Home » Blogs

sunweaver's blog

Kudos to the Rspamd developers

I just migrated the first / a customer's mail server site away from Amavis+SpamAssassin to Rspamd. Main reasons for the migration were speed and the setup needed a polish up anyway. People on site had been complaining about too much SPAM for quite a while. Plus, it is always good to dive into something new. Mission accomplished.

Implemented functionalities:

  • Sophos AV (savdi) antivirus checks backend
  • Clam AV antivirus backend as fallback
  • Auto-Learner CRON Job for SPAM mails published by https://artinvoice.hu
  • Work-around lacking http proxy support

Unfortunately, I could not enable the full scope of Rspamd features, as that specific site I worked on is on a private network, behind a firewall, etc. Some features don't make sense there (e.g. greylisting) or are hard-disabled in Rspamd once it detects that the mail host is on some local network infrastructure (local as in RFC-1918, or the corresponding fd00:: RFC for IPv6 I currently can't remember).

Kudos + Thanks!

Rspamd is just awesome!!! I am really really pleased with the result (and so is the customer, I heard). Thanks to the upstream developers, thanks to the Debian maintainers of the rspamd Debian package. [1]

Credits + Thanks for sharing your Work

The main part of the work had already been documented in a blog post [2] by someome with the nick "zac" (no real name found).

MATE 1.22 landed in Debian unstable

Last week, I did a bundle upload of (nearly) all MATE 1.22 related components to Debian unstable. Packages should have been built by now for most of the 24 architectures supported by Debian (I just fixed an FTBFS of mate-settings-daemon on non-Linux host archs). The current/latest build status can be viewed on the DDPO page of the Debian+Ubuntu MATE Packaging Team [1].

Credits

Again a big thanks goes to the packaging team and also to the upstream maintainers of the MATE desktop environment. Martin Wimpress and I worked on most parts of the packaging for the 1.22 release series this time. On the upstream side, a big thanks goes to all developers, esp. Vlad Orlov and Wolfgang Ulbrich for fixing / reviewing many many issues / merge requests. Good work, folks!!! plus Big Thanks!!!

References


light+love,
Mike Gabriel (aka sunweaver)

  • By sunweaver at 08/04/2019 - 10:55
  • Login to post comments

My Work on Debian LTS/ELTS (July 2019)

In July 2019, I have worked on the Debian LTS project for 15.75 hours (of 18.5 hours planned) and on the Debian ELTS project for another 12 hours (as planned) as a paid contributor.

LTS Work

  • Upload to jessie-security: libssh2 (DLA 1730-3) [1]
  • Upload to jessie-security: libssh2 (DLA 1730-4) [2]
  • Upload to jessie-security: glib2.0 (DLA 1866-1) [3]
  • Upload to jessie-security: wpa (DLA 1867-1) [4]

The Debian Security package archive only has arch-any buildds attached, so source packages that build at least one arch-all bin:pkg must include the arch-all DEBs from a local build. So, ideally, we upload source + arch-all builds and leave the arch-any builds to the buildds. However, this seems to be problematic when doing the builds using sbuild. So, I spent a little time on...

  • sbuild: Try to understand the mechanism of building arch-all + source package (i.e. omit arch-any uploads)... Unfortunately, there is no "-g" option (like in dpkg-buildpackage). Neither does the parameter combination ''--source --arch-all --no-arch-any'' result in a source + arch-all build. More investigation / communication with the developers of sbuild required here. To be continued...

My Work on Debian LTS/ELTS (June 2019)

In June 2019, I did not at all reach my goal of LTS/ELTS hours, unfortunately. (At this point, I could come up with a long story about our dog'ish family member and the infection diseases he got, the vet visits we did and the daily care and attention he needed, but I won't...).

I have worked on the Debian LTS project for 9,75 hours (of 17 hours planned) and on the Debian ELTS project just for 1 hour (of 12 hours planned) as a paid contributor.

LTS Work

  • LTS: Setup physical box running Debian jessie (for qemu testing)
  • LTS: Bug hunting mupdf regarding my CVE-2018-5686 patch backport
  • LTS: Upload to jessie-security: mupdf (DLA-1838-1), 3 CVEs [1]
  • LTS: Glib2.0: request CVE Id (CVE-2019-13012) + email communication with upstream [2] (minor issue for Glib2.0 << 2.60)
  • LTS: cfengine3: triage CVE-2019-9929, email communication with upstream (helping out security team) [3]

ELTS Work

  • Upload to wheezy-lts: expat (ELA 136-1), 1 CVE [4]

References

  • By sunweaver at 07/05/2019 - 21:02
  • Login to post comments

List Open Files for a Running Application/Service

This is merely a little reminder for myself:

for pid in `ps -C <process-name> -o pid=`; do ls -l "/proc/$pid/fd"; done

On Linux, this returns a list of file handles being held open by all instances of <process-name>.

Update (2019-06-27): Martin Schuster suggested an even nicer (and regarding the output seemingly a more complete) approach to me by email:

lsof -c /^<process-name>$/ -a -d ^mem

  • By sunweaver at 06/28/2019 - 07:03
  • Login to post comments

My Work on Debian LTS/ELTS (May 2019)

In May 2019, I have worked on the Debian LTS project for 23.75 hours (as planned) and on the Debian ELTS project for another 10 hours (as planned) as a paid contributor.

LTS Work

  • Upload to jessie-security: 389-ds-base (DLA 1779-1), 1 CVE [1]
  • Upload to jessie-security: qt4-x11 (DLA 1786-1), 5 CVEs [2]
  • Upload to jessie-security: libav (DLA 1809-1), 2 CVEs [3]
  • Prepare a test-build for qemu [4]. Testing still pending.
  • Prepare a test-build for mupdf [5]. Testing still pending.
  • Triaging of open CVEs for 12 packages

ELTS Work

  • Dive deeply into questionable issues that were open for pacemaker.
    • CVE-2018-16877/pacemaker -> not affected
    • CVE-2018-16878/pacemaker -> ignored -> not affected
  • Upload to wheezy-lts: sqlite3 (ELA 123-1), 1 CVE [6]
  • Upload to wheezy-lts: glib2.0 (ELA 125-1), 1 CVE [7]

References

  • By sunweaver at 06/03/2019 - 12:49
  • Login to post comments

My Work on Debian LTS/ELTS (April 2019)

In April 2019, I have worked on the Debian LTS project for 11.5 hours (of 17.25 hours planned, pulling over 5.75 hours to the next month) and on the Debian ELTS project for another 10 hours (of 10 hours planned) as a paid contributor.

LTS Work

  • Upload to jessie-security: libssh2 (DLA-1730-2 [1], regression fix)
  • Upload to jessie-security: poppler (DLA-1752-1 [2])
  • Upload to jessie-security: samba (DLA-1754-1 [3])
  • Upload to jessie-security: systemd (DLA-1762-1 [4])
  • Upload to jessie-security: systemd (DLA-1762-2 [5], regression fix)

ELTS Work

  • Help fixing sbuild in Debian 10, so it still supports building packages for Debian wheezy.

My Work on Debian LTS/ELTS (March 2019)

In March 2019, I have worked on the Debian LTS project for 14 hours (of 10 hours planned plus 4 hours pulled over from February) and on the Debian ELTS project for another 2 hours (of originally planned 6 hours) as a paid contributor.

LTS Work

  • CVE triaging (ntp, glib2.0, libjpeg-turbo, cron, otrs2, poppler)
  • Sponsor upload to jessie-security (aka LTS): cron (DLA 1723-1 [1])
  • Upload to jessie-security (aka LTS): openssh (DLA 1728-1 [2])
  • Upload to jessie-security (aka LTS): libssh2 (DLA 1730-1 [3])
  • Upload to jessie-security (aka LTS): libav (DLA 1740-1 [4])

ELTS Work

  • Create .debdiff for cron src:pkg targetting wheezy (but I failed to build it due to two issues with Debian 10 as build machine)
  • Discover and document that kernel boot parameter "vsyscall=emulate" is required for building wheezy packages on Debian 10. (See #844350 and #845942 for details).
  • Bug hunt sbuild bug #926161 in sbuild 0.78.1-1 [5]

References

  • By sunweaver at 04/03/2019 - 13:23
  • Login to post comments

Picnic in the Dead Zone

Today, I talked to Christoph. He is from a local, rather new intiative here in Nothern Germany:

     Picknick im Funkloch

(Picnic in the Dead Zone).

We discussed how DAS-NETZWERKTEAM (my FLOSS business) can support that initiative on the technical level (we will start with mailing lists).

The Picnic in the Dead Zone initiative aims at making people more aware of possible health and social consequences that may be caused by the upcoming 5G mobile standard reaching 90%-plus coverage.

Personally, I know individual people who are (highly) sensitive to electro-magnetic radiation and fields (they can tell you if wireless network is on or off, tell you which access point where in the house is on or off, can differentiate between WiFi and PoweLAN, etc.). For people with such a sensitivity it is crucial to have spots in the country they want to live in, where electro-magnetic radiation is at a minimum level. Mobile connectivity does not work for everyone. Hyper-sensitive people suffer from it, in fact.

@all-the-Germans: Currently, there is an ePetition waiting for (maybe your) signature(s) on the German Bundestag's ePetition home page. The signing deadline is pretty close: 4th April 2019.

My Work on Debian LTS/ELTS (February 2019)

In February 2019, I have worked on the Debian LTS project for 6 hours (of originally planned 10 hours) and on the Debian ELTS project for another 6 hours as a paid contributor. The non-worked 4 LTS hours I will carry over into March 2019.

LTS Work

  • Upload and announce FreeRDP security fixes and RDP v6 / CredSSP v3 proto updates (DLA-1666-1 [1])

ELTS + LTS Work (shared hours)

  • Chew on OpenSSH security fixes. Esp. CVE-2019-6111 caused me headaches with the final result that the said fix for CVE-2019-6111 did not fix it entirely. See Debian bug #923486 [2].

CVE-2019-6111 has already been amended fully now in Debian unstable's and stable's version of OpenSSH. For jessie LTS a fixed version will be provided within the next couple of days.

References

  • By sunweaver at 03/04/2019 - 15:41
  • Login to post comments
Syndicate content