Search Results: "swan"

1 November 2021

Thorsten Alteholz: My Debian Activities in October 2021

FTP master

This month I accepted 341 and rejected 46 packages. The rejection is as high as last month. I hope everybody is aware that pressing just one key when accepting a package is much faster than writing an explanation why a package has to be rejected. Anyway, the overall number of packages that got accepted was 355.

Debian LTS

This was my eighty-eighth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian. This month my all in all workload has been 28.5h. During that time I did LTS and normal security uploads of: I also continued to work on exiv2. Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the fortieth ELTS month. During my allocated time I uploaded: Last but not least I did some days of frontdesk duties.

Debian Printing

I improved packaging or fixed bugs or uploaded a new version of: Last but not least I looked at some old bugs and checked whether they could be closed.

Debian Astro

Though being a silent member of Debian Astro for a long time, I am now going to be more active. Most of the time I will be focused on packages for telescope control, but of course I won't stay away from other topics. So I uploaded: If you know of other missing packages, don't hesitate to tell me!

Other stuff

On my neverending golang challenge I again uploaded some packages either for NEW or as source upload. I uploaded new upstream versions of: I improved packaging or fixed bugs of:

18 October 2021

Gunnar Wolf: raspi.debian.net now hosted on Debian infrastructure

So, since I registered the URL for serving the unofficial Debian images for the Raspberry computers, raspi.debian.net, in April 2020, I had been hosting it in my Dreamhost webspace. Over two years ago (yes, before I finished setting it up in Dreamhost) Steve McIntyre approached me and invited me to host the images under the Debian cdimages user group. I told him I'd first just get the setup running, and later I would approach him for finalizing the setup. Then, I set up the build on my own server, hosted on my Dreamhost account, and forgot about it for many months. Last month, there was a not particularly happy flamewar in debian-arm@lists.debian.org that finished with me stating I would be moving the hosting to Debian infrastructure soon. Well... It took me a bit over a month to get this sorted out, together with several days of half-broken links, but it is finally done: raspi.debian.net is a CNAME for ftp.acc.umu.se, which is the same system that hosts cdimage.debian.org. And, of course, it is also reachable as https://cdimage.debian.org/cdimage/unofficial/raspi/ (looks more official, but is less memorable). Thanks a lot to Steve for the nudging, and to maswan for helping finalize the setup. What next? Well, the images are being built on my server. I'd love to move the builder over to Debian machines as well. When? How? That's still in the air.

19 May 2021

Marco d'Itri: My resignation from freenode

As it is now known, the freenode IRC network has been taken over by a Trumpian wannabe korean royalty bitcoins millionaire. To make a long story short, the former freenode head of staff secretly "sold" the network to this person even if it was not hers to sell, and our lawyers have advised us that there is not much that we can do about it without some of us risking financial ruin. Fuck you Christel, lilo's life work did not deserve this. What you knew as freenode after 12:00 UTC of May 19 will be managed by different people. As I have no desire to volunteer under the new regime, this marks the end of my involvement with freenode. It had started in 1999 when I encouraged the good parts of #linux-it to leave ircnet, and soon after I became senior staff. Even if I have not been very active recently, at this point I was the longest-serving freenode staff member and now I expect that I will hold this record forever. The people that I have met on IRC, on freenode and other networks, have been and still are a very important part of my life, second only to the ones that I have known thanks to Usenet. I am not fine, but I know that the communities which I have been a part of are not defined by a domain name and will regroup somewhere else. The current freenode staff members have resigned with me, these are some of their farewell messages:
  • amdj
  • edk
  • emilsp
  • Fuchs
  • jess
  • JonathanD
  • kline
  • niko
  • mniip
  • Swant

Together we have created Libera.Chat, a new IRC network based on the same principles of the old freenode.

    6 February 2021

    Andrew Cater: Debian 10.8 release process - We're almost there - Signing and pushing about to happen

    Steve is about to sign the release and to begin the push across to the mirrors. Although it sometimes seems like an age, this will be approximately 8 hours rather than 15 hours - a 50% improvement in the release timetable means that the behind-the-scenes work has been well worth while.

    We always find tweaks, improvements, things we forgot and genuine bugs. Once again: we've found that live images can be significantly memory intensive on older hardware or machines with limited memory. The boot process for any live CD image expands a squashfs so that the image runs entirely in memory. This is particularly noticeable on the 32 bit i386 images. These really require a minimum of 2GB of memory if you are using the heavier weight desktop images like KDE or Gnome: much less and they will either be unreasonably slow or just fail to work. There is also now a note on the download pages warning about this.

    Thanks once again to maswan early on and Sledge, RattusRattus, Isy, Schweer, linux-fan and sqr not for helping out in testing images. I'm listening in to an impromptu chat explaining the behind-the-scenes steps to run to actually sign and push the final images, so we're a short while away from publishing to the principal CD image machine. At the same time, the torrent seeders will be started and the scripts will push to update the mirrors. And so to the next time :)

    Handy tip for people running mirrors of debian-cd: if you're low on disk space, perhaps you could remove the 10.7 images by hand before running your next sync scripts to allow space for 10.8 to move in: any ftpsync or rsync process might only remove the old images after copying in the new ones. It's only about 220GB - but you don't want that to be an instantaneous 440GB.

    Andrew Cater: And here we go: Debian 10.8 images release testing process is under way

    As is traditional, every three months or so: another Debian point release is being prepared today. This one is 10.8. As ever, not a huge amount of change if you've been updating your Debian machines regularly. CD/DVD/BluRay and other media files are all being produced today.
    Images are gradually being built and rsync'ed: tests are under way and the usual suspects are taking part. A couple of issues: thanks very much indeed to maswan for chasing up early problems with petersson. Some script changes behind the scenes over the last month or so should mean that the images are built significantly more in parallel, and this may mean we finish the release process much more quickly today.

    12 September 2020

    Ryan Kavanagh: Configuring OpenIKED VPNs for Road Warriors

    A few weeks ago I configured a road warrior VPN setup. The remote end is on a VPS running OpenBSD and OpenIKED, the VPN is an IKEv2 VPN using x509 authentication, and the local end is StrongSwan. I also configured an IKEv2 VPN between my VPSs. Here are the notes for how to do so. In all cases, to use x509 authentication, you will need to generate a bunch of certificates and keys: Fortunately, OpenIKED provides the ikectl utility to help you do so. Before going any further, you might find it useful to edit /etc/ssl/ikeca.cnf to set some reasonable defaults for your certificates. Begin by creating and installing a CA certificate:
    # ikectl ca vpn create
    # ikectl ca vpn install
    
    For simplicity, I am going to assume that you are managing your CA on the same host as one of the hosts that you want to configure for the VPN. If not, see the bit about exporting certificates at the beginning of the section on persistent host-host VPNs. Create and install a key/certificate pair for your server. Suppose for example your first server is called server1.example.org:
    # ikectl ca vpn certificate server1.example.org create
    # ikectl ca vpn certificate server1.example.org install
    

    Persistent host-host VPNs

    For each other server that you want to use, you need to also create a key/certificate pair on the same host as the CA certificate, and then copy them over to the other server. Assuming the other server is called server2.example.org:
    # ikectl ca vpn certificate server2.example.org create
    # ikectl ca vpn certificate server2.example.org export
    
    This last command will produce a tarball server2.example.org.tgz. Copy it over to server2.example.org and install it:
    # tar -C /etc/iked -xzpvf server2.example.org.tgz
    
    Next, it is time to configure iked. To do so, you will need to find some information about the certificates you just generated. On the host with the CA, run
    $ cat /etc/ssl/vpn/index.txt
    V       210825142056Z           01      unknown /C=US/ST=Pennsylvania/L=Pittsburgh/CN=server1.example.org/emailAddress=rak@example.org
    V       210825142208Z           02      unknown /C=US/ST=Pennsylvania/L=Pittsburgh/CN=server2.example.org/emailAddress=rak@example.org
    
    Pick one of the two hosts to play the active role (in this case, server1.example.org). Using the information you gleaned from index.txt, add the following to /etc/iked.conf, filling in the srcid and dstid fields appropriately.
    ikev2 'server1_server2_active' active esp from server1.example.org to server2.example.org \
    	local server1.example.org peer server2.example.org \
    	srcid '/C=US/ST=Pennsylvania/L=Pittsburgh/CN=server1.example.org/emailAddress=rak@example.org' \
    	dstid '/C=US/ST=Pennsylvania/L=Pittsburgh/CN=server2.example.org/emailAddress=rak@example.org'
    
    On the other host, add the following to /etc/iked.conf
    ikev2 'server2_server1_passive' passive esp from server2.example.org to server1.example.org \
    	local server2.example.org peer server1.example.org \
    	srcid '/C=US/ST=Pennsylvania/L=Pittsburgh/CN=server2.example.org/emailAddress=rak@example.org' \
    	dstid '/C=US/ST=Pennsylvania/L=Pittsburgh/CN=server1.example.org/emailAddress=rak@example.org'
    
    Note that the names 'server1_server2_active' and 'server2_server1_passive' in the two stanzas do not matter and can be omitted. Reload iked on both hosts:
    # ikectl reload
    
    If everything worked out, you should see the negotiated security associations (SAs) in the output of
    # ikectl show sa
    
    On OpenBSD, you should also see some output on success or errors in the file /var/log/daemon.
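
Copying the DN strings from index.txt into srcid and dstid by hand is where mistakes creep in: if the string does not match the peer's certificate subject exactly, the identities do not match and the negotiation fails. The following Python script is an added example and not part of Ryan's post. It reads the OpenSSL-style index.txt that ikectl maintains, skips entries that are revoked or past their expiry, and prints the active and passive stanzas in exactly the form used above. It assumes the tab-separated column layout that OpenSSL's ca command writes (status, expiry, revocation date, serial, filename, subject); the index text embedded in it is constructed from the two lines shown above plus an invented revoked entry.

```python
"""Generate matching iked.conf peer stanzas from the CA index that ikectl
maintains (an OpenSSL 'ca' index.txt). Added example, not from the post;
it assumes the tab-separated index layout status / expiry / revocation
date / serial / filename / subject that OpenSSL writes.
"""
from datetime import datetime, timezone

# Constructed sample modelled on the two index lines shown in the post,
# plus an invented revoked third entry; the real file is /etc/ssl/vpn/index.txt.
SAMPLE_INDEX = (
    "V\t210825142056Z\t\t01\tunknown\t"
    "/C=US/ST=Pennsylvania/L=Pittsburgh/CN=server1.example.org/emailAddress=rak@example.org\n"
    "V\t210825142208Z\t\t02\tunknown\t"
    "/C=US/ST=Pennsylvania/L=Pittsburgh/CN=server2.example.org/emailAddress=rak@example.org\n"
    "R\t210901090000Z\t200910120000Z\t03\tunknown\t"
    "/C=US/ST=Pennsylvania/L=Pittsburgh/CN=server3.example.org/emailAddress=rak@example.org\n"
)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_stamp(stamp):
    # OpenSSL writes UTCTime (YYMMDDHHMMSSZ) and switches to
    # GeneralizedTime (YYYYMMDDHHMMSSZ) for dates from 2050 on; accept both.
    fmt = "%Y%m%d%H%M%SZ" if len(stamp) == 15 else "%y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def subject_cn(subject):
    """Pull the CN out of an OpenSSL one-line DN such as /C=US/.../CN=host/..."""
    for rdn in subject.lstrip("/").split("/"):
        if rdn.startswith("CN="):
            return rdn[3:]
    return None


def parse_index(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        entries.append({
            "status": status,  # V valid, R revoked, E expired
            "expiry": parse_stamp(expiry),
            "revoked": parse_stamp(revoked) if revoked else None,
            "serial": serial,
            "subject": subject,
            "cn": subject_cn(subject),
        })
    return entries


def usable_entry(entries, cn, now):
    """The index entry for cn if it is valid and unexpired at `now`, else None."""
    for e in entries:
        if e["cn"] == cn and e["status"] == "V" and e["expiry"] > now:
            return e
    return None


def stanza(name, role, me, peer):
    # Mirrors the host-host stanzas in the post: the DN strings go into
    # srcid/dstid verbatim, so no hand-typed copy can drift from the cert.
    return (f"ikev2 '{name}' {role} esp from {me['cn']} to {peer['cn']} \\\n"
            f"\tlocal {me['cn']} peer {peer['cn']} \\\n"
            f"\tsrcid '{me['subject']}' \\\n"
            f"\tdstid '{peer['subject']}'\n")


def short_name(cn):
    return cn.split(".")[0]


def render_pair(entries, active_cn, passive_cn, now):
    """Return (active stanza, passive stanza); raise if either cert is unusable."""
    active = usable_entry(entries, active_cn, now)
    passive = usable_entry(entries, passive_cn, now)
    for cn, entry in ((active_cn, active), (passive_cn, passive)):
        if entry is None:
            raise ValueError(f"no valid, unexpired certificate for {cn} in index")
    a = stanza(f"{short_name(active_cn)}_{short_name(passive_cn)}_active", "active", active, passive)
    p = stanza(f"{short_name(passive_cn)}_{short_name(active_cn)}_passive", "passive", passive, active)
    return a, p


if __name__ == "__main__":
    entries = parse_index(SAMPLE_INDEX)
    act, pas = render_pair(entries, "server1.example.org", "server2.example.org", utc(2020, 9, 12))
    print("# /etc/iked.conf on server1\n" + act)
    print("# /etc/iked.conf on server2\n" + pas)
```

Run it on the CA host with the real file substituted for SAMPLE_INDEX and paste each stanza into the matching host's /etc/iked.conf; re-running it after a renewal is the quickest way to notice that a serial has been revoked or has expired before iked tells you the peer no longer authenticates.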

    For a road warrior

    Add the following to /etc/iked.conf on the remote end:
    ikev2 'responder_x509' passive esp \
    	from 0.0.0.0/0 to 10.0.1.0/24 \
    	local server1.example.org peer any \
    	srcid server1.example.org \
    	config address 10.0.1.0/24 \
    	config name-server 10.0.1.1 \
    	tag "ROADW"
    
    Configure or omit the address range and the name-server configurations to suit your needs. See iked.conf(5) for details. Reload iked:
    # ikectl reload
    
    If you are on OpenBSD and want the remote end to have an IP address, add the following to /etc/hostname.vether0, again configuring the address to suit your needs:
    inet 10.0.1.1 255.255.255.0
    
    Put the interface up:
    # ifconfig vether0 up
    
    Now create a client certificate for authentication. In my case, my road-warrior client was client.example.org:
    # ikectl ca vpn certificate client.example.org create
    # ikectl ca vpn certificate client.example.org export
    
    Copy client.example.org.tgz to client and run
    # tar -C /etc/ipsec.d/ -xzf client.example.org.tgz -- \
    	./private/client.example.org.key \
    	./certs/client.example.org.crt ./ca/ca.crt
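
The tar command above deliberately names the three members it wants rather than unpacking the whole export into /etc/ipsec.d. The script below, an added example that is not from the post, turns that selectivity into a checked procedure: it plans the extraction against an allow-list, refuses member paths that are absolute or climb out of the target directory, never writes surplus members, and sets the private key to owner-only permissions after writing it. The member names are the ones from the command above; the tarballs are constructed inside the script and hold placeholder text, not key material.

```python
"""Unpack only the expected members of an ikectl client export into ipsec.d.

Added example, not from the post. It assumes the three member names the
post's tar command selects and builds its own throw-away tarballs; a real
run would read client.example.org.tgz instead.
"""
import io
import os
import stat
import tarfile
import tempfile

# The members the post extracts, with the mode each should have afterwards.
WANTED = {
    "./private/client.example.org.key": 0o600,  # private key: owner-only
    "./certs/client.example.org.crt": 0o644,
    "./ca/ca.crt": 0o644,
}

PLACEHOLDER_PEM = (b"-----BEGIN PLACEHOLDER-----\n"
                   b"constructed, not real key material\n"
                   b"-----END PLACEHOLDER-----\n")


def build_sample_tarball(include_traversal=False):
    """Constructed stand-in for client.example.org.tgz: the wanted members,
    one surplus key the client has no business receiving and, optionally,
    a member whose path climbs out of the extraction directory."""
    members = dict.fromkeys(WANTED, PLACEHOLDER_PEM)
    members["./private/other.key"] = PLACEHOLDER_PEM
    if include_traversal:
        members["../outside.txt"] = b"constructed\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def plan_extraction(tar_bytes, wanted=WANTED):
    """Return ({member: mode}, [skipped members]); raise ValueError on anything unsafe."""
    plan, skipped = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            # Path checks come first: an escaping path taints the whole archive.
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                raise ValueError(f"refusing tarball: unsafe member path {m.name!r}")
            if m.name not in wanted:
                skipped.append(m.name)  # surplus members are never written
                continue
            if not m.isreg():
                raise ValueError(f"refusing tarball: {m.name!r} is not a regular file")
            plan[m.name] = wanted[m.name]
    missing = sorted(set(wanted) - set(plan))
    if missing:
        raise ValueError(f"tarball lacks expected members: {missing}")
    return plan, skipped


def tarball_is_acceptable(tar_bytes, wanted=WANTED):
    try:
        plan_extraction(tar_bytes, wanted)
        return True
    except ValueError:
        return False


def extract_selected(tar_bytes, dest, wanted=WANTED):
    """Write the planned members under dest, then fix modes; returns {member: mode}."""
    plan, _ = plan_extraction(tar_bytes, wanted)
    written = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+: opt in to the safe filter
            tf.extraction_filter = tarfile.data_filter
        for name, mode in plan.items():
            tf.extract(tf.getmember(name), path=dest)
            path = os.path.join(dest, name)
            os.chmod(path, mode)
            written[name] = stat.S_IMODE(os.stat(path).st_mode)
    return written


def extract_to_tempdir(tar_bytes):
    """Extract into a fresh directory standing in for /etc/ipsec.d."""
    return extract_selected(tar_bytes, tempfile.mkdtemp(prefix="ipsec.d-"))


if __name__ == "__main__":
    print(extract_to_tempdir(build_sample_tarball()))
```

On the client, replace build_sample_tarball() with the bytes of client.example.org.tgz and point extract_selected at /etc/ipsec.d; the allow-list is the same three paths the tar command names, so the result is identical when the archive is well-formed and an error instead of a partial extraction when it is not.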
    
    Install StrongSwan and add the following to /etc/ipsec.conf, configuring appropriately:
    ca example.org
      cacert=ca.crt
      auto=add
    conn server1
      keyexchange=ikev2
      right=server1.example.org
      rightid=%server1.example.org
      rightsubnet=0.0.0.0/0
      rightauth=pubkey
      leftsourceip=%config
      leftauth=pubkey
      leftcert=client.example.org.crt
      auto=route
    
    Add the following to /etc/ipsec.secrets:
    # space is important
    server1.example.org : RSA client.example.org.key
    
    Restart StrongSwan, put the connection up, and check its status:
    # ipsec restart
    # ipsec up server1
    # ipsec status
    
    That should be it. Sources:

    26 July 2020

    Enrico Zini: Consent links

    Teaching consent is ongoing, but it starts when children are very young. It involves both teaching children to pay attention to and respect others' consent (or lack thereof) and teaching children that they should expect their own bodies and their own space to be respected---even by their parents and other relatives. And if children of two or four can be expected to read the nonverbal cues and expressions of children not yet old enough to talk in order to assess whether there is consent, what excuse do full grown adults have?
    Small children have no sense of shame or disgust or fear of their bodies. A body is what it is. It does what it does.
    About commonly accepted violation of children boundaries
    Personal boundaries are guidelines, rules or limits that a person creates to identify reasonable, safe and permissible ways for other people to behave towards them and how they will respond when someone passes those limits.[1] They are built out of a mix of conclusions, beliefs, opinions, attitudes, past experiences and social learning.[2][3] This concept or life skill has been widely referenced in self-help books and used in the counseling profession since the mid-1980s.[4]

    17 October 2017

    Russ Allbery: Bundle haul

    Confession time: I started making these posts (eons ago) because a close friend did as well, and I enjoyed reading them. But the main reason why I continue is because the primary way I have to keep track of the books I've bought and avoid duplicates is, well, grep on these posts. I should come up with a non-bullshit way of doing this, but time to do more elegant things is in short supply, and, well, it's my blog. So I'm boring all of you who read this in various places with my internal bookkeeping. I do try to at least add a bit of commentary. This one will be more tedious than most since it includes five separate Humble Bundles, which increases the volume a lot. (I just realized I'd forgotten to record those purchases from the past several months.) First, the individual books I bought directly:
    Ilona Andrews Sweep in Peace (sff)
    Ilona Andrews One Fell Sweep (sff)
    Steven Brust Vallista (sff)
    Nicky Drayden The Prey of Gods (sff)
    Meg Elison The Book of the Unnamed Midwife (sff)
    Pat Green Night Moves (nonfiction)
    Ann Leckie Provenance (sff)
    Seanan McGuire Once Broken Faith (sff)
    Seanan McGuire The Brightest Fell (sff)
    K. Arsenault Rivera The Tiger's Daughter (sff)
    Matthew Walker Why We Sleep (nonfiction)
    Some new books by favorite authors, a few new releases I heard good things about, and two (Night Moves and Why We Sleep) from references in on-line articles that impressed me. The books from security bundles (this is mostly work reading, assuming I'll get to any of it), including a blockchain bundle:
    Wil Allsop Unauthorised Access (nonfiction)
    Ross Anderson Security Engineering (nonfiction)
    Chris Anley, et al. The Shellcoder's Handbook (nonfiction)
    Conrad Barsky & Chris Wilmer Bitcoin for the Befuddled (nonfiction)
    Imran Bashir Mastering Blockchain (nonfiction)
    Richard Bejtlich The Practice of Network Security (nonfiction)
    Kariappa Bheemaiah The Blockchain Alternative (nonfiction)
    Violet Blue Smart Girl's Guide to Privacy (nonfiction)
    Richard Caetano Learning Bitcoin (nonfiction)
    Nick Cano Game Hacking (nonfiction)
    Bruce Dang, et al. Practical Reverse Engineering (nonfiction)
    Chris Dannen Introducing Ethereum and Solidity (nonfiction)
    Daniel Drescher Blockchain Basics (nonfiction)
    Chris Eagle The IDA Pro Book, 2nd Edition (nonfiction)
    Nikolay Elenkov Android Security Internals (nonfiction)
    Jon Erickson Hacking, 2nd Edition (nonfiction)
    Pedro Franco Understanding Bitcoin (nonfiction)
    Christopher Hadnagy Social Engineering (nonfiction)
    Peter N.M. Hansteen The Book of PF (nonfiction)
    Brian Kelly The Bitcoin Big Bang (nonfiction)
    David Kennedy, et al. Metasploit (nonfiction)
    Manul Laphroaig (ed.) PoC GTFO (nonfiction)
    Michael Hale Ligh, et al. The Art of Memory Forensics (nonfiction)
    Michael Hale Ligh, et al. Malware Analyst's Cookbook (nonfiction)
    Michael W. Lucas Absolute OpenBSD, 2nd Edition (nonfiction)
    Bruce Nikkel Practical Forensic Imaging (nonfiction)
    Sean-Philip Oriyano CEHv9 (nonfiction)
    Kevin D. Mitnick The Art of Deception (nonfiction)
    Narayan Prusty Building Blockchain Projects (nonfiction)
    Prypto Bitcoin for Dummies (nonfiction)
    Chris Sanders Practical Packet Analysis, 3rd Edition (nonfiction)
    Bruce Schneier Applied Cryptography (nonfiction)
    Adam Shostack Threat Modeling (nonfiction)
    Craig Smith The Car Hacker's Handbook (nonfiction)
    Dafydd Stuttard & Marcus Pinto The Web Application Hacker's Handbook (nonfiction)
    Albert Szmigielski Bitcoin Essentials (nonfiction)
    David Thiel iOS Application Security (nonfiction)
    Georgia Weidman Penetration Testing (nonfiction)
    Finally, the two SF bundles:
    Buzz Aldrin & John Barnes Encounter with Tiber (sff)
    Poul Anderson Orion Shall Rise (sff)
    Greg Bear The Forge of God (sff)
    Octavia E. Butler Dawn (sff)
    William C. Dietz Steelheart (sff)
    J.L. Doty A Choice of Treasons (sff)
    Harlan Ellison The City on the Edge of Forever (sff)
    Toh Enjoe Self-Reference ENGINE (sff)
    David Feintuch Midshipman's Hope (sff)
    Alan Dean Foster Icerigger (sff)
    Alan Dean Foster Mission to Moulokin (sff)
    Alan Dean Foster The Deluge Drivers (sff)
    Taiyo Fujii Orbital Cloud (sff)
    Hideo Furukawa Belka, Why Don't You Bark? (sff)
    Haikasoru (ed.) Saiensu Fikushon 2016 (sff anthology)
    Joe Haldeman All My Sins Remembered (sff)
    Jyouji Hayashi The Ouroboros Wave (sff)
    Sergei Lukyanenko The Genome (sff)
    Chohei Kambayashi Good Luck, Yukikaze (sff)
    Chohei Kambayashi Yukikaze (sff)
    Sakyo Komatsu Virus (sff)
    Miyuki Miyabe The Book of Heroes (sff)
    Kazuki Sakuraba Red Girls (sff)
    Robert Silverberg Across a Billion Years (sff)
    Allen Steele Orbital Decay (sff)
    Bruce Sterling Schismatrix Plus (sff)
    Michael Swanwick Vacuum Flowers (sff)
    Yoshiki Tanaka Legend of the Galactic Heroes, Volume 1: Dawn (sff)
    Yoshiki Tanaka Legend of the Galactic Heroes, Volume 2: Ambition (sff)
    Yoshiki Tanaka Legend of the Galactic Heroes, Volume 3: Endurance (sff)
    Tow Ubukata Mardock Scramble (sff)
    Sayuri Ueda The Cage of Zeus (sff)
    Sean Williams & Shane Dix Echoes of Earth (sff)
    Hiroshi Yamamoto MM9 (sff)
    Timothy Zahn Blackcollar (sff)
    Phew. Okay, all caught up, and hopefully won't have to dump something like this again in the near future. Also, more books than I have any actual time to read, but what else is new.

    28 September 2017

    Russ Allbery: Review: The Seventh Bride

    Review: The Seventh Bride, by T. Kingfisher
    Publisher: 47North
    Copyright: 2015
    ISBN: 1-5039-4975-3
    Format: Kindle
    Pages: 225
    There are two editions of this book, although only one is currently for sale. This review is of the second edition, released in November of 2015. T. Kingfisher is a pen name for Ursula Vernon when she's writing for adults.

    Rhea is a miller's daughter. She's fifteen, obedient, wary of swans, respectful to her parents, and engaged to Lord Crevan. The last was a recent and entirely unexpected development. It's not that she didn't expect to get married eventually, since of course that's what one does. And it's not that Lord Crevan was a stranger, since that's often how it went with marriage for people like her. But she wasn't expecting to get married now, and it was not at all clear why Lord Crevan would want to marry her in particular. Also, something felt not right about the entire thing. And it didn't start feeling any better when she finally met Lord Crevan for the first time, some days after the proposal to her parents. The decidedly non-romantic hand kissing didn't help, nor did the smug smile.

    But it's not like she had any choice. The miller's daughter doesn't say no to a lord and a friend of the viscount. The miller's family certainly doesn't say no when they're having trouble paying the bills, the viscount owns the mill, and they could be turned out of their livelihood at a whim. They still can't say no when Lord Crevan orders Rhea to come to his house in the middle of the night down a road that quite certainly doesn't exist during the day, even though that's very much not the sort of thing that is normally done. Particularly before the marriage. Friends of the viscount who are also sorcerers can get away with quite a lot. But Lord Crevan will discover that there's still a limit to how far he can order Rhea around, and practical-minded miller's daughters can make a lot of unexpected friends even in dire circumstances.

    The Seventh Bride is another entry in T. Kingfisher's series of retold fairy tales, although the fairy tale in question is less clear than with The Raven and the Reindeer. Kirkus says it's a retelling of Bluebeard, but I still don't quite see that in the story. I think one could argue equally easily that it's an original story. Nonetheless, it is a fairy tale: it has that fairy tale mix of magical danger and practical morality, and it's about courage and friendships and their consequences. It also has a hedgehog.

    This is a T. Kingfisher story, so it's packed full of bits of marvelous phrasing that I want to read over and over again. It has wonderful characters, the hedgehog among them, and it has, at its heart, a sort of foundational decency and stubborn goodness that's deeply satisfying for the reader. The Seventh Bride is a lot closer to horror than the other T. Kingfisher books I've read, but it never fell into my dislike of the horror genre, despite a few gruesome bits. I think that's because neither Rhea nor the narrator treat the horrific aspects as representative of the true shape of the world. Rhea instead confronts them with a stubborn determination and an attempt to make the best of each moment, and with a practical self-awareness that I loved reading about.
    The problem with crying in the woods, by the side of a white road that leads somewhere terrible, is that the reason for crying isn't inside your head. You have a perfectly legitimate and pressing reason for crying, and it will still be there in five minutes, except that your throat will be raw and your eyes will itch and absolutely nothing else will have changed.
    Lord Crevan, when Rhea finally reaches him, toys with her by giving her progressively more horrible puzzle tasks, threatening her with the promised marriage if she fails at any of them. The way this part of the book finally resolves is one of the best moments I've read in any book. Kingfisher captures an aspect of moral decisions, and a way in which evil doesn't work the way that evil people expect it to work, that I can't remember seeing an author capture this well.

    There are a lot of things here for Rhea to untangle: the nature of Crevan's power, her unexpected allies in his manor, why he proposed marriage to her, and of course how to escape his power. The plot works, but I don't think it was the best part of the book, and it tends to happen to Rhea rather than being driven by her. But I have rarely read a book quite this confident of its moral center, or quite as justified in that confidence.

    I am definitely reading everything Vernon has published under the T. Kingfisher name, and quite possibly most of her children's books as well. Recommended, particularly if you liked the excerpt above. There's an entire book full of paragraphs like that waiting for you.

    Rating: 8 out of 10

    13 September 2017

    Vincent Bernat: Route-based IPsec VPN on Linux with strongSwan

    A common way to establish an IPsec tunnel on Linux is to use an IKE daemon, like the one from the strongSwan project, with a minimal configuration:
    conn V2-1
      left        = 2001:db8:1::1
      leftsubnet  = 2001:db8:a1::/64
      right       = 2001:db8:2::1
      rightsubnet = 2001:db8:a2::/64
      authby      = psk
      auto        = route
    
    The same configuration can be used on both sides. Each side will figure out if it is "left" or "right". The IPsec site-to-site tunnel endpoints are 2001:db8:1::1 and 2001:db8:2::1. The protected subnets are 2001:db8:a1::/64 and 2001:db8:a2::/64. As a result, strongSwan configures the following policies in the kernel:
    $ ip xfrm policy
    src 2001:db8:a1::/64 dst 2001:db8:a2::/64
            dir out priority 399999 ptype main
            tmpl src 2001:db8:1::1 dst 2001:db8:2::1
                    proto esp reqid 4 mode tunnel
    src 2001:db8:a2::/64 dst 2001:db8:a1::/64
            dir fwd priority 399999 ptype main
            tmpl src 2001:db8:2::1 dst 2001:db8:1::1
                    proto esp reqid 4 mode tunnel
    src 2001:db8:a2::/64 dst 2001:db8:a1::/64
            dir in priority 399999 ptype main
            tmpl src 2001:db8:2::1 dst 2001:db8:1::1
                    proto esp reqid 4 mode tunnel
    [...]
    
    This kind of IPsec tunnel is a policy-based VPN: encapsulation and decapsulation are governed by these policies. Each of them contains the following elements: When a matching policy is found, the kernel will look for a corresponding security association (using reqid and the endpoint source and destination addresses):
    $ ip xfrm state
    src 2001:db8:1::1 dst 2001:db8:2::1
            proto esp spi 0xc1890b6e reqid 4 mode tunnel
            replay-window 0 flag af-unspec
            auth-trunc hmac(sha256) 0x5b68[…]8ba2904 128
            enc cbc(aes) 0x8e0e377ad8fd91e8553648340ff0fa06
            anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    […]
    
    If no security association is found, the packet is put on hold and the IKE daemon is asked to negotiate an appropriate one. Otherwise, the packet is encapsulated. The receiving end identifies the appropriate security association using the SPI in the header. Two security associations are needed to establish a bidirectional tunnel:
    $ tcpdump -pni eth0 -c2 -s0 esp
    13:07:30.871150 IP6 2001:db8:1::1 > 2001:db8:2::1: ESP(spi=0xc1890b6e,seq=0x222)
    13:07:30.872297 IP6 2001:db8:2::1 > 2001:db8:1::1: ESP(spi=0xcf2426b6,seq=0x204)
    
    All IPsec implementations are compatible with policy-based VPNs. However, some configurations are difficult to implement. For example, consider the following proposition for redundant site-to-site VPNs:
    [Figure: Redundant VPNs between 3 sites]
    A possible configuration between V1-1 and V2-1 could be:
    conn V1-1-to-V2-1
      left        = 2001:db8:1::1
      leftsubnet  = 2001:db8:a1::/64,2001:db8:a6::cc:1/128,2001:db8:a6::cc:5/128
      right       = 2001:db8:2::1
      rightsubnet = 2001:db8:a2::/64,2001:db8:a6::/64,2001:db8:a8::/64
      authby      = psk
      keyexchange = ikev2
      auto        = route
    
    Each time a subnet is modified on one site, the configurations need to be updated on all sites. Moreover, overlapping subnets (2001:db8:a6::/64 on one side and 2001:db8:a6::cc:1/128 on the other) can also be problematic. The alternative is to use route-based VPNs: any packet traversing a pseudo-interface will be encapsulated using a security policy bound to the interface. This brings two features:
    1. Routing daemons can be used to distribute routes to be protected by the VPN. This decreases the administrative burden when many subnets are present on each side.
    2. Encapsulation and decapsulation can be executed in a different routing instance or namespace. This enables a clean separation between a private routing instance (where VPN users are) and a public routing instance (where VPN endpoints are).

    Route-based VPN on Juniper

    Before looking at how to achieve that on Linux, let's have a look at the way it works with a JunOS-based platform (like a Juniper vSRX). This platform has a long-standing history of supporting route-based VPNs (a feature already present in the Netscreen ISG platform). Let's assume we want to configure the IPsec VPN from V3-2 to V1-1. First, we need to configure the tunnel interface and bind it to the private routing instance containing only internal routes (with IPv4, they would have been RFC 1918 routes):
    interfaces {
        st0 {
            unit 1 {
                family inet6 {
                    address 2001:db8:ff::7/127;
                }
            }
        }
    }
    routing-instances {
        private {
            instance-type virtual-router;
            interface st0.1;
        }
    }

    The second step is to configure the VPN:
    security {
        /* Phase 1 configuration */
        ike {
            proposal IKE-P1 {
                authentication-method pre-shared-keys;
                dh-group group20;
                encryption-algorithm aes-256-gcm;
            }
            policy IKE-V1-1 {
                mode main;
                proposals IKE-P1;
                pre-shared-key ascii-text "d8bdRxaY22oH1j89Z2nATeYyrXfP9ga6xC5mi0RG1uc";
            }
            gateway GW-V1-1 {
                ike-policy IKE-V1-1;
                address 2001:db8:1::1;
                external-interface lo0.1;
                general-ikeid;
                version v2-only;
            }
        }
        /* Phase 2 configuration */
        ipsec {
            proposal ESP-P2 {
                protocol esp;
                encryption-algorithm aes-256-gcm;
            }
            policy IPSEC-V1-1 {
                perfect-forward-secrecy keys group20;
                proposals ESP-P2;
            }
            vpn VPN-V1-1 {
                bind-interface st0.1;
                df-bit copy;
                ike {
                    gateway GW-V1-1;
                    ipsec-policy IPSEC-V1-1;
                }
                establish-tunnels on-traffic;
            }
        }
    }

    We get a route-based VPN because we bind the st0.1 interface to the VPN-V1-1 VPN. Once the VPN is up, any packet entering st0.1 will be encapsulated and sent to the 2001:db8:1::1 endpoint. The last step is to configure BGP in the private routing instance to exchange routes with the remote site:
    routing-instances {
        private {
            routing-options {
                router-id 1.0.3.2;
                maximum-paths 16;
            }
            protocols {
                bgp {
                    preference 140;
                    log-updown;
                    group v4-VPN {
                        type external;
                        local-as 65003;
                        hold-time 6;
                        neighbor 2001:db8:ff::6 peer-as 65001;
                        multipath;
                        export [ NEXT-HOP-SELF OUR-ROUTES NOTHING ];
                    }
                }
            }
        }
    }

    The export filter OUR-ROUTES needs to select the routes to be advertised to the other peers. For example:
    policy-options {
        policy-statement OUR-ROUTES {
            term 10 {
                from {
                    protocol ospf3;
                    route-type internal;
                }
                then {
                    metric 0;
                    accept;
                }
            }
        }
    }

    The configuration needs to be repeated for the other peers. The complete version is available on GitHub. Once the BGP sessions are up, we start learning routes from the other sites. For example, here is the route for 2001:db8:a1::/64:
    > show route 2001:db8:a1::/64 protocol bgp table private.inet6.0 best-path
    private.inet6.0: 15 destinations, 19 routes (15 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    2001:db8:a1::/64   *[BGP/140] 01:12:32, localpref 100, from 2001:db8:ff::6
                          AS path: 65001 I, validation-state: unverified
                          to 2001:db8:ff::6 via st0.1
                        > to 2001:db8:ff::14 via st0.2
    
    It was learnt both from V1-1 (through st0.1) and V1-2 (through st0.2). The route is part of the private routing instance but encapsulated packets are sent/received in the public routing instance. No route-leaking is needed for this configuration. The VPN cannot be used as a gateway from internal hosts to external hosts (or vice-versa). This could also have been done with JunOS security policies (stateful firewall rules) but doing the separation with routing instances also ensures routes from different domains are not mixed and a simple policy misconfiguration won't lead to a disaster.

    Route-based VPN on Linux

    Starting from Linux 3.15, a similar configuration is possible with the help of a virtual tunnel interface[3]. First, we create the private namespace:
    # ip netns add private
    # ip netns exec private sysctl -qw net.ipv6.conf.all.forwarding=1
    
    Any private interface needs to be moved to this namespace (no IP is configured as we can use IPv6 link-local addresses):
    # ip link set netns private dev eth1
    # ip link set netns private dev eth2
    # ip netns exec private ip link set up dev eth1
    # ip netns exec private ip link set up dev eth2
    
    Then, we create vti6, a tunnel interface (similar to st0.1 in the JunOS example):
    # ip tunnel add vti6 \
       mode vti6 \
       local 2001:db8:1::1 \
       remote 2001:db8:3::2 \
       key 6
    # ip link set netns private dev vti6
    # ip netns exec private ip addr add 2001:db8:ff::6/127 dev vti6
    # ip netns exec private sysctl -qw net.ipv4.conf.vti6.disable_policy=1
    # ip netns exec private sysctl -qw net.ipv4.conf.vti6.disable_xfrm=1
    # ip netns exec private ip link set vti6 mtu 1500
    # ip netns exec private ip link set vti6 up
    
    The tunnel interface is created in the initial namespace and moved to the private one. It will remember its original namespace where it will process encapsulated packets. Any packet entering the interface will temporarily get a firewall mark of 6 that will be used only to match the appropriate IPsec policy[4] below. The kernel sets a low MTU on the interface to handle any possible combination of ciphers and protocols. We set it to 1500 and let PMTUD do its work. We can then configure strongSwan[5]:
    conn V3-2
      left        = 2001:db8:1::1
      leftsubnet  = ::/0
      right       = 2001:db8:3::2
      rightsubnet = ::/0
      authby      = psk
      mark        = 6
      auto        = route
      keyexchange = ikev2
      keyingtries = %forever
      ike         = aes256gcm16-prfsha384-ecp384!
      esp         = aes256gcm16-prfsha384-ecp384!
      mobike      = no
    
    The IKE daemon configures the following policies in the kernel:
    $ ip xfrm policy
    src ::/0 dst ::/0
            dir out priority 399999 ptype main
            mark 0x6/0xffffffff
            tmpl src 2001:db8:1::1 dst 2001:db8:3::2
                    proto esp reqid 1 mode tunnel
    src ::/0 dst ::/0
            dir fwd priority 399999 ptype main
            mark 0x6/0xffffffff
            tmpl src 2001:db8:3::2 dst 2001:db8:1::1
                    proto esp reqid 1 mode tunnel
    src ::/0 dst ::/0
            dir in priority 399999 ptype main
            mark 0x6/0xffffffff
            tmpl src 2001:db8:3::2 dst 2001:db8:1::1
                    proto esp reqid 1 mode tunnel
    […]
    
    Those policies are used for any source or destination as long as the firewall mark is equal to 6, which matches the mark configured for the tunnel interface. The last step is to configure BGP to exchange routes. We can use BIRD for this:
    router id 1.0.1.1;
    protocol device {
       scan time 10;
    }
    protocol kernel {
       persist;
       learn;
       import all;
       export all;
       merge paths yes;
    }
    protocol bgp IBGP_V3_2 {
       local 2001:db8:ff::6 as 65001;
       neighbor 2001:db8:ff::7 as 65003;
       import all;
       export where ifname ~ "eth*";
       preference 160;
       hold time 6;
    }

    Once BIRD is started in the private namespace, we can check routes are learned correctly:
    $ ip netns exec private ip -6 route show 2001:db8:a3::/64
    2001:db8:a3::/64 proto bird metric 1024
            nexthop via 2001:db8:ff::5  dev vti5 weight 1
            nexthop via 2001:db8:ff::7  dev vti6 weight 1
    
    The above route was learnt from both V3-1 (through vti5) and V3-2 (through vti6). Like for the JunOS version, there is no route-leaking between the private namespace and the initial one. The VPN cannot be used as a gateway between the two namespaces, only for encapsulation. This also prevents a misconfiguration (for example, the IKE daemon not running) from allowing packets to leave the private network. As a bonus, unencrypted traffic can be observed with tcpdump on the tunnel interface:
    $ ip netns exec private tcpdump -pni vti6 icmp6
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vti6, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    20:51:15.258708 IP6 2001:db8:a1::1 > 2001:db8:a3::1: ICMP6, echo request, seq 69
    20:51:15.260874 IP6 2001:db8:a3::1 > 2001:db8:a1::1: ICMP6, echo reply, seq 69
    
    You can find all the configuration files for this example on GitHub. The documentation of strongSwan also features a page about route-based VPNs.
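    Both the policy-based tables shown at the start of the post and the marked ::/0 policies above can be audited from the kernel's own dumps. The following Python script is an added example, not part of the post or of strongSwan: it parses ip xfrm policy and ip xfrm state output in the format shown above and reports policies whose template has no security association yet (the post's "packet on hold" case), catch-all policies that lack a mark (which would capture every packet in the namespace instead of only what crosses the tunnel interface), security associations with non-AEAD or deprecated algorithm suites, and inbound security associations with anti-replay disabled. The embedded dumps are constructed from the post's output: the keys are zeroed placeholders and the unmarked reqid 9 policy towards a hypothetical peer 2001:db8:4::1 is a deliberate misconfiguration for the demonstration.

```python
"""Audit the kernel xfrm tables behind an IPsec tunnel (added example).

Parses `ip xfrm policy` / `ip xfrm state` output in the format shown in the
post and flags missing SAs, unmarked catch-all policies, non-AEAD or deprecated
algorithms and inbound SAs with anti-replay disabled.
"""
import re

ANY = {"::/0", "0.0.0.0/0"}
WEAK = ("des", "md5", "null", "blowfish", "cast")
HEAD = re.compile(r"src (\S+) dst (\S+)$")     # first line of a policy or SA


def parse_records(text):
    """Split a dump into records: the `src ... dst ...` head plus its body."""
    records = []
    for s in (line.strip() for line in text.splitlines()):
        head = HEAD.match(s)
        if head:
            records.append({"src": head[1], "dst": head[2], "body": ""})
        elif records:
            records[-1]["body"] += s + "\n"
    return records


def parse_policies(text):
    """Each policy: src, dst, dir, mark, tmpl=(src, dst) and reqid of its template."""
    policies = []
    for rec in parse_records(text):
        body = rec["body"]
        direction = re.search(r"^dir (\S+)", body, re.M)
        mark = re.search(r"^mark (\S+)", body, re.M)
        tmpl = re.search(r"^tmpl src (\S+) dst (\S+)\s+proto \S+ reqid (\d+)", body, re.M)
        policies.append({**rec, "dir": direction[1] if direction else "",
                         "mark": mark[1] if mark else None,
                         "tmpl": (tmpl[1], tmpl[2]) if tmpl else None,
                         "reqid": int(tmpl[3]) if tmpl else None})
    return policies


def parse_states(text):
    """Each SA: src, dst, spi, reqid, replay window and [(kind, algorithm)]."""
    states = []
    for rec in parse_records(text):
        body = rec["body"]
        ident = re.search(r"spi (0x[0-9a-f]+) reqid (\d+)", body)
        replay = re.search(r"^replay-window (\d+)", body, re.M)
        states.append({**rec, "spi": ident[1], "reqid": int(ident[2]),
                       "replay": int(replay[1]) if replay else 0,
                       "algs": re.findall(r"^(aead|auth-trunc|auth|enc|comp) (\S+)", body, re.M)})
    return states


def audit(policies, states):
    findings = []
    sas = {(st["src"], st["dst"], st["reqid"]) for st in states}
    # the template destination of an inbound policy is one of our own addresses
    local = {p["tmpl"][1] for p in policies if p["tmpl"] and p["dir"] in ("in", "fwd")}
    for p in (p for p in policies if p["tmpl"]):      # skip socket/allow policies
        if p["src"] in ANY and p["dst"] in ANY and p["mark"] is None:
            findings.append(f'{p["dir"]} policy {p["src"]} -> {p["dst"]}: catch-all without mark')
        if (*p["tmpl"], p["reqid"]) not in sas:
            findings.append(f'{p["dir"]} policy reqid {p["reqid"]}: no SA, traffic held for IKE')
    for st in states:
        names = " ".join(name for _, name in st["algs"])
        if not any(kind == "aead" for kind, _ in st["algs"]):
            findings.append(f'SA {st["spi"]}: non-AEAD suite ({names})')
        if any(weak in names.lower() for weak in WEAK):
            findings.append(f'SA {st["spi"]}: deprecated algorithm in {names}')
        if st["dst"] in local and st["replay"] == 0:
            findings.append(f'SA {st["spi"]}: inbound SA with anti-replay disabled')
    return findings


# Constructed sample dumps in the post's format: keys are zeroed placeholders and
# the unmarked reqid 9 policy towards 2001:db8:4::1 is a hypothetical mistake.
POLICY_DUMP = """\
src ::/0 dst ::/0
        dir out priority 399999 ptype main
        mark 0x6/0xffffffff
        tmpl src 2001:db8:1::1 dst 2001:db8:3::2
                proto esp reqid 1 mode tunnel
src ::/0 dst ::/0
        dir in priority 399999 ptype main
        mark 0x6/0xffffffff
        tmpl src 2001:db8:3::2 dst 2001:db8:1::1
                proto esp reqid 1 mode tunnel
src ::/0 dst ::/0
        dir out priority 399999 ptype main
        tmpl src 2001:db8:1::1 dst 2001:db8:4::1
                proto esp reqid 9 mode tunnel
"""
STATE_DUMP = """\
src 2001:db8:1::1 dst 2001:db8:3::2
        proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000000000000000000000000000aabbccdd 128
src 2001:db8:3::2 dst 2001:db8:1::1
        proto esp spi 0x0e1f2a3b reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0x0000000000000000000000000000000000000000000000000000000000000000aabbccdd 128
src 2001:db8:1::1 dst 2001:db8:2::1
        proto esp spi 0xc1890b6e reqid 4 mode tunnel
        auth-trunc hmac(sha256) 0x0000000000000000000000000000000000000000000000000000000000000000 128
        enc cbc(aes) 0x00000000000000000000000000000000
"""
```

    On the sample this yields three findings: the unmarked catch-all policy, its missing security association for reqid 9, and the non-AEAD hmac(sha256)/cbc(aes) suite of the policy-based SA, while the marked aes-gcm tunnel passes. To audit a live host, feed audit() the real text of ip xfrm policy and ip xfrm state (for example via subprocess.check_output with text=True), run where the IKE daemon lives, which in the setup above is the initial namespace, and with CAP_NET_ADMIN.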

    1. Everything in this post should work with Libreswan.
    2. fwd is for incoming packets on non-local addresses. It only makes sense in transport mode and is a Linux-only particularity.
    3. Virtual tunnel interfaces (VTI) were introduced in Linux 3.6 (for IPv4) and Linux 3.12 (for IPv6). Appropriate namespace support was added in 3.15. KLIPS, an alternative out-of-tree stack available since Linux 2.2, also features tunnel interfaces.
    4. The mark is set right before doing a policy lookup and restored after that. Consequently, it doesn't affect other possible uses (filtering, routing). However, as Netfilter can also set a mark, one should be careful about conflicts.
    5. The ciphers used here are the strongest ones currently possible while keeping compatibility with JunOS. The documentation for strongSwan contains a complete list of supported algorithms as well as security recommendations to choose them.

    31 August 2017

    Chris Lamb: Free software activities in August 2017

    Here is my monthly update covering what I have been doing in the free software world in August 2017 (previous month):
    Reproducible builds

    Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced either maliciously or accidentally during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. I have generously been awarded a grant from the Core Infrastructure Initiative to fund my work in this area. This month I:
    • Presented a status update at Debconf17 in Montréal, Canada alongside Holger Levsen, Maria Glukhova, Steven Chamberlain, Vagrant Cascadian, Valerie Young and Ximin Luo.
    • I worked on the following issues upstream:
      • glib2.0: Please make the output of gio-querymodules reproducible. (...)
      • gcab: Please make the output reproducible. (...)
      • gtk+2.0: Please make the immodules.cache files reproducible. (...)
      • desktop-file-utils: Please make the output reproducible. (...)
    • Within Debian:
      • Categorised a large number of packages and issues in the Reproducible Builds "notes" repository.
      • Worked on publishing our weekly reports. (#118, #119, #120, #121 & #122)

    I also made the following changes to our tooling:
    diffoscope

    diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

    • Use name attribute over path to avoid leaking comparison full path in output. (commit)
    • Add missing skip_unless_module_exists import. (commit)
    • Tidy diffoscope.progress and the XML comparator (commit, commit)

    disorderfs

    disorderfs is our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues.

    • Add a simple autopkgtest smoke test. (commit)


    Debian
    Patches contributed
    • openssh: Quote the IP address in ssh-keygen -f suggestions. (#872643)
    • libgfshare:
      • SIGSEGV if /dev/urandom is not accessible. (#873047)
      • Add bindnow hardening. (#872740)
      • Support nodoc build profile. (#872739)
    • devscripts:
    • memcached: Add hardening to systemd .service file. (#871610)
    • googler: Tidy long and short package descriptions. (#872461)
    • gnome-split: Homepage points to domain-parked website. (#873037)

    Uploads
    • python-django 1:1.11.4-1 New upstream release.
    • redis:
      • 4:4.0.1-3 Drop yet more non-deterministic tests.
      • 4:4.0.1-4 Tighten systemd/seccomp hardening.
      • 4:4.0.1-5 Drop even more tests with timing issues.
      • 4:4.0.1-6 Don't install completions to /usr/share/bash-completion/completions/debian/bash_completion/.
      • 4:4.0.1-7 Don't let sentinel integration tests fail the build as they use too many timers to be meaningful. (#872075)
    • python-gflags 1.5.1-3 If SOURCE_DATE_EPOCH is set, either use that as a source of current dates or the UTC-version of the file's modification time (#836004), don't call update-alternatives --remove in postrm. update debian/watch/Homepage & refresh/tidy the packaging.
    • bfs 1.1.1-1 New upstream release, tidy autopkgtest & patches, organising the latter with Pq-Topic.
    • python-daiquiri 1.2.2-1 New upstream release, tidy autopkgtests & update travis.yml from travis.debian.net.
    • aptfs 2:0.10-2 Add upstream signing key, refer to /usr/share/common-licenses/GPL-3 in debian/copyright & tidy autopkgtests.
    • adminer 4.3.1-2 Add a simple autopkgtest & don't install the Selenium-based tests in the binary package.
    • zoneminder (1.30.4+dfsg-2) Prevent build failures with GCC 7 (#853717) & correct example /etc/fstab entries in README.Debian (#858673).

    Finally, I reviewed and sponsored uploads of astral, inflection, more-itertools, trollius-redis & wolfssl.

    Debian LTS

    This month I have been paid to work 18 hours on Debian Long Term Support (LTS). In that time I did the following:
    • "Frontdesk" duties, triaging CVEs, etc.
    • Issued DLA 1049-1 for libsndfile preventing a remote denial of service attack.
    • Issued DLA 1052-1 against subversion to correct an arbitrary code execution vulnerability.
    • Issued DLA 1054-1 for the libgxps XML Paper Specification library to prevent a remote denial of service attack.
    • Issued DLA 1056-1 for cvs to prevent a command injection vulnerability.
    • Issued DLA 1059-1 for the strongswan VPN software to close a denial of service attack.

    Debian bugs filed
    • wget: Please hash the hostname in ~/.wget-hsts files. (#870813)
    • debian-policy: Clarify whether mailing lists in Maintainers/Uploaders may be moderated. (#871534)
    • git-buildpackage: "pq export" discards text within square brackets. (#872354)
    • qa.debian.org: Escape HTML in debcheck before outputting. (#872646)
    • pristine-tar: Enable multithreaded compression in pristine-xz. (#873229)
    • tryton-meta: Please combine tryton-modules-* into a single source package with multiple binaries. (#873042)
    • azure-cli:
    • fwupd-tests: Don't ship test files to generic /usr/share/installed-tests dir. (#872458)
    • libvorbis: Maintainer fields points to a moderated mailing list. (#871258)
    • rmlint-gui: Ship a rmlint-gui binary. (#872162)
    • template-glib: debian/copyright references online source without quotation. (#873619)

    FTP Team

    As a Debian FTP assistant I ACCEPTed 147 packages: abiword, adacgi, adasockets, ahven, animal-sniffer, astral, astroidmail, at-at-clojure, audacious, backdoor-factory, bdfproxy, binutils, blag-fortune, bluez-qt, cheshire-clojure, core-match-clojure, core-memoize-clojure, cypari2, data-priority-map-clojure, debian-edu, debian-multimedia, deepin-gettext-tools, dehydrated-hook-ddns-tsig, diceware, dtksettings, emacs-ivy, farbfeld, gcc-7-cross-ports, git-lfs, glewlwyd, gnome-recipes, gnome-shell-extension-tilix-dropdown, gnupg2, golang-github-aliyun-aliyun-oss-go-sdk, golang-github-approvals-go-approval-tests, golang-github-cheekybits-is, golang-github-chzyer-readline, golang-github-denverdino-aliyungo, golang-github-glendc-gopher-json, golang-github-gophercloud-gophercloud, golang-github-hashicorp-go-rootcerts, golang-github-matryer-try, golang-github-opentracing-contrib-go-stdlib, golang-github-opentracing-opentracing-go, golang-github-tdewolff-buffer, golang-github-tdewolff-minify, golang-github-tdewolff-parse, golang-github-tdewolff-strconv, golang-github-tdewolff-test, golang-gopkg-go-playground-validator.v8, gprbuild, gsl, gtts, hunspell-dz, hyperlink, importmagic, inflection, insighttoolkit4, isa-support, jaraco.itertools, java-classpath-clojure, java-jmx-clojure, jellyfish1, lazymap-clojure, libblockdev, libbytesize, libconfig-zomg-perl, libdazzle, libglvnd, libjs-emojify, libjwt, libmysofa, libundead, linux, lua-mode, math-combinatorics-clojure, math-numeric-tower-clojure, mediagoblin, medley-clojure, more-itertools, mozjs52, openssh-ssh1, org-mode, oysttyer, pcscada, pgsphere, poppler, puppetdb, py3status, pycryptodome, pysha3, python-cliapp, python-coloredlogs, python-consul, python-deprecation, python-django-celery-results, python-dropbox, python-fswrap, python-hbmqtt, python-intbitset, python-meshio, python-parameterized, python-pgpy, python-py-zipkin, python-pymeasure, python-thriftpy, python-tinyrpc, python-udatetime, python-wither, python-xapp, pythonqt, r-cran-bit, r-cran-bit64, r-cran-blob, r-cran-lmertest, r-cran-quantmod, r-cran-ttr, racket-mode, restorecond, rss-bridge, ruby-declarative, ruby-declarative-option, ruby-errbase, ruby-google-api-client, ruby-rash-alt, ruby-representable, ruby-test-xml, ruby-uber, sambamba, semodule-utils, shimdandy, sjacket-clojure, soapysdr, stencil-clojure, swath, template-glib, tools-analyzer-jvm-clojure, tools-namespace-clojure, uim, util-linux, vim-airline, vim-airline-themes, volume-key, wget2, xchat, xfce4-eyes-plugin & xorg-gtest. I additionally filed 6 RC bugs against packages that had incomplete debian/copyright files against: gnome-recipes, golang-1.9, libdazzle, poppler, python-py-zipkin & template-glib.

    29 July 2017

    Antoine Beaupré: My free software activities, July 2017

    Debian Long Term Support (LTS) This is my monthly working on Debian LTS. This time I worked on various hairy issues surrounding ca-certificates, unattended-upgrades, apache2 regressions, libmtp, tcpdump and ipsec-tools.

    ca-certificates updates I've been working on the removal of the Wosign and StartCom certificates (Debian bug #858539) and, in general, the synchronisation of ca-certificates across suites (Debian bug #867461) since at least last March. I have made an attempt at summarizing the issue which led to a productive discussion and it seems that, in the end, the maintainer will take care of synchronizing information across suites. Guido was right in again raising the question of synchronizing NSS across all suites (Debian bug #824872) which itself raised the other question of how to test reverse dependencies. This brings me back to Debian bug #817286 which, basically proposed the idea of having "proposed updates" for security issues. The problem is while we can upload test packages to stable proposed-updates, we can't do the same in LTS because the suite is closed and we operate only on security packages. This issue came up before in other security uploads and we need to think better about how to solve this.

    unattended-upgrades Speaking of security upgrades brings me to the question of a bug (Debian bug #867169) that was filed against the wheezy version of unattended-upgrades, which showed that the package simply stopped working since the latest stable release, because wheezy became "oldoldstable". I first suggested using the "codename" but that appears to have been introduced only after wheezy. In the end, I proposed a simple update that would fix the configuration files and uploaded this as DLA-1032-1. This is thankfully fixed in later releases and will not require such hackery when jessie becomes LTS as well.

    libmtp Next up is the work on the libmtp vulnerabilities (CVE-2017-9831 and CVE-2017-9832). As I described in my announcement, the work to backport the patch was huge, as upstream basically backported a whole library from the gphoto2 package to fix those issues (and probably many more). The lack of a test suite made it difficult to trust my own work, but given that I had no (negative) feedback, I figured it was okay to simply upload the result and that became DLA-1029-1.

    tcpdump I then looked at reproducing CVE-2017-11108, a heap overflow triggered when tcpdump would parse specifically STP packets. In Debian bug #867718, I described how to reproduce the issue across all suites and opened an issue upstream, given that the upstream maintainers hadn't responded in weeks according to notes in the RedHat Bugzilla issue. I eventually worked on a patch which I shared upstream, but that was rejected as they were already working on it in their embargoed repository. I can explain this confusion and duplication of work with:
    1. the original submitter didn't really contact security@tcpdump.org
    2. he did and they didn't reply, being just too busy
    3. they replied and he didn't relay that information back
    I think #2 is most likely: the tcpdump.org folks are probably very busy with tons of reports like this. Still, I should probably have contacted security@tcpdump.org directly before starting my work, even though no harm was done because I didn't divulge issues that were already public. Since then, tcpdump has released 4.9.1 which fixes the issue, but then new CVEs came out that will require more work and probably another release. People looking into this issue must be certain to coordinate with the tcpdump security team before fixing the actual issues.

    ipsec-tools Another package that didn't quite have a working solution is the ipsec-tools suite, in which the racoon daemon was vulnerable to a remotely-triggered DOS attack (CVE-2016-10396). I reviewed and fixed the upstream patch which introduced a regression. Unfortunately, there is no test suite or proof of concept to control the results. The reality is that ipsec-tools is really old, and should maybe simply be removed from Debian, in favor of strongswan. Upstream hasn't done a release in years and various distributions have patched up forks of those to keep it alive... I was happy, however, to know that a maintainer will take care of updating the various suites, including LTS, with my improved patch. So this fixes the issue for now, but I would strongly encourage users to switch away from ipsec-tools in the future.

    apache2 Finally, I was bitten by the old DLA-841-1 upload I did all the way back in February, as it introduced a regression (Debian bug #858373). It turns out it was possible to segfault Apache workers with a trivial HTTP request, in certain (rather exotic, I might add) configurations (ErrorDocument 400 directive pointing to a cgid script in worker mode). Still, it was a serious regression and I found a part of the nasty long patch we worked on back then that was faulty, and introduced a small fix to correct that. The proposed package unfortunately didn't yield any feedback, and I can only assume it will work okay for people. The result is the DLA-841-2 upload which fixes the regression. I unfortunately didn't have time to work on the remaining CVEs affecting apache2 in LTS at the time of writing.

    Triage I also did some miscellaneous triage by filing Debian bug #867477 for poppler in an effort to document better the pending issue. Next up was some minor work on eglibc issues. CVE-2017-8804 has a patch, but it's been disputed. Since the main victim of this and the core of the vulnerability (rpcbind) has already been fixed, I am not sure this vulnerability is still a thing in LTS at all. I also looked at CVE-2014-9984, but the code is so different in wheezy that I wonder if LTS is affected at all. Unfortunately, the eglibc gymnastics are a little beyond me and I do not feel confident enough to just push those issues aside for now and let them open for others to look at.

    Other free software work And of course, there's my usual monthly volunteer work. My ratio is a little better this time, having reached an about even ratio between paid and volunteer work, whereas this was 60% volunteer work in march.

    Announcing ecdysis I recently published ecdysis, a set of template and code samples that I frequently reuse across project. This is probably the least pronounceable project name I have ever chosen, but this is somewhat on purpose. The goal of this project is not collaboration or to become a library: it's just a personal project which I share with the world as a curiosity. To quote the README file:
    The name comes from what snakes and other animals do to "create a new snake": they shed their skin. This is not so appropriate for snakes, as it's just a way to rejuvenate their skin, but is especially relevant for arthropods since then "ecdysis" may be associated with a metamorphosis:
    Ecdysis is the moulting of the cuticle in many invertebrates of the clade Ecdysozoa. Since the cuticle of these animals typically forms a largely inelastic exoskeleton, it is shed during growth and a new, larger covering is formed. The remnants of the old, empty exoskeleton are called exuviae. Wikipedia
    So this project is metamorphosed into others when the documentation templates, code examples and so on are reused elsewhere. For that reason, the license is an unusually liberal (for me) MIT/Expat license. The name also has the nice property of being absolutely unpronounceable, which makes it unlikely to be copied but easy to search online.
    It was an interesting exercise to go back into older projects and factor out interesting code. The process is not complete yet, as there are older projects I'm still curious about reviewing. A bunch of that code could also be factored into upstream projects and maybe even the Python standard library. In short, this is stuff I keep on forgetting how to do: a proper setup.py config, some fancy argparse extensions and so on. Instead of having to remember where I had written that clever piece of code, I now shove it in the crazy chaotic project where I can find it again in the future.

    Beets experiments Since I started using Subsonic (or Libresonic) to manage the music on my phone, album covers are suddenly way more interesting. But my collection so far has had limited album covers: my other media player (gmpc) would download those on the fly on its own and store them in its own database - not on the filesystem. I guess this could be considered to be a limitation of Subsonic, but I actually appreciate the separation of duty here. Garbage in, garbage out: the quality of Subsonic's rendering depends largely on how well set up your library and tags are. It turns out there is an amazing tool called beets to do exactly that kind of stuff. I originally discarded that "media library management system for obsessive-compulsive [OC] music geeks", trying to convince myself I was not an "OC music geek". Turns out I am. Oh well. Thanks to beets, I was able to download album covers for a lot of the albums in my collection. The only covers that are missing now are albums that are not correctly tagged and that beets couldn't automatically fix up. I still need to go through those and fix all those tags, but the first run did an impressive job at getting album covers. Then I got the next crazy idea: after a camping trip where we forgot (again) the lyrics to Georges Brassens, I figured I could start putting some lyrics on my ebook reader. "How hard can that be?" of course, being the start of another crazy project. A pull request and 3 days later, I had something that could turn a beets lyrics database into a Sphinx document which, in turn, can be turned into an ePUB. In the process, I probably got blocked from MusixMatch a hundred times, but it's done. Phew! The resulting e-book is about 8000 pages long, but is still surprisingly responsive. In the process, I also happened to do a partial benchmark of Python's bloom filter libraries. The biggest surprise there was the performance of the set builtin: for small items, it is basically as fast as a bloom filter. Of course, when the item size grows larger, its memory usage explodes, but in this case it turned out to be sufficient and a bloom filter completely overkill and confusing. Oh, and thanks to those efforts, I got admitted in the beetbox organization on GitHub! I am not sure what I will do with that newfound power: I was just scratching an itch, really. But hopefully I'll be able to help here and there in the future as well.

    Debian package maintenance

    I did some normal upkeep on a bunch of my packages this month, that were long overdue:
    • uploaded slop 6.3.47-1: major new upstream release
    • uploaded an NMU for maim 5.4.64-1.1: maim was broken by the slop release
    • uploaded pv 1.6.6-1: new upstream release
    • uploaded kedpm 1.0+deb8u1 to jessie (oldstable): one last security fix (Debian bug #860817, CVE-2017-8296) for that derelict password manager
    • uploaded charybdis 3.5.5-1: new minor upstream release, with optional support for mbedtls
    • filed Debian bug #866786 against cryptsetup to make the remote initramfs SSH-based unlocking support multiple devices: thanks to the maintainer, this now works flawlessly in buster and may be backported to stretch
    • expanded on Debian bug #805414 against gdm3 and Debian bug #845938 against pulseaudio, because I had trouble connecting my computer to this new Bluetooth speaker. Turns out this is a known issue in PulseAudio: whereas it releases ALSA devices, it doesn't release Bluetooth devices properly. Documented this more clearly in the wiki page
    • filed Debian bug #866790 regarding old stray AppArmor profiles that were lying around my system after an upgrade, which got me interested in Debian bug #830502 in turn
    • filed Debian bug #868728 against cups regarding a weird behavior I had interacting with a network printer. Turns out the other workstation was misconfigured... why are printers still so hard?
    • filed Debian bug #870102 to automate sbuild schroots upgrades
    • after playing around with rash, I tried to complete the packaging (Debian bug #754972) of percol with this pull request upstream. This ended up being way too much overhead and I reverted to my old normal history habits.

    30 March 2017

    Shirish Agarwal: The tale of the dancing girl #nsfw

    Demonstration of a Lapdance - Wikipedia

    The post will be adult/mature in nature, so those below 18 please excuse. The post is about an anecdote from almost 20 years ago. The reason it is being posted is that I had dinner with a friend with whom I shared this, and he thought it would be nice if I shared it, hence I am sharing it. The conversation was about being young and foolish, in which I shared the anecdote. The blog post was supposed to be about Aadhar, which shocked me both in the way no political discourse happened and the way the public as well as public policy was gamed, but that would have to wait for another day.

    History

    I left college in 1995. The anecdote/incident probably happened a couple of years earlier, so probably 1992-1993. At that time, I was in my teens and as a typical teenager I made a few friends. One of those friends will remain nameless, since we drifted apart and, as I have not taken permission from him, taking his name would not be a good idea. Anyway, let's call this gentleman Mr. X. A couple of months before, he had bought an open jeep, similar to but very different from the jeep shown below. Open jeeps had become a fashion statement a few months back (in those days), as a Salman Khan-starred movie had one and anybody who had money wanted one just like that.
    Illustration of an open jeep, sadly it's a military one - Wikipedia

    Those days we didn't have cell-phones and I had given my land-line phone number to very few friends, as in those days the land-lines were a finicky instrument. One fine morning, I get a call from my friend telling me he is going to come near my place and I should meet him at some xyz place, and we would go for a picnic for the whole day and it is possible that we might return the next day. As it was holidays and only a fool would throw away a chance to have a ride in an open-air jeep, I immediately agreed. I shared that my friends had organized a picnic and, giving another friend's number (who didn't know anything), got permission and went to meet Mr. X. This was very early morning, around 0600 hrs. After meeting him, he told me that we would be going to Mumbai, take some more friends from there and then move on. In those days, a railway ticket from Shivaji Nagar to V.T. (now C.S.T.) cost INR 30/-. I had been to Mumbai a few times before for various technical conferences and knew a few cheap places to eat; I knew that going via train, we could go and come back spending at the most INR 150/- and still have some change left over (today's meal at a roadside/street vendor easily passes that mark).

    The Journey

    I shared with him that it would be costly and I didn't have any money to cover the fuel expenses, and he said he would shoulder the expenses, he just wanted my company for the road. Those days, it was the scenic Old Mumbai-Pune highway and we took plenty of stops to admire the ghats (hills and valleys together). That journey must have taken around 7-8 hours, while today by the new Expressway you could do the same thing in 2.5/3 hours. Anyhow, we reached some swanky hotel in South Mumbai. South Mumbai was not the financial powerhouse that it is today; there was a mix of very old buildings and new buildings like the swanky hotel that we had checked in to. I have no memory nor any idea whether it was 1 class, 3 class or 5 class and could have cared less, as I had been tired from the journey. We checked in, I had a long warm water bath and then slept in the king-size bed with curtains drawn. Evening came and we took the jeep and picked up 2-3 of his friends who were of my age or a year or two older, and we went to Nariman Point. Seeing the Queen's Necklace from Nariman Point at night is a sight in itself. Keeping with the innocence, I was under the impression that we had arrived at our destination; at this our host, Mr. X, and his Bombaiya friends had a quiet laugh, saying it's a young night still. We must have whiled away a couple of hours, having chai and throwing rocks in the sea.

    The Meeting

    After a while, Mr. X took us to another swanky place. My eyes were out of my sockets as this seemed to be as elitist a place as could be. I saw many White European women in various stages of undress pole-dancing and lap-dancing. I had recently (in those days) come to know the term but was under the impression that it was something that happened in Europe and the States only. I had no idea that lap-dancing was older than my birth, according to Wikipedia. So looking back now, I am not surprised that in two decades the concept crossed the oceans. Again, Mr. X being the host, agreed to bear all the costs and all of us had food, drink and a lap-dance from any of the dancers on the floor. As I was young and probably shy (still am) I asked for Mr. X's help to pick a girl/woman for me. The woman whom he picked was auburn-haired, and was either my age or a year or two older/younger than me. What proceeded next was about 20-30 minutes of totally sexualized erotic experience. While he and all his friends picked girls to go all the way, I was hesitant to let loose. Maybe it was due to my lack of courage or inexperience, maybe it was not in my city so I couldn't predict the outcome, maybe I was just afraid that reality might mar fantasy; I dunno till date. Although we kissed and necked a lot, I guess that should count for something.

    The conversation

    After all my friends had gone to the various rooms, sometime after I excused myself, went to the loo, peed a bit, splashed cold water on myself, came out and had a couple of glasses of water and came back to my seat. The lady came back and I shared that I was not interested in going further and, while she was beautiful, I just didn't have the guts. I did ask her if she would give me company for some time though, as I didn't know anyone else at that place. Our conversation was more about her than me, as I had had a more or less average life up to that moment. There were only three unorthodox things that I had done before meeting her. I had drunk wines of different types, smoked weed and had a Magic Mushrooms experience the year before with another group of friends I had made there. Goa in those days was simply magical, but that would probably need its own story/blog post. When I enquired about her, she shared she was from Russia and she rattled off more than half a dozen places around the world where she had been, and this was her second or third stint in Mumbai, and she wasn't at all unhappy about the lifestyle and choices she was leading. I had no answer for her as a young penniless college-going student. Her self-confidence and the way she carried herself was impressive, with or without clothes. During the course of the conversation she shared a couple of contacts from whom I could get better weed at a slightly higher price if I were in Goa. A few months later, those contacts turned out to be true. After some time, we took all the women and ourselves, around 8-9 people, in his jeep (how he negotiated that is beyond me), went to a hygienic Pani puri and Bhel (puffed rice mixed with a variety of spices, typically tomato, potato, coriander chutney as well as tamarind chutney among other things) place and moved them to tears (the spices in the bhel and Pani puri did it for them), and this was when we had explicitly asked the bhel-wala guy to make it extremely mild with just a hint of spice in it. Anyways, sometime later, we dropped them at the same place, dropped his friends and came back to the hotel we had booked and got drunk again.

    After-effects

    A few years later, it came out in the newspapers/media that while India had broken out of financial isolation just a few years back (1991) and was profiting from it, many countries of the former USSR were going the other way, and hence there was huge human trafficking and immigration that had taken place. This was in line with what the lady/woman/Miss X had shared with me.

    The latest trigger

    The latest trigger happened a couple of months back, when I learnt of a hero flight attendant saving a girl from human trafficking. Till date, I am unsure whether she was doing it willingly or putting on a brave smile in front of me, because even if she had confided in me in any way, I probably would have been too powerless to help her in any way. I just don't know.

    Foolishness thy name

    While my friend took advantage of my innocence and introduced me to a world which I otherwise would probably not know exists, it could easily have gone some other way as well. While I'm still unsure of the choices I made, I was and am happy that I was able to strike up a conversation with her and attempt to reach the person therein. Was it the truth or an elaborate fabricated lie to protect myself and herself? This I will never know.

    Oppression

    I understand the fact that as a customer or somebody who is taking part in either of those performances or experiences, it isn't easy in any way to know/say whether the performer is doing it wilfully or not, as the experiences are in tightly controlled settings.
    Filed under: Miscellenous Tagged: #anecdote, #confusion, #elitist, #growing up, #lap dance, #NSFW, #Open Jeep, Mumbai

    25 March 2017

    Russ Allbery: Spring haul

    Work has been hellishly busy lately, so that's pretty much all I've been doing. The major project I'm working on should be basically done in the next couple of weeks, though (fingers crossed), so maybe I'll be able to surface a bit more after that. In the meantime, I'm still acquiring books I don't have time to read, since that's my life. In this case, two great Humble Book Bundles were too good of a bargain to pass up. There are a bunch of books in here that I already own in paperback (and hence showed up in previous haul posts), but I'm running low on shelf room, so some of those paper copies may go to the used bookstore to make more space.

    Kelley Armstrong Lost Souls (sff)
    Clive Barker Tortured Souls (horror)
    Jim Butcher Working for Bigfoot (sff collection)
    Octavia E. Butler Parable of the Sower (sff)
    Octavia E. Butler Parable of the Talents (sff)
    Octavia E. Butler Unexpected Stories (sff collection)
    Octavia E. Butler Wild Seed (sff)
    Jacqueline Carey One Hundred Ablutions (sff)
    Richard Chizmar A Long December (sff collection)
    Jo Clayton Skeen's Leap (sff)
    Kate Elliot Jaran (sff)
    Harlan Ellison Can & Can'tankerous (sff collection)
    Diana Pharoh Francis Path of Fate (sff)
    Mira Grant Final Girls (sff)
    Elizabeth Hand Black Light (sff)
    Elizabeth Hand Saffron & Brimstone (sff collection)
    Elizabeth Hand Wylding Hall (sff)
    Kevin Hearne The Purloined Poodle (sff)
    Nalo Hopkinson Skin Folk (sff)
    Katherine Kurtz Camber of Culdi (sff)
    Katherine Kurtz Lammas Night (sff)
    Joe R. Lansdale Fender Lizards (mainstream)
    Robert McCammon The Border (sff)
    Robin McKinley Beauty (sff)
    Robin McKinley The Hero and the Crown (sff)
    Robin McKinley Sunshine (sff)
    Tim Powers Down and Out in Purgatory (sff)
    Cherie Priest Jacaranda (sff)
    Alastair Reynolds Deep Navigation (sff collection)
    Pamela Sargent The Shore of Women (sff)
    John Scalzi Miniatures (sff collection)
    Lewis Shiner Glimpses (sff)
    Angie Thomas The Hate U Give (mainstream)
    Catherynne M. Valente The Bread We Eat in Dreams (sff collection)
    Connie Willis The Winds of Marble Arch (sff collection)
    M.K. Wren Sword of the Lamb (sff)
    M.K. Wren Shadow of the Swan (sff)
    M.K. Wren House of the Wolf (sff)
    Jane Yolen Sister Light, Sister Dark (sff)

    2 January 2017

    Shirish Agarwal: India Tourism, E-Visa and Hong Kong

    A Safe and Happy New Year to all. While Debconf India is still a pipe-dream as of now, I did see that India has gradually been making it easier for tourists and casual business visitors to come visit India. This I take as a very positive development for India itself. The 1st condition is itself good for anybody visiting India:
    Eligibility: International Travellers whose sole objective of visiting India is recreation, sight-seeing, casual visit to meet friends or relatives, short duration medical treatment or casual business visit.
    https://indianvisaonline.gov.in/visa/tvoa.html
    That this facility is being given to 130 odd countries is better still:
    Albania, Andorra, Anguilla, Antigua & Barbuda, Argentina, Armenia, Aruba, Australia, Austria, Bahamas, Barbados, Belgium, Belize, Bolivia, Bosnia & Herzegovina, Botswana, Brazil, Brunei, Bulgaria, Cambodia, Canada, Cape Verde, Cayman Island, Chile, China, China- SAR Hong-Kong, China- SAR Macau, Colombia, Comoros, Cook Islands, Costa Rica, Cote d lvoire, Croatia, Cuba, Czech Republic, Denmark, Djibouti, Dominica, Dominican Republic, East Timor, Ecuador, El Salvador, Eritrea, Estonia, Fiji, Finland, France, Gabon, Gambia, Georgia, Germany, Ghana, Greece, Grenada, Guatemala, Guinea, Guyana, Haiti, Honduras, Hungary, Iceland, Indonesia, Ireland, Israel, Jamaica, Japan, Jordan, Kenya, Kiribati, Laos, Latvia, Lesotho, Liberia, Liechtenstein, Lithuania, Luxembourg, Madagascar, Malawi, Malaysia, Malta, Marshall Islands, Mauritius, Mexico, Micronesia, Moldova, Monaco, Mongolia, Montenegro, Montserrat, Mozambique, Myanmar, Namibia, Nauru, Netherlands, New Zealand, Nicaragua, Niue Island, Norway, Oman, Palau, Palestine, Panama, Papua New Guinea, Paraguay, Peru, Philippines, Poland, Portugal, Republic of Korea, Republic of Macedonia, Romania, Russia, Saint Christopher and Nevis, Saint Lucia, Saint Vincent & the Grenadines, Samoa, San Marino, Senegal, Serbia, Seychelles, Singapore, Slovakia, Slovenia, Solomon Islands, South Africa, Spain, Sri Lanka, Suriname, Swaziland, Sweden, Switzerland, Taiwan, Tajikistan, Tanzania, Thailand, Tonga, Trinidad & Tobago, Turks & Caicos Island, Tuvalu, UAE, Ukraine, United Kingdom, Uruguay, USA, Vanuatu, Vatican City-Holy See, Venezuela, Vietnam, Zambia and Zimbabwe.
    This should make it somewhat easier for any Indian organizer as well as any participants from any of the member countries shared. There is a possibility that this list would even get longer, provided we are able to scale our airports and all and any necessary infrastructure that would be needed for International Visitors to have a good experience. What has been particularly interesting is to know which ports of call are being used by International Visitors, as well as the overall growth rate:
    The Percentage share of Foreign Tourist Arrivals (FTAs) in India during November, 2016 among the top 15 source countries was highest from USA (15.53%) followed by UK (11.21%), Bangladesh (10.72%), Canada (4.66%), Russian Fed (4.53%), Australia (4.04%), Malaysia (3.65%), Germany (3.53%), China (3.14%), France (2.88%), Sri Lanka (2.49%), Japan (2.49%), Singapore (2.16%), Nepal (1.46%) and Thailand (1.37%).
    And port of call
    The Percentage share of Foreign Tourist Arrivals (FTAs) in India during November 2016 among the top 15 ports was highest at Delhi Airport (32.71%) followed by Mumbai Airport (18.51%), Chennai Airport (6.83%), Bengaluru Airport (5.89%), Haridaspur Land check post (5.87%), Goa Airport (5.63%), Kolkata Airport (3.90%), Cochin Airport (3.29%), Hyderabad Airport (3.14%), Ahmadabad Airport (2.76%), Trivandrum Airport (1.54%), Trichy Airport (1.53%), Gede Rail (1.16%), Amritsar Airport (1.15%), and Ghojadanga land check post (0.82%) .
    The Ghojadanga land check post seems to be between West Bengal, India and Bangladesh. Gede Railway Station is also in West Bengal. So all and any overlanders could take any of those ways. Even the Haridaspur land check post comes on the Bengal-Bangladesh border only. Among the airports, Delhi Airport seems to be attracting a lot more business than Mumbai Airport. Part of the reason I *think* is the direct link of Delhi Airport to NDLS via the Delhi Airport Express Line. The same, when it happens in Mumbai, should be a game-changer for the city too. Now if you are wondering why I have suddenly been talking about visas and airports in India, it came because Hong Kong is going to withdraw the visa-free entry facility for Indians. Although, as rightly pointed out in the article, it doesn't make sense from an economic POV and seems to be somewhat politically motivated. Not that I or anybody else can do anything about that. Seeing that, I thought it was a good opportunity to see how good/bad our Government is, and it seems to be on the right path. Although the hawks (Intelligence and Counter-Terrorist Agencies) will probably become a bit more paranoid, as their work becomes tougher.
    Filed under: Miscellenous Tagged: #Airport Metro Line 3, #CSIA, #Incredible India, #India, #International Tourism

    1 December 2016

    Daniel Pocock: Using a fully free OS for devices in the home

    There are more and more devices around the home (and in many small offices) running a GNU/Linux-based firmware. Consider routers, entry-level NAS appliances, smart phones and home entertainment boxes. More and more people are coming to realize that there is a lack of security updates for these devices and a big risk that the proprietary parts of the code are either very badly engineered (if you don't plan to release your code, why code it properly?) or deliberately include spyware that calls home to the vendor, ISP or other third parties. IoT botnet incidents, which are becoming more widely publicized, emphasize some of these risks. On top of this is the frustration of trying to become familiar with numerous different web interfaces (for your own devices and those of any friends and family members you give assistance to) and the fact that many of these devices have very limited feature sets.

    Many people hail OpenWRT as an example of a free alternative (for routers), but I recently discovered that OpenWRT's web interface won't let me enable both DHCP and DHCPv6 concurrently. The underlying OS and utilities fully support dual stack, but the UI designers haven't encountered that configuration before.

    Conclusion: move to a device running a full OS, probably Debian-based, but I would consider BSD-based solutions too. For many people, the benefit of this strategy is simple: use the same skills across all the different devices, at home and in a professional capacity. Get rapid access to security updates. Install extra packages or enable extra features if really necessary. For example, I already use Shorewall and strongSwan on various Debian boxes and I find it more convenient to configure firewall zones using Shorewall syntax rather than OpenWRT's UI.

    Which boxes to start with?

    There are various considerations when going down this path:
    • Start with existing hardware, or buy new devices that are easier to re-flash? Sometimes there are other reasons to buy new hardware, for example, when upgrading a broadband connection to Gigabit or when an older NAS gets a noisy fan or struggles with SSD performance and in these cases, the decision about what to buy can be limited to those devices that are optimal for replacing the OS.
    • How will the device be supported? Can other non-technical users do troubleshooting? If mixing and matching components, how will faults be identified? If buying a purpose-built NAS box and the CPU board fails, will the vendor provide next day replacement, or could it be gone for a month? Is it better to use generic components that you can replace yourself?
    • Is a completely silent/fanless solution necessary?
    • Is it possible to completely avoid embedded microcode and firmware?
    • How many other free software developers are using the same box, or will you be first?
    Discussing these options

    I recently started threads on the debian-user mailing list discussing options for routers and home NAS boxes. A range of interesting suggestions have already appeared; it would be great to see any other ideas that people have about these choices.

    10 October 2016

    Daniel Pocock: DVD-based Clean Room for PGP and PKI

    There is increasing interest in computer security these days and more and more people are using some form of PKI, whether it is signing Git tags, signing packages for a GNU/Linux distribution or just signing your emails. There are also more home networks and small offices who require their own in-house Certificate Authority (CA) to issue TLS certificates for VPN users (e.g. strongSwan) or IP telephony.

    Back in April, I started discussing the PGP Clean Room idea (debian-devel discussion and gnupg-users discussion), created a wiki page and started development of a script to build the clean room ISO using live-build on Debian. Keeping the master keys completely offline and putting subkeys onto smart cards and other devices dramatically lowers the risk of mistakes and security breaches. Using a read-only DVD to operate the clean room makes it convenient and harder to tamper with.

    Trying it out in VirtualBox

    It is fairly easy to clone the Git repository, run the script to create the ISO and boot it in VirtualBox to see what is inside:

    At the moment, it contains a number of packages likely to be useful in a PKI clean room, including GnuPG, smartcard drivers, the lightweight pki utility from strongSwan and OpenSSL. I've been trying it out with an SPR-532, one of the GnuPG-supported smartcard readers with a pin-pad, and the OpenPGP card.

    Ready to use today

    More confident users will be able to build the ISO and use it immediately by operating all the utilities from the command line. For example, you should be able to fully configure PGP smart cards by following this blog from Simon Josefsson. The ISO includes some useful scripts; for example, create-raid will quickly partition and RAID a set of SD cards to store your master key-pair offline.

    Getting involved

    To make PGP accessible to a wider user-base and more convenient for those who don't use GnuPG frequently enough to remember all the command line options, it would be interesting to create a GUI, possibly using python-newt to create a similar look-and-feel to popular text-based installer and system administration tools. If you are keen on this project and would like to discuss it further, please come and join the new pki-clean-room mailing list and feel free to ask questions or share your thoughts about it. One way to proceed may be to recruit an Outreachy or GSoC intern to develop the UI. Before they can get started, it would be necessary to more thoroughly document workflow requirements.

    31 August 2016

    Chris Lamb: Free software activities in August 2016

    Here is my monthly update covering what I have been doing in the free software world (previously):

    Reproducible builds

    Whilst anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or "compiled") packages to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced, either maliciously or accidentally, during this compilation process by promising that identical binary packages are always generated from a given source.

    Diffoscope

    diffoscope is our "diff on steroids" that will not only recursively unpack archives but will transform binary formats into human-readable forms in order to compare them:
    • Added a command-line interface to the try.diffoscope.org web service.
    • Added a JSON comparator.
    • In the HTML output, highlight lines when hovering to make it easier to visually track.
    • Ensure that we pass str types to our Difference class, otherwise we can't be sure we can render them later.
    • Testsuite improvements:
      • Generate test coverage reports.
      • Add tests for Haskell and GitIndex comparators.
      • Completely refactored all of the comparator tests, extracting out commonly-used routines.
      • Confirm rendering of text and HTML presenters when checking non-existing files.
      • Dropped a squashfs test as it was simply too unreliable and/or has too many requirements to satisfy.
    • A large number of miscellaneous cleanups, including:
      • Reworking the comparator setup/preference internals by dynamically importing classes via a single list.
      • Split exceptions out into dedicated diffoscope.exc module.
      • Tidying the PROVIDERS dict in diffoscope/__init__.py.
      • Use html.escape over xml.sax.saxutils.escape, cgi.escape, etc.
      • Removing hard-coding of manual page targets names in debian/rules.
      • Specify all string format arguments as logging function parameters, not using interpolation.
      • Tidying imports, correcting indentation levels and drop unnecessary whitespace.

    disorderfs

    disorderfs is our FUSE filesystem that deliberately introduces nondeterminism in system calls such as readdir(3).
    • Added a testsuite to prevent regressions. (f124965)
    • Added a --sort-dirents=yes|no option for forcing deterministic ordering. (2aae325)
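To show the kind of nondeterminism disorderfs exposes and the normalisation that removes it, here is an added Python example (not code from diffoscope, disorderfs or strip-nondeterminism): it packs a constructed three-file tree into a tar archive twice, from two different directory-listing orders, once trusting the listing and the files' real metadata and once with sorted entries and fixed metadata, then compares the SHA-256 digests. The sample tree, its mtimes and the simplified "build step" are all constructed here.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def build_tarball(source_dir, entries, normalize):
    """Pack the files named in ``entries`` (a directory listing) into an in-memory tar.

    With normalize=False the build trusts the listing order and the files' real
    mtimes/ownership, so the output depends on whatever readdir(3) returned (which
    disorderfs deliberately shuffles). With normalize=True the entries are sorted
    (the effect of --sort-dirents=yes) and per-file metadata is fixed, the kind of
    post-processing strip-nondeterminism applies to archives.
    """
    if normalize:
        entries = sorted(entries)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in entries:
            path = os.path.join(source_dir, name)
            info = tar.gettarinfo(path, arcname=name)
            if normalize:
                info.mtime = 0                  # fixed timestamp, SOURCE_DATE_EPOCH style
                info.uid = info.gid = 0         # neutral ownership
                info.uname = info.gname = ""
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_sample_tree():
    """Constructed three-file source tree with distinct mtimes; returns its directory."""
    directory = tempfile.mkdtemp(prefix="repro-demo-")
    for i, name in enumerate(["main.c", "util.c", "Makefile"]):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(f"constructed sample file: {name}\n")
        os.utime(path, (1_000_000 + i, 1_000_000 + i))  # different mtimes, as a real build leaves
    return directory


def builds_are_identical(source_dir, normalize):
    """Build twice from two different readdir orders and compare the digests.

    ``listing`` stands for what the filesystem handed us; reversing it plays the
    role of disorderfs returning the same entries in another order.
    """
    listing = os.listdir(source_dir)
    first = sha256_hex(build_tarball(source_dir, list(listing), normalize))
    second = sha256_hex(build_tarball(source_dir, list(reversed(listing)), normalize))
    return first == second


if __name__ == "__main__":
    tree = make_sample_tree()
    print("naive build reproducible:     ", builds_are_identical(tree, normalize=False))  # False
    print("normalized build reproducible:", builds_are_identical(tree, normalize=True))   # True
```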

    Other
    • Improved strip-nondeterminism, our tool to remove specific nondeterministic information after a build:
      • Match more styles of Java .properties files.
      • Remove hyphen from "non-determinism" and "non-deterministic" throughout package for consistency.
    • Improvements to our testing infrastructure:
      • Improve the top-level navigation so that we can always get back to "home" of a package.
      • Give expandable elements cursor: pointer CSS styling to highlight they are clickable.
      • Drop various trailing underlined whitespaces after links.
      • Explicitly log that build was successful or not.
      • Various code-quality improvements, including preferring str.format over concatenation.
    • Miscellaneous updates to our filter-packages internal tool:
      • Add --random=N and --url options.
      • Add support for --show=comments.
      • Correct ordering so that --show-version runs after --filter-ftbfs.
      • Rename --show-ftbfs to --filter-ftbfs and --show-version to --show=version.
    • Created a proof-of-concept reproducible-utils package to contain commonly-used snippets aimed at developers wishing to make their packages reproducible.


    I also submitted 92 patches to fix specific reproducibility issues in advi, amora-server, apt-cacher-ng, ara, argyll, audiotools, bam, bedtools, binutils-m68hc1x, botan1.10, broccoli, congress, cookiecutter, dacs, dapl, dateutils, ddd, dicom3tools, dispcalgui, dnssec-trigger, echoping, eekboek, emacspeak, eyed3, fdroidserver, flashrom, fntsample, forkstat, gkrellm, gkrellm, gnunet-gtk, handbrake, hardinfo, ircd-irc2, ircd-ircu, jack-audio-connection-kit, jpy, kxmlgui, libbson, libdc0, libdevel-cover-perl, libfm, libpam-ldap, libquvi, librep, lilyterm, mozvoikko, mp4h, mp4v2, myghty, n2n, nagios-nrpe, nikwi, nmh, nsnake, openhackware, pd-pdstring, phpab, phpdox, phpldapadmin, pixelmed-codec, pleiades, pybit, pygtksourceview, pyicu, python-attrs, python-gflags, quvi, radare2, rc, rest2web, roaraudio, rt-extension-customfieldsonupdate, ruby-compass, ruby-pg, sheepdog, tf5, ttf-tiresias, ttf-tiresias, tuxpaint, tuxpaint-config, twitter-bootstrap3, udpcast, uhub, valknut, varnish, vips, vit, wims, winswitch, wmweather+ & xshisen.

    Debian GNU/Linux
    Debian LTS

    This month I have been paid to work 15 hours on Debian Long Term Support (LTS). In that time I did the following:
    • "Frontdesk" duties, triaging CVEs, etc.
    • Authored the patch & issued DLA 596-1 for extplorer, a web-based file manager, fixing an archive traversal exploit.
    • Issued DLA 598-1 for suckless-tools, fixing a segmentation fault in the slock screen locking tool.
    • Issued DLA 599-1 for cracklib2, a pro-active password checker library, fixing a stack-based buffer overflow when parsing large GECOS fields.
    • Improved the find-work internal tool adding optional colour highlighting and migrating it to Python 3.
    • Wrote an lts-missing-uploads tool to find mistakes where there was no corresponding package in the archive after an announcement.
    • Added optional colour highlighting to the lts-cve-triage tool.
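A defensive check for the archive-traversal class fixed in extplorer above, as an added Python example that is not extplorer's code or the DLA's patch: each member name is resolved under the extraction root and anything that is absolute or climbs out via ".." (in either slash style) is rejected before a single byte is written. The extraction root /srv/upload and the zip contents are constructed placeholders.

```python
import io
import os
import zipfile


class ArchiveTraversalError(ValueError):
    """An archive member would be written outside the extraction root."""


def safe_member_path(root, member_name):
    """Return the absolute destination for ``member_name`` under ``root``.

    Raises ArchiveTraversalError for absolute names, Windows drive-letter names
    and any name whose normalised form climbs above ``root`` via '..'.
    ``root`` need not exist; realpath() only normalises the string in that case.
    """
    root = os.path.realpath(root)
    # Archives created on Windows may carry backslash separators; treat both the same.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ArchiveTraversalError(f"absolute path in archive: {member_name!r}")
    target = os.path.realpath(os.path.join(root, name))
    # After normalisation the destination must still lie under root.
    if os.path.commonpath([root, target]) != root:
        raise ArchiveTraversalError(f"member escapes extraction root: {member_name!r}")
    return target


def audit_zip(data, root):
    """Classify every member of an in-memory zip without extracting anything.

    Returns (accepted, rejected) lists of member names. Refusing the whole archive
    when ``rejected`` is non-empty is the conservative choice for an upload handler.
    """
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                safe_member_path(root, info.filename)
            except ArchiveTraversalError:
                rejected.append(info.filename)
            else:
                accepted.append(info.filename)
    return accepted, rejected


def build_sample_zip():
    """Constructed fixture: two benign members and three that try to leave the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign")
        zf.writestr("a/b/../c.txt", "benign: normalises to a/c.txt, still under root")
        zf.writestr("../../outside.txt", "climbs above the root")
        zf.writestr("/absolute.txt", "absolute path")
        zf.writestr("..\\..\\outside.txt", "same escape with backslashes")
    return buf.getvalue()


if __name__ == "__main__":
    accepted, rejected = audit_zip(build_sample_zip(), "/srv/upload")  # placeholder root
    print("accepted:", accepted)
    print("rejected:", rejected)
```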

    Uploads
    • redis 2:3.2.3-1 New upstream release, move to the DEP-5 debian/copyright format, ensure that we are running as root in LSB initscripts and add a README.Source regarding our local copies of redis.conf and sentinel.conf.
    • python-django:
      • 1:1.10-1 New upstream release.
      • 1:1.10-2 Fix test failures due to mishandled upstream translation updates.

    • gunicorn:
      • 19.6.0-2 Reload logrotate in the postrotate action to avoid processes writing to the old files and move to DEP-5 debian/copyright format.
      • 19.6.0-3 Drop our /usr/sbin/gunicorn{,3}-debian and related Debian-specific machinery to be more like upstream.
      • 19.6.0-4 Drop "template" systemd .service files and point towards examples and documentation instead.

    • adminer:
      • 4.2.5-1 Take over package maintenance, completely overhauling the packaging with a new upstream version, move to virtual-mysql-server to support MariaDB, updating package names of dependencies and fix the outdated Apache configuration.
      • 4.2.5-2 Correct the php5 package names.




    FTP Team

    As a Debian FTP assistant I ACCEPTed 90 packages: android-platform-external-jsilver, android-platform-frameworks-data-binding, camlpdf, consolation, dfwinreg, diffoscope, django-restricted-resource, django-testproject, django-testscenarios, gitlab-ci-multi-runner, gnome-shell-extension-taskbar, golang-github-flynn-archive-go-shlex, golang-github-jamesclonk-vultr, golang-github-weppos-dnsimple-go, golang-golang-x-time, google-android-ndk-installer, haskell-expiring-cache-map, haskell-hclip, haskell-hdbc-session, haskell-microlens-ghc, haskell-names-th, haskell-persistable-record, haskell-should-not-typecheck, haskell-soap, haskell-soap-tls, haskell-th-reify-compat, haskell-with-location, haskell-wreq, kbtin, libclipboard-perl, libgtk3-simplelist-perl, libjs-jquery-selectize.js, liblemon, libplack-middleware-header-perl, libreoffice, libreswan, libtest-deep-json-perl, libtest-timer-perl, linux, linux-signed, live-tasks, llvm-toolchain-3.8, llvm-toolchain-snapshot, lua-luv, lua-torch-image, lua-torch-nn, magic-wormhole, mini-buildd, ncbi-vdb, node-ast-util, node-es6-module-transpiler, node-es6-promise, node-inline-source-map, node-number-is-nan, node-object-assign, nvidia-graphics-drivers, openhft-chronicle-bytes, openhft-chronicle-core, openhft-chronicle-network, openhft-chronicle-threads, openhft-chronicle-wire, pycodestyle, python-aptly, python-atomicwrites, python-click-log, python-django-casclient, python-git-os-job, python-hypothesis, python-nosehtmloutput, python-overpy, python-parsel, python-prov, python-py, python-schema, python-tackerclient, python-tornado, pyvo, r-cran-cairo, r-cran-mi, r-cran-rcppgsl, r-cran-sem, ruby-curses, ruby-fog-rackspace, ruby-mixlib-archive, ruby-tzinfo-data, salt-formula-swift, scapy3k, self-destructing-cookies, trollius-redis & websploit.

    18 August 2016

    Norbert Tretkowski: No MariaDB MaxScale in Debian

    Last weekend I started working on a MariaDB MaxScale package for Debian, of course with the intention to upload it into the official Debian repository. Today I got pointed to an article by Michael "Monty" Widenius he published two days ago. It explains the recent license change of MaxScale from GPL to BSL with the release of MaxScale 2.0 beta. Justin Swanhart summarized the situation, and I could not agree more. Looks like we will not see MaxScale 2.0 in Debian any time soon...
