Planet ALUG

Syndicate content
Planet ALUG - http://planet.alug.org.uk/
Updated: 1 hour 54 min ago

Daniel Silverstone (Kinnison): Yay, finished my degree at last

Tue, 18/07/2017 - 22:56

A little while back, in June, I sat my last exam for what I hoped would be the last module in my degree. For seven years, I've been working on a degree with the Open University and have been taking advantage of the opportunity to have a somewhat self-directed course load by taking the 'Open' degree track. When asked why I bothered to do this, I guess my answer has been a little varied. In principle it's because I felt like I'd already done a year's worth of degree and didn't want it wasted, but it's also because I have been, in the dim and distant past, overlooked for jobs simply because I had no degree and thus was an easy "bin the CV".

Fed up with this, I decided to commit to the Open University and thus began my journey toward 'qualification' in 2010. I started by transferring the level 1 credits from my stint at UCL back in 1998/1999 which were in a combination of basic programming in Java, some mathematics including things like RSA, and some psychology and AI courses which at the time were aiming at a degree called 'Computer Science with Cognitive Sciences'.

Then I took level 2 courses, M263 (Building blocks of software), TA212 (The technology of music) and MS221 (Exploring mathematics). I really enjoyed the mathematics course and so...

At level 3 I took MT365 (Graphs, networks and design), M362 (Developing concurrent distributed systems), TM351 (Data management and analysis - which I ended up hating), and finally finishing this June with TM355 (Communications technology).

I received an email this evening telling me the module result for TM355 had been posted, and I logged in to find I had done well enough to be offered my degree. I could have claimed my degree 18+ months ago, but I persevered through another two courses in order to qualify for an honours degree which I have now been awarded. Since I don't particularly fancy any ceremonial awarding, I just went through the clicky clicky and accepted my qualification of 'Batchelor of Science (Honours) Open, Upper Second-class Honours (2.1)' which grants me the letters 'BSc (Hons) Open (Open)' which, knowing me, will likely never even make it onto my CV because I'm too lazy.

It has been a significant effort, over the course of the past few years, to complete a degree without giving up too much of my personal commitments. In addition to earning the degree, I have worked, for six of the seven years it has taken, for Codethink doing interesting work in and around Linux systems and Trustable software. I have designed and built Git server software which is in use in some universities, and many companies, along with a good few of my F/LOSS colleagues. And I've still managed to find time to attend plays, watch films, read an average of 2 novel-length stories a week (some of which were even real books), and be a member of the Manchester Hackspace.

Right now, I'm looking forward to a stress free couple of weeks, followed by an immense amount of fun at Debconf17 in Montréal!

Categories: LUG Community Blogs

Jonathan McDowell: Just because you can, doesn't mean you should

Mon, 17/07/2017 - 19:41

There was a recent Cryptoparty Belfast event that was aimed at a wider audience than usual; rather than concentrating on how to protect ones self on the internet the 3 speakers concentrated more on why you might want to. As seems to be the way these days I was asked to say a few words about the intersection of technology and the law. I think people were most interested in all the gadgets on show at the end, but I hope they got something out of my talk. It was a very high level overview of some of the issues around the Investigatory Powers Act - if you’re familiar with it then I’m not adding anything new here, just trying to provide some sort of details about why it’s a bad thing from both a technological and a legal perspective.

Download

Categories: LUG Community Blogs

Chris Lamb: Installation birthday

Fri, 14/07/2017 - 11:08

Fancy receiving congratulations on the anniversary of when you installed your system?

Installing the installation-birthday package on your Debian machines will celebrate each birthday of your system by automatically sending a message to the local system administrator.

The installation date is based on the system installation time, not the package itself.

installation-birthday is available in Debian 9 ("stretch") via the stretch-backports repository, as well as in the testing and unstable distributions:

$ apt install installation-birthday

Enjoy, and patches welcome. :)

Categories: LUG Community Blogs

Steve Engledow (stilvoid): An evening of linux on the desktop

Mon, 10/07/2017 - 23:14

Last time, I wrote about trying a few desktop environments to see what's out there, keep things fresh, and keep me from complacency. Well, as with desktop environments, so with text editors. I decided briefly that I would try a few of the more recent code editors that are around these days. Lured in by their pleasing, modern visuals and their promises of a smooth, integrated experience, I've been meaning to give these a go for a while. Needless to say, as a long-time vim user, I just found myself frustrated that I wasn't able to get things done as efficiently in any of those editors as I could in vim ;) I tried installing vim keybindings in Atom but it just wasn't the same as a very limited set of functionality was there. As for the integrated environment, when you have tmux running by default, everything's integrated anyway.

And, as with editors, so once again with desktop environments. I've decided to retract my previous hasty promise and no longer to bother with trying any other environments; i3 is more than fine :)

However, I did spend some time this evening making things a bit prettier so here are some delicious configs for posterity:

Configs Xresources

I've switched back to xterm from urxvt because, er... dunno.

Anyway, I set some nice colours for terminals and some magic stuff that makes man pages all colourful :)

XTerm*faceName: xft:Hack:regular:size=12 *termName: xterm-256color ! Colourful man pages *VT100.colorBDMode: true *VT100.colorBD: cyan *VT100.colorULMode: true *VT100.colorUL: darkcyan *VT100.colorITMode: true *VT100.colorIT: yellow *VT100.veryBoldColors: 518 ! terminal colours *foreground:#CCCCCC *background:#2B2D2E !black darkgray *color0: #2B2D2E *color8: #808080 !darkred red *color1: #FF0044 *color9: #F92672 !darkgreen green *color2: #82B414 *color10: #A6E22E !darkyellow yellow *color3: #FD971F *color11: #E6DB74 !darkblue blue *color4: #266C98 *color12: #7070F0 !darkmagenta magenta *color5: #AC0CB1 *color13: #D63AE1 !darkcyan cyan *color6: #AE81FF *color14: #66D9EF !gray white *color7: #CCCCCC *color15: #F8F8F2 Vimrc

Nothing exciting here except for discovering a few options I hadn't previous known about:

" Show a marker at the 80th column to encourage nice code set colorcolumn=80 highlight ColorColumn ctermbg=darkblue " Scroll the text when we're 3 lines from the top or bottom set so=3 " Use browser-style incremental search set incsearch " Override the default background colour in xoria256 to match the terminal background highlight Normal ctermbg=black " I like this theme colorscheme xoria256 i3

I made a few colour tweaks to my i3 config so I get colours that match my new Xresources. One day, I might see if it's easy enough to have them both read colour definitions from the same place so I don't have to define things twice.

The result

Here's what it looks like:

Categories: LUG Community Blogs

Jonathan McDowell: Going to DebConf 17

Mon, 10/07/2017 - 18:54

Completely forgot to mention this earlier in the year, but delighted to say that in just under 4 weeks I’ll be attending DebConf 17 in Montréal. Looking forward to seeing a bunch of fine folk there!

Outbound:

2017-08-04 11:40 DUB -> 13:40 KEF WW853 2017-08-04 15:25 KEF -> 17:00 YUL WW251

Inbound:

2017-08-12 19:50 YUL -> 05:00 KEF WW252 2017-08-13 06:20 KEF -> 09:50 DUB WW852

(Image created using GIMP, fonts-dkg-handwriting and the DebConf17 Artwork.)

Categories: LUG Community Blogs

Daniel Silverstone (Kinnison): Gitano - Approaching Release - Access Control Changes

Sat, 08/07/2017 - 10:31

As mentioned previously I am working toward getting Gitano into Stretch. A colleague and friend of mine (Richard Maw) did a large pile of work on Lace to support what we are calling sub-defines. These let us simplify Gitano's ACL files, particularly for individual projects.

In this posting, I'd like to cover what has changed with the access control support in Gitano, so if you've never used it then some of this may make little sense. Later on, I'll be looking at some better user documentation in conjunction with another friend of mine (Lars Wirzenius) who has promised to help produce a basic administration manual before Stretch is totally frozen.

Sub-defines

With a more modern lace (version 1.3 or later) there is a mechanism we are calling 'sub-defines'. Previously if you wanted to write a ruleset which said something like "Allow Steve to read my repository" you needed:

define is_steve user exact steve allow "Steve can read my repo" is_steve op_read

And, as you'd expect, if you also wanted to grant read access to Jeff then you'd need yet set of defines:

define is_jeff user exact jeff define is_steve user exact steve define readers anyof is_jeff is_steve allow "Steve and Jeff can read my repo" readers op_read

This, while flexible (and still entirely acceptable) is wordy for small rulesets and so we added sub-defines to create this syntax:

allow "Steve and Jeff can read my repo" op_read [anyof [user exact jeff] [user exact steve]]

Of course, this is generally neater for simpler rules, if you wanted to add another user then it might make sense to go for:

define readers anyof [user exact jeff] [user exact steve] [user exact susan] allow "My friends can read my repo" op_read readers

The nice thing about this sub-define syntax is that it's basically usable anywhere you'd use the name of a previously defined thing, they're compiled in much the same way, and Richard worked hard to get good error messages out from them just in case.

No more auto_user_XXX and auto_group_YYY

As a result of the above being implemented, the support Gitano previously grew for automatically defining users and groups has been removed. The approach we took was pretty inflexible and risked compilation errors if a user was deleted or renamed, and so the sub-define approach is much much better.

If you currently use auto_user_XXX or auto_group_YYY in your rulesets then your upgrade path isn't bumpless but it should be fairly simple:

  1. Upgrade your version of lace to 1.3
  2. Replace any auto_user_FOO with [user exact FOO] and similarly for any auto_group_BAR to [group exact BAR].
  3. You can now upgrade Gitano safely.
No more 'basic' matches

Since Gitano first gained support for ACLs using Lace, we had a mechanism called 'simple match' for basic inputs such as groups, usernames, repo names, ref names, etc. Simple matches looked like user FOO or group !BAR. The match syntax grew more and more arcane as we added Lua pattern support refs ~^refs/heads/${user}/. When we wanted to add proper PCRE regex support we added a syntax of the form: user pcre ^/.+?... where pcre could be any of: exact, prefix, suffix, pattern, or pcre. We had a complex set of rules for exactly what the sigils at the start of the match string might mean in what order, and it was getting unwieldy.

To simplify matters, none of the "backward compatibility" remains in Gitano. You instead MUST use the what how with match form. To make this slightly more natural to use, we have added a bunch of aliases: is for exact, starts and startswith for prefix, and ends and endswith for suffix. In addition, kind of match can be prefixed with a ! to invert it, and for natural looking rules not is an alias for !is.

This means that your rulesets MUST be updated to support the more explicit syntax before you update Gitano, or else nothing will compile. Fortunately this form has been supported for a long time, so you can do this in three steps.

  1. Update your gitano-admin.git global ruleset. For example, the old form of the defines used to contain define is_gitano_ref ref ~^refs/gitano/ which can trivially be replaced with: define is_gitano_ref ref prefix refs/gitano/
  2. Update any non-zero rulesets your projects might have.
  3. You can now safely update Gitano

If you want a reference for making those changes, you can look at the Gitano skeleton ruleset which can be found at https://git.gitano.org.uk/gitano.git/tree/skel/gitano-admin/rules/ or in /usr/share/gitano if Gitano is installed on your local system.

Next time, I'll likely talk about the deprecated commands which are no longer in Gitano, and how you'll need to adjust your automation to use the new commands.

Categories: LUG Community Blogs

Daniel Silverstone (Kinnison): F/LOSS activity, June 2017

Sat, 01/07/2017 - 13:59

It seems to be becoming popular to send a mail each month detailing your free software work for that month. I have been slowly ramping my F/LOSS activity back up, after years away where I worked on completing my degree. My final exam for that was in June 2017 and as such I am now in a position to try and get on with more F/LOSS work.

My focus, as you might expect, has been on Gitano which reached 1.0 in time for Stretch's release and which is now heading gently toward a 1.1 release which we have timed for Debconf 2017. My friend a colleague Richard has been working hard on Gitano and related components during this time too, and I hope that Debconf will be an opportunity for him to meet many of my Debian friends too. But enough of that, back to the F/LOSS.

We've been running Gitano developer days roughly monthly since March of 2017, and the June developer day was attended by myself, Richard Maw, and Richard Ipsum. You are invited to read the wiki page for the developer day if you want to know exactly what we got up to, but a summary of my involvement that day is:

  • I chaired the review of our current task state for the project
  • I chaired the decision on the 1.1 timeline.
  • I completed a code branch which adds rudimentary hook support to Gitano and submitted it for code review.
  • I began to learn about git-multimail since we have a need to add support for it to Gitano

Other than that, related to Gitano during June I:

  • Reviewed Richard Ipsum's lua-scrypt patches for salt generation
  • Reviewed Richard Maw's work on centralising Gitano's patterns into a module.
  • Responded to reviews of my hook work, though I need to clean it up some before it'll be merged.

My non-Gitano F/LOSS related work in June has been entirely centred around the support I provide to the Lua community in the form of the Lua mailing list and website. The host on which it's run is ailing, and I've had to spend time trying to improve and replace that.

Hopefully I'll have more to say next month. Perhaps by doing this reporting I'll get more F/LOSS done. Of course, July's report will be sent out while I'm in Montréal for debconf 2017 (or at least for debcamp at that point) so hopefully more to say anyway.

Categories: LUG Community Blogs

Chris Lamb: Free software activities in June 2017

Sat, 01/07/2017 - 00:29

Here is my monthly update covering what I have been doing in the free software world (previous month):

  • Updated travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds:
    • Support Debian "buster". (commit)
    • Set TRAVIS=true environment variable when running autopkgtests. (#45)
  • Updated the documentation in django-slack, my library to easily post messages to the Slack group-messaging utility to link to Slack's own message formatting documentation. (#66)
  • Added "buster" support to local-debian-mirror, my package to easily maintain and customise a local Debian mirror via the DebConf configuration tool. (commit)
Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source. Multiple third-parties then can come to a consensus on whether a build was compromised or not.

I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:

  • Chaired our monthly IRC meeting. (Summary, logs, etc.)
  • Presented at Hong Kong Open Source Conference 2017.
  • Presented at LinuxCon China.
  • Submitted the following patches to fix reproducibility-related toolchain issues within Debian:
    • cracklib2: Ensuring /var/cache/cracklib/src-dicts are reproducible. (#865623)
    • fontconfig: Ensuring the cache files are reproducible. (#864082)
    • nfstrace: Make the PDF footers reproducible. (#865751)
  • Submitted 6 patches to fix specific reproducibility issues in cd-hit, janus, qmidinet, singularity-container, tigervnc & xabacus.
  • Submitted a wishlist request to the TeX mailing list to ensure that PDF files are reproducible even if generated from a difficult path after identifying underlying cause. (Thread)
  • Categorised a large number of packages and issues in the Reproducible Builds notes.git repository.
  • Worked on publishing our weekly reports. (#110, #111, #112 & #113)
  • Updated our website with 13 missing talks (e291180), updated the metadata for some existing talks (650a201) and added OpenEmbedded to the projects page (12dfcf0).

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.


strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

  • Add libarchive-cpio-perl with the !nocheck build profile. (01e408e)
  • Add dpkg-dev dependency build profile. (f998bbe)


Debian

My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce mailing list. However, I:

Debian LTS

This month I have been paid to work 16 hours hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, etc.
  • Issued DLA 974-1 fixing a command injection vulnerability in picocom, a dumb-terminal emulation program.
  • Issued DLA 972-1 which patches a double-free vulnerability in the openldap LDAP server.
  • Issued DLA 976-1 which corrects a buffer over-read vulnerability in the yodl ("Your Own Document Language") document processor.
  • Issued DLA 985-1 to address a vulnerability in libsndfile (a library for reading/writing audio files) where a specially-crafted AIFF file could result in an out-of-bounds memory read.
  • Issued DLA 990-1 to fix an infinite loop vulnerability in the expat, an XML parsing library.
  • Issued DLA 999-1 for the openvpn VPN server — if clients used a HTTP proxy with NTLM authentication, a man-in-the-middle attacker could cause the client to crash or disclose stack memory that was likely to contain the proxy password.
Uploads
  • bfs (1.0.2-1) — New upstream release, add basic/smoke autopkgtests.
  • installation-birthday (5) — Add some basic autopkgtest smoke tests and correct the Vcs-{Git,Browser} headers.
  • python-django:
    • 1:1.11.2-1 — New upstream minor release & backport an upstream patch to prevent a test failure if the source is not writable. (#816435)
    • 1:1.11.2-2 — Upload to unstable, use !nocheck profile for build dependencies that are only required for tests and various packaging updates.

I also made the following non-maintainer uploads (NMUs):

  • kluppe (0.6.20-1.1) — Fix segmentation fault caused by passing a truncated pointer instead of a GtkType. (#863421)
  • porg (2:0.10-1.1) — Fix broken LD_PRELOAD path for libporg-log.so. (#863495)
  • ganeti-instance-debootstrap (0.16-2.1) — Fix "illegal option for fgrep" error by using "--" to escape the search needle. (#864025)
  • pavuk (0.9.35-6.1) — Fix segmentation fault when opening the "Limitations" window due to pointer truncation in src/gtkmulticol.[ch]. (#863492)
  • timemachine (0.3.3-2.1) — Fix two segmentation faults in src/gtkmeter.c and gtkmeterscale.c caused by passing a truncated pointers using guint instead of a GtkType. (#863420)
  • jackeq (0.5.9-2.1) — Fix another segmentation fault caused by passing a truncated pointer instead of a GtkType. (#863416)
Debian bugs filed
  • debhelper: Don't run dh_installdocs if nodoc is specified in DEB_BUILD_PROFILES? (#865869)
  • python-blessed: Non-determistically FTBFS due to unreliable timing in tests. (#864337)
  • apt: Please print a better error message if zero certificates are loaded from the system CA store. (#866377)
FTP Team

As a Debian FTP assistant I ACCEPTed 16 packages: faceup, golang-github-andybalholm-cascadia, haskell-miniutter, libplack-builder-conditionals-perl, libprelude, lua-argparse, network-manager-l2tp, node-gulp-concat, node-readable-stream, node-stream-assert, node-xterm, pydocstyle, pytest-bdd, python-iso3166, python-zxcvbn & stressant.

Categories: LUG Community Blogs

Steve Engledow (stilvoid): The day of linux on the desktop

Thu, 15/06/2017 - 03:41

It's been a while since I last tried out a different desktop environment on my laptop and I've been using i3 for some time now so it's only fair to give other things a go ;)

To test these out, I ran another X display - keeping my original one running so I could switch back and forth to take notes - and started each environment with DISPLAY=:1 <the command to start the desktop>.

I'll start with just one today and perhaps review some others another time.

Deepin

In summary: bits of Gnome Shell, Chrome OS, and Mac OSX but not quite as polished as any of them.

The Deepin Desktop Environment (DDE - from the Deepin distribution) installed easily enough under Arch with a quick pacman -S deepin deepin-extra. It also started up easily with an unambiguous startdde.

Immediately on startup, DDE plays a slightly annoying chime presumably just to remind you of how far we've come since Windows 95. The initial view of the desktop looks similar to OSX or Chrome OS with file icons on the desktop and a launcher bar centred across the bottom of the screen.

The first thing I tried was clicking on a button labelled "Multitasking view" only to be presented with a prompt telling me "Kindly reminder: This application can not run without window effect" and an OK button. So far, so enigmatic. So then I tried a trusty right-click on the desktop which brought up the expected context menu. In the menu was a "Display settings" option so I plumped for that, thinking that perhaps that was where I could enable the mystic "window effect". Clicking the "Display settings" button opened a dark-themed panel from the right-hand side, similar to the information panel you get in OSX. I searched through that panel for a good couple of minutes but could find no allusion to any "window effect".

Unperturbed, I decided to press on and see what other features Deepin had to offer...

Moving the mouse around the desktop a bit, I discovered that Deepin has borrowed some ideas from Gnome shell as well as OSX and Chrome OS. Moving the mouse pointer into the top-left corner of the screen brings up an application list similar to Gnome's launcher. The bottom-right corner reveals the settings panel. The top-right does nothing and the bottom-left, wonder of wonders, brings up my old favourite, the "kindly reminder".

I poked around in the settings a bit more but didn't really see anything of interest so I fired up what looks to be the last part of Deepin left for me to explore: the file manager. It does the job and it's not very interesting although I did discover that Deepin also has it's own terminal emulator (unsurprisingly called deepin-terminal) which has a snazzy Matrix theme to it but is otherwise uninteresting.

That's it, I'm bored. Next!

I tried Budgie and LXQT for a few minutes each at this point but they weren't immediately interesting enough to make me want to write about them just now :)

Categories: LUG Community Blogs

Mick Morgan: it is now

Tue, 06/06/2017 - 15:35

Back in January 2011, I posted a brief note about a site hosted at the domain “ismycomputeroff.com“. I have just had occasion to look again at that site and found that the domain is now definitely off. It is parked at sedo and is up for sale at the ludicrous price of 599 euros.

Tell you what, you can have my “theinternetisoff.net” domain for the bargain price of half that – after all, it only cost me about a tenner.

Categories: LUG Community Blogs

Chris Lamb: Free software activities in May 2017

Wed, 31/05/2017 - 19:25

Here is my monthly update covering what I have been doing in the free software world (previous month):

  • Wrote and released installation-birthday. Installing this package will celebrate the anniversary of installing your system by sending you an email via cron(8).
  • Fixed an issue in the Django web development framework where you couldn't run the testsuite against a read-only copy of the source code. This was found by the Debian Continuous Integration service. (#26755)
  • Provided a pull request for the "wammu" mobile phone manager to ensure the build is reproducible. (#49)
Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

(I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.)

This month I:

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Don't fail when run under perversely-recursive input files. (#780761).

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

  • Move from verbose_print to nonquiet_print so we print when normalising a file. This is so we can start to target the removal of strip-nondeterminism itself.
  • Only print log messages by default if the file was actually modified. (#863033)
  • Update package long descriptions to clarify that the tool itself is a temporary workaround. (#862029)


Debian

My activities as the current Debian Project Leader are covered in my "Bits from the DPL" email to the debian-devel-announce list.

However, I:

  • Represented Debian at the OSCAL 2017 in Tirana, Albania.
  • Attended the Reproducible Builds hackathon in Hamburg, Germany. (Report)
  • Finally, I attended Debian SunCamp 2017 in Lloret de Mar in Catalonia, Spain.

Patches contributed
  • xarchiver: Adding files to .tar.xz deletes existing content. (#862593)
  • screen-message: Please invert the default colours. (#862056)
  • fontconfig: fc-cache returns with exit code 0 on 256 errors. (#863427)
  • quadrapassel: Segfaults when unpausing a paused finished game. (#863106)
  • camping: Broken symlink. (#861040)
  • dns-root-data: Does not build if /bin/sh is Bash. (#862252)
  • dh-python: bit.ly link doesn't work anymore. (#863074)
Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, adding links to upstream patches, etc.
  • Issued DLA 930-1 fixing a remote application crash vulnerability in libxstream-java, a Java library to serialize objects to XML and back again
  • Issued DLA 935-1 correcting a local denial of service vulnerability in lxterminal, the terminal emulator for the LXDE desktop environment.
  • Issued DLA 940-1 to remedy an issue in sane-backends which allowed remote attackers to obtain sensitive memory information via a crafted SANE_NET_CONTROL_OPTION packet.
  • Issued DLA 943-1 for the deluge bittorrent client to fix a directory traversal attack vulnerability in the web user interface.
  • Issued DLA 949-1 fixing an integer signedness error in the miniupnpc UPnP client that could allow remote attackers to cause a denial of service attack.
  • Issued DLA 959-1 for the libical calendaring library. A use-after-free vulnerability could allow remote attackers could cause a denial of service and possibly read heap memory via a specially crafted .ICS file.
Uploads
  • redis (3:3.2.9-1) — New upstream release.
  • python-django:
    • 1:1.11.1-1 — New upstream minor release.
    • 1:1.11.1-2 & 1:1.11.1-3 — Add missing Build-Depends on libgdal-dev due to new GIS tests.
  • docbook-to-man:
    • 1:2.0.0-36 — Adopt package. Apply a patch to prevent undefined behaviour caused by a memcpy(3) parameter overlap. (#842635, #858389)
    • 1:2.0.0-37 — Install manpages using debian/docbook-to-man.manpages over manual calls.
  • installation-birthday — Initial upload and misc. subsequent fixes.
  • bfs:
    • 1.0-3 — Fix FTBFS on hurd-i386. (#861569)
    • 1.0.1-1 — New upstream release & correct debian/watch file.

I also made the following non-maintainer uploads (NMUs):

  • ca-certificates (20161130+nmu1) — Remove StartCom and WoSign certificates as they are now untrusted by the major browser vendors. (#858539)
  • sane-backends (1.0.25-4.1) — Correct missing error handler in (generated) prerm script. (#862334)
  • seqan2 (2.3.1+dfsg-3.1) — Fix broken /usr/bin/splazers symlink on 32-bit architectures. (#863669)
  • jackeq (0.5.9-2.1) — Fix a segmentation fault caused by passing a truncated pointer instead of a GtkType. (#863416)
  • kluppe (0.6.20-1.1) — Fix segmentation fault at startup. (#863421)
  • coyim (0.3.7-2.1) — Skip tests that require internet access to avoid FTBFS. (#863414)
  • pavuk (0.9.35-6.1) — Fix segmentation fault when opening "Limitations" window. (#863492)
  • porg (2:0.10-1.1) — Fix broken LD_PRELOAD path. (#863495)
  • timemachine (0.3.3-2.1) — Fix two segmentation faults caused by truncated pointers. (#863420)
Debian bugs filed
  • acct: Docs incorrectly installed to "accounting.html" directory. (#862180)
  • git-hub: Does not work with 2FA-enabled accounts. (#863265)
  • libwibble: Homepage and Vcs-Darcs fields are outdated. (#861673)


I additionally filed 2 bugs for packages that access the internet during build against flower and r-bioc-gviz.



I also filed 6 FTBFS bugs against cronutils, isoquery, libgnupg-interface-perl, maven-plugin-tools, node-dateformat, password-store & simple-tpm-pk11.

FTP Team

As a Debian FTP assistant I ACCEPTed 105 packages: boinc-app-eah-brp, debug-me, e-mem, etcd, fdroidcl, firejail, gcc-6-cross-ports, gcc-7-cross-ports, gcc-defaults, gl2ps, gnome-software, gnupg2, golang-github-dlclark-regexp2, golang-github-dop251-goja, golang-github-nebulouslabs-fastrand, golang-github-pkg-profile, haskell-call-stack, haskell-foundation, haskell-nanospec, haskell-parallel-tree-search, haskell-posix-pty, haskell-protobuf, htmlmin, iannix, libarchive-cpio-perl, libexternalsortinginjava-java, libgetdata, libpll, libtgvoip, mariadb-10.3, maven-resolver, mysql-transitional, network-manager, node-async-each, node-aws-sign2, node-bcrypt-pbkdf, node-browserify-rsa, node-builtin-status-codes, node-caseless, node-chokidar, node-concat-with-sourcemaps, node-console-control-strings, node-create-ecdh, node-create-hash, node-create-hmac, node-cryptiles, node-dot, node-ecc-jsbn, node-elliptic, node-evp-bytestokey, node-extsprintf, node-getpass, node-gulp-coffee, node-har-schema, node-har-validator, node-hawk, node-jsprim, node-memory-fs, node-pbkdf2, node-performance-now, node-set-immediate-shim, node-sinon-chai, node-source-list-map, node-stream-array, node-string-decoder, node-stringstream, node-verror, node-vinyl-sourcemaps-apply, node-vm-browserify, node-webpack-sources, node-wide-align, odil, onionshare, opensvc, otb, perl, petsc4py, pglogical, postgresql-10, psortb, purl, pymodbus, pymssql, python-decouple, python-django-rules, python-glob2, python-ncclient, python-parse-type, python-prctl, python-sparse, quoin-clojure, quorum, r-bioc-genomeinfodbdata, radlib, reprounzip, rustc, sbt-test-interface, slepc4py, slick-greeter, sparse, te923con, trabucco, traildb, typescript-types & writegood-mode.

I additionally filed 6 RC bugs against packages that had incomplete debian/copyright files against: libgetdata, odil, opensvc, python-ncclient, radlib and reprounzip.

Categories: LUG Community Blogs

Mick Morgan: monday in manchester

Thu, 25/05/2017 - 16:37

At around 22.30 last Monday, Manchester was subjected to an horrific attack at a pop concert. As the world now knows, a suicide bomber deliberately targeted young people and their friends and families as they were leaving a concert by the young pop singer Ariana Grande. In that attack, 22 people, including children as young as 8 years old lost their lives. Many, many more received life changing injuries.

This is the first confirmed suicide bombing attack in the UK since 7 July 2005. On that day, 12 years ago, I was working in London. I can vividly recall the aftermath of that attack. Shock, horror, disbelief, later turning to anger. But I also vividly recall the reactions of Londoners and visitors to London I met, talked to or simply listened to over the days that followed. Only a few days after the 7th I was travelling by bus to a meeting when quite unbidden a middle aged American couple, obviously tourists, told me and everyone else on the bus that they shared our pain and that they were praying for us. I am not a religious man, indeed, I have no faith whatsoever, but I was deeply moved by that couple’s sincerity. Later, towards the end of July, my wife and I were travelling by Tube towards St Pancras on our way to Paris for our wedding anniversary. The driver of that Tube welcomed us (and everyone else) aboard the “up yours al-Qaeda express”. This show of defiance in the face of horror actually raised a number of smiles from those around us. London survived, Londoners endured.

The citizens of Manchester are now all facing profound shock and grief. That shock and grief will also be felt by anyone who has any shred of humanity within them. London was bad – 52 people lost their lives in that series of co-ordinated attacks. But somehow, Manchester feels worse, much worse. The London bombers targeted morning Tube and bus travellers – mainly commuters, some of whom were late for work because of earlier rail disruption that day. They were a soft target. But the Manchester bombing was callously and deliberately aimed at the ultimate soft target – kids; youngsters and their families emerging from what should have been a wonderful night out. Kids simply enjoying themselves at a concert many would have been planning for and looking forward to for months. Ariane Grande’s fanbase is primarily young women and girls. The attacker would have known that and yet he deliberately chose to detonate his bomb at that time and that place. He, and any accomplices he may have had, deserve nothing but our contempt. Manchester will survive, and Mancunians will endure. They have faced this before in the IRA truck bombing in June 1996. That attack didn’t break them. This one won’t either.

Meanwhile, everyone must grieve for the loss of so many young lives in such a pointless, pitiless attack. My thoughts, and those of my family, are with Manchester.

Categories: LUG Community Blogs

Mick Morgan: using a VPN to take back your privacy

Fri, 12/05/2017 - 21:35

With the passage into law of the iniquitous Investigatory Powers (IP) Bill in the UK at the end of November last year, it is way past time for all those who care about civil liberties in this country to exercise their right to privacy.

The new IP Act permits HMG and its various agencies to surveil the entire online population. The Act actually formalises (or in reality, legalises) activity which has long gone on in this country (as in others) in that it gives LEAs and others a blanket right of surveillance.

The Act (PDF) itself states that it is:

“An Act to make provision about the interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information; to make provision about the treatment of material held as a result of such interception, equipment interference or acquisition or retention; to establish the Investigatory Powers Commissioner and other Judicial Commissioners and make provision about them and other oversight arrangements; to make further provision about investigatory powers and national security; to amend sections 3 and 5 of the Intelligence Services Act 1994; and for connected purposes.”

(Don’t you just love the “connected purposes” bit?)

The Open Rights Group says the Act:

“is one of the most extreme surveillance laws ever passed in a democracy. Its impact will be felt beyond the UK as other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance regimes.”

Liberty, which believes the Act breeches the public’s rights under the Human Rights Act, is challenging the Act through the Courts. That organisation says:

“Liberty will seek to challenge the lawfulness of the following powers, which it believes breach the public’s rights:

– Bulk hacking – the Act lets police and agencies access, control and alter electronic devices like computers, phones and tablets on an industrial scale, regardless of whether their owners are suspected of involvement in crime – leaving them vulnerable to further attack by hackers.

– Bulk interception – the Act allows the state to read texts, online messages and emails and listen in on calls en masse, without requiring suspicion of criminal activity.

– Bulk acquisition of everybody’s communications data and internet history – the Act forces communications companies and service providers to hand over records of everybody’s emails, phone calls and texts and entire web browsing history to state agencies to store, data-mine and profile at its will.

This provides a goldmine of valuable personal information for criminal hackers and foreign spies.

– “Bulk personal datasets” – the Act lets agencies acquire and link vast databases held by the public or private sector. These contain details on religion, ethnic origin, sexuality, political leanings and health problems, potentially on the entire population – and are ripe for abuse and discrimination.”

ProtonMail, a mail provider designed and built by “scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online.” announced on Thursday 19 January that they will be providing access to their email service via a Tor onion site, accessible only over the Tor anonymising network. The ProtonMail blog entry announcing the new service says:

“As ProtonMail has evolved, the world has also been changing around us. Civil liberties have been increasingly restricted in all corners of the globe. Even Western democracies such as the US have not been immune to this trend, which is most starkly illustrated by the forced enlistment of US tech companies into the US surveillance apparatus. In fact, we have reached the point where it simply not possible to run a privacy and security focused service in the US or in the UK.

At the same time, the stakes are also higher than ever before. As ProtonMail has grown, we have become increasingly aware of our role as a tool for freedom of speech, and in particular for investigative journalism. Last fall, we were invited to the 2nd Asian Investigative Journalism Conference and were able to get a firsthand look at the importance of tools like ProtonMail in the field.

Recently, more and more countries have begun to take active measures to surveil or restrict access to privacy services, cutting off access to these vital tools. We realize that censorship of ProtonMail in certain countries is not a matter of if, but a matter of when. That’s why we have created a Tor hidden service (also known as an onion site) for ProtonMail to provide an alternative access to ProtonMail that is more secure, private, and resistant to censorship.”

So, somewhat depressingly, the UK is now widely seen as a repressive state, willing to subject its citizens to a frighteningly totalitarian level of surveillance. Personally I am not prepared to put up with this without resistance.

Snowden hype notwithstanding, HMG does not have the resources to directly monitor all electronic communications traffic within the UK or to/from the UK, so it effectively outsources that task to “communications providers” (telcos for telephony and ISPs for internet traffic). Indeed, the IP act is intended, in part, to force UK ISPs to retain internet connection records (ICRs) when required to do so by the Home Secretary. In reality, this means that all the major ISPs, who already have relationships with HMG of various kinds, will be expected to log all their customer’s internet connectivity and to retain such logs for so long as is deemed necessary under the Act. The Act then gives various parts of HMG the right to request those logs for investigatory purposes.

Given that most of us now routinely use the internet for a vast range of activity, not limited just to browsing websites, but actually transacting in the real world, this is akin to requiring that every single library records the book requests of its users, every single media outlet (newsagents, bookshops, record shops etc.) records every purchase in a form traceable back to the purchaser, every single professional service provider (solicitors, lawyers, doctors, dentists, architects, plumbers, builders etc.) record all activity by name and address of visitor. All this on top of the already existing capability of of HMG to track and record every single person, social media site or organisation we contact by email or other form of messaging.

Can you imagine how you would feel if on every occasion you left your home a Police Officer (or in fact officials from any one of 48 separate agencies, including such oddities as the Food Standards Agency, the NHS Business Services Authority or the Gambling Commission) had the right, without a warrant or justifiable cause, to stop you and search you so that (s)he could read every piece of documentation you were carrying? How do you feel about submitting to a fishing trip through your handbag, briefcase, wallet or pockets?

I have no problem whatsoever with targeted surveillance, but forgive me if I find the blanket unwarranted surveillance of the whole populace, on the off-chance it might be useful, completely unacceptable. What happened to the right to privacy and the presumption of innocence in the eyes of the law? The data collected by ISPs and telcos under the IP act gives a treasure trove of information on UK citizens that the former East German Stasi could only have dreamed about.

Now regardless of whether or not you trust HMG to use this information wisely, and only for the reasons laid out under the Act, and only in the strict circumstances laid out in the Act, and only with the effective scrutiny of “independent” oversight, how confident are you that any future administration would be similarly wise and circumspect? What is to stop a future, let us suppose, less enlightened or liberal administration, misusing that data? What happens if in future some act which is currently perfectly legal and permissible, if of somewhat dubious taste, morality and good sense (such as, say, reading the Daily Mail online) were to become illegal? What constraint would there be to prevent a retrospective search for past consumers of such dubious material in order to flag them as “persons of interest”?

And even if you are comfortable with all of that, how comfortable are you with the idea that organised crime could have access to all your personal details? Given the aggregation of data inherent in the requirement for bulk data collection by ISPs, those datasets become massive and juicy targets for data theft (by criminals as as well as foreign nations states). And if you think that could not happen because ISPs and Telcos take really, really, really good care of their customer’s data, then think about TalkTalk or Plusnet or Three or Yahoo.

And they are just a few of the recent ones that we /know/ about.

So long as I use a UK landline or mobile provider for telephony, there is little I can do about the aggregation of metadata about my contacts (and if you think metadata aggregation doesn’t matter, take a look at this EFF note. I can, of course, and do, keep a couple of (cash) pre-paid SIM only mobile ‘phones handy – after all, you never know when you may need one (such as perhaps, in future when they become “difficult” to purchase). And the very fact that I say that probably flags me as suspicious in some people’s minds. (As an aside, ask yourself what comes to mind when you think about someone using a cash paid, anonymous, second hand mobile ‘phone. See? I must be guilty of something. Notice how pernicious suspicion becomes? Tricky isn’t it?) Nor can I do much about protecting my email (unless I use GPG, but that is problematic and in any case does not hide the all important metadata in the to/from/date/subject headers). Given that, I have long treated email just as if it were correspondence by postcard, though somewhat less private. For some long time I used to routinely GPG sign all my email. I have stopped doing that because the signatures meant, of course, that I had no deniability. Nowadays I only sign (and/or encrypt) when I want my correspondents to be sure I am who I say I am (or they want that reassurance).

But that does not mean I think I should just roll over and give up. There is plenty I can do to protect both myself and my immediate family from unnecessary, intrusive, unwarranted and unwanted snooping. For over a year now I have been using my own XMPP server in place of text messaging. I have had my own email server for well over a decade, and so long as I am conversing there with others on one of my domains served by that system, then that email is pretty private too (protected in transit by TLS using my own X509 certificates). My web browsing has also long been protected by Tor. But all that still leaves trails I don’t like leaving. I might, for example, not want my ISP to even know that I am using Tor, and in the case of my browsing activity it becomes problematic to protect others in my household or to cover all the multiple devices we now have which are network connected (I’ve actually lost count and would have to sit down and list them carefully to be sure I had everything covered).

What to do? The obvious solution is to wrap all my network activity in a VPN tunnel through my ISP’s routers before I hit the wider internet. That way my ISP can’t log anything beyond the fact that I am using a VPN. But which VPN to use? And should I go for a commercial service or roll my own? Bear in mind that not all VPNs are created equal, nor are they all necessarily really private or secure. The “P” in VPN refers to the ability to interconnect two separate (probably RFC 1918) private networks across a public untrusted network. It does not actually imply anything about the end user’s privacy. And depending upon the provider chosen and the protocols used, end user privacy may be largely illusory. In the worst case scenario, depending upon the jurisdiction in which you live and your personal threat model, a badly chosen VPN provider may actually reduce privacy by drawing attention to the fact that you value that privacy. (As an aside, using Tor can also have much the same effect. Indeed, there is plenty of anecdotal evidence to suggest that Tor usage lights you up like a christmas tree in the eyes of the main GPAs.)

Back in 2015, a team of researchers from the Sapienza University of Rome and Queen Mary University of London published a paper (PDF) entitled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”. That paper described the researcher’s findings from a survey of 14 of the better known commercial VPN providers. The teams chose the providers in much the same way you or I might do so – they searched on-line for “best VPN” or “anonymous VPN” and chose the providers which came highest or most frequently in the search results. The paper is worth reading. It describes how a poor choice of provider could lead to significant traffic leakage, typically through IPV6 or DNS. The table below is taken from their paper.

The paper describes some countermeasures which may mitigate some of the problems. In my case I disable IPV6 at the router and apply firewall rules at both the desktop and VPS end of the tunnel to deny IPV6. My local DNS resolver files point to the OpenVPN endpoint (where I run a DNS resolver stub) for resolution and both that server and my local DNS resolvers (dnsmasq) point only to opennic DNS servers. It may help.

There are reports that usage of commercial VPN providers has gone up since the passage of the IP act. Many commercial VPN providers will be using the passage of the act as a potential booster for their services. And there are plenty of VPN providers about – just do what the Sapienza and Queen Mary researchers did and search for “VPN Provider” or “VPN services” to get lots of different lists, or take a look at lists provided by such sites as PrivacyTools or BestVPN. One useful point about the better commercial providers is that they usually have substantial infrastructure in place offering VPN exit points in various geographic locations. This can be particularly useful if you want to appear to be based in a particular country. Our own dear old BBC for example will block access to some services if you are not UK based (or if you are UK based and try to access services designed for overseas users). This can be problematic for UK citizens travelling overseas who wish to view UK services. A VPN with a UK exit gets around that problem. VPN users can also use local exits when they wish to access similarly (stupidly) protected services in foreign locales (the idiots in the media companies who are insistent on DRM in all its manifest forms are becoming more than just tiresome).

Some of the commercial services look better than others to me, but they all have one simple flaw as far as I am concerned. I don’t control the service. And no matter what the provider may say about “complete anonymity” (difficult if you want to pay by credit card) or “no logs”, the reality is that either there will be logs or the provider may be forced to divulge information by law. And don’t forget the problem of traffic leakage through IPV6 or DNS noted above. One further problem for me in using a commercial VPN provider rather than my own endpoint(s) is that I cannot then predict my apparent source IP address. This matters to me because my firewall rules limit ssh access to my various servers by source IP address. If I don’t know the IP address I am going to pop out on, then I’m going to have to relax that rule. I choose not to. I have simply amended my iptables rules to permit access from all my VPN endpoints.

The goldenfrog site has an interesting take on VPN anonymity. (Note that Goldenfrog market their own VPN service called “VyprVPN” so they are not entirely disinterested observers, but the post is still worth reading nevertheless). If you are simply concerned with protecting your privacy whilst browsing the net, and you are not concerned about anonymity then there may be a case for you to consider using a commercial provider – just don’t pick a UK company because they will be subject to lawful intercept requests under the IP act. Personally I’d shy away from US based companies too, (a view that is shared by PrivacyTools.io so it’s not just me). I would also only pick a provider which supports OpenVPN (or possibly SoftEther) in preference to less secure protocols such as PPTP, or L2TP. (For a comparison of the options, see this BestVPN blog post.

If you wish to use a commercial VPN provider, then I would strongly recommend that you pay for it – and check the contractual arrangements carefully to ensure that they match your requirements. I suggest this for the same reasons I recommend that you pay for an email service. You get a contract. In my view, using a free VPN service might be worse than using no VPN. Think carefully about the business model for free provision of services on the ‘net. Google is a good example of the sort of free service provider which I find problematic. Using a commercial, paid for, VPN service has the distinct advantage that the provider has a vested interest in keeping his clients’ details, and activity, private. After all, his business depends upon that. Trust is fragile and easily lost. If your business is predicated on trustworthiness then I would argue that you will (or should) work hard to maintain that trust. PrivacyTools has a good set of recommendations for VPN providers.

But what if, like me, you are still unsure about using a commercial VPN? Should you use your own setup (as I do)? Here are some things to think about.

Using a commercial VPN

 

For Against Probably easier than setting up OpenVPN on a self-managed VPS for most people. The service provider will usually offer configuration files aimed at all the most popular operating systems. In many cases you will get a “point and click” application interface which will allow you to select the country you wish to pop out in. “Easier” does not mean “safer”. For example, the VPN provider may provide multiple users with the same private key wrapped up in its configuration files. Or the provider may not actually use OpenVPN. The provider may not offer support for YOUR chosen OS, or YOUR router. Beware in particular of “binary blob” installation of VPN software or configuration files (this applies particularly to Windows users). Unless you are technically competent (which you may not be if you are relying on this sort of installation) then you have no idea what is in that binary installation. You get a contract (if you pay!) That contract may not be as strong as you might wish, or it might specifically exclude some things you might wish to see covered. Check the AUP before you select your provider. You get what you pay for. Management and maintenance of the service (e.g. software patching) is handled by the provider. You rely on the provider to maintain a secure, up to date, fully patched service. Again, you get what you pay for. The provider (should) take your security and privacy seriously. Their business depends on it. The provider may hold logs, or be forced to log activity if local LE require that. They may also make simple mistakes which leak evidence of your activity (is their DNS secure?)

The VPN service is a large, attractive, juicy target for hostile activity by organised crime and/or Global Passive Adversaries such as GCHQ and NSA. Consider your threat model and act accordingly.

Your network activity is “lost” in the noise of activity of others. But your legal and legitimate activity could provide “cover” for criminal activity of others. If this results in LEA seizure (or otherwise surveillance) of the VPN endpoint then your activity is swept up in the investigation. Are you prepared for the possible consequences of that? You should get “unlimited” bandwidth (if you pay for it). But you may have to trade that off for reduced access speed, particularly if you are in contention for network usage with a large number of other users You (may) be able to set up the account completely anonymously using bitcoin. Using a VPN provider cannot guarantee you are anonymous. All it can do is enhance your privacy. Do not rely on a VPN to hide illegal activity. (And don’t rely on Tor for that either!) You may be able to select from a wide range of exit locations depending upon need. “Most VPN providers are terrible

 

Using your own VPN

 

For Against You get full control over the protocol you use, the DNS servers you use, the ciphers you choose and the location(s) you pop up in. You have to know what you are doing and you have to be comfortable in configuring the VPN software. Moreover, you need to be sure that you can actually secure the server on which you install the VPN server software as well as the client end. There is no point in having a “secure” tunnel if the end server leaks like a sieve or is subject to surveillance by the server provider – you have just shifted surveillance from the UK ISP to someone else. It can be cheaper than using a commercial service. It may not be. If you want to be able to pop out in different countries you will have to pay for multiple VPSs in multiple datacentres. You will also be responsible for maintaining those servers. You can be confident that your network activity is actually private because you can enforce your own no logging policy. No you can’t be sure. The VPS provider may log all activity. Check the privacy policy carefully. And be aware that the provider of a 3 euro a month VPS is very likely to dump you in the lap of any LEA who comes knocking on the door should you be stupid enough to use the VPN for illegal activity (or even any activity which breaches their AUP).

Also bear in mind the fact that you have no plausible deniability through hiding in a lot of other’s traffic if you are the only user of the VPN – which you paid for with your credit card.

 

I’ve used OpenVPN quite a lot in the past. I like it, it has a good record for privacy and security, it is relatively easy to set up, and it is well supported on a range of different devices. I have an OpenVPN endpoint on a server on the outer screened subnet which forms part of my home network so that I can connect privately to systems when I am out and about and wish my source IP to appear to be that at my home address. This can be useful when I am stuck in such places as airport lounges, internet cafes, foreign (or even domestic) hotels etc. So when the IP Act was still but a gleam in the eyes of some of our more manic lords and masters, I set up one or two more OpenVPN servers on various VPSs I have dotted about the world. In testing, I’ve found that using a standard OpenVPN setup (using UDP as the transport) has only a negligible impact on my network usage – certainly much less than using Tor.

Apart from the privacy offered by OpenVPN, particularly when properly configured to use forward secrecy as provided by TLS (see gr3t for some tips on improving security in your configuration), we can also make the tunnel difficult to block. We don’t (yet) see many blanket attempts to block VPN usage in the UK, but in some other parts of the world, notably China or reportedly the UAE for example, such activity can be common. By default OpenVPN uses UDP as the transport protocol and the server listens on port 1194. This well known port and/or protocol combination could easily be blocked at the network level. Indeed, some hotels, internet cafes and airport lounges routinely (and annoyingly) block all traffic to ports other than 80 and 443. If, however, we reconfigure OpenVPN to use TCP as the transport and listen on port 443, then its traffic becomes indistinguishable from HTTPS which makes blocking it much more difficult. There is a downside to this though. The overhead of running TCP over TCP can degrade your network experience. That said however, in my view a slightly slower connection is infinitely preferable to no connection or an unprotected connection.

In my testing, even using Tor over the OpenVPN tunnel (so that my Tor entry point appears to the Tor network to be the OpenVPN endpoint) didn’t degrade my network usage too much. This sort of Tor usage is made easier by the fact that I run my Tor client (either Tails, or Whonix) from within a virtual server instance running on one of my desktops. Thus if the desktop is connected to an OpenVPN tunnel then the Tor client is forced to use that tunnel to connect to Tor and thence the outside world.

However, this set up has a few disadvantages, not least the fact that I might forget to fire up the OpenVPN tunnel on my desktop before starting to use Tor. But the biggest problem I face in running a tunnel from my desktop is that it only protects activity /from/ that desktop. Any network connections from any of my mobile devices, my laptops, my various servers, or other network connected devices (as I said, I have lost count) or most importantly, my family’s devices, are perforce unprotected unless I can set up OpenVPN clients on them. In some cases this may be possible (my wife’s laptop for example) but it certainly isn’t ideal and in many cases (think my kid’s ‘phones for example) it is going to be completely impractical. So the obvious solution is to move the VPN tunnel entry point to my domestic router. That way, /all/ traffic to the net will be forced over the tunnel.

When thinking about this, Initially I considered using a raspberry pi as the router but my own experience of the pi’s networking capability left me wondering whether it would cope with my intended use case. The problem with the pi is that it only has one ethernet port and its broadcom chip only supports USB 2.0 connection. Internally the pi converts ethernet to USB. Since the chip is connected to four USB external ports and I would need to add a USB to ethernet conversion externally as well as USB wifi dongle in order to get the kind of connectivity I want (which includes streaming video) I fear that I might overwhelm the pi – certainly I’m pretty sure the device might become a bottleneck. However, I have /not/ tested this (yet) so I have no empirical evidence either way.

My network is already segmented in that I have a domestic ADSL router connected to my ISP and a separate, internal ethernet/WiFi only router connecting to that external router. It looks (something) like this:

 

 

Since all the devices I care most about are inbound of the internal router (and wired rather than wifi where I really care) I can treat the network between the two devices as a sacrificial screened subnet. I consider that subnet to be almost as hostile as the outside world. I could therefore add the pi to the external screened net and thus create another separate internal network which is wifi only. That wouldn’t help with my wired devices (which tend to be the ones I really worry about) but it would give me a good test network which I could use as “guest only” access to the outside world. I have commented in the past about the etiquette of allowing guests access to my network. I currently force such access over my external router so that the guests don’t get to see my internal systems. However, that means that in future they won’t get the protection offered by my VPN. That doesn’t strike me as fair so I might yet set up a pi as described (or in fact add another router, they are cheap enough).

Having discounted the pi as a possibility, then another obvious solution would be re-purpose an old linux box (I have plenty) but that would consume way more power than I need to waste and looks to be overkill so the obvious solution is to stick with the purpose built router option. Now both OpenWrt or its fork LEDE and the more controversial DD-WRT offer the possibility of custom built routers with OpenVPN client capability built in. The OpenWrt wiki has a good description of how to set up OpenVPN. The DD-WRT wiki entry somewhat is less good, but then OpenWrt/LEDE would probably be a better choice in my view anyway. I’ve used OpenWrt in the past (on an Asus WL-500g) but found it a bit flaky. Possibly that is a reflection of the router I used (fairly old, bought cheap off ebay) and I should probably try again with a more modern device. But right now it is possible to buy new, capable SOHO routers with OpenVPN capability off the shelf. A quick search for “openvpn routers” will give you devices by Asus, Linksys, Netgear, Cisco or some really interesting little devices by GL Innovations. The Gli devices actually come with OpenWRT baked in and both the GL-MT300N and the slightly better specced GL-AR300M look to be particularly useful. I leave the choice of router to you, but you should be aware that many SOHO routers have lamentably poor security out of the box and even worse security update histories. You also need to bear in mind that VPN capability is resource intensive so you should choose the device with the fastest CPU and most RAM you can afford. I personally chose an Asus device as my VPN router (and yes, it is patched to the latest level….) simply because they are being actively audited at the moment and seem to be taking security a little more seriously than some of their competitors. I may yet experiment with one of the GL devices though.

Note here that I do /not/ use the OpenVPN router as the external router connected directly to my ISP, my new router replaced my old “inside net” router. This means that whilst all the connections I really care about are tunnelled over the OpenVPN route to my endpoint (which may be in one of several European datacentres depending upon how I feel) I can still retain a connection to the outside world which is /not/ tunnelled. There are a couple of reasons for this. Firstly some devices I use actually sometimes need a UK IP presence (think streaming video from catch-up TV or BBC news for example). Secondly, I also wish to retain a separate screened sub-net to house my internal OpenVPN server (to allow me to appear to be using my home network should I so choose when I’m out and about). And of course I may occasionally just like to use an unprotected connection simply to give my ISP some “noise” for his logs….

So, having chosen the router, we now need to configure it to use OpenVPN in client mode. My router can also be configured as a server, so that it would allow incoming tunnelled connections from the outside to my network, but I don’t want that, and nor probably do you. In my case such inbound connections would in any event fail because my external router is so configured as to only allow inbound connections to a webserver and my (separate) OpenVPN server on the screened subnet. It does not permit any other inbound connections, nor does my internal router accept connections from either the outside world or the screened subnet. My internal screened OpenVPN server is configured to route traffic back out to the outside world because it is intended only for such usage.

My new internal router expects its OpenVPN configuration file to follow a specific format. I found this to be poorly documented (but that is not unusual). Here’s how mine looks (well, not exactly for obvious reasons, in particular the (empty) keys are not real, but the format is correct).

 

# config file for router to VPN endpoint 1

# MBM 09/12/16

client
dev tun
proto udp
remote 12.34.56.78 1194
resolv-retry infinite
nobind
user nobody

# Asus router can’t cope with group change so:
# group nogroup

persist-key
persist-tun
mute-replay-warnings

<ca>

—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–

</ca>

<cert>

—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–

</cert>

<key>

—–BEGIN PRIVATE KEY—–

—–END PRIVATE KEY—–

</key>

<tls-auth>

—–BEGIN OpenVPN Static key V1—–

—–END OpenVPN Static key V1—–

</tls-auth>

key-direction 1
auth SHA512
remote-cert-tls server
cipher AES-256-CBC
comp-lzo

# end configuration

If you are using a commercial VPN service rather than your own OpenVPN endpoint, then your provider should give you configuration files much like those above. As I mentioned earlier, beware of “binary blob” non-text configurations.

If your router is anything like mine, you will need to upload the configuration file using the administrative web interface and then activate it. My router allows several different configurations to be stored so that I can vary my VPN endpoints depending on where I wish to pop up on the net. Of course this means that I have to pay for several different VPSs to run OpenVPN on, but at about 3 euros a month for a suitable server, that is not a problem. I choose providers who:

  • are not UK based or owned;
  • have AUPs which allow VPN usage (it helps if they are also Tor friendly);
  • have datacentre presences in more than one location (say Germany, as well as the Ukraine);
  • allow installation of my choice of OS;
  • have decent reputations for connectivity and uptime; and
  • are cheap.

Whilst this may appear at first sight to be problematic, there are in fact a large number of such providers dotted around Europe. Be aware, however, that many small providers are simply resellers of services provided by other, larger, companies. This can mean that whilst you appear to be using ISP “X” in, say, Bulgaria, you are actually using servers owned and managed by a major German company or at least are on networks so owned. Be careful and do your homework before signing up to a service. I have found the lowendtalk site very useful for getting leads and for researching providers. The lowendbox website is also a good starting point for finding cheap deals when you want to test your setup.

Now go take back your privacy.

Notes

Some of the sites I found useful when considering my options are listed below.

Check your IP address and the DNS servers you are using at check2ip.com

Also check whether you are leaking DNS requests outside the tunnel at ipleak.net.

You can also check for DNS leakage at dnsleaktest.

PrivacyTools.io is a very useful resource – and not just for VPN comparisons

cryptostorm.is/ and Mullvad.net look to be two of the better paid for commercial services.

TheBestVPN site offers a VPN Comparison and some reviews of 20 providers.

A very thorough comparison of 180 different commercial VPN providers is given by “that one privacy guy“. The rest of his (or her) site is also well worth exploring.

Brian Krebs discusses VPN options.

Categories: LUG Community Blogs

Daniel Silverstone (Kinnison): Yarn architecture discussion

Fri, 05/05/2017 - 16:45

Recently Rob and I visited Soile and Lars. We had a lovely time wandering around Helsinki with them, and I also spent a good chunk of time with Lars working on some design and planning for the Yarn test specification and tooling. You see, I wrote a Rust implementation of Yarn called rsyarn "for fun" and in doing so I noted a bunch of missing bits in the understanding Lars and I shared about how Yarn should work. Lars and I filled, and re-filled, a whiteboard with discussion about what the 'Yarn specification' should be, about various language extensions and changes, and also about what functionality a normative implementation of Yarn should have.

This article is meant to be a write-up of all of that discussion, but before I start on that, I should probably summarise what Yarn is.

Yarn is a mechanism for specifying tests in a form which is more like documentation than code. Yarn follows the concept of BDD story based design/testing and has a very Cucumberish scenario language in which to write tests. Yarn takes, as input, Markdown documents which contain code blocks with Yarn tests in them; and it then runs those tests and reports on the scenario failures/successes.

As an example of a poorly written but still fairly effective Yarn suite, you could look at Gitano's tests or perhaps at Obnam's tests (rendered as HTML). Yarn is not trying to replace unit testing, nor other forms of testing, but rather seeks to be one of a suite of test tools used to help validate software and to verify integrations. Lars writes Yarns which test his server setups for example.

As an example, lets look at what a simple test might be for the behaviour of the /bin/true tool:

SCENARIO true should exit with code zero WHEN /bin/true is run with no arguments THEN the exit code is 0 AND stdout is empty AND stderr is empty

Anyone ought to be able to understand exactly what that test is doing, even though there's no obvious code to run. Yarn statements are meant to be easily grokked by both developers and managers. This should be so that managers can understand the tests which verify that requirements are being met, without needing to grok python, shell, C, or whatever else is needed to implement the test where the Yarns meet the metal.

Obviously, there needs to be a way to join the dots, and Yarn calls those things IMPLEMENTS, for example:

IMPLEMENTS WHEN (\S+) is run with no arguments set +e "${MATCH_1}" > "${DATADIR}/stdout" 2> "${DATADIR}/stderr" echo $? > "${DATADIR}/exitcode"

As you can see from the example, Yarn IMPLEMENTS can use regular expressions to capture parts of their invocation, allowing the test implementer to handle many different scenario statements with one implementation block. For the rest of the implementation, whatever you assume about things will probably be okay for now.

Given all of the above, we (Lars and I) decided that it would make a lot of sense if there was a set of Yarn scenarios which could validate a Yarn implementation. Such a document could also form the basis of a Yarn specification and also a manual for writing reasonable Yarn scenarios. As such, we wrote up a three-column approach to what we'd need in that test suite.

Firstly we considered what the core features of the Yarn language are:

  • Scenario statements themselves (SCENARIO, GIVEN, WHEN, THEN, ASSUMING, FINALLY, AND, IMPLEMENTS, EXAMPLE, ...)
  • Whitespace normalisation of statements
  • Regexp language and behaviour
  • IMPLEMENTS current directory, data directory, home directory, and also environment.
  • Error handling for the statements, or for missing IMPLEMENTS
  • File (and filename) encoding
  • Labelled code blocks (since commonmark includes the backtick code block kind)
  • Exactly one IMPLEMENTS per statement

We considered unusual (or corner) cases and which of them needed defining in the short to medium term:

  • Statements before any SCENARIO or IMPLEMENTS
  • Meaning of split code blocks (concatenation?)
  • Meaning of code blocks not at the top level of a file (ignore?)
  • Meaning of HTML style comments in markdown files
  • Odd scenario ordering (e.g. ASSUMING at the end, or FINALLY at the start)
  • Meaning of empty lines in code blocks or between them.

All of this comes down to how to interpret input to a Yarn implementation. In addition there were a number of things we felt any "normative" Yarn implementation would have to handle or provide in order to be considered useful. It's worth noting that we don't specify anything about an implementation being a command line tool though...

  • Interpreter for IMPLEMENTS (and arguments for them)
  • "Library" for those implementations
  • Ability to require that failed ASSUMING statements lead to an error
  • A way to 'stop on first failure'
  • A way to select a specific scenario to run, from a large suite.
  • Generation of timing reports (per scenario and also per statement)
  • A way to 'skip' missing IMPLEMENTS
  • A clear way to identify the failing step in a scenario.
  • Able to treat multiple input files as a single suite.

There's bound to be more, but right now with the above, we believe we have two roughly conformant Yarn implementations. Lars' Python based implementation which lives in cmdtest (and which I shall refer to as pyyarn for now) and my Rust based one (rsyarn).

One thing which rsyarn supports, but pyyarn does not, is running multiple scenarios in parallel. However when I wrote that support into rsyarn I noticed that there were plenty of issues with running stuff in parallel. (A problem I'm sure any of you who know about threads will appreciate).

One particular issue was that scenarios often need to share resources which are not easily sandboxed into the ${DATADIR} provided by Yarn. For example databases or access to limited online services. Lars and I had a good chat about that, and decided that a reasonable language extension could be:

USING database foo

with its counterpart

RESOURCE database (\S+) LABEL database-$1 GIVEN a database called $1 FINALLY database $1 is torn down

The USING statement should be reasonably clear in its pairing to a RESOURCE statement. The LABEL statement I'll get to in a moment (though it's only relevant in a RESOURCE block, and the rest of the statements are essentially substituted into the calling scenario at the point of the USING.

This is nowhere near ready to consider adding to the specification though. Both Lars and I are uncomfortable with the $1 syntax though we can't think of anything nicer right now; and the USING/RESOURCE/LABEL vocabulary isn't set in stone either.

The idea of the LABEL is that we'd also require that a normative Yarn implementation be capable of specifying resource limits by name. E.g. if a RESOURCE used a LABEL foo then the caller of a Yarn scenario suite could specify that there were 5 foos available. The Yarn implementation would then schedule a maximum of 5 scenarios which are using that label to happen simultaneously. At bare minimum it'd gate new users, but at best it would intelligently schedule them.

In addition, since this introduces the concept of parallelism into Yarn proper, we also wanted to add a maximum parallelism setting to the Yarn implementation requirements; and to specify that any resource label which was not explicitly set had a usage limit of 1.

Once we'd discussed the parallelism, we decided that once we had a nice syntax for expanding these sets of statements anyway, we may as well have a syntax for specifying scenario language expansions which could be used to provide something akin to macros for Yarn scenarios. What we came up with as a starter-for-ten was:

CALLING write foo

paired with

EXPANDING write (\S+) GIVEN bar WHEN $1 is written to THEN success was had by all

Again, the CALLING/EXPANDING keywords are not fixed yet, nor is the $1 type syntax, though whatever is used here should match the other places where we might want it.

Finally we discussed multi-line inputs in Yarn. We currently have a syntax akin to:

GIVEN foo ... bar ... baz

which is directly equivalent to:

GIVEN foo bar baz

and this is achieved by collapsing the multiple lines and using the whitespace normalisation functionality of Yarn to replace all whitespace sequences with single space characters. However this means that, for example, injecting chunks of YAML into a Yarn scenario is a pain, as would be including any amount of another whitespace-sensitive input language.

After a lot of to-ing and fro-ing, we decided that the right thing to do would be to redefine the ... Yarn statement to be whitespace preserving and to then pass that whitespace through to be matched by the IMPLEMENTS or whatever. In order for that to work, the regexp matching would have to be defined to treat the input as a single line, allowing . to match \n etc.

Of course, this would mean that the old functionality wouldn't be possible, so we considered allowing a \ at the end of a line to provide the current kind of behaviour, rewriting the above example as:

GIVEN foo \ bar \ baz

It's not as nice, but since we couldn't find any real uses of ... in any of our Yarn suites where having the whitespace preserved would be an issue, we decided it was worth the pain.

None of the above is, as of yet, set in stone. This blog posting is about me recording the information so that it can be referred to; and also to hopefully spark a little bit of discussion about Yarn. We'd welcome emails to our usual addresses, being poked on Twitter, or on IRC in the common spots we can be found. If you're honestly unsure of how to get hold of us, just comment on this blog post and I'll find your message eventually.

Hopefully soon we can start writing that Yarn suite which can be used to validate the behaviour of pyyarn and rsyarn and from there we can implement our new proposals for extending Yarn to be even more useful.

Categories: LUG Community Blogs

Chris Lamb: Free software activities in April 2017

Sun, 30/04/2017 - 17:35

Here is my monthly update covering what I have been doing in the free software world (previous month):

  • I was elected Debian Project Leader for 2017. I'd like to sincerely thank everyone who voted for me as well as everyone who took part in the election in general especially Mehdi Dogguy for being a worthy opponent. The result was covered on LWN, Phoronix, DistroWatch, iTWire, etc.
  • Added support for the Monzo banking API in social-core, a Python library to allow web applications to authenticate using third-parties. (#68)
  • Fixed a HTML injection attack in a demo of Russell Keith-Magee's BeeWare presentation library. (#3)
  • Updated systemd's documentation to explain why we suggest explicitly calling make all despite the Makefile's "check" target calling it. (#5830)
  • Updated the documentation of a breadth-first version of find(1) called bfs to refer to the newly-uploaded Debian package. (#23)
  • Updated the configuration for the ticketbot IRC bot (zwiebelbot on OFTC) to identify #reproducible-builds as a Debian-related channel. This is so that bug Debian bug numbers are automatically expanded by the bot. (#7)
Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:

I also made the following changes to diffoscope, our recursive and content-aware diff utility used to locate and diagnose reproducibility issues:

  • New features:
    • Add support for comparing Ogg Vorbis files. (0436f9b)
  • Bug fixes:
    • Prevent a traceback when using --new-file with containers. (#861286)
    • Don't crash on invalid archives; print a useful error instead. (#833697).
    • Don't print error output from bzip2 call. (21180c4)
  • Cleanups:
    • Prevent abstraction-level violations by defining visual diff support on Presenter classes. (7b68309)
    • Show Debian packages installed in test output. (c86a9e1)


Debian Patches contributed Debian LTS

This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, etc.
  • Issued DLA 882-1 for the tryton-server general application platform to fix a path suffix injection attack.
  • Issued DLA 883-1 for curl preventing a buffer read overrun vulnerability.
  • Issued DLA 884-1 for collectd (a statistics collection daemon) to close a potential infinite loop vulnerability.
  • Issued DLA 885-1 for the python-django web development framework patching two open redirect & XSS attack issues.
  • Issued DLA 890-1 for ming, a library to create Flash files, closing multiple heap-based buffer overflows.
  • Issued DLA 892-1 and DLA 891-1 for the libnl3/libnl Netlink protocol libraries, fixing integer overflow issues which could have allowed arbitrary code execution.
Uploads
  • redis (4:4.0-rc3-1) — New upstream RC release.
  • adminer:
    • 4.3.0-2 — Fix debian/watch file.
    • 4.3.1-1 — New upstream release.
  • bfs:
    • 1.0-1 — Initial release.
    • 1.0-2 — Drop fstype tests as they rely on /etc/mtab being available. (#861471)
  • python-django:
    • 1:1.10.7-1 — New upstream security release.
    • 1:1.11-1 — New upstream stable release to experimental.

I sponsored the following uploads:

I also performed the following QA uploads:

  • gtkglext (1.2.0-7) — Correct installation location of gdkglext-config.h after "Multi-Archification" in 1.2.0-5. (#860007)

Finally, I made the following non-maintainer uploads (NMUs):

  • python-formencode (1.3.0-2) — Don't ship files in /usr/lib/python{2.7,3}/dist-packages/docs. (#860146)
  • django-assets (0.12-2) — Patch pytest plugin to check whether we are running in a Django context, otherwise we can break unrelated testsuites. (#859916)
RC bugs filed

I also filed 2 bugs for packages that access the internet during build (against fail2ban & ruby-rack-proxy). I also filed 11 FTBFS bugs against bup, golang-github-lunny-nodb, hunspell-dict-ko, icinga-web, nanoc, oggvideotools, polygen, python-dogpile.cache, reapr, tendermint-go-merkle & z88.

FTP Team

As a Debian FTP assistant I ACCEPTed 155 packages: aiohttp-cors, bear, colorize, erlang-p1-xmpp, fenrir, firejail, fizmo-console, flask-ldapconn, flask-socketio, fontmanager.app, fonts-blankenburg, fortune-zh, fw4spl, fzy, gajim-antispam, gdal, getdns, gfal2, gmime, golang-github-go-macaron-captcha, golang-github-go-macaron-i18n, golang-github-gogits-chardet, golang-github-gopherjs-gopherjs, golang-github-jroimartin-gocui, golang-github-lunny-nodb, golang-github-markbates-goth, golang-github-neowaylabs-wabbit, golang-github-pkg-xattr, golang-github-siddontang-goredis, golang-github-unknwon-cae, golang-github-unknwon-i18n, golang-github-unknwon-paginater, grpc, grr-client-templates, gst-omx, hddemux, highwayhash, icedove, indexed-gzip, jawn, khal, kytos-utils, libbloom, libdrilbo, libhtml-gumbo-perl, libmonospaceif, libpsortb, libundead, llvm-toolchain-4.0, minetest-mod-homedecor, mini-buildd, mrboom, mumps, nnn, node-anymatch, node-asn1.js, node-assert-plus, node-binary-extensions, node-bn.js, node-boom, node-brfs, node-browser-resolve, node-browserify-des, node-browserify-zlib, node-cipher-base, node-console-browserify, node-constants-browserify, node-delegates, node-diffie-hellman, node-errno, node-falafel, node-hash-base, node-hash-test-vectors, node-hash.js, node-hmac-drbg, node-https-browserify, node-jsbn, node-json-loader, node-json-schema, node-loader-runner, node-miller-rabin, node-minimalistic-crypto-utils, node-p-limit, node-prr, node-sha.js, node-sntp, node-static-module, node-tapable, node-tough-cookie, node-tunein, node-umd, open-infrastructure-storage-tools, opensvc, openvas, pgaudit, php-cassandra, protracker, pygame, pypng, python-ase, python-bip32utils, python-ltfatpy, python-pyqrcode, python-rpaths, python-statistics, python-xarray, qtcharts-opensource-src, r-cran-cellranger, r-cran-lexrankr, r-cran-pwt9, r-cran-rematch, r-cran-shinyjs, r-cran-snowballc, ruby-ddplugin, ruby-google-protobuf, ruby-rack-proxy, ruby-rails-assets-underscore, rustc, sbt, sbt-launcher-interface, sbt-serialization, sbt-template-resolver, scopt, seqsero, shim-signed, sniproxy, sortedcollections, starjava-array, starjava-connect, starjava-datanode, starjava-fits, starjava-registry, starjava-table, starjava-task, starjava-topcat, starjava-ttools, starjava-util, starjava-vo, starjava-votable, switcheroo-control, systemd, tilix, tslib, tt-rss-notifier-chrome, u-boot, unittest++, vc, vim-ledger, vis, wesnoth-1.13, wolfssl, wuzz, xandikos, xtensor-python & xwallpaper.

I additionally filed 14 RC bugs against packages that had incomplete debian/copyright files against getdns, gfal2, grpc, mrboom, mumps, opensvc, python-ase, sniproxy, starjava-topcat, starjava-ttools, unittest++, wolfssl, xandikos & xtensor-python.

Categories: LUG Community Blogs

Mick Morgan: free Dmitry Bogatov

Thu, 27/04/2017 - 16:11

Dmitry Bogatov, aka KAction, is a Russian free software activist and mathematics teacher at Moscow’s Finance and Law University. He was arrested in Russia on 6 April of this year and charged with extremism. He is currently held in a pre-trial detention centre, and is apparently likely to remain there until early June at least, while investigations continue. The Russian authorities claim that Bogatov published messages on a Russian website, “sysadmin.ru”, inciting violent action at the opposition protest demonstration held in Moscow on 2 April.

Bogatov is well known in the free software community as a contributor to debian. As a privacy activist he runs a Tor exit node in Russia and it is this latter point which would appear to have caused his difficulty. Apparently, Bogatov’s Tor exit node was logged as the source address for the inflammatory posts in question. The debian project have taken the precaution of revoking Bogatov’s keys which allow him to post material to the project. They see those keys as compromised following his arrest and the seizure of his computing equipment.

Bogatov claims (with some justification it would appear) that he had nothing to do with the posts of which he is accused. Indeed, at the time of the post from his Tor node he claims that he was at a gym with his wife and visited a supermarket immediately afterwards. CCTV footage from the store supports this claim.

Operating a Tor node is not illegal in Russia, nor is it illegal in many other jurisdictions around the world. However, the act of doing so can draw attention to yourself as a possible “dissident” wherever you may live.

I am a passionate fan of free software, I use debian (and its derivatives) as my preferred operating system. I am an advocate of privacy enhancing tools such as GPG, Tor and OpenVPN, and I run a Tor node.

I hope that Dmitry Bogatov is treated fairly and in due course is proved innocent of the charges he faces. I post this message in support.

Categories: LUG Community Blogs

Chris Lamb: Elected Debian Project Leader

Sun, 16/04/2017 - 13:52

I'd like to thank the entire Debian community for choosing me to represent them as the next Debian Project Leader.

I would also like to thank Mehdi for his tireless service and wish him all the best for the future. It is an honour to be elected as the DPL and I am humbled that you would place your faith and trust in me.

You can read my platform here.


Categories: LUG Community Blogs

Steve Engledow (stilvoid): Eulogy

Thu, 13/04/2017 - 22:09

A few years ago, I distinctly remember a time I went to visit Dad in hospital. We were chatting, as always, about what I had been up to. I think it must have been a Sunday as we were talking about my regular game of squash. He told me, "keep that up, don't end up like me". Which made me realise that all those years of childhood he really had meant it every time he said "Do as I say, not as I do".

He had lots of other useful advice on family life for me once Dylan was born Which he was expert at summing up into little phrases:

"If you can't blame your kids, who can you blame?" "I never had grey hair before I had you and Alan" and my favourite "Bribery and corruption are the corner stone of family life".

Thinking back, there are three really important things that I got from my Dad:

The first is my sense of humour for which I apologise to everyone.

The second is learning to experiment in the kitchen for which I apologise to my family.

The third, and most important in my life, has been a love of music.

I was brought up on a diet of David Bowie, Meatloaf, and Elton John's Goodbye Yellow Brick road (which mum and dad had on vinyl and I still can't believe they gave it away!)

Dad always encouraged me to play music and always seemed to enjoy listening to the exploits of my various bands over the years

I remember dad promising to buy me an electric guitar if I passed my GSCEs. A decision I'm sure he regretted almost immediately afterwards but he never said so and endured my terrible guitar playing for years to come

I know that while he was unwell, the thing Dad hated the most was feeling he was a burden and that he always wanted the best for mum and I think the best thing we can do to remember him is to look after eachother and make the most of life. Which is exactly the sort of thing Dad would be unable to resist following with a joke.

Categories: LUG Community Blogs

Chris Lamb: Free software activities in March 2017

Fri, 31/03/2017 - 23:01

Here is my monthly update covering what I have been doing in the free software world (previous month):

  • Fixed two issues in try.diffoscope.org, a web-based version of the diffoscope in-depth and content-aware diff utility:
    • Fix command-line API breakage. (commit)
    • Use deb.debian.org over httpredir.debian.org. (commit)
  • Made a number of improvements to travis.debian.net, my hosted service for projects that host their Debian packaging on GitHub to use the Travis CI continuous integration platform to test builds on every code change) travis.debian.net, including:
    • Correctly detecting the distribution to build with for some tags. (commit)
    • Use Lintian from the backports repository where appropriate. (#44)
    • Don't build upstream/ branches even if they contain .travis.yml files. (commit)
  • Fixed an issue in django-staticfiles-dotd, my Django staticfiles adaptor to concatentate .d-style directories, where some .d directories were being skipped. This was caused by modifying the contents of a Python list during iteration. (#3)
  • Performed some miscelleanous cleanups in django12factor, a Django utility to make projects adhere better to the 12-factor web-application philosophy. (#58)
  • Submitted a pull request for Doomsday-Engine, a portable, enhanced source port of Doom, Heretic and Hexen, to make the build reproducible (#16)
  • Created a pull request for gdata-python-client (a Python client library for Google APIs) to make the build reproducible. (#56)
  • Authored a pull request for the MochaJS JavaScript test framework to make the build reproducible. (#2727)
  • Filed a pull request against vine, a Python promises library, to avoid non-determinstic default keyword argument appearing in the documentation. (#12)
  • Filed an issue for the Redis key-value database addressing build failures on the MIPS architecture. (#3874)
  • Submitted a bug report against xdotool — a tool to automate window and keyboard interactions — reporting a crash when searching after binding an action with behave. (#169)
  • Reviewed a pull request from Dan Palmer for django-email-from-template, a library to send emails in Django generated entirely from the templating system, which intends to add an option to send mails upon transaction commit.
Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to permit verification that no flaws have been introduced — either maliciously or accidentally — during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area.

This month I:

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • New features/optimisations:
    • Extract squashfs archive in one go rather than per-file, speeding up ISO comparison by ~10x.
    • Add support for .docx and .odt files via docx2txt & odt2txt. (#859056).
    • Add support for PGP files via pgpdump. (#859034).
    • Add support for comparing Pcap files. (#858867).
    • Compare GIF images using gifbuild. (#857610).
  • Bug fixes:
    • Ensure that we really are using ImageMagick and not the GraphicsMagick compatibility layer. (#857940).
    • Fix and add test for meaningless 1234-content metadata when introspecting archives. (#858223).
    • Fix detection of ISO9660 images processed with isohybrid.
    • Skip icc tests if the Debian-specific patch is not present. (#856447).
    • Support newer versions of cbfstool to avoid test failures. (#856446).
    • Update the progress bar prior to working to ensure filename is in sync.
  • Cleanups:
    • Use /usr/share/dpkg/pkg-info.mk over manual calls to dpkg-parsechangelog in debian/rules.
    • Ensure tests and the runtime environment can locate binaries in /usr/sbin (eg. tcpdump).

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

  • Fix a possible endless loop while stripping .ar files due to trusting the file's own file size data. (#857975).
  • Add support for testing files we should reject and include the filename when evaluating fixtures.

buildinfo.debian.net

buildinfo.debian.net is my experiment into how to process, store and distribute .buildinfo files after the Debian archive software has processed them.

  • Add support for Format: 1.0. (#20).
  • Don't parse Format: header as the source package version. (#21).
  • Show the reproducible status of packages.


Debian

I submitted my platform for the 2017 Debian Project Leader Elections. This was subsequently covered on LWN and I have been participating in the discussions on the debian-vote mailing list since then.


Patches contributed Debian LTS

This month I have been paid to work 14.75 hours on Debian Long Term Support (LTS). In that time I did the following:

  • "Frontdesk" duties, triaging CVEs, etc.
  • Issued DLA 848-1 for the freetype font library fixing a denial of service vulnerability.
  • Issued DLA 851-1 for wget preventing a header injection attack.
  • Issued DLA 863-1 for the deluge BitTorrent client correcting a cross-site request forgery vulnerability.
  • Issued DLA 864-1 for jhead (an EXIF metadata tool) patching an arbitrary code execution vulnerability.
  • Issued DLA 865-1 for the suricata intrusion detection system, fixing an IP protocol matching error.
  • Issued DLA 871-1 for python3.2 fixing a TLS stripping vulnerability in the smptlib library.
  • Issued DLA 873-1 for apt-cacher preventing a HTTP response splitting vulnerability.
  • Issued DLA 876-1 for eject to prevent an issue regarding the checking of setuid(2) and setgid(2) return values.
Uploads
  • python-django:
    • 1:1.10.6-1 — New upstream bugfix release.
    • 1:1.11~rc1-1 — New upstream release candidate.
  • redis:
    • 3:3.2.8-2 — Avoid conflict between RuntimeDirectory and tmpfiles.d(5) both attempting to create /run/redis with differing permissions. (#856116)
    • 3:3.2.8-3 — Revert the creation of a /usr/bin/redis-check-rdb to /usr/bin/redis-server symlink to avoid a dangling symlink if only the redis-tools package is installed. (#858519)
  • gunicorn 19.7.0-1 & 19.7.1-1 — New upstream releases.
  • adminer 4.3.0-1 — New upstream release.

Finally, I also made the following non-maintainer uploads (NMUs):

Debian bugs filed

I additionally filed 5 bugs for packages that access the internet during build against golang-github-mesos-mesos-go, ipywidgets, ruby-bunny, ruby-http & sorl-thumbnail.

I also filed 13 FTBFS bugs against android-platform-frameworks-base, ariba, calendar-exchange-provider, cylc, git, golang-github-grpc-ecosystem-go-grpc-prometheus, node-dateformat, python-eventlet, python-tz, sogo-connector, spyder-memory-profiler, sushi & tendermint-go-rpc.

FTP Team

As a Debian FTP assistant I ACCEPTed 121 packages: 4pane, adql, android-platform-system-core, android-sdk-helper, braillegraph, deepnano, dh-runit, django-auth-ldap, django-dirtyfields, drf-extensions, gammaray, gcc-7, gnome-keysign, golang-code.gitea-sdk, golang-github-bluebreezecf-opentsdb-goclient, golang-github-bsm-redeo, golang-github-cupcake-rdb, golang-github-denisenkom-go-mssqldb, golang-github-exponent-io-jsonpath, golang-github-facebookgo-ensure, golang-github-facebookgo-freeport, golang-github-facebookgo-grace, golang-github-facebookgo-httpdown, golang-github-facebookgo-stack, golang-github-facebookgo-subset, golang-github-go-openapi-loads, golang-github-go-openapi-runtime, golang-github-go-openapi-strfmt, golang-github-go-openapi-validate, golang-github-golang-geo, golang-github-gorilla-pat, golang-github-gorilla-securecookie, golang-github-issue9-assert, golang-github-issue9-identicon, golang-github-jaytaylor-html2text, golang-github-joho-godotenv, golang-github-juju-errors, golang-github-kisielk-gotool, golang-github-kubernetes-gengo, golang-github-lpabon-godbc, golang-github-lunny-log, golang-github-makenowjust-heredoc, golang-github-mrjones-oauth, golang-github-nbutton23-zxcvbn-go, golang-github-neelance-sourcemap, golang-github-ngaut-deadline, golang-github-ngaut-go-zookeeper, golang-github-ngaut-log, golang-github-ngaut-pools, golang-github-ngaut-sync2, golang-github-optiopay-kafka, golang-github-quobyte-api, golang-github-renstrom-dedent, golang-github-sergi-go-diff, golang-github-siddontang-go, golang-github-smartystreets-go-aws-auth, golang-github-xanzy-go-cloudstack, golang-github-xtaci-kcp, golang-github-yohcop-openid-go, graywolf, haskell-raaz, hfst-ospell, hikaricp, iptraf-ng, kanboard-cli, kcptun, kreport, libbluray, libcatmandu-store-elasticsearch-perl, libcsfml, libnet-prometheus-perl, libosmocore, libpandoc-wrapper-perl, libseqlib, matrix-synapse, mockldap, nfs-ganesha, node-buffer, node-pako, nose-el, nvptx-tools, nx-libs, open-ath9k-htc-firmware, pagein, paleomix, pgsql-ogr-fdw, profanity, pyosmium, python-biotools, python-django-extra-views, python-django-otp, python-django-push-notifications, python-dnslib, python-gmpy, python-gmpy2, python-holidays, python-kanboard, python-line-profiler, python-pgpy, python-pweave, python-raven, python-xapian-haystack, python-xopen, r-cran-v8, repetier-host, ruby-jar-dependencies, ruby-maven-libs, ruby-psych, ruby-retriable, seafile-client, spyder-unittest, stressant, systray-mdstat, telegram-desktop, thawab, tigris, tnseq-transit, typesafe-config, vibe.d, x2goserver & xmlrpc-c.

I additionally filed 14 RC bugs against packages that had incomplete debian/copyright files against: golang-github-cupcake-rdb, golang-github-sergi-go-diff, graywolf, hfst-ospell, libbluray, pgsql-ogr-fdw, python-gmpy, python-gmpy2, python-pgpy, python-xapian-haystack, repetier-host, telegram-desktop, tigris & xmlrpc-c.

Categories: LUG Community Blogs