Linux - 4

A couple of projects exist for alternative router firmwares. I used to work with Buffalo Routers combined with DD-WRT.

Now DD-WRT became quite unusable for two reasons. First there was a Cross Site Request Forgery reported on bugtraq a while back, where one of the DD-WRT developers answered in a way that clearly showed he doesn't really understand what CSRF is - so already from a security point of view, DD-WRT seems to be a no-go.

Beside, DD-WRT development more or less is stale at the moment - there are commercial spin-offs and there's been some controversy if everything they did was compliant to the GPL. Fact is there were no new releases since several months - with open security bugs.

Now I've been looking for alternatives. What I'm looking for should be

• a ready-to-use router firmware with easy web-interface configuration from the start, not something like OpenWRT
• free software
• obviously, a project that handles security-reports in a sane way

For now, Gargoyle the only one suitable. It doesn't officially support my Hardware, but it works anyway. I haven't looked deeper into it (e. g. didn't do any security analysis myself), but it seems to do the basic tasks. If you have suggestions of other projects, please leave a comment.

A common way to check the health state of a hard disk is SMART. It gives various informations about occuring errors. In Linux, there's the smartmontools package containing tools to read SMART data of hard drives (smartctl -a /dev/[hddevice] gives you a bunch of information).

I found it always frustrating that SMART didn't work with USB drives. It's a standard bound to IDE/ATA. Although common USB-drives are internally IDE/SATA, sending the SMART commands to the drive requires proprietary extensions. But now, the smartmontools-developers have included support for some USB drives. It worked with the USB HDs I had available for testing.

There's no release yet containing the USB-support. If you're on Gentoo, you can fetch a live-CVS ebuild here.

Ich habe, wie ich kürzlich bereits erwähnt habe, auf den Chemnitzer Linux-Tagen die erste LPI-Prüfung abgelegt. Die LPI ist eine Institution, die Zertifizierungen für Linux-Kenntnisse anbietet. Es existieren verschiedene Levels, nach Bestehen der zweiten Prüfung darf ich mich dann LPIC-1 nennen.

Zwar darf ich natürlich zu konkreten Inhalten der Prüfungsfragen nichts sagen (das muss man während der Prüfung unterschreiben), möchte aber dennoch einige allgemeine Anmerkungen dazu loswerden.

Zunächst mein Haupt-Kritikpunkt: Die Prüfung bezieht sich auf alte Inhalte, und zwar auf sehr alte. Eine Frage bezog sich auf Spezifika eines 2.0-Kernels. Ich erinnere mich noch dunkel, dass zu der Zeit, als ich gerade mal anfing, mich mit Linux zu beschäftigen, gerade das Neuerscheinen von Kernel 2.4.0 ein heißes Thema war. Das ist nun schon knapp 10 Jahre her. Das war sicher das extremste Beispiel, aber es zieht sich durch mehrere Fragen durch. Nehmen wir jemanden, der sich sehr kompetent mit Linux auskennt, aber sich vielleicht erst seit 3 Jahren mit Linux beschäftigt. Er hätte schlicht das Problem, dass ihm xfree86 einfach nie begegnet ist. Bei den nicht gerade günstigen Preisen der Prüfung hätte ich schon erwartet, dass sie halbwegs dem aktuellen Stand der Entwicklung entsprechen.

Ein weiterer, sicher schon oft genannter Kritikpunkt, ist die Frage der (nicht vorhandenen) Distributions-Neutralität. Im Flyer des LPI wird explizit damit geworben wird, dass die Zertifizierungen Distributions-übergreifend seien. Das ist, um es deutlich zu sagen, schlicht gelogen. Es handelt sich nur um einen kleinen Teil der Fragen (bzgl. rpm), die man auch einfach weglassen könnte, es würde der Prüfung nichts nehmen.

Jenseits dessen noch eine eher grundsätzliche Anmerkung: Große Teile der Prüfung beziehen sich auf das mehr oder weniger Ausweniglernen von Befehlen und Parametern. Das ist natürlich komplett realitätsfern. In jeder realen Situation, in der meine Linux-Kompetenz gefordert ist, habe ich natürlich die Möglichkeit, mir die man-Pages und Dokumentationen von Programmen anzusehen. Insofern sollte man sich klar sein, dass ein LPI-Zertifikat auch nur sehr beschränkt Auskunft darüber gibt, wie fähig man tatsächlich mit einem Linux-System umgehen kann.

Ich bin mal wieder, wie in den Vorjahren auch schon, auf den Chemnitzer Linux-Tagen. Die Linux-Tage in Chemnitz gehören inzwischen zu einer der zentralen Veranstaltungen der freien Software-Community.

Morgen werde ich mich zum ersten Mal an einer LPI-Prüfung versuchen. Habe mich kaum vorbereitet und bin mal gespannt ob man das auch so schafft. Wenn es nicht klappt werde ich mir evtl. entsprechende Literatur zulegen und es erneut versuchen.

Bilder gibt's hier: https://pictures.hboeck.de/clt2009/

The free software projects for media playing did a good job in the past on supporting a wide variety of formats. From the common to many very obscure formats, current versions of the free software mediaplayers were usually able to play them. Today it's even common to suggest vlc for Windows users if they can't play unusual media formats.

Though there were a few exceptions, the most notable probably the long-time missing support for many of the Real formats. While these are rarely used today, many archived videos in the Internet still rely on it. For example, many german television stations provide real video files on their webpages.

Recently and without much public notion, ffmpeg first got support for RV40, some weeks later also for RV30. This fills a long time gap in free software support for video formats. ffmpeg is used by all major free software video players (vlc, xine, mplayer), so you should get the support within some time in all of them. For now, it's quite easy to checkout mplayer from subversion and build it on your own.

Want something to try out? Here's a video from Desert Planet in real format.

The only gap I know of a format that really got usage in the wild and that is not yet supported by free software is WMA3.

Die Linux User Group Backnang hat, wie auch in den letzten beiden Jahren, zu Weihnachten eine DVD herausgebracht, die vollgepackt ist mit freien und frei kopierbaren Inhalten aus dem Netz. Die Idee dabei ist, durch eine möglichst vielfältige Auswahl auf die große Menge freier Inhalte aufmerksam zu machen.

Im Gegensatz zu den Vorjahren war ich dieses Mal daran kaum beteiligt. Umso mehr freut es mich, dass es auch ohne mich geklappt hat. Also viel Spass mit der tuXmas DVD 2008.

As an FSFE fellow, I got interviewed for their webpage.

You can read it here.

The Free Software Foundation Europe has recently started a campaign promoting free PDF readers. The idea is to replace the tons of »Get Adobe Reader to view the PDF«-Buttons with ones that don't promote a proprietary product for viewing PDFs. On the page, they list a couple of free PDF readers for various operating systems.

While I fully support the intention of this campaign, I think there's a big strategic misconception. As a small sample, let's take this PDF (an old advertisement for a Linux installation party). It's created with Scribus, based on a transparent SVG tux image I got from Wikipedia. On the right, you can see the PDF rendered with Evince (one of the three Linux-based solutions listed there). The others (kpdf and okular), although based on the same poppler-libarary, show a different rendering, though it's not better.

Loading the same PDF in the only listed Windows program SumatraPDF (which will, sad but true, probably the one most people will look for) gives an even more interesting result (see on the left). Though, after resizing the window, it changes it's opinion and renders the PDF, although still broken as you can see on the right (results may be false as I only tried it in WINE).

Continuing with the problems, SumatraPDF is unable to fill in PDF forms. Luckily today Linux-based PDF readers are able to do that, though one of the listed programs (kpdf) is not.

In fact, those are no reasons not to start a campaign for free PDF readers. But it should start with a completely different focus, like »we have some coders wanting to improve free PDF readers, send us your wrong rendered PDFs« or something like that. And then start improving the free PDF readers. And then promote them. Doing it the other way round with a »there is no problem, just take a free PDF reader« message and then giving them ones with grave problems is just lying to people. There's a good reason why for example the Scribus project promotes the Adobe Reader.

Oh, and before you ask, yes, I have reported the bug about the misrendered transparency a long time ago.

Just saw yesterday that there were advertisements for the new Ubuntu 8.10 release (two days ago) in the subway of Berlin.

Quite cool, they also were advertising for the Ubuntu release party in the C-Base tonight (though I'm no longer in Berlin at the moment).

Recently there were some News that Lenovo does not like Linux any more. This was supported by comments like this at Lenovoblogs (by a Lenovo engineer):

»Again, what’s the incentive for us to start providing all of this intellectual property for free to the Linux community? You may say it drives support for Linux on ThinkPads and people would buy more ThinkPads as a result. I think that’s a dubious assertion at best.«
(the subject was driver support for switchable graphics on modern thinkpads and brings up some common urban legends about linux and driver support)

Sadly, I experienced one more place where Lenovo seems to shift away from a Linux friendly viewpoint: I tried to return the windows license of my new Thinkpad with a pre-made form by Lenovo itself (I got this from someone else by eMail, not from Lenovo directly). In the net, you can find tons of reports that it was easy for people to get money back for their windows licenses by Lenovo.

Though what I got was this:
»Leider können wir Ihrem Wunsch nach Rückerstattung der Kosten für das auf Ihrem Lenovo Produkt vorinstallierte Microsoft-Betriebssystem nicht entsprechen, da das Betriebssystem aus unserer Sicht einen integralen Bestandteil des jeweiligen Lenovo Produkts darstellt.«
(rough translation: We won't refund your windows-license, because we think it's an integral part of the product)

I find it hard to understand why Lenovo makes this shift. When running around on linux conferences in recent months, the number of thinkpads is hughe. While many other vendors shift to a much more free software friendly behaviour (think of AMD/ATI), Lenovo seems to go the different direction. It's especially strange because Lenovo is probably one of the few vendors that has a notable market share in the linux community.

By the way, I welcome any hints how I should continue with the windows refunding. I'd prefer not to capitulate yet (like I did with my last laptop by Samsung), and I assume the law is clearly on my side.

Update: As some of you asked, here is the form by Lenovo, though you'll probably just get the same reply I got.

Probably interesting, here you can find all EULAs from Microsoft. They are quite clear on the subject and say that you MUST return the windows license to the vendor if you don't agree to the EULA.

In the meantime, I wrote several messages about the issue to various people and instutitions. The FSFE is also working on the subject.

If you didn't know it, today is Software Freedom Day.

Just noticed that, when you surf to http://cgi.softwarefreedomday.org/map.shtml to look if there's something happening around you on SFD, you'll get a proprietary google map.

It seems that the organizers of the SFD can't look beyond one's own nose. I often saw this behaviour in parts of the free software movement (being ignorant about proprietary stuff if it's not software), but found this example especially frightening, as we have a well working alternative.

Today my new IBM/Lenovo Thinkpad T61 8895WFJ laptop arrived. While my P30 did a good job, it really was time to replace it.

I'm currently in the phase of installing Gentoo and getting used to the device, but I think it was a very good choice.

Beside the fact that Lenovos are probably popular for a reason, the 1400x1050-resolution, the well Linux-supported Intel-graphics and a quite acceptable weight (2,4 kg) were reasons for this model. I'm still in favour of 4:3 screens, because if you wanna have a 16:10 one with a decent resolution (e. g. > 1000 pixels height) they become either very expensive or very heavy. I still wonder why no vendor seems to produce 4:3 screens any more (from my research, not a single Montevina laptop has 4:3).

Some time soon you'll probably find some documentation about Linux on the T61 8895WFJ at http://www.int21.de/t61/.

I recently played around with the possibilities of fuzzing. It's a simple way to find bugs in applications.

What you do: You have some application that parses some kind of file format. You create lots (thousands) of files which have small errors. The simplest approach is to just change random bits. If the app crashes, you've found a bug, it's quite likely that it's a security relevant one. This is especially crucial for apps like mail scanners (antivirus), but pretty much works for every app that parses foreign input. It works especially well on uncommon file formats, because their code is often not well maintained.

My fuzzing tool of choice is zzuf.

I am impressed and a bit shocked how easy it is to find crashers and potential overflows in common, security relevant applications. My last discovery was a crasher in the chm parser of clamav.

Recently I was asked by a friend for a linux tool to extract ressources from windows exe files, especially icons. He used a windows tool in wine till then.

I said that this shouldn't be so hard and already started writing my own parser (I came to the point where I could extract headers and content separately), when I found that there already is an appropriate tool called wrestool. It's part of the icoutils package.

wrestool -o . -x filename.exe
will extract all ressources (icons, cursors etc.) to the current directory.

Seems with the latest versions of webkit-gtk and midori, a long-standing crasher-bug got fixed and it now allows you to run the browser-test ACID3.

I just bumped the webkit-gtk ebuild in Gentoo to the latest snapshot.

ACID3 is a test for the standards compliance of modern web browsers. I wrote about ACID2 some years ago.