Last updated:
August 08, 2008, 20:06 UTC

Welcome to Gentoo Universe, an aggregation of weblog articles on all topics written by Gentoo developers. For a more refined aggregation of Gentoo-related topics only, you might be interested in Planet Gentoo.

August 08, 2008
Davide Italiano a.k.a. dav_it (homepage, stats, bugs)
Summer gifts (August 08, 2008, 19:43 UTC)

Davide Italiano


Today is 08/08/08. And this is funny. Seriously. Here there are two gifts for you and some random updates. Before that, I want to thank everyone who gave me feedback during these days about g/fbsd, mainly on irc. This means that someone read the ugly blagpost I wrote.
However, recently I wrote a short draft about how to install g/fbsd 7.0 on your box. The “guide” is quite similar to 6.2’s one, but some steps were radically changed, so I suggest using the new one if you want to perform a new install. I want to tell you that this documentation is completely experimental, so there {c,sh}ould be some errors. As with all my work, feedback on this guide is welcome and very appreciated (and also bug reporting).

The guide can be found on my devspace, here .

In addition, Firefox and mozilla-related stuff _actually_ doesn’t compile on g/fbsd 7.0. However there’s a quick fix to “solve” this problem. Create a script called /usr/bin/objformat and put these lines in it:

#!/bin/bash
# Print "aout" if the compiler does not predefine __ELF__ (the macro survives preprocessing), "elf" otherwise.
if echo __ELF__ | cc -E - | grep -q __ELF__ ; then echo aout ; else echo elf ; fi

That’s enough; however, there isn’t a proper way to fix mozilla, because the team has to update their Makefiles to guess the object format in a more ‘modern’ way, not using that “freebsd-4” old thing anymore.

That’s all.
Cheers

dav

August 07, 2008
Paris.pm meeting (August 07, 2008, 23:25 UTC)

Yesterday evening, Paris Perl Mongers Meeting, at the Maldoror bar, near République.
Adam Kennedy was spending a few days in Paris, so he joined us, and had brought some Perl USB keys that were quite successful.

The pictures are here: Paris.pm 07/08/08 [flickr]

Kenneth Prugh a.k.a. ken69267 (homepage, stats, bugs)
OpenDNS with NetworkManager (August 07, 2008, 17:37 UTC)

If you are like me, you roam around with Wi-Fi or your ISP’s DNS servers just really suck. NetworkManager has the habit of ignoring /etc/conf.d/net here and uses the crappy DNS servers.

No more!

To use OpenDNS simply add this to your /etc/dhcp/dhclient.conf

supersede domain-name "opendns.com";

prepend domain-name-servers 208.67.222.222, 208.67.220.220;

Now OpenDNS should be working for any access point you connect to. Enjoy the freedom.

Steve Dibb a.k.a. beandog (homepage, stats, bugs)

Steve Dibb

If, like me, you don’t trust your ISP’s nameservers to be patched and working correctly (or for them to sell you out to advertisers by redirecting broken links or whatever), then here’s a quick solution to setting up your box to use OpenDNS servers instead.

Using this assumes three things though:

  • You don’t have anything in /etc/conf.d/net
  • You are a DHCP client
  • You are using sys-apps/openrc

Anything besides that, you’ll just have to figure it out yourself, though the commands should be close.  BTW, someone correct me if I’m wrong.

Add this to /etc/conf.d/net:

dhcp_eth0="nodns"
dns_servers_eth0="208.67.222.222 208.67.220.220"

If eth0 is not your primary NIC, then you’d have to change that.

Then just restart net.eth0 (/etc/init.d/net.eth0 restart) and you should see this in /etc/resolv.conf:

nameserver 208.67.222.222
nameserver 208.67.220.220


Diego Pettenò a.k.a. flameeyes (homepage, stats, bugs)
Outdated tools (August 07, 2008, 10:10 UTC)

Diego Pettenò

There is one interesting difference between Linux and full operating system projects like FreeBSD, the other BSDs and OpenSolaris: Linux historically didn’t have much coordination between kernel and userland.

This becomes a problem for instance when udev and the kernel disagree on how to handle something, or on when you end up with a tool trying to use some old kernel interface.

It looks tremendously bad when you see that even strace fails (which on FreeBSD does not seem to happen, as ktrace is part of the single project). And I don’t know of any strace replacement.. and I rely a lot on that tool!

This gets further interesting when you add in the USB access through /proc (usbfs), which was deprecated a long time ago, but which most people are probably still enabling in their kernel. The new interface, using /dev, has been available for quite a while, and libusb supports it very well. But as it turns out, VMware does not use libusb for accessing the USB devices, and it does not support the new interface.

I wonder how many projects have this problem. I remember net-tools being worked on, iproute2 replacing ifconfig and so on… but how many tools are actually always in sync between kernel and userland, as of now?

ALSA is also a very common problem with this as the drivers in the past often ended up out of sync between kernel and driver, causing subtle and obnoxious problems.

And even counting software tools that are well in sync between the two, how many of these tools are being audited for, for instance, performance improvements? I wonder.

I’m afraid this is a blog post without solution, but I’d like to make people think about this, maybe someone can help finding solutions ;)


Josh Saddler a.k.a. nightmorph (homepage, stats, bugs)

Josh Saddler

Hello again, Planet. Another month, another week, another doc or three, another bug, another GMN. Etc.

* * *

For the last month I've been dealing with optical drive issues. First my IDE drive, then the new SATA drive.

The issues with the Samsung IDE optical drive seem to be resolved with kernel 2.6.25, and with the newest stable gstreamer packages. Audio applications can not only see the drive and the media inside, but can actually play the tracks.

Now, however, I'm having issues with the Asus SATA drive I bought when the IDE drive was acting up. It's giving my system fits, as you can see in bug 221145. Libata just hates this drive, no matter what kernel I use.

I did discover that the SATA cables I had been using were bad; they were the original cables packaged with my MSI motherboard. I ordered replacements from http://www.jab-tech.com and plugged 'em in. No more cryptic I/O errors in /var/log/messages.

However, the drive is still no better off than it was. Applications can see what's in the drive, but can't read from it. The weird thing is that I can sometimes use the drive to burn discs. I was able to burn distro ISOs, and copy them from the Samsung to the SATA drive for on-the-fly burning. But reading is right out. Strange. There are no error messages; there are no unusual messages of any kind. For a while, I wasn't sure if the errors were of the common variety (poor SATA cables; seems it's universal), or if the SATA ports on the motherboard itself were bad. Given that just swapping out cables removes the error messages, I assume it was the former.

So basically, I've spent $53 on a drive (Asus DRW-2014L1T), SATA cables, and shipping, and I'm stuck with a piece of nonworking hardware. Maybe I should have gone for another IDE drive, but I only have one IDE port on my motherboard, and it's in use by the other drive. Besides, SATA is supposed to be the way forward. I'd like to eventually have just one kind of interface for everything. Better bandwidth than IDE, no master/slave hassle, etc. Alas, the kernel and my applications refuse to cooperate with the drive. And there's no updated firmware available from the manufacturer, either.

If anyone has any suggestions not already covered in the bug, lemme know. I'm about out of ideas. The only thing I've come up with is booting with some other distro CD, one with known good hardware detection, like Knoppix or *buntu, from the IDE drive, then try to play a disc in the SATA drive and see if it works. If it does, I'll have to hunt up the kernel config and version for the LiveCD.

* * *

Now on to the good news. Jeremy Olexa (darkside) has added wicd to the tree. And not just wicd -- a working version! So now my laptop is amazingly happy. As am I; I had been trying to make wicd work for a long time without success. Fortunately, upstream released 1.5, which creates a much simpler dependency chain, and introduces better networking scripts.

Wicd really makes networking much easier when jumping between networks. It removes all the guesswork from network configuration, as well as the long, arcane iwconfig and wpa_supplicant command sequences. Random public hotspots are no longer a challenge. Just point and click to connect. Wicd is faster and more reliable than NetworkManager, and it has fewer dependencies.

I filed a bug requesting configuration information to be added to the ebuild. Jeremy obliged, so do read the output after you've installed wicd. It really is simple to set up, though baselayout-2/openrc users will need to make a couple of changes, replacing /etc/conf.d/rc with /etc/rc.conf. Here's how I set up wicd for my laptop:

# rc-update del net.wlan0
# rc-update del net.eth0
# rc-update add wicd default battery
# nano -w /etc/conf.d/rc
RC_PLUG_SERVICES="!net.wlan0 !net.eth0"

I rebooted, just to test its autostart capabilities; previous versions could never start properly. 1.5 does; no issues so far. It displayed my network, asked for my key, and then connected. Simple, but oh-so-wonderful.

I'm now a proud wicd user. :)


Kenneth Prugh a.k.a. ken69267 (homepage, stats, bugs)
In search of a laptop bag for a student... (August 07, 2008, 02:54 UTC)

So I’m in the need of a laptop bag for when I leave for college. At the moment I can’t decide on any bookbag/backpack designed for a laptop to buy. Needs to hold a decent amount of garbage plus keep my 15.4” lappy safe.

If anyone has any recommendations please let me know!

August 06, 2008
Robin Johnson a.k.a. robbat2 (homepage, stats, bugs)
Jeeves IRC replacement now alive - Willikins (August 06, 2008, 21:30 UTC)

Robin Johnson

This is a copy+paste from my email to the gentoo-dev mailing list, simply because some developers and users follow the RSS feeds rather than read email. If you want the bot in your channel and you are a channel founder/lead op, please respond on the thread in the mailing list.

Hi folks,

Sorry that it's taken this long to get completed, but the Jeeves
replacement, Willikins, is finally 99% done, and ready to join lots of
channels.

Getting the bot out there
-------------------------
If you would like to have the new bot in your #gentoo-* channel, would
each channel founder/leader please respond to this thread, stating the
channel name, and that they are the contact for any problems/troubles.

Bug reports
-----------
Please open a bug in the Gentoo Infrastructure product, using the
'Other' component, and assign it directly to me.

Custom bot functionality:
-------------------------
Here's all the functionality that we have assembled, beyond the standard
rbot stuff.
Bugzilla
========
!bug [ZILLA] ID
Looks up bug #ID in the per-channel default or specified bugzilla.

!bugstats [ZILLA]
Totals of bugs per the bugzilla 'status' field.

!archstats [ZILLA] [STATUS] [RESO]
Totals of bugs per architecture, optionally with some specific set of
status or resolution values, comma delimited.

status = OPEN, DONE, UNCONFIRMED, NEW, ASSIGNED, REOPENED, RESOLVED, VERIFIED, CLOSED
Reso = FIXED, INVALID, WONTFIX, LATER, REMIND, DUPLICATE, WORKSFORME,
       CANTFIX, NEEDINFO, TEST-REQUEST, UPSTREAM
zilla = gentoo xine sourcemage redhat mozilla kernel fdo abisource
        apache kde gnome
If you want another bugzilla, file a bug.

Gentoo-specific
===============
!meta [-v] [CAT/]PACKAGE
Print the metadata and optionally herd members for a given package.

!changelog [CAT/]PACKAGE
Changelog stats for a package

!devaway list
List all away developers.

!devaway DEVNAME
Display .away message for a single developer.

!herd HERD
Show herd members

!expn NAME
Show the expansion of any public Gentoo mail alias

!glsa GLSAID
Shows the title and external IDs for any given GLSA ID.

!earch [CAT/]PACKAGE
Earch output for a given package

!rdep [CAT/]PACKAGE
Reverse RDEPEND for a given package

!ddep
Reverse DEPEND for a given package

What isn't supported yet
------------------------
1. !glsa -s TEXT
This used to search for GLSAs that matched that string in their title or
external IDs.

2. New bug announcements
Jeeves used to announce brand new bugs to #gentoo-bugs as well as
targeted channels or users, depending on the product, component,
assignee, cc and a number of other factors (deeply nested if/else
trees). The old implementation had this in code entirely, and it would
be nice to avoid having to modify the code whatsoever, and instead have
some domain-specific language for doing this.

Source availability
-------------------
Gentoo specific:
http://git.overlays.gentoo.org/gitweb/?p=proj/rbot-gentoo.git
Bugzilla support:
http://git.overlays.gentoo.org/gitweb/?p=proj/rbot-bugzilla.git
(flameeyes has his own tree as well, but he's been sick lately, so it
was lagging behind my development)

Right now, if you want to run your own instance of the bot, you will
need the latest Git tree of the rBot itself, as upstream only fixed the
last remaining issue a couple of hours ago.

Thanks to
---------
solar:
Running the old Jeeves Eggdrop till now, and helping to document all of
the Eggdrop functionality we used.

flameeyes:
Bugzilla plugin development

halcy0n:
Gentoo-specific stuff

tango_, jsn-:
(rbot upstream developers) For fixing the bugs as I found them :-).


Gunnar Wrobel a.k.a. wrobel (homepage, stats, bugs)
Distributed burden (August 06, 2008, 15:05 UTC)

Gunnar Wrobel

I just found that my old layman article is available for free. It probably has been accessible for a while already but I didn't know, so I thought I'd mention it here. It was written for the German Linux Magazin so it is available in German only.

As a response to this little article I got a short e-mail about a week later. Patricia Jung asked me whether I'd be interested in writing a whole book about Gentoo. And I was. As people probably know...

Steve Dibb a.k.a. beandog (homepage, stats, bugs)
postgres and mysql comparison paper (August 06, 2008, 14:42 UTC)

Steve Dibb

I’ve been job hunting, and while my dream job would be somewhere that uses PostgreSQL, I am having an extremely hard time finding anyone that uses it. So, I think my chances might be better actually getting a company to convert to using it instead. In doing that, I’ve started outlining a draft of a paper that I can present to both lead programmers, database administrators, and management on the pros of using PostgreSQL over MySQL. If anyone has some ideas that I could add in, I would appreciate it.

Here’s the general principles I already plan on covering: foreign key support, data types, transactions, shell interface, ANSI SQL support, table types, general features, history, licensing, abstraction layers (using PHP).

Also, and I don’t mean to sound like I’m spreading FUD, but it occurred to me this morning that I’ve never heard anyone say that MySQL is better than PostgreSQL.

Anyway, ideas welcome. I’ll post my progress as I get the paper put together. This is something I’ve been meaning to do for a long time.


Diego Pettenò a.k.a. flameeyes (homepage, stats, bugs)
Flags and flags (August 06, 2008, 14:08 UTC)

Diego Pettenò

This post, and probably a few more posts that will come to be, is being written about a day before it’s actually being posted. The reason for this is that, as I’ll probably be hospitalised at the end of August, I want to have something going on so I don’t need to write during the hospitalisation.

I was reflecting tonight with Mark (Halcy0n) that for having hardened features on GCC 4.x you shouldn’t, in general, need any particular support in the compiler. What hardened would be doing for the modern compilers is creating new “spec files” that tell the compiler which flags to use by default. This would force the compiler to always generate PIE (Position Independent Executable) code and SSP (Stack Smashing Protection).

In general, to have the same features it would be enough to properly set CFLAGS and CXXFLAGS. The idea is that once you put -fPIE in your flags, all the code that Portage built would be PIE, and if you set -fstack-protector in your CFLAGS (and not CXXFLAGS because SSP is known not to cope properly with C++ code), you expect your system to be built with stack protector turned on.

The problem is, reality and theory don’t seem to coincide. The problem is that a huge lot of ebuilds ignore your flags entirely, others strip them, and might strip -fPIE and -fstack-protector, and quite a few mix CFLAGS and CXXFLAGS, using the former to build C++ code and the latter to build C code. The result is that you end up with something different than what you asked for.

Even worse, there are packages that save your CFLAGS in their -config files, letting your custom flags creep into other projects that might not want them.

So the result is that if we want to make it much easier for everybody to enable hardened, we should be making sure that the behaviour of ebuilds is standardised on the policy of respecting the flags set by the user, not filtering them unless really needed, and even then letting most of the non-optimisation flags through. And to actually use the correct variable depending on the language used.

What are the problems? The first is obviously upstreams that don’t want users to use their own flags for building their code (MPlayer, anyone?), then there is at least the problem of broken build systems that either don’t understand the difference between CFLAGS and CXXFLAGS or don’t support custom flags at all.

If you wish to help, there is an easy way to actually find where the flags are mixed up. As the most obvious problem is CFLAGS used for building C++ code (rather than the other way around), you can add -Wno-pointer-sign to your CFLAGS. When the variable is misused, it turns out this error:

cc1plus: warning: command line option "-Wno-pointer-sign" is valid for C/ObjC but not for C++

When you see that, it’s time to report it against bug #234011 so that the maintainers know they need to fix something in the build system to keep the two variables separated.

As to how to fix this, on custom build systems it’s difficult to say, on autotools-based systems, the problem might be in the configure.ac, if code similar to this is present:

CFLAGS="${CFLAGS} -DSOMETHING"
CXXFLAGS="${CFLAGS} -DSOMETHING"

An alternative is that the build system is adding to CXXFLAGS the value of a variable reported by one of the foo-config scripts that are bugged and report the flags used to build the source package rather than just the flags needed to get their include directories right. In that case the bug lies in a different package, and it is there that it has to be fixed.
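Two checks for the mix-ups described in the last few paragraphs, as an added example that is not part of the original post: counting the cc1plus warning that -Wno-pointer-sign in CFLAGS produces in a build log, and finding configure.ac lines that seed CXXFLAGS from CFLAGS. The sample log and configure.ac below are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for CFLAGS /
# CXXFLAGS mix-ups.  Sample build log and configure.ac are constructed
# here; point the functions at real files in practice.

# How many times did the C-only option reach the C++ compiler?  This is
# the exact cc1plus warning that -Wno-pointer-sign in CFLAGS produces.
count_cxx_misuse() {
    # $1 = build log; grep -c prints 0 and exits 1 on no match, so keep going
    grep -cF 'cc1plus: warning: command line option "-Wno-pointer-sign" is valid for C/ObjC but not for C++' "$1" || true
}

# Lines in a configure.ac that seed CXXFLAGS from $CFLAGS or ${CFLAGS}.
find_cxxflags_from_cflags() {
    # $1 = configure.ac; prints "lineno:text" for each offending assignment
    grep -nE '^[[:space:]]*CXXFLAGS=.*\$[{]?CFLAGS' "$1" || true
}

# Write constructed sample inputs into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/build.log" <<'EOF'
gcc -O2 -Wno-pointer-sign -c foo.c
g++ -O2 -Wno-pointer-sign -c bar.cc
cc1plus: warning: command line option "-Wno-pointer-sign" is valid for C/ObjC but not for C++
g++ -O2 -Wno-pointer-sign -c baz.cc
cc1plus: warning: command line option "-Wno-pointer-sign" is valid for C/ObjC but not for C++
EOF
    cat > "$dir/configure.ac" <<'EOF'
AC_INIT([demo], [0.1])
CFLAGS="${CFLAGS} -DSOMETHING"
CXXFLAGS="${CFLAGS} -DSOMETHING"
CXXFLAGS="${CXXFLAGS} -DOTHER"
EOF
    echo "$dir"
}

# Run both checks over the samples, or over real files given as arguments.
report() {
    log=${1:-}; cfg=${2:-}; dir=
    if [ -z "$log" ]; then
        dir=$(make_samples); log=$dir/build.log; cfg=$dir/configure.ac
    fi
    echo "cc1plus warnings about CFLAGS-only options: $(count_cxx_misuse "$log")"
    echo "configure.ac lines copying CFLAGS into CXXFLAGS:"
    find_cxxflags_from_cflags "$cfg"
    if [ -n "$dir" ]; then rm -rf "$dir"; fi
}

report "$@"
```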

Hopefully, this kind of fix will become routine and new packages won’t be added to the tree if they mix CFLAGS and CXXFLAGS… I can always dream, can’t I?

But yes this is another point of my checklist when creating an ebuild, if the new ebuild is not needed immediately and upstream fails to understand CFLAGS and CXXFLAGS differences, then I avoid adding it at all. I hope other developers will start considering this, too :)

Oh yeah I’m sorry I’m actually filing bugs now without providing a fix immediately. The reason why I stopped providing fixes right away is that first of all I’m opening a huge amount of bugs when I find them, rather than waiting to have time to debug and fix them, and I have not enough time for myself to take care of that stuff too, and I’d rather explain how to fix them and then see them fixed by the actual maintainers. And also, I think I have bugs with patches still waiting on maintainers, so…


Ryan Hill a.k.a. dirtyepic (homepage, stats, bugs)

Ryan Hill notes for future selves:

the day you have a new girl start on your crew and the day you bury the truck to the floorboards in mud should preferably not be the same day.

when a coworker tells you he charged your GPS batteries last week while you were on vacation consider he can't often get his boots on the correct feet.

if there is a slough within a hundred meters of your location you will find yourself in it, and it will be two inches over your boots.

the first day back after vacation is always the best.


August 05, 2008
Robin Johnson a.k.a. robbat2 (homepage, stats, bugs)
SSH ControlMaster for Gentoo CVS (August 05, 2008, 22:03 UTC)

Robin Johnson

Cardoe was complaining that repeatedly hitting the Gentoo CVS server was too slow, and it turned out he wasn't using SSH ControlMaster at all. Other developers have blogged about it before, but here is a quick reminder how.

Without ControlMaster, running "time ssh robbat2@cvs.gentoo.org w" shows a turnaround of 1.9 seconds. With ControlMaster, it's more in the range of 0.07-0.09 seconds :-).

~/.ssh/config:
Host master-cvs.gentoo.org
    HostName cvs.gentoo.org
    User robbat2
    ControlMaster yes
    ControlPath ~/.ssh/master-%l-%h-%p-%r.sock
Host cvs.gentoo.org
    ControlMaster no 
    ControlPath ~/.ssh/master-%l-%h-%p-%r.sock
    BatchMode yes
Setup Usage:
ssh -f -n -N master-cvs.gentoo.org

Now just do anything like you would normally. For security, you should probably close the ControlMaster session if you're going away from your machine for a long time. It would be nice to detect the loss of the ControlMaster and re-initiate it always at the start of a sequence.
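One way to do the detect-and-reinitiate step the last paragraph asks for, as an added example that is not part of the original post: "ssh -O check" asks the master through its ControlPath socket, so a sequence can start a master only when none answers, and "ssh -O exit" closes it when you step away. It assumes the ~/.ssh/config shown above (the master-cvs.gentoo.org alias); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): keep a ControlMaster
# session alive for a batch of commands and close it afterwards.
# Assumes the "master-cvs.gentoo.org" alias from the ~/.ssh/config above.

MASTER_HOST=${MASTER_HOST:-master-cvs.gentoo.org}

# Returns 0 if the control socket answers, 1 otherwise.
# "ssh -O check" talks to the master process through its ControlPath socket.
master_alive() {
    ssh -O check "$1" >/dev/null 2>&1
}

# Start a master only when none is running; prints what it did.
ensure_master() {
    if master_alive "$1"; then
        echo "reused"
    else
        ssh -f -n -N "$1" && echo "started"
    fi
}

# Close the master (e.g. before leaving the machine); prints what it did.
close_master() {
    if master_alive "$1"; then
        ssh -O exit "$1" >/dev/null 2>&1 && echo "closed"
    else
        echo "none"
    fi
}

# Typical session: invoked as "./script run"; anything in between rides
# the shared connection through the cvs.gentoo.org stanza.
if [ "${1:-}" = "run" ]; then
    ensure_master "$MASTER_HOST"
    ssh cvs.gentoo.org w
    close_master "$MASTER_HOST"
fi
```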


Kenneth Prugh a.k.a. ken69267 (homepage, stats, bugs)
Finished AlcoholEdu (August 05, 2008, 21:41 UTC)

Well I took and completed my required AlcoholEdu course yesterday online after messing around with getting flash working. It was pretty meh. Filled with surveys that mostly assumed you drink so you can’t really answer them if you are like me and don’t drink at all. Suddenly halfway throughout the course I randomly needed Java for an error page it seems which totally ticked me off, but I digress.

Apparently if you enable closed captioning (which I did as it’s easier to read and listen than simply listening to something) the course is broken around module 2, after you learn about BAC levels. Switching captions off let me proceed throughout the course.

All in all the course was easy albeit massively boring. Towards the latter part I just started blasting techno music to keep me occupied while I finished up the exam.

KeePassX woes (August 05, 2008, 20:35 UTC)

The following error occurred while opening the database: Unknown error while loading database.

This is what I was just greeted to after trying to open my KeePassX database. The problem? I just recently emerged KeePassX 0.3.2 from portage. I’m glad whoever maintains this checked if you can even open an existing database…sigh.

My Solution?

Well I rescued the old ebuild from cvs and emerged it. Behold! The database opened right up after entering my password. So I’ll export this database as a KeePassX XML file. This should work hopefully…

Nope. After saving the new database it still ain’t working. Hrmm.. Let’s run a revdep-rebuild just in case something got broken along the way. It comes up clean, so this isn’t the option. OK, maybe TwoFish is simply broken with the new version. Let’s try with AES encryption…

Success. It seems for now TwoFish is broken on my Gentoo system with the new KeePassX. I wonder if this is an issue that is affecting others?

It seems there is a bug open at sourceforge about it.

Diego Pettenò a.k.a. flameeyes (homepage, stats, bugs)
PAM, delays and hashes (August 05, 2008, 13:55 UTC)

Diego Pettenò

I was reading Planet FreeBSD the other day and I noticed an interesting post about PAM. It talks about a couple of old vulnerabilities in OpenSSH that allow gathering information about a system depending on the timing used for authentication.

As it turns out, the issues have been fixed a long time ago in OpenSSH portable so Gentoo is far from being affected by those, but the interesting part is that the issue is caused by the delay that Linux-PAM implements by default on failed login attempts.

As it turns out, I wonder now if there is a reason at all we enable that. I wonder because even if OpenSSH is fixed, similar problems may apply to other remote services that use PAM for remote authentication. One option I see is to enable the delay only on local logins, but that would require a bit of duplication in pambase, as it is. Or maybe it could be implemented through a pam_delay module.

The nice thing about pambase is that it takes very little time to actually get this updated, as I need just to update pambase package rather than the whole Linux-PAM, which is a mess to update.

And just to show one good thing about pambase: in the past days I added a sha512 USE flag to the package. With that enabled, the latest Linux-PAM version is brought in and SHA512 password hashing is enabled. This means that rather than using MD5 for encrypting the passwords in the shadow file, once you change them they’ll be saved using SHA512. The advantage is that SHA512 should be more secure than MD5 (which I think is, nowadays, considered not secure anymore).

Before version 1.0.1 of Linux-PAM to achieve similar goals you had a few different options. You could have used pam_unix2 (which I think was used or developed by SUSE) or you could have used pam_sha512, otherwise you could have been using tcb to use blowfish encryption.

Now that the same result can be achieved with a single USE flag (and a single change to the PAM configuration), the sys-auth/pam_sha512 package is masked for removal, one less package to maintain in tree.
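Since existing hashes only switch to SHA512 when a password is next changed, the check a practitioner wants after enabling the USE flag is which accounts still carry MD5 ($1$) hashes. This added example (not from the original post) classifies the crypt(3) prefix of each shadow entry; the shadow lines it ships with are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): report which accounts in a
# shadow-format file still carry MD5 hashes after the sha512 USE flag is
# enabled.  Sample lines are constructed; hash bodies are placeholders.

# Map the crypt(3) prefix of one shadow hash field to an algorithm name.
hash_algo() {
    case "$1" in
        '$1$'*)                  echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        '!'*|'*'|'')             echo locked ;;          # no usable password
        *)                       echo des-or-unknown ;;  # 13-char DES or other
    esac
}

# Print "user algo" for every entry in a shadow-format file.
list_hash_algos() {
    while IFS=: read -r user hash _rest; do
        echo "$user $(hash_algo "$hash")"
    done < "$1"
}

# Print only the users whose hash is still MD5 (they need a passwd run).
users_still_md5() {
    list_hash_algos "$1" | awk '$2 == "md5" { print $1 }'
}

# Constructed sample shadow file; print its path.
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$c0nstructedSalt$PLACEHOLDERsha512hashbodyNotReal:14000:0:99999:7:::
alice:$1$c0nstr$PLACEHOLDERmd5NotReal:14000:0:99999:7:::
bob:$1$c0nstr$PLACEHOLDERmd5NotReal2:14000:0:99999:7:::
carol:$2a$08$PLACEHOLDERblowfishNotReal:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
svc:!:14000:0:99999:7:::
EOF
    echo "$f"
}

# Use the real shadow file when readable (i.e. as root), else the sample.
if [ -r /etc/shadow ]; then
    users_still_md5 /etc/shadow
else
    f=$(make_sample_shadow); users_still_md5 "$f"; rm -f "$f"
fi
```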

So at the end, pambase is coming along nicely, as I was hoping it would. This should be a very good way to handle future options and other increased securities without having to update the code behind at the same time.


Zhang Le a.k.a. r0bertz (homepage, stats, bugs)

Zhang Le

distcc's got zeroconf support
That is cool!

However, there are problems (although not everyone gets these problems).
One of them is that if you have multiple versions of gcc or even
cross compilers, distcc clients can't discover them, since distccd will
only register your current active gcc.
And if you want to change your native compiler's version, you must
restart distccd in order to let it take effect.

Having multiple gccs may not be common in other distributions, but
this is common in gentoo.
This is what I have on my x86 notebook:
gcc-config -l
[1] i686-pc-linux-gnu-4.3.1 *
[2] mipsel-unknown-linux-gnu-4.3.0-alpha20080731
[3] mipsel-unknown-linux-gnu-4.3.1
[4] mipsel-unknown-linux-gnu-4.4.0-alpha20080718 *
[5] mipsel-unknown-linux-gnu-4.4.0-alpha20080801
[6] powerpc-unknown-linux-gnu-4.2.3 *

So I made a little patch:
https://bugs.gentoo.org/show_bug.cgi?id=233843

Hope there will be a distcc-2.18.3-r14 or distcc-3.0_rc4 in tree soon, ;)

August 04, 2008
Davide Italiano a.k.a. dav_it (homepage, stats, bugs)
Have I to change? (August 04, 2008, 23:20 UTC)

Davide Italiano


Ultimate Blogger's Nickname

I’m sorry, yeah, I’m really so sorry. (August 04, 2008, 23:08 UTC)

Davide Italiano


“Ok, Mark. You’re right. There are lots of solutions to have xfce4 working on your g/fbsd 7.0 box”.

I’m currently writing this because mark_alec commented my last blag entry saying that if you put games-misc/fortune-mod in /etc/portage/package.provided you can easily emerge xfce4. That’s right. But, there are 2 issues. 1) You haven’t the fortune of the day 2) This solution isn’t clean.

I noticed that compiling recode w/ USE=”-nls” you can emerge fortune-mod and have xfce4 working and showing you “the fortune of the day”. However, the idea to reimplement fortune-mod using somethin’ more sane than librecode is interesting (and isn’t also quite difficult), so when I’ll have a bit of time (probably never) I’ll give a look at the source code. About xfce, if you don’t believe I’m running it on g/fbsd, here’s a screenshot. This is enough, I guess.

Still talking about g/fbsd: the team is currently waiting for vapier to close two bugs, and to commit 7.0 ebuilds in portage. ;) I’m currently testing some packages, but talking w/ dev-zero I noticed that he’s starting a project about virtualization on gentoo, so I think I’ll work on virtualization on gentoo/freebsd. Or better, I’ll try working on it.. See you soon w/ new updates.

Kind regards

dav

Robin Johnson a.k.a. robbat2 (homepage, stats, bugs)
Thoughts on bike locks (August 04, 2008, 06:21 UTC)

Robin Johnson

Having my bike stolen has made me wonder about locks more. Defeating most forms of bike locks is trivially easy with some lateral thinking.

This was my lock:

Lock properties and attacks against them:

key-based
    bumpkey (given a suitable blank or other key of same style), pick the lock, drill or freeze the lock (either LN2 or just adding in warm water on a day that's below freezing)
combination-based
    guess or shoulder-surf the combination
Cable/Chain
    Large bolt cutters, wire cutters or hacksaw
U-Lock/D-Lock
    Use a jack inside the arms to apply outward force

Any other bicycle lock types or different attacks that you can think of? Any way to effectively defeat one or more of the above attacks? From a security perspective, we need to consider not only the permitted attacks, but all possible attacks.

In my case, they either defeated my combination (probably by shoulder-surfing), or just used some form of cutting attack. Since the lock wasn't left behind, I suspect the former more than the latter.


Stolen Bike (August 04, 2008, 06:09 UTC)

Robin Johnson

Ok, so I've totally slacked off, and not posted about the rest of OLS2008 yet, but this post is more important than that for now. I was out at the Pride Parade today, then went to meet up with a friend. I locked up my bike at ~17h20, to the racks outside Waterfront Station (I wrote Centre in my Twitter posts, but then realized it was actually Waterfront Station at that spot). I came back at 20h30, to find my bike was gone :-(.

Description: Norco model 7030 (only 95% certain, can't remember exactly), mountain bike. Olive Green and Beige, with some white lines. Front white LED from PlanetBike (batteries quite worn down), no rear light. Stock seat. Rear aluminum pannier rack. Bike lock was an OnGuard Doberman combination lock.

I bought the bike used, almost 3 years ago, from the antiques/junk store on the corner of 31st and Main, for $50. It was probably hot merchandise at the time, but it was a good deal, and in reasonable condition. I've put in probably $50 of maintenance, and the lock+rack were another $40 approximately. Not a lot of money, just enough to be annoying.

Leave a comment

August 03, 2008
Diego Pettenò a.k.a. flameeyes (homepage, stats, bugs)
3Com really needs better interface programmers (August 03, 2008, 20:00 UTC)

Diego Pettenò

I’m almost tempted to send my resumé to them, I’m sure I can do better than whoever designed the interface of my 3Com router.

Don’t get me wrong, the router, at a hardware level, is very good. It works pretty well under heavy load; I was able to crash it just once when I tried multiple wireless transfers, but besides that it was pretty stable.

The problems are all on a software level, firmware level, which is what bothers me more, as if they actually opened their firmware I would probably stick with them. Unfortunately as far as I know this type of router is not yet supported by Linux in any way, which drives me crazy.

I blogged about this a little short of two years ago, and the problem got worse recently because I changed my network graph. The configuration interface of the router does not allow enabling port forwarding (or, as they call it, virtual servers) if the target IP is not in the same /24 network as the router’s IP, ignoring whatever netmask setting the router has.

In my case, I ended up creating a 172.16.0.0/16 network here. Why? Because the /28 I was using before dried up, because of another bug in the software of the router. Although leases haven’t been confirmed, the router’s DHCP server will “reserve” the IPs already assigned to a MAC address, and I couldn’t find a single way to let it release those leases. If you are not quick at network calculations, a /28 network mask means there are

2^(32-28) - 2 = 2^4 - 2 = 16 - 2 = 14

IPs available for hosts.

As you can see from this rough schema I have quite a few devices connected on the wireless network. And as it happens, I do support work on Windows systems from time to time, and every time one of the tasks I need to perform is connecting laptops to the wireless network to make sure they are set up to connect to the Internet on their own. Add to that a few PSPs that friends of mine bring along, and you can guess that the DHCP address space disappeared pretty easily.

Besides the /16 network there is a /24 network that is forwarded to Enterprise. I was actually thinking of forwarding a whole /17 or /18 for safety, and to avoid mixing 192.168 and 172.16 addresses, but I haven’t gotten around to fixing that yet. The reason why I have some address space reserved and redirected to Enterprise is that this way I can have a special network for just the laptop, for iSCSI, NFS and Samba, when I’m working on Windows or moving stuff around on OSX.

Okay so let’s return to the 3Com router now. As I said the router, which has IP 172.16.0.1, does not allow me to redirect ports to the addresses of the DHCP-allocated devices (which, just to make sure, I set to 172.168.1.0/24—again I cannot let DHCP take more than a /24 range!). And I DHCP-allocate basically anything. Why? Because it’s easier, if I change the network setup, to re-run the DHCP clients on the various devices, rather than having to set them up from scratch again; there are quite a few of them. This meant, up to now, that I had no forwarding at all for any service.

Today, by chance, I found a way to get around this. I was booted in Windows XP (to play Empire Earth), and I noticed that the router’s UPnP interface was being identified by Windows, and I could manage it from there. I know a bit about UPnP because, when I had a D-Link router, I already tried writing a simple program for managing port forwarding. I checked and… magically, the router allows me to redirect ports to any IP address, if I ask it to via UPnP.

Unfortunately, as far as I know, the only work going on regarding UPnP under Linux is for mediaserver devices (including MediaTomb for the PS3), and not port forwarding. I know Azureus supports redirecting ports and, if I recall correctly, KTorrent had something too, lately, but I don’t think there is an easy-to-use library to manage that just yet. If there was, I’d probably be working on a configuration interface myself. I think it would be really useful, and it would allow setting up services so that ports are automatically forwarded on request to the right IP, so not only wouldn’t I have to reconfigure the clients to get the new IP (thanks to DHCP) but I wouldn’t have to tell the router where to find the services either.

Of course, I can see there are a few downsides to this approach, mostly security-related, but I don’t think it’s less or more of an issue whether there is a library that helps implementing this on Free Software or not.

And soon enough I’ll be hitting a new limit of the software in the router. The MAC address table for wireless connection control is limited to 32 entries, not commented. I will have more than 32 allowed elements soon. And I won’t know which entries refer to old laptops I fixed, and which ones refer to devices that I might take care of again soon.

I’m sincerely displeased to see that even a huge and trusted manufacturer like 3Com has very bad firmware. I wish I could find a router that has hardware as capable as 3Com’s, but a firmware flexible enough to provide IPv6 through a broker, for instance, or that allows me to write my own connection filters.

3Com, please open your firmware! You’ll make all your consumers happy, and they’ll return to you! If you were to release a router that has the same hardware capabilities as mine, with a much more open firmware, and 802.11n wireless, I’d be buying it right away!

Leave a comment

Service announcement about disabled comments (August 03, 2008, 14:16 UTC)

Diego Pettenò

Just a service announcement post for the few users following my blog. As the GMN is often reporting blog posts of mine that are more than a month old I decided to make some changes to how comments get disabled.

Up to today, posts older than 30 days had their comments section disabled; this is because after a while most of the comments arriving on these are just simple spam, and while I’m forced to premoderate the comments anyway (too much spam otherwise), I’d rather not have more of it to remove.

Now I moved the limit to 90 days, so there should be enough time to comment even when GMN posts a link a month later.

If you wanted to comment on a not-so-recent post of mine and you found the comments disabled, you might want to take a look now, as the change is retroactive.

If I don’t see an exponential amount of spam I might just as well leave all the posts enabled even after 90 days.. there’s time to see that ;)

Leave a comment

Ruby-elf and documentation (August 03, 2008, 09:15 UTC)

Diego Pettenò

After my checklist post I got asked for some documentation about ruby-elf tools like cowstats and missingstatic.

As it turns out I wrote little to no documentation at all, and I relied exclusively on the scripts being self-documenting, for the most part. Probably not a good idea if I want to have a broader audience.

For this reason, I think I’ll start by writing some man pages for the tools, hopefully today or tomorrow, before I get to the hospital again. I’ll also see about actually releasing a version of this so I can add it to portage too, so that it’s actually available for developers who are interested (for now you can get it from my overlay as dev-ruby/ruby-elf-9999).

I also started working on improving the way cowstats decides whether a symbol is in a copy-on-write section or not. Before, I only used the name of the section and, as it turns out, I used to ignore the TLS sections (no, not the SSL successor, but Thread-Local Storage).

The TLS problem is solved now but I decided using the name of the section to decide whether it’s CoW or not is not very feasible. I added code that checks the type and the flags of the sections, to an extent, so that it ignores automatically all the sections containing executable code, and all the read-only sections. It also considers .bss and equivalent sections just by type rather than by name (if I did this in the first place I would have supported .tbss in the first place too).

On a different note, I forgot to write that while I was hospitalised, my Nokia decided to go crazy and corrupted the fring app I was using to chat from the E61 itself. I think (and from one side hope) that the MiniSD I was using was broken, because then the rest of the phone would be fine. The problem is that the internal memory is very tiny and the MiniSD that Nokia gave me with the phone, which I just put back in it, is half full of Nokia’s own software, like the MailForExchange launcher (which I don’t care about) or TravelMate. I think I’ll have to pick up a new MiniSD hoping that will work. Last time I bought a Corsair 1GB, this time I think I’ll stop with a Transcend one as they never failed me up to now. Interestingly enough, at my supplier, the MiniSD card would be pretty cheap (€5) while the shipping costs would be over that price. I should check if they have cheap SD cards too, in the stores around here they are tremendously expensive still (€10 for a 2GB card!).

Leave a comment

Anant Narayanan a.k.a. anant (homepage, stats, bugs)

Anant Narayanan

Bear with me for this long post (no pun intended) describing the awesome Mozilla Summit at Whistler. The short version is that it was supercalifragilisticexpialidoceous. Ok, that’s a nonsense word but there’s no way I can put the experience in just one word :-)

Monday
All the interns got up fairly early to catch a shuttle to SFO, and we arrived in Whistler after a pleasant 3 hour flight and 2 hour bus ride from YVR. The scenery was fantastic all along the way, and the hotel was overwhelmingly comfortable. Nothing much happened except meeting some familiar as well as new people at dinner.

Tuesday
First day of the summit started off with keynotes by John Lilly and Mitchell Baker. Mitchell’s analogy of what she thought of Mozilla was especially intriguing. A great way to kick-off the sessions that were to follow over the next few days. The UX talk on the history and future of browsers was especially a good one. Highlight of the day was Gary spotting bears. Apparently, there were a few that were brave enough to jump into the room balconies too.

Wednesday
I spent most of the early part of the day in the Emerald room, attending sessions on Mozilla’s Technology roadmap, Fennec and the Labs concept series. I ended the round of session-attending with Myk’s talk on Snowl, which is another cool labs project (well, all labs projects are cool!).

The big news of the day was the rockslide on the road connecting Vancouver with Whistler. ~350 at the summit suddenly had to change travel plans to accommodate for this… um… natural disaster. The contingency plan involved 8-hour long bus rides on a longer, more scenic route or float planes.

The labs team spent Wednesday night hacking at Chris’ room, in preparation for our presentations the next day. Prior experience led us to believe that relying on the WiFi network in the hotel was probably not a wise idea for our demos, so I set up a local weave server with a few demo accounts and changed the bookmark sharing code to not depend on XMPP to notify the receiving user of the share. It was 3 am by the time I got to sleep so I responsibly set an alarm because the weave talk was the first one on the next day.

Thursday
Except the alarm didn’t go off, and I woke up 45 minutes after the scheduled time for the session. My first reaction was along the lines of oops, I screwed up. But as I became fully awake I realized there was no power in the entire hotel and breathed a sigh of relief because all the morning sessions were postponed. So the story was that a laundry truck ran into a transformer and it would take a few hours for power to be restored.

The Labs sessions were moved to a conference room run by our friendly neighbors (The Hilton), and we started off shortly after lunch. The Labs sessions on Weave and Ubiquity went off really well and I think they created a lot of buzz. Especially with ubiquity, some of the demos were mind-blowing!

Though I really wanted to attend the session on HG, I decided to take a nap instead and prepare myself for the grand dinner atop Whistler-Blackcomb (which are, incidentally, codenames for Windows editions). The dinner was a fine end to a fine summit, and I was especially excited to experience snowfall for the first time in my life :-)

My plan to get back home was to catch a Floatplane with the rest of Labs the next morning, in time for the YVR-SFO flight at 3 pm.

Friday
But NO. All the floatplanes had been cancelled due to fog and low tides, so Dan & Chris put me up on the last bus out of Whistler at 11 am, and kindly provided a goodie bag full of food and coffee for my 8 hour bus ride.

The ride itself was not bad at all, the scenery on the way was well worth it. As we approached Vancouver (around 6:30 pm), Melissa Shapiro found me on the bus and informed me that she would try to catch the 8:15 pm flight to SFO (which was the last one out of YVR) and recommended I do the same. The bus didn’t go to the airport, but to the Sheraton at Wall centre instead, so Melissa and I took a cab and rushed to the airport.

We managed to get standby tickets on the plane, and went through US immigration, customs and security check (where I was “selected for random screening”). We did make it to the gate on time, but not on the plane. Technically, I had to re-enter Canada through immigration, but I had a single-entry VISA. Thankfully, Melissa was there to vouch for me, so I was able to make it back in.

Chris had rooms for us at the Sheraton and we headed back. After a great dinner with Bret, Brad, Melissa, Chris and Dan, I tucked in for the night watching Vancouver’s great skyline.

Saturday
Quite an uneventful day, considering the last week, because everything went as planned. All of us had confirmed tickets on the 11 am flight to SFO.

Melissa, Chris and I stopped for a while at Stanley Park on our way to the Airport, while Dan had to leave early because he had to pick up his bag and passport (which he left at the party on Thursday, there’s another whole story!)

Phew
Well, I’m back in Mountain View now; and only have a week more to go. I’m really going to miss everyone, and the summit just made it a whole lot harder for me to say goodbye. But as Chris Hoffman had said in a brown-bag sometime ago: “This is Hotel Mozilla - you can check out anytime you like, but you can never leave!”

Just want to convey a big Thank You to everyone at Mozilla; especially Dan Portillo, Tiffney Mortensen, John Lilly, Julie Deroche, Melissa Shapiro, Maria Emerson, and most of all, Chris Beard, for making my experience at the summit an experience of a lifetime!

(Pictures up on Flickr)

Leave a comment

August 02, 2008
Diego Pettenò a.k.a. flameeyes (homepage, stats, bugs)
Changing characters (August 02, 2008, 22:53 UTC)

Diego Pettenò

Today a friend of mine came visiting me. We ended up playing a bit with PlayStation 3, in particular, we played Marvel Ultimate Alliance, which I got some time ago, pretty cheap too. I haven’t played much of it actually, it was cheap, it supports more than one player (which is nice when you play with friends) and I always was a Marvel fan.

Indeed, a few years ago I was a great Marvel fan myself, I read Spider-Man every two weeks (when it was released in Italy, that is), and I also bought more comics when there were crossovers. I stopped reading comics just because it became difficult to actually find them around here.

I also still watch the movies Marvel releases, I have quite a few DVDs of Marvel movies, although I disliked Spider-Man movies very much, I did like X-Men and Fantastic Four sagas, to the point I have Fantastic Four – Rise of the Silver Surfer and X-Men The Last Stand in Blu-Ray. I don’t want to “convert” the old movies just yet. They do cost and I don’t want to spend too much for stuff I have already.

The game was a bit of a “jump in the past” for me, as it was quite a bit of time since I last found myself “in” Marvel super-heroes. The nice thing is the fact that you can actually choose the costume you like more of the heroes, which is a very nice touch, as you can see many different attires they were depicted in.

I admit I haven’t followed much of the stories in recent years; especially I didn’t follow at all the “Ultimate” universe which is where the game is most likely taking place (otherwise why would it be called Ultimate Alliance?). But one thing I noticed: it’s impossible to think of Wolverine nowadays without thinking of Hugh Jackman, since X-Men was released. I think they did a great thing there, and Jackman is really the perfect Wolverine, at least to my eyes.

The one thing I’m waiting for at this point is the release of Iron Man in Blu-Ray. I remember the TV series and I very much loved that. For a long while I also read the comic books, but again, they were hard to find around here.

I’m sure I’d gladly resume reading them, the problem is that I hardly find time to read lately (I read a bit in the hospital, but not ever since), and I would find myself pretty much out of place if I ever try to read them again. There were huge changes every time I stopped and resumed reading Spider-Man alone, and that is far from being the most complex series in the Marvel Universe.

Okay sorry for this totally off-topic post, I had some old-time feeling that I needed to put off my chest. For those interested, I just finished setting up my MacBook Pro so that, if they hospitalise me, I’ll be able to play some games I didn’t play in the past years.

Leave a comment

Jeremy Olexa a.k.a. darkside (homepage, stats, bugs)
Gentoo: xfce4 fonts not sized correctly (August 02, 2008, 21:13 UTC)


Quick tip:

Problem: When installing Gentoo, Xfce4 on my new amd64 laptop, the fonts were extremely goofy compared to my old installation on x86. Meaning that terminal fonts looked ok, but gtk based fonts were large and small. I couldn’t figure this out and finally found a solution on XUbuntu’s blog post. I will reiterate it here for my future reference and maybe help someone else with this same problem.

Solution: In ~/.config/xfce4, append the following line to the Xft.xrdb file (or create the file):
Xft.dpi: 96

Then, log out and log back in. The fonts look normal sized again. I’m not sure what Xfce4 defaults to but whatever it was, it was clearly incorrect for my laptop.

Update: nightmorph, a fellow Gentoo developer, explains how to use the Xfce GUI to change the DPI setting as well. Please see the comments of this post.

Leave a comment

Caleb Tennis a.k.a. caleb (homepage, stats, bugs)
Mortgage Mess (August 02, 2008, 16:35 UTC)

We’ve been pretty lucky I guess that we didn’t buy a house that was well outside of what we could afford.

Leave a comment

August 01, 2008
Sven Vermeulen a.k.a. swift (homepage, stats, bugs)
Linux Sea, now in PDF (August 01, 2008, 17:58 UTC)

Thanks to dblatex you can now find a PDF version of my work-in-progress book called Linux Sea.

Leave a comment

Davide Italiano a.k.a. dav_it (homepage, stats, bugs)
No xfce4, please blame librecode (August 01, 2008, 17:51 UTC)

Davide Italiano


Ok. I realized that I need somethin’ more comfortable than dwm to work, test and develop. I also realized that a full desktop environment is what I need.
I’ve always been a kde lover, but I didn’t like the last decisions made by the team and mainly the latest releases (based on eyecandy and not on really useful features).
So, considering I was looking for an elegant and fast environment, I decided to install xfce.
Ta-da! No xfce on gentoo/freebsd 7.0. Or better, no xfce4 for now. The problem is related to xfce-base/xfce4-session, which depends on games-misc/fortune-mod. Fortune-mod, itself, doesn’t compile due to a problem related to librecode. Talking w/ Diego “Flameeyes” Pettenò, he told me that librecode isn’t well written, and to solve that compilation problem I’ve to edit librecode source code (the idea is that librecode must have in its _LIBADD also $(LTLIBINTL)). However this could be so difficult and it couldn’t give any results. There are also two alternative ways to seek: I can remove fortune-mod as dependency (uhm, not so elegant). Or I can use libiconv instead of librecode for fortune-mod. I’m working on that, and [equilibrium] from #gentoo-it gave me a patch that he found surfing the web, but it must be adapted to work.

About testing, I requested keyword ~x86-fbsd for gnome-jabber, screenie ( :* ), gnome-mud and xchat-gnome; I hope to see them soon in the main tree because these are packages used by a lot of users.

Finally, about real life, I discovered that insomnia is stronger than me, and during last night I didn’t sleep. However, I opened a Flickr account, and I created a new Amazon wishlist :) You can find it here, feel free to donate something if you want.

Cheers, dav

Diego Pettenò a.k.a. flameeyes (homepage, stats, bugs)
One more reason not to trust CMake (August 01, 2008, 11:00 UTC)

Diego Pettenò

So everybody says that CMake is great because it’s faster. Of course CMake achieves speed with an approach different from the one autotools have, that is, they don’t discover features, they apply knowledge. Hey, it’s as valid a method as any other, if you actually know what you are doing, and if you can keep up with variants and all the rest. Another thing that it does is to avoid the re-linking during the install phase.

Let me try to explain why re-linking exists: when you build a project using libtool, there might be binaries (executables and/or libraries) that depend on shared libraries that are being built in the same source tree. When you run the executables from the source tree, you want them to be used. When you install, as you might be installing just a subtree of the original software, libtool tries to guess if you just installed the library or not (often making mistakes) and if not, it re-links the target, that is, recreates it from scratch to link to the system library. In the case of packages built by ebuild, by the use of DESTDIR, we almost always have the relinking stage in there. Given that GNU ld is slow (and IMHO should be improved, rather than replaced by gold, but that’s material for another post), it’s a very wasteful process indeed, and libtool should be fixed not to perform that stage every time.

One of the things that the relinking stage is supposed to take care of is to replace the rpath entries. An rpath entry specifies to the runtime linker (ld.so) where to find the dependent libraries outside of the usual library paths (that is /etc/ld.so.conf and LD_LIBRARY_PATH). It’s used for non-standard install directories (for instance for internal libraries that should never be linked against) or during the in-tree execution of software, so that the just-built libraries are preferred over the ones already in the system.

So to make the install phase faster in CMake, they decided, with the 2.6 series, to avoid the relinking, by messing with the rpath entries directly. It would be all fine and nice if they did it correctly of course.

I reported earlier a bug about cmake creating insecure runpaths in executables starting from version 2.6. Don’t panic, if you’re using Portage, it’s all fine, because the scanelf run that reports the problem also fixes it already. In that bug you can find a link to a discussion from April. The problem was known before 2.6.0 final was released, yet it was not addressed.

So it seems like someone (Alex) used chrpath first. That’s a good choice: there’s a tool out there that does what you need, use it. At worst you use it wrong and then you fix it.

But no, that’s not good enough for Kitware, of course, and Brad King decided to replace that with a built-in ELF parser (and editor). Guess what? Mr. King does not know ELF that well, and expected an empty rpath to behave like no rpath at all.

Try these simple commands:

% echo "echo Mr. King does not know ELF" > test-cmake-rpath
% chmod +x test-cmake-rpath
% PATH= test-cmake-rpath

An empty PATH adds the current working directory to it. Which means that the generated ELF files from CMake 2.6 would load any library that is in the current working directory that is named after one of the names in the NEEDED lines of itself and its dependencies. There are a few attack vectors exploiting those; not all of them are exactly easy to apply, most of them don’t cause root vulnerabilities but it’s still not good.

Now of course a mistake, or missing knowledge about a particular meaning of a value in an ELF file is nothing major. Myself I didn’t know about PATH= before a few months ago, but I did know an empty rpath was not good at least.

What is the problem then? The problem is that messing with an ELF attribute like rpath, without knowing ELF files, without knowing the behaviour of ld.so and even more importantly without asking any of the QA teams of any of the distributions out there (Gentoo is certainly not the only one who dislikes insecure rpath), is just not something that earns my trust. At all.

And even worse, if the original implementation used chrpath, why not leave it at that? Given you don’t know enough about ELF files it sounds like a very good idea. It’s not like chrpath is a tremendously exotic tool to have around for distributions.

For your information, this is how chrpath behaves, and how hard it is to actually misuse:

flame@enterprise mytmpfs % scanelf -r hellow*
 TYPE   RPATH FILE 
ET_EXEC /tmp hellow 
ET_EXEC   -   hellow-2 
ET_EXEC  hellow-3 
flame@enterprise mytmpfs % scan
flame@enterprise mytmpfs % gcc -Wl,-rpath,/tmp hellow.c -o hellow 
flame@enterprise mytmpfs % scanelf -r hellow 
 TYPE   RPATH FILE 
ET_EXEC /tmp hellow 
flame@enterprise mytmpfs % cp hellow hellow-2
flame@enterprise mytmpfs % chrpath -d hellow-2   
flame@enterprise mytmpfs % scanelf -r hellow-2
 TYPE   RPATH FILE 
ET_EXEC   -   hellow-2 
flame@enterprise mytmpfs % cp hellow hellow-3
flame@enterprise mytmpfs % chrpath -r '' hellow-3
hellow-3: RPATH=/tmp
hellow-3: new RPATH: 
flame@enterprise mytmpfs % scanelf -r hellow-3
 TYPE   RPATH FILE 
ET_EXEC  hellow-3 

And this is the easy fix:

flame@enterprise mytmpfs % scanelf -Xr hellow-3
 TYPE   RPATH FILE 
ET_EXEC   -   hellow-3 

Okay now at the end of the day, what can we do about this problem? Well in Gentoo we should disable this behaviour in CMake; let’s make it a bit slower, but safer. Even if scanelf is covering our butts, it’s still patching up something that someone else is continuously screwing up, and it leaves the vulnerability open when users build without Portage.

And indeed, if you are building something with CMake 2.6, outside of Portage, you might also want to fix the rpaths of the installed executables and libraries, by issuing scanelf -RXr $path_to_the_installed_tree. Possibly after each time you rebuild your stuff.
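As an added example (not part of this post, nor code from scanelf, chrpath or CMake), here is a small Python checker for the condition described above: it reads the DT_RPATH/DT_RUNPATH entries of an ELF64 object and flags every component that ld.so would resolve relative to the current working directory, which includes the empty string that `chrpath -r ''` leaves behind (the hellow-3 case) as opposed to the entry that `chrpath -d` removes entirely (hellow-2). The build_test_elf helper is a constructed, non-loadable ELF image used only to exercise the checker offline; the section and tag numbers are the standard ELF64 values.

```python
"""Audit DT_RPATH / DT_RUNPATH of ELF64 objects for entries that make ld.so search the CWD."""
import struct
import sys

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}

# Elf64_Shdr: name, type, flags, addr, offset, size, link, info, addralign, entsize
SHDR_FMT = "<IIQQQQIIQQ"


def _cstr(blob, off):
    """Read a NUL-terminated string starting at offset off."""
    return blob[off:blob.index(b"\0", off)].decode()


def read_rpaths(data):
    """Return [(tag_name, value), ...] for every DT_RPATH/DT_RUNPATH in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    found = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = sections[sh[6]]                      # sh_link points at .dynstr
        strblob = data[strtab[4]:strtab[4] + strtab[5]]
        off, end = sh[4], sh[4] + sh[5]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)   # d_tag, d_un
            off += 16
            if tag == DT_NULL:
                break
            if tag in TAG_NAMES:
                found.append((TAG_NAMES[tag], _cstr(strblob, val)))
    return found


def insecure_components(rpath):
    """Components of a colon-separated rpath that ld.so resolves relative to the CWD.

    An empty component (the whole value being "", or a doubled/trailing colon) and any
    relative path are flagged.  $ORIGIN expands to the object's own directory, so it is
    accepted here."""
    return [c for c in rpath.split(":")
            if not (c.startswith("/") or c.startswith("$ORIGIN"))]


def audit(data):
    """Return [(tag_name, value, insecure_components)] for one ELF image."""
    return [(t, v, insecure_components(v)) for t, v in read_rpaths(data)]


def build_test_elf(rpath=None, tag=DT_RPATH):
    """Constructed minimal ELF64 image: ELF header, .dynstr, .dynamic, .shstrtab and
    section headers only (no program headers, so it cannot be loaded).
    rpath=None emits no DT_RPATH/DT_RUNPATH entry at all (what `chrpath -d` leaves);
    rpath="" emits an entry pointing at an empty string (what `chrpath -r ''` leaves)."""
    shstr = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    dynstr = b"\0" + (rpath.encode() + b"\0" if rpath is not None else b"")
    dynamic = b""
    if rpath is not None:
        dynamic += struct.pack("<qQ", tag, 1)         # string sits at offset 1 of .dynstr
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    off_shstr = 64
    off_dynstr = off_shstr + len(shstr)
    off_dynamic = off_dynstr + len(dynstr)
    e_shoff = off_dynamic + len(dynamic)

    def shdr(name, typ, off, size, link=0, entsize=0):
        return struct.pack(SHDR_FMT, name, typ, 0, 0, off, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0)                                                          # [0] SHT_NULL
             + shdr(shstr.index(b".dynstr"), SHT_STRTAB, off_dynstr, len(dynstr))      # [1] .dynstr
             + shdr(shstr.index(b".dynamic"), SHT_DYNAMIC, off_dynamic, len(dynamic),
                    link=1, entsize=16)                                                # [2] .dynamic
             + shdr(shstr.index(b".shstrtab"), SHT_STRTAB, off_shstr, len(shstr)))     # [3] .shstrtab
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8      # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, e_shoff, 0,
                               64, 0, 0, 64, 4, 3)             # ET_EXEC, x86-64, 4 shdrs, shstrndx 3
    return ehdr + shstr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for tag_name, value, bad in audit(f.read()):
                flag = f"  INSECURE components: {bad!r}" if bad else ""
                print(f"{path}: {tag_name}={value!r}{flag}")
```

Run it over an installed tree with `python audit_rpath.py $(find $path_to_the_installed_tree -type f)` and a non-empty INSECURE list is the same condition scanelf -RXr would report on a real binary.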

To finish, a nice note that shows just how much the people handling CMake in KDE care…. KDE trunk will require CMake 2.6 on August 4th. Never mind that there is an open security issue related to the code it builds.

Oh the irony, and they say I don’t give enough arguments why I don’t like CMake!

Leave a comment

Diego Pettenò

… your medical records folder is ten times thicker than the job contracts folder. I was cleaning up through the paperwork yesterday and today, and there are so many things.. Luckily I have most of my CT scans in digital format, besides the last one I did at the ER last week, and a cerebral CT from a few months ago. But the release paperwork I had only in printed form, which I needed to scan and “PDFize” on Tuesday to send to my GP—nice to have one who’s reachable via e-mail.

It’s the scanning that actually made me think a bit. I have the scanner a bit far from my workstation; to scan a five pages document I have to prepare the scanimage command in batch mode on the workstation, then walk all around my desk to get to the scanner, and then get my arm around the monitor to press the return key on the keyboard to start the scan.

The annoying thing is that the scanner has four buttons on it, that should be made just for the task of starting the scan. Unfortunately these buttons don’t work out of the box on Linux at all. There is a package, called scanbuttond, that polls for them through libusb and then executes a custom script when they are pressed. But as you can guess, polling means it uses a lot of CPU, and the fact that it runs a generic script makes it less integrable in a desktop environment. Of course it would be easy to port scanbuttond to submit the read buttons back into the kernel input subsystem so that they appear as generic events, but… I think this should be a task well suited for a kernel module, hooking them up directly in the input subsystem, so that evdev could pick them up and then a program could just wait for them as shortcuts to have some action.

I tried looking into writing something before, but I ended up stuck in a problem: would a kernel module interfacing with the scanner interfere with libusb access by sane itself? Last time I enquired, Greg KH asked me to provide lsusb -vv output but, sorry Greg, work piled up and I forgot about all of it (until yesterday when I had to scan some more documents). Well, if anybody wants to take a look, this is it for my current scanner:

Bus 001 Device 003: ID 04b8:0121 Seiko Epson Corp. Perfection 2480 Photo
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          255 Vendor Specific Class
  bDeviceSubClass       255 Vendor Specific Subclass
  bDeviceProtocol       255 Vendor Specific Protocol
  bMaxPacketSize0        64
  idVendor           0x04b8 Seiko Epson Corp.
  idProduct          0x0121 Perfection 2480 Photo
  bcdDevice            0.00
  iManufacturer           1 EPSON
  iProduct                2 EPSON Scanner
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           39
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0xc0
      Self Powered
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           3
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass    255 Vendor Specific Subclass
      bInterfaceProtocol    255 Vendor Specific Protocol
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              16
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass          255 Vendor Specific Class
  bDeviceSubClass       255 Vendor Specific Subclass
  bDeviceProtocol       255 Vendor Specific Protocol
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0001
  Self Powered

Can anybody tell if it would be possible for a kernel module and sane to access it at once? :)

If there is the chance, I might look at it once I feel better. I haven’t written or touched a kernel module in such a long time that I’m feeling like doing some work in that regard. And the code to actually get the data out of the scanner should be present in scanbuttond already, it’s just a matter of getting it “pushed in” rather than “polled for”.

Once I could get the buttons working, I’d probably be working on a GTK-based frontend for scanimage with handling of those, so I could just use those rather than having to set it up manually. Although the nice thing about scanimage is that, through that, tiffcp and tiff2pdf, I can quickly create a multi-page PDF of the scan (the first command creates a multi-page TIFF file, the second converts it to PDF), and if I do the scan in lineart (the perfect solution for B/W text) it also is tremendously small in size. I should try to have the same result with my frontend. My idea would be a light frontend written in Ruby, calling the commands directly.

Oh well, at any rate, this will have to wait till I’m feeling really better, or maybe it’s just unfeasible because of the way it’d need to access the scanner from kernel and libusb.
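To make the descriptor dump above easier to reason about, here is an added example (not code from the post or from scanbuttond) that parses the Interface and Endpoint blocks of `lsusb -vv` output and separates the interrupt IN endpoint, where a button or status event would be pushed to a driver, from the bulk endpoints that carry scan data over libusb; it also reports whether both kinds live on the same interface. The sample is the interface block quoted above, trimmed to the lines the parser reads.

```python
import re
# Constructed sample: the interface block of the `lsusb -vv` dump quoted above, trimmed.
SAMPLE = """\
    Interface Descriptor:
      bInterfaceNumber        0
      Endpoint Descriptor:
        bEndpointAddress     0x81  EP 1 IN
          Transfer Type            Bulk
        wMaxPacketSize     0x0200  1x 512 bytes
      Endpoint Descriptor:
        bEndpointAddress     0x02  EP 2 OUT
          Transfer Type            Bulk
        wMaxPacketSize     0x0200  1x 512 bytes
      Endpoint Descriptor:
        bEndpointAddress     0x83  EP 3 IN
          Transfer Type            Interrupt
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              16
"""
# "bFoo      0x12 ..." or "Transfer Type    Bulk": field name, then its first value token
_KV = re.compile(r"^\s*([A-Za-z]\w*(?: Type)?)\s+(\S+)")
EP_KEYS = {"bEndpointAddress": "addr", "Transfer Type": "type", "wMaxPacketSize": "size", "bInterval": "interval"}

def parse_interfaces(text):
    """Walk the indented dump, keeping only the interface and endpoint fields used below."""
    ifaces, ep = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "Interface Descriptor:":
            ifaces.append({"number": None, "endpoints": []})
            ep = None
        elif s == "Endpoint Descriptor:":
            ep = {"addr": 0, "type": "", "size": 0, "interval": 0}
            ifaces[-1]["endpoints"].append(ep)
        elif m := _KV.match(line):
            key, val = m.group(1), m.group(2)
            if ep is not None and key in EP_KEYS:
                ep[EP_KEYS[key]] = val if key == "Transfer Type" else int(val, 0)
            elif ep is None and ifaces and key == "bInterfaceNumber":
                ifaces[-1]["number"] = int(val)
    return ifaces

def endpoint_roles(ifaces):
    """Interrupt IN endpoints are where a status/button event would be pushed to a driver;
    bulk endpoints carry the scan data SANE moves over libusb.  `shared` is True when both
    live on one interface, which only one of a kernel driver or libusb can claim at a time."""
    eps = [(i["number"], e) for i in ifaces for e in i["endpoints"]]
    events = [(n, e) for n, e in eps if e["type"] == "Interrupt" and e["addr"] & 0x80]
    data = [(n, e) for n, e in eps if e["type"] == "Bulk"]
    shared = bool(events) and {n for n, _ in events} <= {n for n, _ in data}
    return events, data, shared
```

For the scanner above this reports one interface carrying both the 8-byte interrupt endpoint (EP 3 IN, bInterval 16) and the two 512-byte bulk endpoints, so a kernel driver reading events and libusb reading scans would be contending for that single interface.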


Hanno Böck a.k.a. hanno (homepage, stats, bugs)
Linux short tip: Extract icons from exe files (August 01, 2008, 00:23 UTC)

Recently I was asked by a friend for a Linux tool to extract resources from Windows exe files, especially icons. He used a Windows tool in wine till then.

I said that this shouldn't be so hard and already started writing my own parser (I came to the point where I could extract headers and content separately), when I found that there already is an appropriate tool called wrestool. It's part of the icoutils package.

wrestool -o . -x filename.exe

will extract all resources (icons, cursors etc.) to the current directory.


July 31, 2008
Gustavo Felisberto a.k.a. humpback (homepage, stats, bugs)
New Life (July 31, 2008, 23:58 UTC)

A new life is in the process. The joy of looking at a small paper with a tiny bean that is part of me is overwhelming.

Raquel told me that even with this small size she could hear the tiny human being’s heart beating fast. Next time I’ll go and no matter what I’ll get to listen to it too.

Ultrasound at 7 weeks

42 ? 42 is not the answer. Life is the answer.


Diego Pettenò a.k.a. flameeyes (homepage, stats, bugs)
My checklist when fixing packages (July 31, 2008, 14:29 UTC)

As I wrote I’ll be trying to write more documentation about what I do, rather than doing stuff. This is because I’m simply too tired, and I should rest and relax rather than stress myself.

So after playing some Lego Star Wars I’ve decided to take a look at what I need to document for PAM. There was an easy bug to fix so I decided to tackle that; while tackling it I decided to check whether I was missing anything and I noticed that sys-libs/pam could use a debug USE flag. Unfortunately, not only does it not build with the debug USE flag enabled, but it also fails with it disabled because the configure file was written by someone who yet again fails at using AC_ARG_ENABLE.

But this was just one of the two things I noticed today and I wished to fix if I didn’t have to rest, so I decided to write here a small checklist I follow when I have to check or fix packages:

  • If the package is using autotools, I make sure they can be rebuilt with a simple autoreconf -i. Usually this fails when macros are present in the m4 directory (or something like that), or if it misses the gettext version specification for autopoint.
  • If the package supports out-of-sourcetree builds, I create an “enterprise” directory and build from there (usually it involves a ../configure). A lot of packages fail at this step because they assume that source directory and build directory are one and the same.
  • If the package uses assert() I make sure it works with it disabled (-DNDEBUG); this is usually nice to link to the debug USE flag to remove debugging code.
  • I check the resulting object files with cowstats (check Introducing cowstats for more information about this), and see if I can improve the situation with some trivial changes.
  • I check the resulting object files with missingstatic (another script in ruby-elf).