Name: Steve Kemp
Member since: N/A
Last Login: 2007-09-05 11:25:15
Homepage: http://www.steve.org.uk
Notes:
[For the curious I live in Edinburgh, Scotland ..]
I'm a big believer in the benefits of the open source software, so much so that I joined the Debian Project where I can help those who've given us so much.
On other fronts I've written, or contributed, to a large number of Open Source projects including GNU Emacs, GNUTella, GoGo, GNUMP3d, MP3Blaster.
My largest single contribution to the OS world is the GNU MP3 / OGG streaming. Initially this was written in C, then C++ now it is 100% pure Perl. If you're interested in why that occurred I posted an article about it on Advogato.org - one of only two articles I've posted here.
GNUMP3d is now included in Debian GNU/Linux, SuSE Linux, and other distributions such as Gentoo and FreeBSD.
If you want me to .. I will program for cool stuff ;)
Nowadays I guess the most visible thing I do is run a site I setup for Debian/GNU Linux System Administration - this site occupies most of my free time, both working on the code which runs the site and creating new articles to post.
Other than that I continue working on the Debian Project, and was recently added to the Security Team largely as a result of the work I'd done auditing source code in the past.
I still don't know why I'm here
I wasn't going to comment on the recent openssl security update, because too many people have already done so.
Personally I thought that Aigars Mahinovs made the best writeup I've seen so far.
However I would like to say that having 20+ people all mailing security[at]debian.org to say the webpage we referenced in the security advisory is currently blank is not useful, and having them ask for details already released in the advisory they replied to, or for even more details, is not so much fun.
Having people immediately start mailing questions like "Huh? What can I do" is only natural, but you can't expect a response when things are as hectic as they have been recently. Ideally people would sit on their hands and bite their tongues. Realistically that isn't going to happen, and realistically this post will make no difference either...
Had the issue not leaked to unstable so quickly (and inappropriately IMHO) then we'd have had a little more time. But once an issue is reported you need to coordinate with other distributions, etc. Handling something as severe as this is not fun, and random mails from users are a distraction, and a resource-hog.
I should say I was not in any way involved in the discovery, the reporting, the preparation of the fix(es), or the releasing of the update. I knew it was coming, but everybody else seemed to have it well in hand. When there are mails going back and forth for 5+ days with ever-growing Cc: lists, and mailing lists being involved I figure one more cook wouldn't be useful.
So in conclusion:
a. Bad hole.
b. Fixing this will take years, probably.
c. 50+ mails to the security team within an hour of the advisory going public complaining of missing information is not helpful, not useful, and quite irritating. (Albeit understandable).
d. People who don't know the details of an attack, or issue, shouldn't speculate and start panic, fear, and confusion. Esp. when details are a little vague.
e. I still like pies.
Once again thanks to everybody who was involved and put in an insane amount of work. Yes this is only the start - our users have to suffer the pain of regenerating everything - but we did good.
Really. Debian did good.
It might not look like it right now, but it could have been so much worse, and Debian did do good.
ObQuote: X-Men: The Last Stand
Yea, just look at all the passion on that wall.
There should be a website to coordinate cinema-dates.
I don't like going to the cinema alone and have, in the past, frequently missed viewing films rather than go alone.
This is a habit I'm growing out of, but I still think it is better to go with a friend or two.
In the near future I'm going to view the last Indiana Jones movie, and the Sex & The City film. I have partners for both of those.
But after that? There are a few films which I can't immediately think of who I'm going to lure away with me. I could either:
If there were a site that had list of upcoming films, and allowed you to express interest in going to see them that would be a fantastic idea. (Obviously location based).
I'd not even assume "dating", because I think in my life I've had a first-date at a cinema once. When I was about 14. Because it just doesn't work - you can't talk during, (and back then we couldn't go to the pub afterward to discuss the film. I think we did anyway ;)
For bonus points you could allow people to rate the films, or even each other. Hmm.
Somebody write it for me? I've got too much on my plate ..probably
ObQuote: Se7en
You're not too technical, just ugly, gross ugly
Well a brief post about what I've been up to over the past few days.
An alioth project was created for the maintenance of the bash-completion package. I spent about 40 minutes yesterday committing fixes to some of the low-lying fruit.
I suspect I'll do a little more of that, and then back off. I only started looking at the package because there was a request-for-help bug filed against it. It works well enough for me with some small local additions.
The big decision for the bash-completion project is how to go forwards from the current situation where the project is basically a large monolithic script. Ideally the openssh-client package should contain the completion for ssh, scp, etc..
Making that transition will be hard. But interesting.
In other news I submitted a couple of "make-work" patches to the QPSMTPD SMTP proxy - just tidying up minor cosmetic issues. I'm starting to get to the point where I understand the internals pretty well now, which is a good thing!
I love working on QPSMTPD. It rocks. It is basically the core of my antispam service and a real delight to code for. I cannot overemphasise that enough - some projects are just so obviously coded properly. Hard to replicate, easy to recognise...
I've been working on my own pre-connection system which is a little more specialised; making use of the Class::Pluggable library - packaged for Debian by Sarah.
(The world -> Pre-Connection/Load-Balancing Proxy -> QPSMTPD -> Exim4. No fragility there then ;)
Finally I made a tweak to the Debian Planet configuration. If you have Javascript disabled you'll no longer see the "Show Author"/"Hide Author" links. This is great for people who use Lynx, Links, or other minimal browsers.
TODO:
I'm still waiting for the creation of the javascript project to be setup so that I can work on importing my jQuery package.
I still need to sit down and work through the Apache2 bugs I identified as being simple to fix. I've got it building from SVN now though; so progress is being made!
Finally this weekend I need to sit down and find the time to answer Steve's "Team Questionnaire". Leave it any longer and it'll never get answered. Sigh.
ObQuote: Shooting Fish
Only after disaster can we be resurrected
I leave my main desktop logged in for months a time; as demonstrated by my previous bug with the keyboard transition for xorg.
The screen is setup to lock after 5 minutes of idle, so there's no real security issue, and it is extremely convenient.
Every few weeks though my desktop gets into a funny state where no new windows may be opened.. Existing applications continue running without any problems, but no new windows/shells/whatever may be opened.
Tonight it happened again.
And the lightbulb went on in my head: My flat uses CFEngine to manage itself. (Two physical servers here, with 5-10 Xen guests, and a number of remote servers.)
One of the things that CFengine is configured to do is to tidy directories of files which are older than 30 days. Including /tmp.
So that explains that.
Every month the magic cookie in $TMP would be nuked, and X would disallow new connections.
I guess the next time this happens I should look at using Xauth to fix the issue, but generally I just logout, make coffee, smoke a cigarette, and login again.
In conclusion: I'm a stupid-head.
ObQuote: Fight Club
Please don't let them be as boring as Brian's friends
I made an emergency release of the chronicle blog compiler yesterday, after noticing that it was truncating titles containing periods.
That was a bit of a mea culpa moment, but I guess mistakes happen.
The new release is in perfect shape for Lenny, and now includes two new scripts installed into the examples/ directory:
The latter was applied to my own blog, and I discovered several duplicates. I guess my film quotes having only a limited source collection to work from could also include duplicates - so I've updated my Makefile to only build and rsync my blog if there are none detected.
(In many ways that films site is the precursor to this blog; it uses a collection of text files, one per film, and generates a cross-linked HTML output of film entries. Sadly it is out of date, because entering titles is a real pain..)
Chronicle Comments
I'm pleased with the comment process now though, the CGI comment submission script simply archives each submitted comment into a "comments/" directory on the webserver.
There a cron-job passes each one through a Bayesian filter and moves the file(s) to either "comments/good/", "comments/bad/" or "comments/unsure/".
When I come to rebuild the blog I rsync the "comments/good" directory to my local machine, rebuild and then rsync the output back to my remote webserver.
(On a single machine this would be a much simpler process!)
I've imported my blog source into a mercurial repository, so the client-side is consistent. I have a bad habit of making new postings from wherever I happen to be and having a central repository will make that less prone to disaster.
Just running "make steve" against the Makefile is sufficient to rebuild everything and sync it to my live system.
ObQuote: Kalifornia
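The cron-job step in the comment pipeline above (archive each submission as a file, score it with a Bayesian filter, move it to good/, bad/ or unsure/) is the part worth seeing in code. What follows is an added example written for this page, not chronicle's own filter: a small naive Bayes classifier with Laplace smoothing, trained on a tiny constructed corpus, and a sorter that moves each pending file into the verdict directory. The 0.9 / 0.1 thresholds, the sample comments and the training sentences are all assumptions chosen for illustration.

```python
"""Sort archived blog comments into good/, bad/ or unsure/ with a naive Bayes
spam filter.  Added example; not the chronicle project's own code."""
import math
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

WORD_RE = re.compile(r"[a-z0-9']+")

# Constructed training corpus (assumption: a real deployment would train on
# the comments/good and comments/bad archives it has already accumulated).
SPAM_SAMPLES = [
    "buy cheap viagra online now",
    "cheap replica watches buy now",
    "click here for free casino bonus",
]
HAM_SAMPLES = [
    "thanks for the article, very helpful",
    "I had the same problem with xorg, thanks",
    "nice writeup on the security update",
]


def tokenize(text):
    """Lower-case word set; each word counts once per document."""
    return set(WORD_RE.findall(text.lower()))


class NaiveBayes:
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()   # document frequency per word
        self.n_spam = self.n_ham = 0                 # documents seen per class

    def train(self, text, is_spam):
        words = tokenize(text)
        if is_spam:
            self.spam.update(words)
            self.n_spam += 1
        else:
            self.ham.update(words)
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | words) via log odds; Laplace (+1) smoothing keeps a word
        never seen in one class from forcing the probability to 0 or 1."""
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for w in tokenize(text):
            p_w_spam = (self.spam[w] + 1) / (self.n_spam + 2)
            p_w_ham = (self.ham[w] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_w_spam / p_w_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def build_filter():
    nb = NaiveBayes()
    for text in SPAM_SAMPLES:
        nb.train(text, True)
    for text in HAM_SAMPLES:
        nb.train(text, False)
    return nb


def verdict(p, bad_at=0.9, good_at=0.1):
    """Map a spam probability to a directory name; the middle band is 'unsure'
    so borderline comments get a human look instead of a silent drop."""
    if p >= bad_at:
        return "bad"
    if p <= good_at:
        return "good"
    return "unsure"


def sort_comments(comments_dir, nb):
    """Move every pending file in comments_dir into good/, bad/ or unsure/.
    Returns {filename: verdict} so the caller can log what happened."""
    comments_dir = Path(comments_dir)
    for sub in ("good", "bad", "unsure"):
        (comments_dir / sub).mkdir(exist_ok=True)
    results = {}
    for path in sorted(comments_dir.iterdir()):
        if not path.is_file():          # skip the verdict directories themselves
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        v = verdict(nb.spam_probability(text))
        shutil.move(str(path), str(comments_dir / v / path.name))
        results[path.name] = v
    return results


def demo():
    """Run the sorter over three constructed comment files in a temp dir."""
    nb = build_filter()
    tmp = Path(tempfile.mkdtemp(prefix="comments-"))
    samples = {                          # constructed submissions
        "c1.txt": "buy cheap watches online",
        "c2.txt": "thanks for the helpful article",
        "c3.txt": "cheap article",
    }
    for name, text in samples.items():
        (tmp / name).write_text(text, encoding="utf-8")
    results = sort_comments(tmp, nb)
    shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name}: {v}")
```

Run as a cron-job the only line that changes is the `comments_dir` argument: point `sort_comments()` at the real "comments/" directory and train on the files already in good/ and bad/. The unsure band is the safety valve: a filter that only has good and bad would have to guess on "cheap article", and guessing wrong in the bad direction loses a legitimate reader's comment without anyone noticing.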