Michal Čihař - Blog Archives for SUSE

New job, new challenges

Starting next week, I'll be at a new job. I will still stay at SUSE, so it's not that big a change, but it is still a new challenge for me.

I'll be moving out of the L3 department, where I've spent almost four years. L3 is really a great team where one can learn basically anything, simply because you meet there anything from broken swap on S390 up to wrong icons in LibreOffice :-).

The new position is inside the Security team, but I'll still be mostly focused on writing internal tools rather than doing security work (at least for the first year or so). The current plan is to base it on the work I've done for the L3 tools and use Django for the web interface, but that's just a plan for now and might change in the future.

Anyway, I'm looking forward to new challenges at the new job.

Four conferences in Prague this October

I'm participating in organizing this year's openSUSE conference, and as we've finally finalized the place and time and the CFP is open, it's time to share some information.

This will be special: not a single conference, but four of them sharing the same space and the motto "Bootstrapping awesome!!!". The 4th openSUSE conference will be held together with LinuxDays, a Czech conference following the tradition of the cancelled LinuxExpo, which should be the biggest free software event in the Czech Republic. In addition there will also be the 12th SUSE Labs conference (so you can meet quite a lot of kernel hackers and other strange guys) and the first Gentoo mini summit (the website is empty so far).

All that will happen on the weekend of 20th and 21st October; the SUSE conferences will then continue on 22nd and 23rd October.

I believe it will be a great mixture of conferences and I hope to meet a lot of people there.

Weblate 1.0

After a few weeks of heavy testing, Weblate 1.0 has been released today.

Compared to 0.9 there are just minor changes and bug fixes. The most important thing is that Weblate should now be really ready to use :-).

Full list of changes for 1.0:

  • Improved validation while adding/saving subproject.
  • Experimental support for Android resource files (needs patched ttkit).
  • Updates from hooks are run in the background.
  • Improved installation instructions.
  • Improved navigation in dictionary.

You can find more information about Weblate on its website; the code is hosted on GitHub. If you are curious how it looks, you can try it out on the demo server. You can log in there with the demo account using the demo password, or register your own user. Ready-to-run appliances can be found in the SUSE Studio Gallery.

Weblate is also being used at https://l10n.cihar.com/ as the official translation service for phpMyAdmin, Gammu, Weblate itself and others.

If you are a free software project which would like to use Weblate, I'm happy to help you with setup or even host Weblate for you (this will be decided case by case, as my hosting space is limited).

Weblate appliance

Thanks to the great SUSE Studio, I've made available an appliance with a ready-to-run Weblate. It's based on openSUSE 12.1, with a few packages coming from the Python devel repository (where I had to push some package updates) and the Weblate package, which is currently available in my home project.

After booting the appliance, you will get Weblate running as a web service (it takes some time on first boot, as the database setup is done then). In case you will use it for more than playing, please remember to change the default passwords as described in our documentation.

Anyway, let's stop talking: you can get the appliance at the SUSE Studio Gallery.

Secure your phpMyAdmin

phpMyAdmin is quite popular software (to give some numbers, let's mention 10000 downloads daily on SourceForge.net or 122685 reports in Debian's popcon) and as such is quite an attractive target for various scripted attacks. If you run a phpMyAdmin installation somewhere, you should really make sure it is secured well enough that these script kiddies don't get through.

In the past month I've looked at what kind of attacks these guys are trying, and in all cases they target pretty old vulnerabilities, some of them fixed years ago. So the first thing you should do is update. It is always good to run the latest stable version, but in case you cannot for whatever reason, at least take the most important fixes and apply them.

In an ideal world your distribution would do this job for you, but in case it did not, you can for example take patches from Debian, which is pretty good at picking up our patches (surprisingly, this is not much related to my involvement there). To check which patches they have applied, you can use the excellent patch-tracker tool, which exposes patches from all released packages.

To give you an overview of which issues script kiddies are mostly attempting to exploit right now, here is the list:

  • PMASA-2010-3 - yes, more than two years old, but still unpatched in some places
  • PMASA-2011-5 - "only" half a year old
  • PMASA-2011-6 - only exploitable together with a wrongly configured PHP

If you have fixed these, you should be pretty safe for now, but follow our security announcements for possible future issues (you can use the RSS feed or subscribe to the news mailing list, where all security issues are announced as well).

However, there are more things you can do to keep yourself safer:

  • remove the setup directory from phpMyAdmin; you will probably not use it after the initial setup
  • prevent access to the libraries directory from the browser, as it is not needed; the supplied .htaccess file does this
  • properly choose the authentication method - cookie is probably the best choice for shared hosting
  • in case you don't want all MySQL users to be able to access phpMyAdmin, you can use AllowDeny rules to limit them
  • consider hiding phpMyAdmin behind an authentication proxy, so that MySQL credentials are not all users need to log in

So these are the basic steps which will help you against a possible compromise; I might return to some of these in more detail in future posts.

ColorHug with non English locales

Since the infamous erasing of the factory calibration in my ColorHug device and restoring the calibration matrix, I noticed it did screen calibration wrong. However, I did not find time to properly investigate the issue. Yesterday's mail from Richard was actually the trigger for me, so I've opened up this topic.

In the end it turned out to be caused by Little CMS wrongly parsing CCMX files when you are using a locale which uses something other than "." as the decimal point.

After a lot of googling, I've realized there is probably no good way of parsing floats independently of the current locale, so I used one of the hacks I found, which I think is the least intrusive: get the current decimal point by printing a float with printf, and then convert the "." in the input string to it before parsing. I know it looks ugly, but including your own implementation of strtod is also not nice, and playing with locales is definitely not a thread-safe thing to do within a widely used library.
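The printf trick described above, worked through as an added example in C. This is not Little CMS code or the patch the post talks about; the function names strtod_dot, strtod_sep and parse_matrix_row, and the sample matrix row, are constructed for this illustration. The example also shows why the trick is needed: strtod() follows LC_NUMERIC, so under a locale with "," as decimal point "0.3424" parses as 0 and stops at the dot.

```c
#include <ctype.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Little CMS code): parse floats that always use "."
 * regardless of LC_NUMERIC. Instead of switching locales (not thread safe
 * inside a shared library) we ask printf which separator is active and
 * rewrite the dot in the input to match before calling strtod(). */

/* Store the locale's decimal separator in sep (NUL terminated) and return
 * its byte length. "%.1f" of 1.5 gives "1" + separator + "5", so the
 * separator is everything between first and last character (multibyte safe). */
static size_t current_decimal_separator(char *sep, size_t seplen)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%.1f", 1.5);
    if (n < 3 || (size_t)(n - 2) >= seplen) {  /* unexpected: assume "." */
        strcpy(sep, ".");
        return 1;
    }
    memcpy(sep, buf + 1, (size_t)(n - 2));
    sep[n - 2] = '\0';
    return (size_t)(n - 2);
}

/* Parse s after replacing its first "." with sep. Plain decimal notation
 * with optional sign/exponent only (no hex floats, inf or nan). On return
 * *endptr points into the original s, as strtod() would set it. */
double strtod_sep(const char *s, const char *sep, char **endptr)
{
    size_t seplen = strlen(sep), start = 0, i, o = 0;
    long dot_at = -1;                       /* offset of sep inside buf */
    char buf[128], *end;

    while (isspace((unsigned char)s[start]))
        start++;
    for (i = start; s[i] && strchr("+-0123456789.eE", s[i]) && o + seplen + 1 < sizeof buf; i++) {
        if (s[i] == '.' && dot_at < 0) {
            memcpy(buf + o, sep, seplen);
            dot_at = (long)o;
            o += seplen;
        } else {
            buf[o++] = s[i];
        }
    }
    buf[o] = '\0';

    double v = strtod(buf, &end);
    if (endptr) {
        size_t used = (size_t)(end - buf);
        if (used == 0) {
            *endptr = (char *)s;            /* no conversion, like strtod */
        } else {
            if (dot_at >= 0 && used > (size_t)dot_at)
                used -= seplen - 1;         /* "." was a single byte in s */
            *endptr = (char *)s + start + used;
        }
    }
    return v;
}

/* Drop-in strtod() for dotted input such as CCMX matrix values. */
double strtod_dot(const char *s, char **endptr)
{
    char sep[8];
    if (current_decimal_separator(sep, sizeof sep) == 1 && sep[0] == '.')
        return strtod(s, endptr);           /* nothing to rewrite */
    return strtod_sep(s, sep, endptr);
}

/* Parse one CCMX-style row of three dotted floats; returns how many parsed. */
int parse_matrix_row(const char *line, double out[3])
{
    const char *p = line;
    for (int k = 0; k < 3; k++) {
        char *end;
        out[k] = strtod_dot(p, &end);
        if (end == p)
            return k;
        p = end;
    }
    return 3;
}

int nearly(double a, double b)              /* tolerant comparison for the demo */
{
    double d = a - b;
    return (d < 0 ? -d : d) < 1e-12;
}

int main(void)
{
    const char *row = "0.3424 0.3179 1.0";   /* constructed CCMX-style row */
    double m[3];
    char sep[8];
    /* Use a comma locale if the system has one, so the difference is visible. */
    if (!setlocale(LC_NUMERIC, "cs_CZ.UTF-8") && !setlocale(LC_NUMERIC, "de_DE.UTF-8"))
        puts("no comma locale installed, staying in the C locale");
    current_decimal_separator(sep, sizeof sep);
    printf("decimal separator \"%s\"; plain strtod gives %g\n", sep, strtod(row, NULL));
    int n = parse_matrix_row(row, m);
    printf("strtod_dot parsed %d values, first %g\n", n, m[0]);
    return 0;
}
```

The separator detection never touches the locale, so it is safe to call from library code on any thread; the cost is one snprintf per parse, which is negligible next to reading a CCMX file. Input is copied into a bounded buffer, so an overlong token is simply truncated rather than overrunning anything.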

Anyway, I've asked upstream to merge my patches, so let's see what they think of it.

Back from FOSDEM

Yet another FOSDEM is behind us and I'd like to thank all people organizing it. It was a great event as usual.

This year there were some changes: the conference grew and there was an extra building. This is great, but on the other hand there were more tracks to follow, and occasionally I wanted to be in four places at once, which is of course not manageable.

Combined with the quite freezing weather (well, it was still much warmer than it is now in Prague), moving from one side of the campus to the other was not as comfortable as in past years, but there is not much one can do about that.

And the biggest change for me: I did not make it to the beer event this year. We enjoyed a great team dinner on Friday evening, and when it ended, I was too lazy to move on to the crowded beer event and rather enjoyed the bed in my hotel.

Enjoying FOSDEM

Again, as usual in the last few years, I'm spending the first weekend of February in Brussels, where FOSDEM is happening.

This year we've again decided to make this the team meeting for phpMyAdmin, so people from five countries and three continents came to one conference to discuss future development and other stuff.

But of course this is not the only thing I'm going to do here. I came with the openSUSE folks, and we've brought a lot of beer, some DVDs and hardware to show. You're welcome to check it out.

And of course there are about 430 talks to visit during the weekend :-).

ColorHug in openSUSE 12.1

Finally I've also found time to test ColorHug on openSUSE 12.1. For my experiences on Debian, check the previous blog post.

Unfortunately, on openSUSE calibration is also not that easy. First of all, you have to install the patched Argyll CMS from the multimedia:color_management repository. You can also install gnome-color-management (and colord), but for some reason they did not offer me any screen for calibration, so I gave up on this and tried manual calibration using Argyll.

After looking into the documentation, it seems to be pretty straightforward:

$ dispcal -y l -o /tmp/L220x
Place instrument on test window.
Hit Esc or Q to give up, any other key to continue:

Display adjustment menu:
Press 1 .. 7
1) Black level (CRT: Offset/Brightness)
2) White point (Color temperature, R,G,B, Gain/Contrast)
3) White level (CRT: Gain/Contrast, LCD: Brightness/Backlight)
4) Black point (R,G,B, Offset/Brightness)
5) Check all
6) Measure and set ambient for viewing condition adjustment
7) Continue on to calibration
8) Exit
Doing check measurements

  Current Brightness = 190.74
  Target 50% Level  = 36.14, Current = 47.98, error =  6.2%
  Target Near Black =  1.91, Current =  4.11, error =  1.2%
  Current white = x 0.3424, y 0.3179, VDT 5910K DE 2K 18.3
  Target black = x 0.3424, y 0.3179, Current = x 0.3123, y 0.2711, error = 18.06 DE

Press 1 .. 7
1) Black level (CRT: Offset/Brightness)
2) White point (Color temperature, R,G,B, Gain/Contrast)
3) White level (CRT: Gain/Contrast, LCD: Brightness/Backlight)
4) Black point (R,G,B, Offset/Brightness)
5) Check all
6) Measure and set ambient for viewing condition adjustment
7) Continue on to calibration
8) Exit
Commencing device calibration
The instrument can be removed from the screen.
$ dispwin -I /tmp/L220x.icc
$ dispwin -L

It turned out that the changes after calibration are quite minor here. This is the sort of thing I expected from past experience with editing photos here, but anyway, now I trust the results here even more :-).

Looking forward to FOSDEM

I just got my flight bookings for FOSDEM 2012 confirmed, so I'm looking forward to meeting all the great people there again. This year we've again arranged a meeting of phpMyAdmin developers there; now it also includes three new faces from last year's GSoC.

As for my schedule, I did not yet find time to check the whole programme, but what definitely sounds interesting to me is the Open Mobile Linux Devroom and some talks in the MySQL and Friends Devroom. The rest will be (as usual) scheduled on the fly as I meet people there. This year I decided to deliberately skip the keysigning, as last year I did not manage to attend it anyway and I expect this year to be equally busy.

In case you want to meet me there, just let me know; we can try to arrange something in the free slots :-).