dwmw2 is currently certified at Master level.

Name: David Woodhouse
Member since: 2000-03-01 13:20:40
Last Login: 2009-07-03 06:59:04

FOAF RDF Share This

Homepage: http://www.infradead.org/

Notes:

I suppose I ought to at least put _something_ in here. Hacker. Doesn't like bright light. Unless it's seen from the top of mountains. Oft suspected of being schizophrenic - long periods of languishing in the dark in front of a CRT are intermingled with declaring an unquenchable urge to climb mountains, and disappearing off into the countryside for a week or so at a time.

I don't have opinions and if I did have any I wouldn't dare to voice them - I'm such a quiet person. But if anything I say here does happen to look like an opinion, then it's all mine. My employer may own my soul, but opinions are mine.

Projects

Articles Posted by dwmw2

Recent blog entries by dwmw2

Syndication: RSS 2.0

8 Jun 2009 »

Software makes me sad sometimes.
Q: My application has a command-line option to use an SSL client certificate. What is the OpenSSL function to load and use the certificate from a file?

A: Well, we make this lots of fun for you — it would be boring if there was just one function which you could pass the filename to. You have to write 230 lines of code like this instead.... First you have to check for yourself what type of file it is — is it a PKCS#12 file, is it a PEM file with a key in it, or is it a TPM key 'blob'?

No, there's no function which determines that for you — you have to do it yourself. And depending on the answer, you have to do three entirely different things to load the key.

To make things even more fun, those three file types have wildly different ways to handle their passphrase/PIN:

  • For a PEM file, you can't tell OpenSSL the passphrase in advance — if the user gave it on the command line, you have to manually override the user interface function that OpenSSL will call, and make your replacement function return the pre-set passphrase. Or if you do ask the user, you've got no way to easily tell whether the user got the passphrase wrong; if they get it wrong (and type 4 or more characters) then the 'load key' function will fail and you have to compare against a special error code, which may differ from version to version of OpenSSL because it has internal function names. Just for variety, if the user enters a wrong passphrase with fewer than 4 characters, they'll get no feedback and will just be asked again immediately.

  • For a PKCS#12 file, it's the other way round — you have to give the passphrase in advance, so you have to ask the user for it yourself. Even if the file isn't actually encrypted — because you don't know that yet.

  • For a TPM key it's a bit saner — you can either set the PIN in advance or otherwise OpenSSL will ask the user for it if necessary. But you do have to jump through various other hoops to use the TPM 'engine', instead of just pointing OpenSSL at the file and having everything handled for you.

Excuse me while I bash my head against a brick wall for a while...

And no, the answer is not "don't use OpenSSL then".

At least, not until one of the potential replacements actually starts to catch up with the features I need — support for using a TPM for certificates, and DTLS support.

22 May 2009 »

WTF? Case-sensitive, but not case-preserving...

27 Apr 2009 »

Why are people so bloody clueless about email? I received this in snail mail from my bank today:
Account Number xxxxxxxx Sort Code xx-xx-xx
Your statement
Your statement for the above account, is ready to view by logging in to online banking at www.natwest.com.

Unfortunately, we have been unable to deliver this alert to you by email. This may be because the email address we hold for you (DAVID@WOODHOU.SE) is incorrect.

That has to be almost the most clueless bug report I've ever seen. It should have included at least some of:

  • Precise date and time of the latest delivery attempt
  • Sender's email address
  • Sending server IP address
  • Which MX host was being delivered to
  • The rejection message from the MX host

If I hadn't been running my own mail server, I'd have had no way to work out what happened — no ISP is going to go trawling through their logs looking for a needle in a haystack based on virtually nothing.

Since I do run my own, I was able to log into all the MX hosts for that domain, look through the historical mail logs on each of them and I happened to find their failed message among all the lots of other people trying to fake mail from NatWest:

2009-04-21 00:38:20 +0000 1Lw40C-0002sE-3D H=mailhost7a.rbs.com [155.136.80.121] F=<OnlineBanking@Information.natwest.com> rejected after DATA: Your message lacks a Date: header, which RFC5322 says it MUST have.

Upon calling them to tell them of their problem, I was asked "who says our mails lack a Date: header?" and "who says that they should?".

After dealing with that, I left the first-line support person with three items to pass on to Nat West's technical team:

  1. The lack of Date: header on their outbound mail
  2. The uselessness of the letter they send when they can't deliver email
  3. The fact that they are converting email addresses to upper case, when localparts may well be case-sensitive
I wonder what the odds are of any of them actually getting fixed?

Maybe I should have added "you're sending outbound mail without GPG-signing it" as a fourth item? :)

26 Mar 2009 (updated 26 Mar 2009 at 08:55 UTC) »

Today is the third birthday of GNOME bug #336076, which I filed to report a particularly idiotic regression in Evolution's IMAP code. (Update: It looks like I also posted about it on Advogato, too.)

Instead of just issuing a simple STATUS command to check the status of each folder for new mail, Evolution started to actually open the folder, fetch the headers for all new mail in it, re-fetch the flags for all mail in it.... and it does this for every folder that it's checking (which, with bug #336074 still unfixed, is all folders — not just the active folders. So in my case it was continuously re-fetching the flags for years of archived mail in folders which are marked on the server as being inactive.)

This meant that it took Evolution two HOURS to start up that first time, when connected across the Internet. Even when I ran it on a local machine which was connected to the server by Gigabit Ethernet, it still took 23 minutes to start up; downloading half a gigabyte of mail before it was usable.

I don't know what's scarier — the fact that this utterly moronic regression got into the code base in the first place (what in fuck's name were they thinking?), or the fact that GNOME 2.26 went out last week with it still not fixed, three years later.

I've actually moved my older archived mail folders off to a separate server to work around bug #336074, and I've stopped checking for new mail in folders other than the INBOX to work around bug #336076, which is a PITA but is the only way to keep Evolution even vaguely usable — and it's still extremely bad over a slow connection, such as GPRS (or connecting home from China).

It's not just at startup, either. It goes off into the weeds frequently, doing this stuff in the "background" while I'm waiting for it to fetch the mail I just clicked on. Sometimes, I end up using pine to read my email while I'm waiting for Evolution to do whatever weird crack-inspired stuff it's doing with the IMAP server and start responding again.

I think it's about time that the choice of default mail client for GNOME was re-evaluated. Evolution seems to be mostly stagnant, and the changes that are being made seem to be entirely dubious. Version 2.24 was a significant regression in many ways. Evolution is definitely letting the side down.

This kind of post inevitably leads to people mailing suggestions for an alternative MUA. Changing MUAs is a painful process, but I think after the 2.24 release I've reached the point where I'm going to have to give up on Evolution. Things I really need from the MUA are:

  • Graphical folder 'tree' showing the number of new mails in each folder (currently broken/disabled in Evolution as described above).
  • Ability to reach mail server over ssh: ssh $MAILSERVER exec imapd
  • No mangling of outgoing or incoming patches
As far as I'm aware, the latter two requirements rule out Thunderbird. I think I'm going to try Sylpheed. Last time I did that, it would SEGV at startup, which quickly put me off — but I'm sure that's fixed now, and I've heard good things about it. Next alternative if I can't get on with that is probably kmail.

Whatever I use, it would also be nice if it handled the calendar stuff that the Outlook/Exchange weenies use — preferably with the calendar on the Exchange server, but just using its own calendar (as I do in Evolution) would be fine.

(Of course, Evolution being the steaming pile of crap that it is, it fucks up the calendaring too. It has its own idea of what the timezone is, perhaps because it thinks it might be in a different timezone to the rest of the system? So for someone who travels a lot and uses the calendar infrequently, it's fairly much guaranteed that a meeting will be displayed in some arbitrary, wrong, timezone. And just for fun, it stupidly displays the meeting times without any hint about the time zone. )

18 Mar 2009 »

I finally got round to writing up some documentation on the greylisting setup that I use, and that we've been shipping in an exim-greylist package in Fedora for some time.

This setup avoids some of the common mistakes that greylisting implementations make, and tries hard to avoid delaying mail except where it's actually likely to be a benefit to you. Mostly, that means:

  • Remember which hosts actually do retry, and never delay mail from those hosts in future.
  • Only delay mails which actually look suspicious in some way; don't just delay everything blindly.
  • Avoid greylisting for hosts on the DNS Whitelist database.
It's amazing how many greylisting implementations miss all three of these fairly obvious points. I often see my outgoing mails being delayed due to greylisting, by hosts which I deliver mail to all the time. That's just stupid. They know it's going to be retried, so all they achieve is a delay on mail that they're going to accept later anyway.

I also see a lot of greylisting which happens at RCPT time, without even looking at the mail. I appreciate that some people claim that they don't want to use the extra bandwidth to actually look at the mail, or the extra CPU time. I think that's a very poor decision, if it means you're delaying mail that has absolutely nothing wrong with it. Bandwidth and CPU time on a mail host really shouldn't be an issue these days. Some people even do it at RCPT time when the sender is empty (a bounce), which means that sender verification also fails (temporarily) and they end up delaying their own outgoing mail.

Using dnswl.org is something I added quite recently, and also makes a lot of sense — if the host is registered as a known mail server, it's almost certain to retry the mail and therefore you gain nothing by greylisting except for a delay.

This greylisting is done purely in Exim's ACL configuration, which is quite versatile enough to handle it — there's no need to call out to external software at all. For storage, it uses an sqlite database, again using Exim's built-in capabilities rather than calling out to an external database server. (Thanks to Jeff Garzik for that bit; I used to use simple text files with a fairly evil hack to append to them, but he converted it to sqlite for me after I added sqlite support to Exim.)

201 older entries...

 

dwmw2 certified others as follows:

  • dwmw2 certified ajkroll as Journeyer
  • dwmw2 certified jes as Master
  • dwmw2 certified kira as Journeyer
  • dwmw2 certified gbritton as Journeyer
  • dwmw2 certified dan as Journeyer
  • dwmw2 certified nm as Journeyer
  • dwmw2 certified dick as Master
  • dwmw2 certified uzi as Journeyer
  • dwmw2 certified lmb as Journeyer
  • dwmw2 certified nwv as Journeyer
  • dwmw2 certified chbm as Journeyer
  • dwmw2 certified willy as Master
  • dwmw2 certified prumpf as Journeyer
  • dwmw2 certified pp as Journeyer
  • dwmw2 certified alan as Master
  • dwmw2 certified djs as Journeyer
  • dwmw2 certified jlm30 as Journeyer
  • dwmw2 certified alex as Journeyer
  • dwmw2 certified jgg as Journeyer
  • dwmw2 certified leibnitz27 as Journeyer
  • dwmw2 certified axboe as Master
  • dwmw2 certified arb33 as Journeyer
  • dwmw2 certified dhd as Master
  • dwmw2 certified sad as Apprentice
  • dwmw2 certified Bryce as Master
  • dwmw2 certified johnsonm as Master
  • dwmw2 certified jgarzik as Master
  • dwmw2 certified sjhill as Journeyer
  • dwmw2 certified wli as Master
  • dwmw2 certified mallum as Journeyer
  • dwmw2 certified benh as Master
  • dwmw2 certified laredo as Journeyer
  • dwmw2 certified fenrus as Master
  • dwmw2 certified rmk as Master
  • dwmw2 certified snim2 as Journeyer
  • dwmw2 certified timriker as Master
  • dwmw2 certified joern as Journeyer
  • dwmw2 certified jwboyer as Journeyer
  • dwmw2 certified andersee as Master
  • dwmw2 certified acme as Master
  • dwmw2 certified LaForge as Master
  • dwmw2 certified davej as Master
  • dwmw2 certified AntonA as Master
  • dwmw2 certified bcrl as Master
  • dwmw2 certified riel as Master
  • dwmw2 certified edd as Master
  • dwmw2 certified gohigh as Journeyer
  • dwmw2 certified bdale as Master
  • dwmw2 certified bernie as Journeyer
  • dwmw2 certified mako as Master
  • dwmw2 certified etbe as Master
  • dwmw2 certified jaswinder as Apprentice

Others have certified dwmw2 as follows:

  • ajkroll certified dwmw2 as Journeyer
  • dick certified dwmw2 as Master
  • chbm certified dwmw2 as Journeyer
  • neo certified dwmw2 as Apprentice
  • gbritton certified dwmw2 as Master
  • jes certified dwmw2 as Master
  • pp certified dwmw2 as Journeyer
  • uzi certified dwmw2 as Master
  • alan certified dwmw2 as Journeyer
  • mkp certified dwmw2 as Master
  • djs certified dwmw2 as Master
  • marcelo certified dwmw2 as Journeyer
  • jgg certified dwmw2 as Journeyer
  • jpick certified dwmw2 as Journeyer
  • leibnitz27 certified dwmw2 as Master
  • axboe certified dwmw2 as Journeyer
  • davej certified dwmw2 as Journeyer
  • Marcus certified dwmw2 as Master
  • arb33 certified dwmw2 as Master
  • lmb certified dwmw2 as Master
  • acme certified dwmw2 as Journeyer
  • rodrigo certified dwmw2 as Master
  • quintela certified dwmw2 as Journeyer
  • jbowman certified dwmw2 as Master
  • pjones certified dwmw2 as Master
  • dido certified dwmw2 as Master
  • 8bit certified dwmw2 as Master
  • vladimir certified dwmw2 as Master
  • ths certified dwmw2 as Journeyer
  • ciro certified dwmw2 as Master
  • schoen certified dwmw2 as Master
  • Telsa certified dwmw2 as Master
  • lethal certified dwmw2 as Master
  • apenwarr certified dwmw2 as Journeyer
  • samo certified dwmw2 as Master
  • fxn certified dwmw2 as Master
  • hch certified dwmw2 as Master
  • rmk certified dwmw2 as Master
  • AntonA certified dwmw2 as Master
  • Mac certified dwmw2 as Master
  • pzb certified dwmw2 as Master
  • mharris certified dwmw2 as Master
  • wli certified dwmw2 as Master
  • benh certified dwmw2 as Master
  • zwane certified dwmw2 as Master
  • laredo certified dwmw2 as Master
  • daniels certified dwmw2 as Master
  • ploppy certified dwmw2 as Master
  • pasky certified dwmw2 as Master
  • ilgiz certified dwmw2 as Master
  • ladis certified dwmw2 as Master
  • badvogato certified dwmw2 as Master
  • timriker certified dwmw2 as Master
  • zx80user certified dwmw2 as Master
  • proski certified dwmw2 as Master
  • snim2 certified dwmw2 as Master
  • ebf certified dwmw2 as Master
  • glasseyes certified dwmw2 as Master
  • lerdsuwa certified dwmw2 as Master
  • jwboyer certified dwmw2 as Master
  • Zaitcev certified dwmw2 as Master
  • joern certified dwmw2 as Master
  • mirwin certified dwmw2 as Master
  • tglx certified dwmw2 as Master
  • pjames certified dwmw2 as Master
  • spstarr certified dwmw2 as Master
  • gohigh certified dwmw2 as Master
  • jcm certified dwmw2 as Master
  • hpa certified dwmw2 as Master
  • badger certified dwmw2 as Master
  • trini certified dwmw2 as Master
  • zbowling certified dwmw2 as Apprentice
  • mjg59 certified dwmw2 as Master
  • zanee certified dwmw2 as Master
  • bernie certified dwmw2 as Master
  • lkundrak certified dwmw2 as Master

[ Certification disabled because you're not logged in. ]

New Advogato Features

FOAF updates: Trust rankings are now exported, making the data available to other users and websites. An external FOAF URI has been added, allowing users to link to an additional FOAF file.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

X
Share this page