Gentoo - 4

Today I managed to map the last few streets missing in the »west«-part of my hometown. I was very active in the last days and it makes lot's of fun (and is good for my health, driving up and down the mountains).

Beside that osm can make you addicted, it also seems to be epidemic. A friend of mine started mapping the nice city Veringenstadt (ok, to be honest, I never was there) and another one can't wait to get his hands on an own gps-device to continue mapping Köchersberg.

My next plans for osm are
a) map the rest of Murrhardt (at least the inner part)
b) get some more gps/osm-related stuff into gentoo (josm, tiles@home)

I'm happy to announce that I mentored Christian Hoffmann to become a new Gentoo Developer.

Christian did some PHP-security work for Gentoo recently, which is very important due to the high amount of security issues php had recently. Welcome on board and continue your good work.

Maybe you've read that I did some coordination on relicensing the old GATOS TV-Out code to make inclusion into the radeon driver possible (gatos was gpl, while xorg uses mit-license).

Now, shortly after that Alex Deucher started implementing tv-out in the randr-1.2-branch of the ati driver based on that code. randr-1.2 is the new and shiny stuff that will make future versions of xorg manage resolutions and output connectors much better. As you can see on the picture, today I played around with the new code and got it working (get Gentoo git-ebuild here).

As a short howto, on some cards (including mine), autodetection of the connector status doesn't work yet. You'll have to manually force the connector:

xrandr --addmode S-video 800x600
xrandr --output S-video --mode 800x600

This is especially exciting as it is the last features of my laptop that was missing for »full linux-compatibility« (some minor issues left, as the cardreader only reads sd at the moment, the modem needs a binary driver).

I recently wrote that I'm sometimes a bit unhappy how security issues are handled in free software project.

Now, to have some contrast, today I'll talk about an example how to do it right. Serendipity, the software I'm using to host this blog, had an SQL injection vulnerability. On the same day, they announced it and provide updated packages. The finder of the vulnerability is also mentioned. Now, it is only able to get password-hashes, many other projects probably would've treated this vulnerability as »low-impact« or something like that.
But beside that, they also provide some tipps how to check if the vulnerability has already been exploitet and suggest to change user passwords.

A while back, there was another vulnerability reported in serendipity. The authors said they don't think that it's really a vulnerability and it probably can't be used for anything evil. But anyway, an update was released and announced just to be sure.

Now, that's good security-work. The fact that serendipity has very few vulnerabilities at all already is very good. The fact they treat the few ones proper is even better. Some other projects should have a look at that.

It's an often told story that the free software community cares more about security. That it's much better because everyone can look at the code. While this may sometimes be true and I know many free software projects really care about security issues, often enough it's the exact opposite.

On 26.04., some guy called Marsu released an advisory about the GIMP. Loading files in the sunras-format can lead to a buffer overflow. Now, while it was silently fixed in svn, for a month they didn't put an advisory on their page and they didn't provide an update. Even with the release of new versions (2.2.15, 2.3.17), they somehow »forgot« to mention that it was a security-update.
Now, after looking into the NEWS-file (which is their Changelog), for 2.2.15 there's this little line:
- guard against a possible stack overflow in the Sunras loader (bug #433902)
They didn't mention the word »security«, they didn't give credits to Marsu, they didn't provide a reference to the advisory or the CVE-ID. Now, even worse, for 2.3.17, they forgot to mention that bug at all (it's probably part of the mentioned »lots of bug fixes«).

Now one might say this isn't that critical, because who uses sunras (I also never heared of that format before)? But think about this: I could mail someone a crafted sunras-file, saying it's an old image I found on some backup HD, together with the note that gimp can open it. I think it's not unlikely that someone might open it, especially with some intelligent social engineering. Beside that, EVERY SINGLE security bug should be taken serious.

Now, don't take me wrong. I love the GIMP, it's a great application. I also think that free software is an important precondition for secure software. But it's not the only thing. And as long as many people in the free software community treat security bugs like this, it's no better than those in the proprietary world.

I'm here at the Linux-Infotag 2007 from the linux user group Augsburg. It's a small and familiar event. Seems that there are a lot of freifunk-people (free wlan networks) in augsburg. On my way to Augsburg, fitting to the topic I had to switch trains in the linux-town Treuchtlingen.

I had a talk about 3D-Desktops (Linux 3D-Slides, OpenDocument). Will stay for some more hours.
It's nice to see more local linux events evolving.

Update: Some pictures from the LIT 2007

My laptop (Samsung P35) has an internal card reader (SD and MemoryStick) done by Ricoh. Several other laptops have this device. It's internally connected as a pcmcia-device and shows up as RICOH Bay1Controller on pccardctl ident.

For years now there was no way to get this thing running in linux, which stopped me from doing projects like having a crypto-key on a small SD-Card and insert that on boot. Now, finally someone did the job and reverse engineered the device: sdricohcs

In my first small tests, I could already download some photos from my digital camera card. No problems so far. Now, the only thing I'm really missing with linux on my laptop left is TV-Out (works with ati binary drivers, but they are unstable like hell). I heared some Xorg-devs are already working on it, so maybe I'll soon announce the »nearby 100%« support for Linux on Samsung P30/P35.

I wrote a few days ago (only in german) about my requests to the 1und1-support for information about the hardware of our rootserver (to complete the PCI ID database).

Now, after their first reply, I now got another mail with more useful information: They pointed me to the tool dmidecode, which can find lot's of information about the BIOS and the motherboard. Didn't know that before, it's also useful to find out the BIOS version on a running system.

Now, this looks like what I was looking for:
Handle 0x0002, DMI type 2, 8 bytes
Base Board Information
Manufacturer: FUJITSU SIEMENS
Product Name: D2030-A1

A thing that people often ask in the free software world: I can't program but I want to help out somewhere.

Theres one thing that's very simple to do for everyone using Linux. We have two tools called lspci and lsusb that look on the pci/usb-bus for installed devices. Each device has an ID, consisting of a vendor ID and a product ID. Everyone can check the own hardware if everything is detectet. For lspci, first run update-pciids, then lspci -v. Each »Unknown« represents some ID that's not in pci.ids. Report the exact device model name to the interface on http://pciids.sourceforge.net/.
For lsusb, run update-usbids and attach all usb devices you can find. lsusb doesn't show Unknown, if after a device number there's only a vendor name, then the ID is unknown. The usb.ids database is much more incomplete than the pci database. They don't have such a fancy interface as pciids, just send it to the current maintainer (listed in the file usually at /usr/share/misc/usb.ids or /usr/share/usb.ids).

Binary drivers are imho a hughe problem for free software. Nvidia, leading graphics company, has produced binary linux drivers for a long time and there was no way to get free software 3D-support on their cards.
A group of people is working at the moment on a free nvidia driver, the project is called nouveau. I now had a chance to test the nouveau driver on a nvidia card (nv43). It doesn't do much at the moment, but at least it runs glxgears almost smooth.

It's nice to see development on that front. We made a small video of glxgears running on nouveau. Oh, for all those who can't play theora, I put it up on youtube (but seriously, was just curious how youtube works and if it accepts theora).

Some experimental nouveau-ebuilds, maintained by pq from the nouveau-project, are here:
svn co https://svn.hboeck.de/nouveau-overlay

I live in a dormitory where I get cheap and fast internet access, but http only through a proxy. It's a pity to set this up in all apps every time I come here and disable it again when I wanna get online somewhere else, cause there's no centralized point to do so (there are many apps out there that just ignore http_proxy env var).
Now, it wasn't possible to directly forward http requests to the dormitory proxy, because it misses some options required for that. Maybe it's possible with more iptables skills, would require http-header rewriting.

My solution was setting up a local squid, forward requests via iptables to that and configure the dormitory proxy as a parent. I found that there's a lot of documentation out there, but also lot's of outdated stuff (squid configuration options significantly changed) and stuff you won't understand if you are no proxy-guru.

Now, some lines in my squid.conf:
http_port 7777 transparent
visible_hostname 127.0.0.1
acl local src [myip]/255.255.255.255
http_access allow local
cache_peer proxy.mynetwork.com parent 3128 3130 proxy-only

First line enables all Options required to allow transparent http and sets the port to 7777 (can be anything, just shouldn't collide with any service you might run). visible_hostname is required, something that resolves to localhost. The acl and http_access lines will deny any requests from other hosts, and finally, cache_peer sets the upstream proxy (just replace proxy.mynetwork.com with whatever your network proxy is).
Beside, there's some line starting with hierarchy_stoplist, you need to comment that out, else it won't allow you to use urls with GET variables.

Now, for the iptables-part, it's pretty simple:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:7777

I've now added squid to my default runlevel, it doesn't take that long to start. My network setup scripts contain above iptables-line for the dormitory and the squid is just ignored elsewhere. One problem though I haven't debugged enough to know the cause is that sometimes it seems to be unable to deliver POST vars, e. g. the function search of php.net doesn't work.

For your info, my system is Gentoo Linux with squid 2.6.9, iptables 1.3.7 and kernel 2.6.20.

Now, if you've been on the internet a bit longer, you may remember those sites at the end of the 90s telling you that they're »best viewed with a resolution of 1024x768 and the Microsoft Internet Explorer version 6.0". Luckily, most of those pages disappeared with the upcoming success of Mozilla Firefox and others (oh, there are still some, e. g. the cinema in my home town, but ie6 runs on wine).

As you may know, I'm a happy KDE user and have been using Konqueror as my everyday browser for some time now. Recently, I discovered more and more pages I couldn't use any more. I had to start this thing called Firefox. I don't like it, but that is not the point here.
I even noticed today that ebay has a new interface that konqueror doens't like.

This is a result of the more and more upcoming AJAX/JavaScript-stuff, which is often nice, I saw a lot of well designed web applications lately (ok, I saw a lot of crap, too). I'm not enough into JavaScript to know if it's the lack of support by Konqueror or the pages. I just hope that people will come together and find solutions for that. I remember that there was some discussion about using webcore (the khtml-fork used by apples safari) for konqueror, don't know if that would make it better, maybe some users of this drm-crippled system could comment on that.

Read about Metisse just yesterday. A new approach to fancy/3D-Desktops by Mandriva. Unlike compiz, metisse has features that let you actually use windows in transformed status. Mandriva has some videos (Edit 2016: link down, archived version and videos on youtube) that show you some of the features.

As you may already have expected, I couldn't wait to create some ebuilds, so fetch my overlay (which is still called xgl, but don't care about that) for fancy x stuff and run emerge metisse:
svn co https://svn.hboeck.de/xgl-overlay

At the moment it requires it's own X-Server (very much like luminocity or xgl in the past), the window and composite manager is a modified variant of fvwm. After installing, run Xmetisse :1 on one console and on another one metisse-start-fvwm -wd :1. You'll get a fancy new desktop inside a window.

At the moment it very much looks like a design study, not really intuitive to use, but it has some interesting approaches. Nice to see that the linux desktop is evolving. For all non-gentooers, Mandriva has a live CD for you.

Fluendo, a company working with gstreamer, recently announced the availability of commercial, binary codecs for some multimedia formats. They list WMA, WMV, MMS, MPEG-2, MPEG-4, ASF and MP3.

Now, this raises some interesting questions for me: Pretty much all those codecs are already well supported by free implementations, ffmpeg and others. The only exception I can see is WMA3, which is still unsupported by free alternatives, but rarely used. Even the latest Windows Media Video, based on VC-1, has recently gained support by ffmpeg. So from a technical viewpoint, the codecs are basically of very low importance.
The issue that they don't mention in their press release is probably: We provide you with commercial codecs and save you from patent threads. Now that raises the question of software patents. For europe it's very doubtful if the covered patents are legal at all - as we know the EU has rejected the »legalization« of software patents back in 2005, keeping the uncertain situation we had before.

In strategic considerations for the free software community, this case is probably similar to the Novell-Microsoft deal - and raises the same problems Bruce Perens pointed out in his Open Letter: If there's a »licensed« way to use MPEG and other patented formats in linux - then this might weaken the position of projects fighting software patent threats against free software.

So, if you think software patents should be abadoned (which every free software developer should do), raise your voice against questionable patent agreements with those companies earning their money from software patents.

I've just committed some compiz-related updates to Gentoo. First we now have version 0.3.6, the most interesting news is probably that it now has a working kde-window-decorator. gnome/kde-stuff is now only enabled on use-flags, so if you wanna continue to use gconf, you'll have to build compiz with the gnome-flag.
compiz-start tries to autodetect a running kde and then run the kde-window-decorator. If compiz-start fails for you, please report it, because I plan to deprecate all the compiz-aiglx/xgl/nvidia-scripts.

Beside that we now have compiz-settings in the tree, which is a simple configuration-tool for compiz and saves you from using gconf manually.