Search Results: "teddy"

10 July 2020

Enrico Zini: Wait until a command opened a file

In my last post I wrote:
The sleep 0.3s is needed because xdg-open exits right after starting the program, and when invoked by mutt it means that mutt could delete the attachment before evince has a chance to open it. I had to use the same workaround for sensible-browser, since the same happens when a browser opens a document in an existing tab. I feel like writing some wrapper about all this that forks the viewer, then waits for an IN_OPEN event on its argument via inotify before exiting.
I wrote it: https://github.com/spanezz/waitused/
$ ./waitused --help
usage: waitused [-h] path ...
Run a command exiting only after it quits and a given file has been opened and
closed
positional arguments:
  path        file to monitor
  command     command to run
optional arguments:
  -h, --help  show this help message and exit
This works around situations like mutt deleting the temporary attachment file after run-mailcap is run, while run-mailcap runs a program that backgrounds before opening its input file. Example
waitused file.pdf xdg-open file.pdf
waitused file.pdf run-mailcap file.pdf
Example ~/.mailcap entry
application/pdf; waitused -- %s xdg-open %s; test=test -n "$DISPLAY"
Update: Teddy Hogeborn pointed out that the initial mailcap entry would fail on files starting with a dash. I added -- for waitused, but unfortunately there seems to be no way at the moment to have xdg-open open files starting with a dash (see: #964949).
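As an added illustration (not the waitused code from the repository linked above), here is a minimal Python version of the same idea: start the command, then block on an inotify watch of the file until an IN_OPEN followed by an IN_CLOSE event has been seen and the command itself has exited. It calls glibc's inotify functions through ctypes, so it is Linux-only, and the timeout argument is my own addition so that a command which never opens the file cannot hang the caller (and, in the mutt case, the attachment cleanup) forever.

```python
import ctypes
import os
import select
import struct
import subprocess
import sys
import time

# Event masks from <sys/inotify.h>.
IN_OPEN = 0x00000020
IN_CLOSE_WRITE = 0x00000008
IN_CLOSE_NOWRITE = 0x00000010
IN_CLOSE = IN_CLOSE_WRITE | IN_CLOSE_NOWRITE
IN_NONBLOCK = os.O_NONBLOCK  # inotify.h defines IN_NONBLOCK as O_NONBLOCK

_libc = ctypes.CDLL("libc.so.6", use_errno=True)  # Linux only
_EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len


def _watch(path):
    """Return a non-blocking inotify fd watching open/close events on path."""
    fd = _libc.inotify_init1(IN_NONBLOCK)
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    wd = _libc.inotify_add_watch(fd, os.fsencode(path), IN_OPEN | IN_CLOSE)
    if wd < 0:
        err = ctypes.get_errno()
        os.close(fd)
        raise OSError(err, "inotify_add_watch failed for %s" % path)
    return fd


def _drain(fd):
    """Yield the mask of every event currently queued on the inotify fd."""
    try:
        buf = os.read(fd, 65536)
    except BlockingIOError:
        return
    pos = 0
    while pos + _EVENT_HDR.size <= len(buf):
        _, mask, _, namelen = _EVENT_HDR.unpack_from(buf, pos)
        pos += _EVENT_HDR.size + namelen  # name is empty for a file watch
        yield mask


def waitused(path, command, timeout=30.0):
    """Run command and return its exit status, but only once path has been
    opened and then closed (by any process) AND the command has exited.
    Raises TimeoutError if that does not happen within timeout seconds
    (the timeout is an assumption of this example, not a waitused feature)."""
    fd = _watch(path)
    try:
        proc = subprocess.Popen(command)
        opened = closed = False
        deadline = time.monotonic() + timeout
        while not (opened and closed and proc.poll() is not None):
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise TimeoutError("%s not opened and closed within %ss" % (path, timeout))
            # Wake up on inotify activity, or periodically to re-poll the child.
            select.select([fd], [], [], min(remaining, 0.2))
            for mask in _drain(fd):
                if mask & IN_OPEN:
                    opened = True
                elif opened and mask & IN_CLOSE:
                    closed = True
        return proc.returncode
    finally:
        os.close(fd)


if __name__ == "__main__":
    # usage: waitused.py PATH COMMAND [ARG...]
    sys.exit(waitused(sys.argv[1], sys.argv[2:]))
```

Because the close is detected via inotify rather than by the child exiting, the wrapper also copes with a command like xdg-open that backgrounds the real viewer and returns at once.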

22 April 2016

Matthew Garrett: Circumventing Ubuntu Snap confinement

Ubuntu 16.04 was released today, with one of the highlights being the new Snap package format. Snaps are intended to make it easier to distribute applications for Ubuntu - they include their dependencies rather than relying on the archive, they can be updated on a schedule that's separate from the distribution itself and they're confined by a strong security policy that makes it impossible for an app to steal your data.

At least, that's what Canonical assert. It's true in a sense - if you're using Snap packages on Mir (ie, Ubuntu mobile) then there's a genuine improvement in security. But if you're using X11 (ie, Ubuntu desktop) it's horribly, awfully misleading. Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty.

The problem here is the X11 windowing system. X has no real concept of different levels of application trust. Any application can register to receive keystrokes from any other application. Any application can inject fake key events into the input stream. An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site. As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security. Mir and Wayland both fix this, which is why Wayland is a prerequisite for the sandboxed xdg-app design.

I've produced a quick proof of concept of this. Grab XEvilTeddy from git, install Snapcraft (it's in 16.04), snapcraft snap, sudo snap install xevilteddy*.snap, /snap/bin/xevilteddy.xteddy. An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets. Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that's not going to respect your privacy.

The Snap format provides a lot of underlying technology that is a great step towards being able to protect systems against untrustworthy third-party applications, and once Ubuntu shifts to using Mir by default it'll be much better than the status quo. But right now the protections it provides are easily circumvented, and it's disingenuous to claim that it currently gives desktop users any real security.


10 February 2014

Mario Lang: Neurofunkcasts

I have always loved Drum and Bass. In 2013 I rediscovered my love for Darkstep and Neurofunk, and found that these genres have developed quite a lot in the recent years. Some labels like Black Sun Empire and Evol Intent produce mixes/sets on a regular basis as podcasts these days. This article aggregates some neurofunk podcasts I like a lot, most recent first. Enjoy 33 hours and 57 minutes of fun with dark and energizing beats. Thanks to BSE Contrax and Evol Intent for providing such high quality sets. You can also see the Python source for the program that was used to generate this page.

30 August 2010

Tim Retout: Hacking

Here in the UK we've had a bank holiday weekend. Usually I would have gone to Cambridge for the Debian BBQ, but this year I joined forces with Thomas Adam for some SmoothWall Express on Debian hacking. There are several challenges involved in moving the SWE3 code from its native distribution to Debian; this weekend we worked around some of the permissions problems. On SWE3, the web server and most of the service daemons run as the user 'nobody'. This means that the web server can write out configuration files as the same user as everything else; it can also read the system log files. When the web interface needs to run a privileged action (like setting firewall rules), it sends a command to 'smoothd', which is a daemon running as root. (Admin ssh access is always directly as the root user.) However, web servers in Debian tend to run as user 'www-data', which does not have permission to read log files. Similarly, writing out configuration files as that user would mean that any cgi script (not just ones in the swe3 package) could modify them. I would prefer to run the swe3 cgi scripts as a separate user, and grant this user permission to view logs etc. This debian-webapps thread makes it sound very easy, but if you want to do that with cgi scripts rather than fastcgi, I think you have to run a separate web server for each user. On Sunday afternoon, in a dramatic display of corner-cutting, I gave up on that approach and added www-data to the 'adm' and 'proxy' groups in the postinst. Thomas heroically patched all the cgis to call the "config writers" via smoothd, although I'm wondering whether some careful use of the chgrp command in the postinst might be better than running that code as root. Another hack: in order to actually start a firewall, we needed to know which network card is the "RED" interface, in SWE3 terms; i.e. which one is meant to be the public-facing network device. It's also nice to know which one is "GREEN". 
So two debconf questions and some hardcoded magic numbers later, we have a basic firewall init script. Lovely. Oh, and at some point I removed the htaccess file, so any user on your network can mess with your firewall. Should probably fix that. Today I started some awful scripts which use Simple-CDD to build an iso containing all the packages we want. We are going to need to extend the networking configuration in the installer to set up multiple network cards. Then we need to figure out a nicer way of assigning IP addresses to devices; unlike on the proprietary version of the product, there seems to be no web configuration of network settings in Express. I've not figured all of this out yet. So, in summary: we are deliberately trading some technical debt in order to quickly produce an initial release that might interest people. (But please note the disclaimer of warranty in the README file in that directory.) And in other news, I've been working at Smoothwall Ltd. for just over one year. Hmm. So this is what they call 'experience'.

11 February 2008

Joachim Breitner: How to fork privately

A few days ago, I asked how to fork a Debian package privately. I got some responses by comments, e-mail and other blog posts, and I want to summarize the tools that were suggested. I have not really tried them, just looked at the webpages, the documentation or the source code. I'm only including Debian-specific solutions, as using Gentoo might be nice, but is out of scope here :-) I also deleted half the text before saving it, and I hate rewriting stuff, so it might be a bit terse.

debtoo

Eddy Petrișor tells me about his three year old project debtoo, which wants to bring a Gentoo-like experience to Debian. While it probably provides what I need, it feels too big in that it has a more general aim than what I'm looking for. It is not in Debian and not actively developed in the last two years.

srcinst

Eddy also tells me about srcinst, which is a small Haskell program written by jgoerzen in 2005. This is more a proof-of-concept that builds a package and all necessary build-dependencies without using a binary package, but does not allow for patches to be applied. It is in Debian, actively maintained, but not developed, and barely documented (just an IRC log).

apt-build

A similar tool and also in Debian is apt-build. This package is created to compile packages for optimization (as it asks half a dozen compiler-flag questions with debconf during the installation). It allows the user to apply a patch to the source, but it has to be passed as a command line option, and patches seem not to be tracked. Not much development in the last year, and not much documentation.

debpatch

Not to be confused with the program in the debdelta package is the debpatch tool by Victor Hsieh which Carsten Hey told me about. Also written in 2005, this comes closest to what I want. For every package you want to modify, you can configure it to apply patches to the source, to add patches to the debian/patches directory or to statically replace files in the generated binary, and it puts the result in a local apt repository. No code yet to track new versions of the packages and no support for pbuilder though. This Perl script is not yet in Debian, but is available as a Debian package and seems to have seen some development in the last years. Quick Googling does not return any user reports; has anyone already tried this?

customdeb

Somewhat in this direction goes the script that I wrote two weeks ago for a totally different project, customdeb, but it is aimed at binary Debian files exclusively, and debpatch already supports replacing files in the binary package.

Summary

I found a few projects that go in a similar direction, and one that seems to fit my needs quite well. All of them are not widely used and in a very early state of development. I'm actually surprised that this is not an itch more people had to scratch! I will have a closer look at debpatch when I find the time and maybe, if found useful, see if it can be included in Debian, probably after a name change, since we already have a debpatch binary.

Joachim Breitner: Ways to fork privately

A few days ago, I asked how to fork a Debian package privately. I got some responses by comments, e-mail and other blog posts, and I want to summarize the tools that were suggested. I have not really tried them, just looked at the webpages, the documentation or the source code. I'm only including Debian-specific solutions, as using Gentoo might be nice, but is out of scope here :-) I also deleted half the text before saving it, and I hate rewriting stuff, so it might be a bit terse.

debtoo

Eddy Petrișor tells me about his three year old project debtoo, which wants to bring a Gentoo-like experience to Debian. While it probably provides what I need, it feels too big in that it has a more general aim than what I'm looking for. It is not in Debian and not actively developed in the last two years.

srcinst

Eddy also tells me about srcinst, which is a small Haskell program written by jgoerzen in 2005. This is more a proof-of-concept that builds a package and all necessary build-dependencies without using a binary package, but does not allow for patches to be applied. It is in Debian, actively maintained, but not developed, and barely documented (just an IRC log).

apt-build

A similar tool and also in Debian is apt-build. This package is created to compile packages for optimization (as it asks half a dozen compiler-flag questions with debconf during the installation). It allows the user to apply a patch to the source, but it has to be passed as a command line option, and patches seem not to be tracked. Not much development in the last year, and not much documentation.

debpatch

Not to be confused with the program in the debdelta package is the debpatch tool by Victor Hsieh which Carsten Hey told me about. Also written in 2005, this comes closest to what I want. For every package you want to modify, you can configure it to apply patches to the source, to add patches to the debian/patches directory or to statically replace files in the generated binary, and it puts the result in a local apt repository. No code yet to track new versions of the packages and no support for pbuilder though. This Perl script is not yet in Debian, but is available as a Debian package and seems to have seen some development in the last years. Quick Googling does not return any user reports; has anyone already tried this?

customdeb

Somewhat in this direction goes the script that I wrote two weeks ago for a totally different project, customdeb, but it is aimed at binary Debian files exclusively, and debpatch already supports replacing files in the binary package.

apt-src

Also a related tool Carsten Hey told me about is apt-src. This tool wants to provide apt-like features for source packages. It allows you to install sources somewhere, upgrade the source and build binary packages from them. It does not really hide the sources from the user and seems to be created for people who want to work with the source somehow. If you have local changes to the sources, it can try to merge them with the new version, but these changes are not kept as a separate patch but only as implicit changes. If that were different, it would seem to be a very nice tool. It's written by Joey Hess, but he abandoned it in 2004. Since then, not much development has happened.

debnest

Yet another approach is taken by debnest, which Peter Makholm took over. Here, you create a full Debian source package with a debian/ directory containing a control and rules file etc., but besides the debian/ directory, it contains just the packed sources (.dsc et al) from another package. In your debian/rules, you can specify your changes. I can see no support for tracking new versions of the inner package, but at least this project is maintained and in Debian.

Summary

I found a few projects that go in a similar direction, and one that seems to fit my needs quite well. All of them are not widely used and in a very early state of development, and it seems to be something people start to work on and quickly lose interest in. I'm actually surprised that this is not an itch more people had to scratch! I will have a closer look at debpatch when I find the time and maybe, if found useful, see if it can be included in Debian, probably after a name change, since we already have a debpatch binary. Or maybe I should try to add support for what I need to apt-src, which seems to be the most advanced of all these programs, although it's been unmaintained for longer than the others have existed.

Update: Added apt-src.

Update 2: Added debnest.

22 May 2007

Erich Schubert: Birthday dancing

Tonight I turned 27. By chance, this fell onto a Tuesday, and there is a great dancing party every Monday. This Monday, there was also a great band, the Souvenirs. They're pure fun and great for dancing - so I obviously opted to celebrate my birthday there. This probably was the nicest birthday party I've ever had: lots of friends showed up (though mostly girls, but that's fine with me :-)), we danced a lot. And danced. And danced. :-) And I'll probably spend some more hours dancing later this day. And with dancing I mean: Swing, Lindy Hop, Balboa. I just love this music and these dances. So playful, sometimes cheeky - swinging...
Would you like to swing on a star
Carry moonbeams home in a jar
Today's music was also great, a nice speed and patterns you could play with... I don't know what it is, adrenaline?, that makes dancing so much fun. And probably the communication. Dancing is all about communication. There was this class titled "Moves that make the follow smile" once... That is the best moment in a dance, when you managed to lead the follow into some slight variations or some fun move matching the music, it worked out great and you see this flash of delight in their face... this "I'm not sure what we just did, but it felt just so right"-smile. The "I didn't know we could do that"-smile. That's what I'm striving for. Sometimes there are some moments in a song where this works out great, and occasionally there is a song where it works out through most of the song. These are the really great moments when dancing. Sorry, no pictures or videos. Just memories. Keep on swingin'! I'm really looking forward to events such as Senigallia (Summer Jamboree) or the Munich Lindy Exchange. And of course our regular events here in Munich, such as our Thursday open air get-together at Hofgarten, Sundays in Salon Erna and Mondays in Cord.

13 April 2007

Jaldhar Vyas: That LILUG Talk

As mentioned previously I was invited to talk about Debian at the Long Island Linux User Group. Much to my embarrassment I had forgotten I had actually spoken at this venue before way back in 2003. But the audience (which of course included many members who had joined since then) were receptive, and asked lots of questions which I like. I did my "Three Pillars of Debian" talk updated for Etch with snazzy new slides — feel free to use them in your own presentations if you like. I was supposed to speak for two hours and ended up speaking for three. So hopefully I managed to impart some useful information and maybe make some new recruits. I would like to publically thank John Teddy and all the people at LILUG for inviting me. Also, note for the future: I really ought to learn how to correctly pronounce Hocevar. Sam, you should put up an audio clip somewhere.

11 March 2007

Annabelle Tully: Horror

In between working late and moving, I went for a relaxing weekend to my parents. Though I ended up going out for a poker night. After passing out in a pram full of teddy bears, I was awakened a couple of hours later by my phone ringing. My sister was in a panic and asked if I was at home with my parents.
She informed me that my father had passed out while he was talking on the phone with her and made strange noises that sounded like his lungs were being emptied.
I panicked; being far away and in the middle of nowhere with no car, I had to wait 45 minutes for a bus, which took roughly 30 minutes to get back home to my parents.
We didn't know what had happened, we could not get hold of my mother and thought my father had had a stroke or heart attack with no one around.
We eventually got hold of my mother, who had called an ambulance, which refused to pick him up because my dad was conscious at the time of their arrival. Bastards.
After busing and running home I dragged him into the hospital and insisted that he have a CT scan.
Turns out he had had a non-epileptic seizure. Apparently it happens if you push yourself too much.
Having a fright like that really makes you appreciate the presence of those you love. In other news; Time and place of the Helsinki March event has been decided. Sign up, people!

17 September 2006

Zak B. Elep: Software Freedom Day 2006 - Manila

Yesterday, I was at the UP Engineering Theatre at Diliman to join in the worldwide Software Freedom Day celebration. I was supposed to be there earlier, but due to new work (and some new stuff to learn too ;) I woke up rather late that day. So, I found myself there in UP at around 3 o'clock in the afternoon, rather tired and sweating (note to self: walking around the campus and looking for the venue at that time is not a good idea) but also looking forward to having some FOSS fun with fellow FOSS enthusiasts. I found Dom, Jerome, Paolo, Dong, Charlton, Ian Dexter, and Doc Mana there at the theatre listening to the technical seminars that were held by PLUG as part of the celebration. This time, the TechSem was particularly interesting, due to the new student project presentations by UP Engineering students, covering areas as diverse as Embedded Linux and SMS-to-Speech technology. I missed the special video from Richard Stallman though, as it was shown earlier, but I was able to grab a copy thanks to Dom :D . In between presentations, there were also mini-matchups of Frozen Bubble, which drove the (mostly geeky) crowd crazy with the rocking music and players' itches. Representative Teddy Casiño of Bayan Muna also dropped by later that day, to observe the goings-on as well as to bring his filing of the draft FOSS bill to the public fore. This bill has been much talked about in the PLUG list, where the especially cynical posters (me more or less included ;) had been taking their time nitpicking many of the details on the draft (especially on the section where it essentially says 'all your base are belong to us' ;) Turns out that RMS also saw some things that he thought needed improving (towards the end of his video, he took some time reflecting on the proposed bill,) and he wanted to see more emphasis on promoting FOSS to the education sector. Ubuntu CDs were also given away, as well as custom SFD/UP stickers.
I also finally got to meet the UnPLUG hackers who, with PLUG, jointly organized this year’s SFD.

2 August 2006

Evan Prodromou: 15 Thermidor CCXIV

I'm at the Wikimania hacking days today. We drove down from Montreal through Vermont and New Hampshire on Monday, stopping overnight in the beautiful town of Lincoln (New Hampshire) in the White Mountains. Amita June had a crappy ride on Monday -- she was unhappy and uncomfortable and let us know it at every possible opportunity. We stopped in Saint Johnsbury, VT for dinner, and she got some time to walk around and play, but beside that she was crabby. Tuesday morning was much better -- she had a big bagel from the Comfort Inn's breakfast buffet, and her Sleepy Bear teddy bear, and she was happy. Sleepy Bear is winning the war for hearts and minds in our house -- it's the bear that she's starting to sleep with more and more, and she makes a happy squeal when she sees it. This could be good or bad news. Anyways, we made it down to Cambridge (Massachusetts) aaaalmost in time for the beginning of Hacking Days. HD is the technical pre-conference for the more sociological and content-oriented Wikimania. I thought it was going to be mostly MW committers and Wikimedia sysadmins, but it's turned out to be huge. I think there are about 40-50 people here -- a just gigantic group. Anyways, I was sitting in the One Laptop Per Child office meeting room with about 30 hackers yesterday morning. I was about 20 minutes late, but I managed to find a seat anyways. Everyone was giving introductions, and up stand David Recordon, Jonathan Daugherty, and David Strauss, all of whom say they're there to help me with the OpenID MediaWiki extension. As everyone's talking, I realize Ward Cunningham is sitting right in front of me. The guy sitting next to me stands up to introduce himself, and says, "I'm Dan Bricklin, who many of you may know as the inventor of the spreadsheet..." Jeez. Anyways, the talk has been fast and furious. Yesterday was a long discussion about the state of Wikimedia servers, the upshot of which, for me, was: Holy Shit, Wikimedia is a big project.
I managed to talk to a ton of people, including Travis Derouin of wikiHow, Jason from Wikia, all the OpenID folks, etc. etc. Jonathan Daugherty and I actually got some hacking done, which was great.

The future of MediaWiki

This morning Brion Vibber and Tim Starling gave a discussion about the future of MediaWiki. The story? More cool features, I think. The OpenID will be part of it; incorporating a WYSIWYG editor like WikiWyg or FCKEditor into the software. Also, more AJAX-y features, which are coming up through the codebase right now. I think in a large way MW's future is going to be outside of Wikipedia proper. Some of the cooler developments using the MW as a platform include WiktionaryZ and Semantic MediaWiki, both of which provide a structured data substrate to wiki pages. They're not compatible, which I think is something that needs to happen at some point in the future, but they're very promising for future projects. Another big class of projects is bots -- like PyWikipediabot or some of the "vandal fighting" bots and interfaces, e.g. Tawkerbot. I think that MediaWiki is drifting from being a monolithic browser app more into a Web-based service, which will be really productive from a content-production and -maintenance point of view, but which is extremely challenging from the social point of view. Finally, I think the great explosion in the world of customized MW extensions and skins means a real marketplace for expanding the software is happening. I think this is pretty fabu, also. Some people have been discussing formalizing this ecology into a CPAN or JabberStudio-style site for hosting and organizing MW extensions. We'll see what happens with that, but if it comes around, I hope that it's named $wgForge. Maj and Amita June are running around Boston today... very slowly and carefully. They've got a brutal heat wave on here, and people are fainting and collapsing like wilting flowers. I think they're going to go places that have air conditioning, like museums and so forth.

10 January 2006

Joey Hess: wow!

Not every day you get an email like this:
link is the result of my work making mooix multilingual. It is twenty seven thousand lines. It assumes my VServer patch. It allows multiple users to communicate with the same mooix session at the same time in different languages, without ever seeing any language but their own unless that language is being spoken (via the "say" command or similar) by another user. That is, the two different users will be typing different commands in different languages, and seeing different languages (but hopefully the same semantic content!) in the output. Example runs are at link and link. These two scripts (the first in English and the second in Lojban) each have their users doing exactly the same actions, in effect, but with totally different results. Note that unless each specifically asks for the other language, the English user never sees Lojban, and vice versa.
Lojban! Mooix! Incredible.