Blogs

Results produced while at "X2Go - The Gathering 2018" in Stuttgart

Over the last weekend, I attended the FLOSS meeting "X2Go - The Gathering 2018" [1]. The event took place at the shackspace maker space in Ulmerstraße in Stuttgart-Wangen (near S-Bahn station S-Untertürkheim). Thanks to the people from shackspace for hosting us there, I highly enjoyed your location's environment. Thanks to everyone who joined us at the meeting. Thanks to all event sponsors (food + accommodation for me). Thanks to Stefan Baur for being our glorious and meticulous organizer!!!

Thanks to my family for letting me go for that weekend.

Especially, a big thanks to everyone that I was allowed to bring our family dog "Capichera" with me to the event. While Capichera adapted quite OK to this special environment on sunny Friday and sunny Saturday, he was not really feeling well on rainy Sunday (aching joints, unwilling to move, walk, interact).

For those interested and especially for our event sponsors, below you can find a list of produced results related to the gathering.

light+love

My Work on Debian LTS (October 2018)

After some nice family vacation in Tuscany, I did four hours of work on the Debian LTS project as a paid contributor at the end of this month. Thanks to all LTS sponsors for making this possible.

I move over a backlog of 4h from October to November (so I will work 12h on Debian LTS in November 2018).

Furthermore, I have signed up for Debian ELTS work with another 4h (as a start, more availability planned for upcoming months).

This is my list of work done in October 2018:

  • Upload of poppler (DLA 1562-1 [1]), fixing 4 CVEs
  • Discuss my research on CVE-2018-12689 in phpldapadmin from August 2018 with Antoine Beaupré who identified the published exploit as 'false positive' (for details, see his monthly LTS report for October 2018).

light+love
Mike

References

[1] https://lists.debian.org/debian-lts-announce/2018/10/msg00024.html

My Work on Debian LTS (September 2018)

In September 2018, I did 10 hours of work on the Debian LTS project as a paid contributor. Thanks to all LTS sponsors for making this possible.

This is my list of work done in September 2018:

  • Upload of polarssl (DLA 1518-1) [1].
  • Work on CVE-2018-16831 discovered in the smarty3 package. Plan (A) was to backport latest smarty3 release to Debian stretch and jessie, but runtime tests against GOsa² (one of the PHP applications that utilize smarty3) already failed for Debian stretch. So, this plan was dropped. Plan (B) then was extracting a patch [2] for fixing this issue in Debian stretch's smarty3 package version from a manifold of upstream code changes; finally with the realization that smarty3 in Debian jessie is very likely not affected. Upstream feedback is still pending, upload(s) will occur in the coming week (first week of October).

light+love
Mike

References

[1] https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html

[2] https://salsa.debian.org/debian/smarty3/commit/8a1eb21b7c4d971149e76cd2b...

You may follow me on Mastodon

I never fancied having accounts with the big players that much, so I never touched e.g. Twitter.

But Mastodon is the kind of service that works for me. You can find me on https://fosstodon.org.

My nick over there is sunweaver. I'll be posting interesting stuff of my work there, probably more regularly than on the blog.

My Work on Debian LTS (August 2018)

After some nice family vacation in Scandinavia, I did six hours of work on the Debian LTS project as a paid contributor at the end of this month. Thanks to all LTS sponsors for making this possible.

This is my list of work done in August 2018:

  • Research phpldapadmin (CVE-2018-12689) [1], overhead from July 2018, upload is still to come (planned for the coming week)
  • Upload of 389-ds-base (DLA 1483-1)
  • Upload of spice (DLA 1486-1).
    The patch that has been proposed by upstream to fix CVE-2018-10873 has been controversially discussed [2].
    Please refer to my review comment in the package's patch file for my reasoning [3] behind accepting upstream's patch for the fix of this package in Debian LTS.
  • Upload of spice-gtk (DLA 1489-1).
  • Fix a corner case flaw in the gen-DLA (and gen-DSA) script [4].

light+love
Mike

References

[1] https://lists.debian.org/debian-lts/2018/07/msg00123.html

[2] http://www.openwall.com/lists/oss-security/2018/08/17/4 (follow thread)

My Work on Debian LTS (July 2018)

This month, after a longer pause, I have started working again for the Debian LTS project as a paid contributor. Thanks to all LTS sponsors for making this possible.

This is my list of work done in July 2018:

  • Triage CVE issues of ~27 packages during my front desk week.
  • Upload gosa 2.7.4+reloaded2-13+deb9u1 (DLA-1436-1) to jessie-security.
  • Upload network-manager-vpnc 0.9.10.0-1+deb8u1 (DLA-1454-1) to jessie-security.
  • At the end of the month, I started looking at one of two open issues in phpldapadmin. More details on this, I have sent to the Debian LTS mailing list [1].

light+love
Mike

[1] https://lists.debian.org/debian-lts/2018/07/msg00123.html

I do it my way: Let's Encrypt

There are as many ways of doing the Let's Encrypt thing as there are site admins on this planet. So here is my way of doing it, mainly as a documentation for myself and as a tutorial for a supervision class I'll be teaching tomorrow morning.

TL;DR;

This blog post describes how to obtain certificates from Let's Encrypt on a production web server in a non-privileged user context. We use the small and well-readable acme-tiny [1] Python script for it.

Assumptions

  • You know how e.g. Apache2 gets configured (in general)
  • and you have a host running Apache2 that is reachable on the internet
  • and it has at least one DNS hostname associated with its public IP address.
  • You have an idea about OpenSSL, requesting a signed certificate
  • You know what privileges on a *nix system are and why it is mostly bad to run self-updating scripts under a privileged user account (e.g. root)...

Starting the Ayatana Indicators Transition in Debian

This is to make people aware and inform about an ongoing effort to replace Indicators in Debian (most people know the concept from Ubuntu) by a more generically developed and actively maintained fork: Ayatana Indicators.

TL;DR;

In Debian, we will soon start sending out patches to SNI supporting applications via Debian's BTS (and upstream trackers, too, probably), that make the shift from Ubuntu AppIndicator (badly maintained in Debian) to Ayatana AppIndicator.

Status of the work being done is documented here: https://wiki.debian.org/Ayatana/IndicatorsTransition

Why Ayatana Indicators

The fork is currently pushed forward by the Debian and Ubuntu MATE packaging team.

The Indicators concept has originally been documented by Canonical, find your entry point in the readings here [1,2].

Some great work and achievement was done around Ubuntu Indicators by Canonical Ltd. and the Indicators concept has always been a special identifying feature of Ubuntu. Now with the switch to GNOMEv3, the future of Indicators in Ubuntu is uncertain. This is where Ayatana Indicators come in...

The main problem with Ubuntu Indicators today (and ever since) is (has been): they only work properly on Ubuntu, mostly because of one Ubuntu-specific patch against GTK-3 [3].

In Ayatana Indicators (speaking with my upstream hat on now), we are currently working on a re-implementation of the rendering part of the indicators (using GTK's popovers rather than menushells), so that it works on vanilla GTK-3.

Building packages with Meson and Debhelper version level 11 for Debian stretch-backports

More a reminder for myself, than a blog post...

If you want to backport a project from unstable based on the meson build system and your package uses debhelper to invoke the meson build process, then you need to modify the backported package's debian/control file slightly:

diff --git a/debian/control b/debian/control
index 43e24a2..d33e76b 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Build-Depends: debhelper (>= 11~),
                libmate-menu-dev (>= 1.16.0),
                libmate-panel-applet-dev (>= 1.16.0),
                libnotify-dev,
-               meson,
+               meson (>= 0.40.0),
                ninja-build,
                pkg-config,
 Standards-Version: 4.1.3
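
Review bot: the new bound on the `+` line, `meson (>= 0.40.0)`, is written without the trailing `~` that the `debhelper (>= 11~)` bound in the same Build-Depends field uses. For a package aimed at stretch-backports I would write `meson (>= 0.40.0~)`, so that both bounds follow one convention and any `~`-suffixed build of 0.40.0 still satisfies it. The reason for the floor is also not recorded in the change itself; a debian/changelog line naming the debhelper 11 requirement would help the next person who touches this dependency.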

Force the build to pull in meson from stretch-backports, i.e. a meson version that is 0.40.0 or newer.

Reasoning: if you want to build your package against debhelper (>= 11~) from stretch-backports, it will use the --wrap-mode option when invoking meson. However, this option only got added in meson 0.40.0. So you need to make sure the meson version from stretch-backports gets pulled in, too, for your build. The build will fail when using the meson version that we find in Debian stretch.

Call for Translations: Arctica Greeter and Ayatana Indicators

This is a quick call for help to all non-English native speakers.

Please visit projects hosted by the Arctica Project and the Ayatana Indicators project on Weblate and help localizing our projects into your native language.

Projects waiting for Your Language Expertise

The projects on Weblate are:

Arctica Project:
https://hosted.weblate.org/projects/arctica-framework/

Ayatana Indicators:
https://hosted.weblate.org/projects/ayatana-indicators/

If interested in helping with localizations for these projects, please add your language for these projects to your Hosted Weblate Dashboard and stay informed when changes occur, components get added, etc.

Credits

Thanks to all those who already have contributed with translation, so far. However, more work is needed. Let's come together!!!

light+love
Mike Gabriel
