and avoiding processing them.)

    The code did work, but it felt wrong to have an ever-growing linked-list of processed windows. So I figured I'd look at the alternative - the original devilspie used libwnck to operate. That library allows you to nominate a callback to be executed every time a new window is created.

    If you apply your magic only on a window-create event - well you don't need to bother caching prior-windows.

    So in conclusion :

    I think my code is better than devilspie2 because it is smaller, simpler, and does things more neatly - for example instead of a function to get geometry and another to set it, I use one (e.g. "xy()" returns the position of a window, but xy(3,3) sets it).

    kpie also allows you to run as a one-off job, and using the simple primitives I wrote a file to dump your windows, and their size/placement, which looks like this:

    shelob ~/git/kpie $ ./kpie --single ./samples/dump.lua
    -- Screen width : 1920
    -- Screen height: 1080
    ..
    if ( ( window_title() == "Buddy List" ) and
         ( window_class() == "Pidgin" ) and
         ( window_application() == "Pidgin" ) ) then
        xy(1536,24 )
        size(384,1032 )
        workspace(2)
    end
    if ( ( window_title() == "feeds" ) and
         ( window_class() == "Pidgin" ) and
         ( window_application() == "Pidgin" ) ) then
        xy(1,24 )
        size(1536,1032 )
        workspace(2)
    end
    ..

    As you can see that has dumped all my windows, along with their current state. This allows a simple starting-point - Configure your windows the way you want them, then dump them to a script file. Re-run that script file and your windows will be set back the way they were! (Obviously there might be tweaks required.)

    I used that starting-point to define a simple recipe for configuring pidgin, which is more flexible than what I ever had with pidgin, and suits my tastes.

    Bug-reports welcome.

    Categories: LUG Community Blogs

    Steve Kemp: Did you know xine will download and execute scripts?

    Sat, 19/07/2014 - 21:48

    Today I was poking around the source of Xine, the well-known media player. During the course of this poking I spotted that Xine has skin support - something I've been blissfully ignorant of for many years.

    How do these skins work? You bring up the skin-browser, by default this is achieved by pressing "Ctrl-d". The browser will show you previews of the skins available, and allow you to install them.

    How does Xine know what skins are available? It downloads the contents of:

    NOTE: This is an insecure URL.

    The downloaded file is a simple XML thing, containing references to both preview-images and download locations.

    For example the theme "Sunset" has the following details:

    • Download link: http://xine.sourceforge.net/skins/Sunset.tar.gz
    • Preview link: http://xine.sourceforge.net/skins/Sunset.png

    If you choose to install the skin, the Sunset.tar.gz file is downloaded via HTTP, extracted, and the shell script doinst.sh is executed, if present.

    So if you control DNS on your LAN you can execute arbitrary commands if you persuade a victim to download your "corporate xine theme".

    Probably a low-risk attack, but still a surprise.
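An added example, not from the post or from xine itself: a pre-install check that lists a downloaded skin archive without extracting it and reports any doinst.sh, the script the post says would be executed. The archives are constructed locally; the README content and the "with-script" flag are my own.

```shell
#!/bin/sh
# Added example: inspect a skin tarball for an install script before it is
# unpacked. Archives below are constructed here; nothing is downloaded.
set -e

WORK=$(mktemp -d)

# Build a skin tarball named $1; pass "with-script" to include a doinst.sh.
make_skin() {
    mkdir -p "$WORK/$1"
    printf 'constructed skin %s\n' "$1" >"$WORK/$1/README"
    if [ "$2" = with-script ]; then
        printf '#!/bin/sh\necho installed\n' >"$WORK/$1/doinst.sh"
    fi
    tar -C "$WORK" -czf "$WORK/$1.tar.gz" "$1"
}

# Print one line per install script found; prints nothing for a clean archive.
# Uses the listing only, so nothing from the archive touches the filesystem.
audit_skin_tarball() {
    tar -tzf "$1" | while IFS= read -r member; do
        case "$member" in
            doinst.sh|*/doinst.sh) echo "install script: $member" ;;
        esac
    done
}

# True when the archive carries no script that would run on install.
skin_is_clean() { [ -z "$(audit_skin_tarball "$1")" ]; }

make_skin Sunset with-script
make_skin Plain
audit_skin_tarball "$WORK/Sunset.tar.gz"
```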

    Categories: LUG Community Blogs

    Martin Wimpress: Monitorix on Debian

    Sat, 19/07/2014 - 12:00

    I have a few Debian servers that run at home and on VPSs. I wanted to add some basic systems monitoring to them, but didn't want anything too complicated to look after. I found Monitorix.

    Monitorix is a free, open source, lightweight system monitoring tool designed to monitor as many services and system resources as possible. It has been created to be used under production Linux/UNIX servers, but due to its simplicity and small size can be used on embedded devices as well.

    Install Monitorix

    This install has been tested on Debian Squeeze and Wheezy. First install the dependencies.

        sudo apt-get install rrdtool perl libwww-perl libmailtools-perl \
            libmime-lite-perl librrds-perl libdbi-perl libxml-simple-perl \
            libhttp-server-simple-perl libconfig-general-perl libio-socket-ssl-perl

    Now Monitorix itself.

        wget -c "http://apt.izzysoft.de/ubuntu/dists/generic/index.php?file=monitorix_3.5.1-izzy1_all.deb" -O monitorix_3.5.1-izzy1_all.deb
        sudo dpkg -i monitorix_3.5.1-izzy1_all.deb

    At this point Monitorix is installed and running. Point your browser to http://example.org:8080/monitorix/ and enjoy!

    Configuring Monitorix

    Everything in /etc/monitorix/monitorix.conf is comprehensively documented, just get tweaking.

    Each time you update the configuration Monitorix will require a restart.

        sudo service monitorix restart

    nginx status

    If you run nginx then you'll want to drop the following into /etc/nginx/conf.d/status.conf so that Monitorix can monitor nginx.

        server {
            listen localhost:80;
            location /nginx_status {
                stub_status on;
                access_log off;
                allow 127.0.0.1;
                deny all;
            }
        }
    Categories: LUG Community Blogs