Monday, March 3. 2008
Chemnitzer Linux-Tage 2008
Image by Fabian Fingerle
I attended rather few talks, but good ones (one on the »hacker paragraph« and one on spam). Unfortunately there will probably be no videos, but audio recordings should be available soon. I was also actively involved at the OpenStreetMap booth; Wikipedia kindly gave us a bit of space. For the future, though, we should rather have our own OpenStreetMap booths (for example at the Linux-Infotag in Augsburg). We should also bring OpenStreetMap closer to the organizers: the page with the directions only linked to map24. At least an alternative OSM link should be obligatory.

Friday, February 29. 2008
merkaartor, another editor for OpenStreetMap
After some more »out of memory«-messages by josm, I thought it's time to look out for alternatives.
For the openstreetmap-project, the two main editors are josm (java) and potlatch (flash). I think using java probably wasn't a very wise decision (I still wonder how an app can get »out of memory« after loading about 5 MB of images, do they create a pixel class and store every pixel in an object?) and I don't like flash either. There's another project called merkaartor and today I had a look. My first feeling is that it's promising. It has good performance, it does nice live-rendering and it supports the basic features (adding nodes and ways, up/downloading stuff to the osm-system). Sure, compared to the large list of plugin features josm has, it's limited. Maybe I'll try to hack in some bits I'm missing at the moment. In my continuing effort to improve gentoo for geo-related stuff, I've just added a merkaartor package to portage.

Tuesday, February 26. 2008
Manually decrypting S/MIME mails
I recently took the new CAcert assurer test. Afterwards, one has to send an S/MIME-signed mail to get a PDF-certificate.
Having the same problem as Bernd, the answer came in an RC2-encrypted S/MIME-mail. I'm using kmail, kmail uses gpgsm for S/MIME and that doesn't support RC2. While this opens some obvious questions (Why is anyone in the world still using RC2? Why is anyone using S/MIME at all?), I was able to circumvent that without the hassle of installing thunderbird (which was Bernd's solution). openssl supports RC2 and can handle S/MIME. And this did the trick:

    openssl smime -decrypt -in [full mail] -inkey sslclientcert.key

It needed the full mail, which took me a while, because I first tried to only decrypt the attachment.
Posted by Hanno Böck
in Code, Cryptography, English, Linux, Security
at
21:05
| Comments (0)
| Trackbacks (0)
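Why the S/MIME post above needed the full mail: an added example, not part of the original post, that encrypts a constructed message to a throwaway certificate and then feeds openssl the whole mail, the body alone, and the saved attachment. The key, certificate, addresses and message are constructed; AES is used instead of RC2 so it runs on OpenSSL builds that do not enable RC2 by default.

```shell
#!/bin/sh
# Added example. Key, certificate, addresses and message are constructed.

# try_decrypt LABEL FILE [extra openssl options...]
# Runs the page's decrypt command on FILE and reports whether the
# constructed plaintext came back.
try_decrypt() {
    label=$1; file=$2; shift 2
    out=$(openssl smime -decrypt "$@" -in "$file" \
            -inkey "$d/sslclientcert.key" 2>/dev/null | tr -d '\r') || out=''
    if [ "$out" = "$msg" ]; then echo "$label: decrypted"
    else echo "$label: failed"; fi
}

smime_demo() {
    d=$(mktemp -d) || return 1
    msg='constructed test message'

    # Throwaway recipient key and self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
        -keyout "$d/sslclientcert.key" -out "$d/cert.pem" 2>/dev/null || return 1

    # Encrypt to that certificate. The output is a complete mail:
    # MIME headers, a blank line, then the base64-encoded attachment.
    printf '%s\n' "$msg" | openssl smime -encrypt -aes256 \
        -from ca@example.org -to me@example.org -subject demo \
        -out "$d/full.eml" "$d/cert.pem" || return 1

    # 1. Whole mail: the default input format (SMIME) finds the
    #    enveloped data through the Content-Type header.
    try_decrypt 'full mail' "$d/full.eml"

    # 2. Body only, headers cut off: the SMIME parser has no
    #    Content-Type to go by and gives up.
    tr -d '\r' < "$d/full.eml" | sed '1,/^$/d' > "$d/body.b64"
    try_decrypt 'body only' "$d/body.b64"

    # 3. The attachment as a mail client saves it (decoded, binary
    #    smime.p7m): readable once the input format is named.
    base64 -d "$d/body.b64" > "$d/smime.p7m" || return 1
    try_decrypt 'smime.p7m with -inform DER' "$d/smime.p7m" -inform DER

    rm -rf "$d"
}

smime_demo
```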
Monday, February 18. 2008
OpenStreetMap talk in Karlsruhe
Yesterday I once again gave an OpenStreetMap introductory talk, this time at Entropia, the Karlsruhe branch of the CCC.
For this talk I significantly reduced the slides (download here as OpenDocument) and put the focus on actually showing software and interfaces. For people in Karlsruhe interested in OSM and geo topics: local meetings and activities are coordinated on the KA-Geo mailing list.

Friday, February 15. 2008
Time-syncing external devices like cameras, mobiles
I recently wrote about geo-tagged images. This makes use of the fact that different devices collect data and you can associate the data by the timestamp. It's most probably interesting for much more than gps/images.
While it's possible to get accurate timesetting by hand, it's usually not what you want. Preferably one wants to sync all devices with an internal clock automatically from the computer or some kind of network connection.

As a first step, we want to get our computer's time accurate. There are tons of tools out there, some linux distributions (and also windows xp) do this automatically on boot. I'm usually using rdate, it's small and simple:

    rdate -s [any public timeserver]

There's a list of public time servers here. Other tools like netdate, ntpdate etc. will do it as well.

Now, my digital camera is a Canon Ixus 50. It uses PTP (picture transfer protocol) for data communication. If you have a PTP camera, most likely it supports time syncing. Syncing the camera time to the system time was recently added to libgphoto svn, but it's not yet available in a release. It also doesn't support any timezone management yet, so I'll get GMT time (while I live in the CET zone). The command to do it is:

    gphoto2 --set-config synctime=on

If you don't have PTP, you're not completely lost. There's support for a lot of proprietary cameras in gphoto, some of them also support time syncing. Give it a try. I don't have information about usb storage devices (many cameras are just storage devices), links welcome.

Next device is my mobile phone, a Nokia 6230i. As a mobile phone is permanently connected to the GSM-network, the obvious option would be time syncing over gsm. This protocol exists and most phones (including mine) support that. But bad luck, many mobile providers don't support it. So I'm out of luck here (vodafone; pointers to information about different providers' support for that are welcome). Now, this device also speaks bluetooth, so timesetting via the computer should be possible.
Both gammu and gnokii (the common applications to talk with all those proprietary mobiles out there) have a timesetting-option, but it rounds down the time to zero seconds, thus making it useless for exact time. I'm not yet sure if this is a limitation of the hardware or a bug in the software. An option would be to send the timesync-signal at the moment seconds turn to zero, but that would require application support, as there's a relevant diff between the application call and the moment the time gets set (because you have to ack the connection on the phone). At the moment my phone needs manual timesetting, but the only data I'm collecting with it is gps-data, which gets its timestamp via gps, so this is fine.

Friday, February 8. 2008
openvas, the successor of nessus
Over two years ago, it was announced that the security scanner nessus will no longer be free software starting with version 3.0. Soon after that, several forks were announced. For a long time, none of these fork projects produced any output.
openvas was one of those forks and to my knowledge the only one that ever produced any releases. It recently had 1.0-releases for all packages, I just added ebuilds to gentoo. While openvas isn't perfect yet (many of the old plugins fail, because some files had to be removed due to unclear licensing), it's nice to see that we have a free, maintained security scanner again that will fill the gap left by nessus.

Monday, February 4. 2008
Geotagging Images
Recently geotagging of images gained some popularity due to some articles on popular news pages. I'm already using geotagged images regularly for my work on openstreetmap.
Geotagging images means that you add some metadata to the EXIF-header (part of JPEG-files) stating where the image was taken. Future cameras probably will include a gps module and will be able to do this automatically, but with today's hardware we need some extra work. Besides manually adding the coordinates, e.g. by clicking on a map, we can synchronize gpx tracks (a common format for recorded gps data) with our images. I'm usually recording gpx tracks on my mobile phone with Mobile Trail Explorer (a Java/J2ME-software) and an external bluetooth gps device.

Before starting, you should accurately set the clock of both devices (the camera and whatever you use to get gpx data). For my hardware I have to do this manually. The mobile phone (Nokia 6230i) supports timesetting via gsm, but my German mobile phone provider doesn't transport that signal. It's also possible to set the time via bluetooth, but then it's rounded down to minutes (at least with gnokii and gammu, I'm not sure if this is an application bug or a hardware limitation), so this is useless, too. My camera (Canon IXUS 50) seems to have no way of automatically setting the time.

Now, suppose you were out somewhere and took some photos while another device was recording gpx data. There's a small script called gpsPhoto that will give your images GPS data:

    gpsPhoto.pl --dir [directory of your images] --gpsdir [directory of your gpx files] --timeoffset 0

Now you have images that contain data where they were made. JOSM (an openstreetmap tool to create map data) supports showing the geotagged images, which makes editing openstreetmap much easier (you don't have to write down/remember street names, you can take photos of postboxes, bus stops etc. instead of writing down/setting waypoints with your device).

Besides that, this brings up the question if openstreetmap should get a database of geotagged free images together with tools to show them on the map.
While this brings up some privacy issues (if the photos contain private buildings, people, car numbers), even the ones without any privacy implications (nature, public buildings) would be a nice feature: Having a map and always being able to say »show me some photos of that location«. At the moment, this is probably far beyond the computer resources available for a project like osm, but it's worth a thought for the future.

Update: Bernd just told me that MTE doesn't use the phone's timestamp, but the one from the GPS device. This means this method doesn't work if your gps doesn't send a correct timestamp signal.

Wednesday, January 16. 2008
tuXmas 2007 review
As in the previous year, at the end of 2007 we, the Linux User Group Backnang, released the tuXmas DVD. The idea: we fill a DVD with free, or at least freely copyable, content.
As is usual with such projects, we had »actually« been almost finished for a long time, but the difference between almost finished and finished is sometimes bigger than one thinks. So it turned out that the final version was rushed out in an unplanned night shift and, of course, some things we had planned were not implemented. The original version then promptly turned out not to be readable under Windows (hey, how should I know about such things?), but by now there is a re-release (r2) for all who should really need that. It felt like there were considerably more mentions on news sites and in blogs this time (though that could also be due to an increased number of bloggers). I have no download statistics: since we could use the connections to mirrors from last year, all downloads ran outside my administrative reach. Additions to the list of news reports are welcome, just send me a short mail. And everyone who ordered will get a message today or tomorrow, but that was only meant as a stopgap anyway. After all, we don't want to pay too much tribute to the materially manifested form. Applications for the next DVD project are gladly accepted at any time.
Posted by Hanno Böck
in Art, Books, Computer culture, Copyright, Linux, Movies, Music
at
00:38
| Comments (0)
| Trackbacks (0)
Friday, January 11. 2008
How long does it take to fix a crash-bug?
About one year ago, Sam Hocevar posted some results on tests with his fuzzing tool zzuf, which showed a large number of crashes in various applications, especially multimedia apps.
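Re-running saved fuzzed samples against current builds, as this post does, comes down to telling a clean rejection apart from a crash or a hang. An added example of that triage (not from the original post or from zzuf); the stub player, sample names and one-second limit are constructed, and timeout(1) from coreutils is assumed.

```shell
#!/bin/sh
# Added example. The stub player, sample names and time limit are constructed.

# classify LIMIT FILE PLAYER [ARGS...]
# Prints one of: ok | exit N | hang | crash (signal N)
classify() {
    limit=$1; file=$2; shift 2
    rc=0
    timeout "$limit" "$@" "$file" </dev/null >/dev/null 2>&1 || rc=$?
    if   [ "$rc" -eq 0 ];   then echo ok
    elif [ "$rc" -eq 124 ]; then echo hang    # timeout(1) had to stop it
    elif [ "$rc" -gt 128 ]; then echo "crash (signal $((rc - 128)))"
    else echo "exit $rc"                      # input rejected cleanly
    fi
}

# retest LIMIT DIR PLAYER [ARGS...]
# One line per sample, then a count; returns non-zero if anything
# still crashes or hangs, so it can gate a release or a package bump.
retest() {
    limit=$1; dir=$2; shift 2
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        res=$(classify "$limit" "$f" "$@")
        printf '%s\t%s\n' "$(basename "$f")" "$res"
        case $res in crash*|hang) bad=$((bad + 1)) ;; esac
    done
    echo "still failing: $bad"
    [ "$bad" -eq 0 ]
}

demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/samples"
    # Constructed stand-in for a media player: behaviour depends on suffix.
    cat > "$t/player" <<'EOF'
case $1 in
    *.m2v) kill -SEGV $$ ;;   # dies from a signal, like a segfault
    *.wmv) sleep 30 ;;        # never comes back in time
    *.gif) exit 1 ;;          # refuses the file with an error
esac
EOF
    for s in a.m2v b.wmv c.gif d.ogg; do : > "$t/samples/$s"; done
    retest 1 "$t/samples" sh "$t/player" || true
    rm -rf "$t"
}

demo
```

Against real builds, call `retest` with the sample directory and the actual player command line in place of the stub.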
Crash bugs on invalid input very often lead to security issues, thus this should be taken seriously. Now, I took the freedom to have a look at how many of the issues found back then were fixed. I used the most current versions in gentoo linux (testing/~x86-system), which tend to be quite up-to-date. I also cross-checked the crashes for other apps, as they often use the same or similar code. Seems only vlc devs did their homework (Sam Hocevar is part of the vlc team). Interestingly enough, even firefox seems to have had a gif-crasher for a year.

gstreamer
  crash by lol-ffplay.mpg lol-gstreamer.m2v lol-mplayer.m2v lol-mplayer.mpg lol-vlc.m2v lol-vlc.mpg
  endless loop by lol-ffplay.m2v lol-xine.mpg
mplayer
  hang by lol-mplayer.wmv
  crash by lol-ffplay.flac lol-mplayer.aac lol-mplayer.mpg lol-mplayer.ogg lol-ogg123.flac lol-vlc.aac lol-xine.aac
xine
  crash by lol-mplayer.wmv lol-ffplay.m2v lol-ffplay.ogg lol-ffplay.wmv lol-gstreamer.avi lol-ogg123.flac lol-vlc.aac lol-xine.mpg
firefox
  crash by lol-firefox.gif

Saturday, December 15. 2007
Security and »mature applications«
Recently I had a discussion with someone about the security of various linux distributions where he claimed Debian stable to be very secure and that they use old versions where they backport all occurrences of security issues. This is a common assumption, too bad that it's wrong.
I want to document this to demonstrate the dangerousness of opinions like »stay with the old software«, »never touch a running system« and the like, which are not limited to, but often found in, the Debian community. I had a look at the security policy on a package recently very popular for its vast number of issues, namely php. Their last php-update on php5 was in July. They have a heavily patched version of php 5.2.0 and according to their changelog the last thing they patched was CVE-2007-1864. Now that probably means that CVE-2007-3996, CVE-2007-3378, CVE-2007-3997, CVE-2007-4652, CVE-2007-4658, CVE-2007-4659, CVE-2007-4670, CVE-2007-4657, CVE-2007-4662, CVE-2007-3998, CVE-2007-5898, CVE-2007-5899, CVE-2007-5900 are unfixed. Oh, and before you ask: This list certainly is incomplete, it's just what I found without much hassle.

Not only looking at php5, php4 is still officially distributed by many vendors, some hosters still use it. You can't really blame them, as php.net announced it to be supported until 2007-12-31. But that's theory, in fact, nobody looks if the various recent issues also apply to php 4, most recent advisories don't mention it. Fact is, at least CVE-2007-3378, CVE-2007-3997, CVE-2007-4657, CVE-2007-3998 also apply to php 4 and are unfixed in their latest release 4.4.7 (not necessary to mention that they're not fixed in the debian stable php4 package).

If someone prefers to stay with old software, it's up to them. But be serious. It's probably a hell-job to get all the recent security issues in an app like php backported to some ancient version. A quick check showed me that debian isn't able to do that. If you can't do that, don't claim it's in any way »supported«. Because doing that puts other people in dangerous situations.

Tuesday, November 13. 2007
Linux for old Hardware - DeLi Linux
I got an old laptop donated a while back, Pentium 133 with 24 MB RAM, no CDROM, no USB. I wanted to provide it for someone else as a basic internet surfing and office writing station and faced the problem what system would be suitable for that.
I tried some old flavours of Debian, but wasn't really happy. Then I found that there's a distribution called DeLi Linux that seemed to be just perfect. What they're doing is providing an intelligent mix of current and old software (yeah, xorg really runs on a P133). They have installation floppies for network install (well, it was nontrivial to find three floppies in my room). It's all a bit like doing Linux by foot, they're missing a real package management (they have one, but no auto-dependencies) and things like that, but that didn't really hurt. In the end I had an IceWM-Desktop, together with Konqueror-Embedded, alternatively you can use Firefox 1.5 (they backport security fixes) linked against plain X-libs. Texts can be written with AbiWord, linked against gtk1. It's a nice solution, if you once need some system for a machine where xubuntu is far too bloated, you might want to try out DeLi Linux. According to their webpage, it runs on a 486 with 16 MB. My stub of an installation report for the HP OmniBook 5500CS is here (I may extend it when I get the laptop back, it has some more devices to explore, internal soundcard, tv-out).

Sunday, November 11. 2007
SimCity original becomes free software
The One Laptop per Child project will soon release a free software version of the classic SimCity game. The company agreed to publish the code under a GPL-license. It'll however contain a clause that modified versions are not allowed to be named SimCity, else it's completely free software.
I think that's great news and would welcome it if more classic games could be freed. Computer games are their own form of culture and we need more projects to protect this kind of culture.
SimCity at the OLPCWiki
Posted by Hanno Böck
in Computer culture, Linux, Retro Games
at
22:37
| Comment (1)
| Trackbacks (0)
Monday, November 5. 2007
To the laptop manufacturers out there
At the moment I'm quite glad that my laptop gives the impression that, despite a few quirks and scratches, it will survive another year or so. So I'm not planning to buy a laptop in the foreseeable future, but I'm always curious and look now and then at what's standing around in the shops.
If I had to buy a laptop right now, I wouldn't know what to do. It seems the entire world of laptop manufacturers has agreed to produce only widescreen laptops. In most cases also with resolutions I don't seriously want to work with (1200x800 seems to be the norm). Dear laptop manufacturers, if you are reading this: I plan to get a new laptop in maybe one or two years. If your product ranges remain this bad, maybe only in three years. I do believe you that there are many people who like using widescreen laptops. Maybe even the majority. But with the best will in the world I don't believe that I am the only person in the world who doesn't like that. I'm pretty sure there is a market out there for high-quality laptops with a 15" display and a usable 4:3 resolution (my current one has 1400x1050, which I find quite OK). Oh, and ceterum censeo: full Linux compatibility and no Microsoft tax would of course be nice, too.

Wednesday, October 24. 2007
https with multiple certs on one IP
A big problem with web security in the past was that it was impossible to have https-hosts with more than one certificate per IP. This is due to the protocol design of https, which needs to establish an ssl-connection with the certificate before the hostname is transferred.
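The ordering problem described above, and what changes once the client sends the host name inside the TLS handshake (the server_name extension), can be reproduced on one machine. This is an added example, not from the original post; the host names www.a.example and www.b.example, port 44433 and the throwaway certificates are constructed.

```shell
#!/bin/sh
# Added example. Host names, port and certificates are constructed.
PORT=${PORT:-44433}

# Print the subject of the certificate the local test server presents.
# $1 = host name to put in the ClientHello, or empty to send none
# (connecting by IP address, s_client sends no name unless told to).
presented_cert() {
    if [ -n "$1" ]; then sni="-servername $1"; else sni=""; fi
    # $sni is left unquoted on purpose so it splits into option + value.
    openssl s_client -connect "127.0.0.1:$PORT" $sni </dev/null 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null
}

sni_demo() {
    d=$(mktemp -d) || return 1
    for h in www.a.example www.b.example; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$h" \
            -keyout "$d/$h.key" -out "$d/$h.pem" 2>/dev/null || return 1
    done

    # One address and port, two certificates. www.a.example is the default;
    # the second pair is selected only when the client names www.b.example.
    openssl s_server -accept "127.0.0.1:$PORT" -www \
        -cert "$d/www.a.example.pem" -key "$d/www.a.example.key" \
        -servername www.b.example \
        -cert2 "$d/www.b.example.pem" -key2 "$d/www.b.example.key" \
        >/dev/null 2>&1 &
    pid=$!

    # Wait (up to about 10 s) until the listener completes a handshake.
    n=0
    until presented_cert '' >/dev/null || [ "$n" -ge 10 ]; do
        sleep 1; n=$((n + 1))
    done

    # No name in the handshake: the server has to pick a certificate
    # before it knows which site is wanted, so it sends the default.
    echo "no SNI: $(presented_cert '')"
    # Name in the ClientHello: the server can choose per host.
    echo "SNI www.b.example: $(presented_cert www.b.example)"

    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$d"
}

sni_demo
```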
There is a solution though, called Server Name Indication (SNI) and part of TLS. Strangely enough, client compatibility isn't that much of a problem. Firefox, Opera and IE already support it in their current versions, konqueror will with kde4, I've no information when it'll hit safari. Oh, and I haven't tested w3m, lynx, links and wget yet, but if you want, feel free to add your experiences to the comments :-)
The problem was that until some weeks ago, openssl didn't support SNI, apache mod_ssl didn't, lighttpd didn't. Only GnuTLS, but mod_gnutls is considered unstable by its authors. With OpenSSL 0.9.8f, TLS Extensions and with them SNI landed in openssl, apache still needs patches.
We've now implemented SNI on schokokeks.org, which you can test:
https://www.schokokeks.org/
https://www.hboeck.de/
https://www.fabian-fingerle.de/
If your browser supports SNI, you should see different certificates, all on the same IP. All certs are cacert-signed, they also have a Wiki page from the VhostTaskForce for SNI and alternative solutions.

Compiz Fusion hits Gentoo
I know you've been waiting far too long for that. Now that Compiz and Compiz Fusion 0.6 are out, I've added them to portage.
The background: Compiz and Beryl, the two famous 3D-composite/windowmanagers for Linux, have merged forces. Main Compiz still resides in the package x11-wm/compiz, many additional plugins and tools are fetched in by the x11-wm/compiz-fusion metapackage. The ebuilds are all based on the xeffects overlay, with some cleanup by me. Happy window-wobbling!
Posted by Hanno Böck
in Computer culture, English, Gentoo, Linux
at
01:54
| Comments (8)
| Trackbacks (0)
About me
You can find my web page with links to my work as a journalist at https://hboeck.de/.
You may also find my newsletter about climate change and decarbonization technologies interesting.
Hanno Böck
mail: hanno@hboeck.de