
security through obscurity

Estimated read time: 1 minute

okay, this won't be a happy post either, but i thought i would just share a few links here.

first, there was this article about some microsoft ie security problem, and the opensource evangelists started to hype linux again for being open, etc, etc. you know the story.

the sad fact is that just being opensource, or let's say even having an open scm, will not guarantee that all the details are published. i want to pick a minor issue, so that i can be sure i don't publish any details here which may not be public.

let's take this commit. it's a bugfix, right? umm, if it were security-related, they would mention it. hm, no.

to make the long story short, the relevant cve is there, even secunia released an advisory.

i could add a few more details (no cve on the secunia page, the "from remote" is probably wrong), and finally draw some conclusions, but i would avoid that this time.

take care.


non-public scm for free software

Estimated read time: 2 minutes

i find it really interesting that some people think that the scm for free software doesn't matter that much. just think about the "open"suse buildscripts, where the svn (in which they are tracked) is closed, or about "free"bsd, where the perforce repos (where _real_ development happens) is not checkoutable anonymously.

and no, i'm not rms who says you must use a free scm to develop free software, i just think a public access to it would be nice.

of course there are other projects like archlinux as well (no anonsvn), but i didn't want to start with it, since this post is not (just) about distro wars.

ah and yes, the best of these is Debian where many maintainers use just a single huge generated diff and the real scm where they develop such diffs isn't public, either.

(finally a bad example is Ubuntu where the whole webapp behind the distro where all the bzr code and bugs are stored is closed source as well.)

so at the end it'll turn out that we're more free, without having any "open" or "free" in our name, without having a frugalware-legal@ and such? ;)

update:

the blacklist seems to grow.

see gentoo, where the releng repo isn't public, either.

another funny fact is that they refuse to give security support for the kernel, the base of your system..


new in git-1.5.6: git cvsexportcommit -W

Estimated read time: 1 minute

git-1.5.6 will be released soon (probably in a few weeks) and there are some interesting news in it.

one of them is the new git cvsexportcommit -W switch which makes it easy to do bi-directional changes between git and cvs.

to set up your local repo:

$ CVSROOT=$URL cvs co module
$ cd module
$ git cvsimport

this will do a fresh checkout of the cvs module and will import it to git. you will have two interesting git branches: origin is the "reference" one, you should not touch it, and you can work in master.

you can commit to master, etc.

then there are two tricky operations:

first, you may want to commit back your local commits.

to do this:

$ for i in $(git rev-list --reverse origin..master)
do
        git cvsexportcommit -W -c -p -u $i
done

second, you may want to fetch upstream changes and rebase your local changes on top of them:

$ git cvsimport -i
$ git rebase origin

that's all.

cookies go to Dscho in commit d775734. :)


interesting git talk

Estimated read time: 1 minute

yesterday somebody mentioned on #git this talk. it's not a real video, just audio + slides but it's really nice. i would say if the "Linus one" made you say "heh, this may be worth checking out" then this one will be the "hey, this one prevented me from learning things the hard way".

it's just one hour and it describes so many important tricks that i haven't encountered elsewhere yet.

just watch it.


fop 0.9x

Estimated read time: 2 minutes

uhm, this will be a long post, but i'll try to keep it short :)

a few words about fop. we write our documentation in asciidoc. asciidoc is plain text with a very simple markup, asciidoc can convert this to docbook. then docbook-xsl can convert this to .fo, finally fop can convert .fo to .pdf.

my problem with fop is that it's written in java and we just used the upstream binary. this is primarily a security problem.

so, about one and a half months ago i got the crazy idea to compile fop from source. of course the correct way to do this is to package the dependencies first. this is really an avalanche, because we didn't have too many generic java libs packaged, so i had to package many. namely:

jflex, piccolo, gnu.regexp, jarjar, jmock, qdox, easymock, hamcrest, iso-relax, relaxngdatatype, xsdlib, msv, xpp3, xpp2, gnu-crypto, apache-log4j, xmldb-api, ws-jaxme, dom4j, jdom, icu4j, jaxp, jaxp, xom, jaxen, rhino, batik, servletapi, jaf, gnuinetlib, gnumail, avalon-logkit, avalon-framework, commons-logging, commons-io and xmlgraphics-commons.

hm. that's 36. horrible ;)

the nice thing is that all these (except xmlgraphics-commons because classpath still lacks jpeg support) are compiled with the ecj/gcj toolchain, without any sun blob.

the other benefits are:

  • a native fop binary:
    $ file /usr/bin/fop
    /usr/bin/fop: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.0, dynamically linked (uses shared libs), stripped
  • now we got rid of fop-devel, since this version can both convert ttf fonts to xml ones (needed if you want to embed custom fonts into pdf) and convert fo documents to pdf ones.

yay!


message-ids

Estimated read time: 1 minute

ok, this post will be a bit generic, but it seems this is still totally new to some people. so, the Message-ID header in an email is ideally unique and you can easily use it to refer to an email in another discussion.

in this post i want to deal with 3 issues:

first, how to display it in your mail client. ok, this depends on your mua, in mutt, you need to add

unignore message-id
to your muttrc.

second, if you want to search for a message-id in a folder, that's your mua's task as well. in mutt, you can do it by for example

~i 200804281829.11866.henrikau@orakel.ntnu.no

the third trick isn't mua-specific. if you want to link the message, and the list is indexed by gmane, then you can just type

http://mid.gmane.org/200804281829.11866.henrikau@orakel.ntnu.no
and it'll redirect to
http://article.gmane.org/gmane.comp.version-control.git/80566

ok, that's all for today :)
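The three tricks above, as an added example that is not code from the original post: a small function that pulls the Message-ID out of a raw header block (joining folded continuation lines and matching the header name case-insensitively), plus helpers that build the mutt search pattern and the mid.gmane.org link. The sample header block is constructed; only the Message-ID value itself is the one quoted in the post.

```javascript
// Added example, not code from the original post. The header block below is
// constructed for the demonstration; the Message-ID is the one the post quotes.

// Split a raw RFC 5322 header block into logical header lines. A line that
// starts with space or tab continues the previous header ("folding"), and the
// first empty line ends the headers, so anything in the body is ignored.
function unfoldHeaders(raw) {
  const lines = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === "") break;
    if (/^[ \t]/.test(line) && lines.length > 0) {
      lines[lines.length - 1] += " " + line.trim();
    } else {
      lines.push(line);
    }
  }
  return lines;
}

// Return the first Message-ID value without its angle brackets, or null when
// the header is missing or not shaped like local-part@domain. Header names are
// case-insensitive, so "message-id:" and "MESSAGE-ID:" are accepted as well.
function extractMessageId(raw) {
  for (const line of unfoldHeaders(raw)) {
    const m = /^message-id:\s*<([^<>\s]+@[^<>\s]+)>\s*$/i.exec(line);
    if (m) return m[1];
  }
  return null;
}

// mutt pattern for the ~i trick shown in the post.
function muttSearchPattern(messageId) {
  return "~i " + messageId;
}

// The gmane redirector link shown in the post; null if no id was found.
function gmaneUrl(messageId) {
  return messageId === null ? null : "http://mid.gmane.org/" + messageId;
}

// Constructed sample: the Message-ID header is folded over two lines.
const SAMPLE_HEADERS = [
  "From: sender@example.invalid",
  "Subject: constructed sample message",
  "Message-ID:",
  " <200804281829.11866.henrikau@orakel.ntnu.no>",
  "",
  "Message-ID: <looks-like-a-header@but-is-in-the-body>",
].join("\r\n");

const id = extractMessageId(SAMPLE_HEADERS);
console.log(muttSearchPattern(id));
console.log(gmaneUrl(id));
```

The Message-ID is assigned by the sending software and ends up in the header verbatim, so the parser treats it as a lookup key only: it is fine for finding a message in a folder or on gmane, but not for deciding anything about who sent it or whether two messages really are the same.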


source highlight in asciidoc

Estimated read time: 1 minute

i recently packaged source-highlight, and asciidoc can nicely use it. an example page (example code using pacman-g2 bindings in 4 different languages) is available here. yay! :)

ungreedy regex in javascript

Estimated read time: 1 minute

a few days ago i wanted to use ungreedy regexs in javascript. first, let's see what an ungreedy regex is. look at the following example:

>>> "<p>foo</p><p>bar</p>".replace(/<p>f.*<\/p>/, '')
""

this is greedy. you want to get something like:

"<p>bar</p>"

right?

that would be ungreedy. in some other languages, there is a flag for this (php has 'U'), but in javascript, you need another trick:

>>> "<p>foo</p><p>bar</p>".replace(/<p>f.*?<\/p>/, '')
"<p>bar</p>"

and yes, that's what we wanted. also it works for .+?, and so on.

ah and as a side note, it seems '.' does not match newlines, so you'll have to work around it like:

>>> "<p>foo\nbar</p><p>baz</p>".replace(/<p>f[\s\S]*?<\/p>/, '')
"<p>baz</p>"
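The greedy, ungreedy and multi-line cases above, as an added example that is not code from the original post: each behaviour is wrapped in its own function so the results can be compared side by side, and the example goes a little beyond the post in two ways, with the `s` (dotAll) flag that newer javascript engines (ES2018 and later) offer as an alternative to the `[\s\S]` trick, and with a nested-tag input that shows where the ungreedy regex stops being a substitute for an HTML parser. The input strings and the helper names are constructed for the demonstration.

```javascript
// Added example, not code from the original post. Inputs are constructed.

// Greedy: ".*" runs to the LAST "</p>" it can reach, so the whole string goes.
function stripGreedy(html) {
  return html.replace(/<p>f.*<\/p>/, "");
}

// Ungreedy (lazy): ".*?" stops at the FIRST "</p>" that lets the match succeed.
function stripLazy(html) {
  return html.replace(/<p>f.*?<\/p>/, "");
}

// "." never matches "\n"; "[\s\S]" matches any character, newline included.
function stripLazyMultiline(html) {
  return html.replace(/<p>f[\s\S]*?<\/p>/, "");
}

// Same effect with the dotAll flag ("s"), available since ES2018.
function stripLazyDotAll(html) {
  return html.replace(/<p>f.*?<\/p>/s, "");
}

// Generalisation of the post's example: remove the first <p> element whose
// text starts with `prefix`. The prefix is escaped so that regex
// metacharacters in it ("1+1", "a.b") are matched literally.
function removeFirstParagraphStartingWith(html, prefix) {
  const escaped = prefix.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return html.replace(new RegExp(`<p>${escaped}[\\s\\S]*?<\\/p>`), "");
}

const SAMPLE = "<p>foo</p><p>bar</p>";          // constructed
const SAMPLE_NL = "<p>foo\nbar</p><p>baz</p>";  // constructed
const NESTED = "<p>foo <p>nested</p> tail</p>"; // constructed: lazy match ends too early

console.log(JSON.stringify(stripGreedy(SAMPLE)));         // ""
console.log(JSON.stringify(stripLazy(SAMPLE)));           // "<p>bar</p>"
console.log(JSON.stringify(stripLazy(SAMPLE_NL)));        // unchanged: "." stops at "\n"
console.log(JSON.stringify(stripLazyMultiline(SAMPLE_NL)));
console.log(JSON.stringify(stripLazy(NESTED)));           // leaves " tail</p>" behind
```

The NESTED case is the one to remember when a regex like this is used to strip markup before output: the lazy quantifier finds the first closing tag, not the matching one, so nested or malformed elements leave fragments behind. For anything that has to be robust against untrusted HTML, parse it with a real parser and remove elements from the tree instead.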


being accepted in gsoc 2k8

Estimated read time: 1 minute

ok, this is now official, i got paid for working on the C rewrite of git-merge during the summer ;)

just for fun, i collected some other projects with Hungarian students: samba, e17, freebsd, genmapp, xorg, drupal.


incremental bzr -> git conversion

Estimated read time: 1 minute

i recently had problems with bzr -> git conversion using tailor and now Lele pulled my patches so here is a mini-howto about how i did the conversion.

i did all this in a ~/scm/tailor/bitlbee dir (to convert the bitlbee bzr repo), but of course you can do it somewhere else, too.

create the dir and place there the tailor config. mine is like:

$ cat bitlbee.conf
[DEFAULT]
verbose = True

[bitlbee]
target = git:target
start-revision = INITIAL
root-directory = /home/vmiklos/scm/tailor/bitlbee
state-file = bitlbee.state
source = bzr:source
subdir = bitlbee.git

[bzr:source]
repository = /home/vmiklos/scm/tailor/bitlbee/bitlbee.bzr

[git:target]
repository = /home/vmiklos/scm/tailor/bitlbee/bitlbee.git

and here is the update script:

$ cat update.sh
#!/bin/sh -e
# run from the directory the script lives in, wherever it is invoked from
cd "$(dirname "$0")"
cd bitlbee.bzr
bzr pull
cd ..
tailor -c bitlbee.conf

to update the import daily i added the following to my crontab:

40 4 * * * ~/scm/tailor/bitlbee/update.sh >/dev/null 2>&1

and we're ready, you'll have a daily updated git import.

one minor note: the bitlbee.git dir is a non-bare repo and it's also a bzr repo, which is not a problem (you can clone it and gitweb handles it), but if you plan to switch to git later, you probably want to clone it once to get rid of that junk :)

© Miklos Vajna. Built using Pelican. Theme by Giulio Fidente on github.