Michal Čihař - Blog Archives for Debian

Good morning DebConf

Yesterday evening I arrived at DebConf 13. I was quite tired after traveling, so I just had a few beers and went to bed.

The travel went quite well, except that somebody else's wine broke and my suitcase was all wet from it. Fortunately almost nothing got inside, so I have some clean clothes for next week :-).

As I went to bed quite early, I woke up early as well, so I went for a short walk to see what is nearby:

[Photos: Sunrise at Lake Neuchâtel; Castle Vaumarcus; Castle Vaumarcus]

Photo uploader 0.10

Photo uploader has just got its first release under a new maintainer. It mostly fixes various bugs, but the project is going on.

Full list of changes:

  • Compatibility with Python 3.
  • Fix build with Python 2.7.
  • Added documentation in Sphinx format.
  • Updated imageshack support.

Thanks to Andrew Shadura for taking over this tool.

PS: The package should soon be available in Debian as well.

FOSDEM 2013 summary (Sunday)

FOSDEM 2013 is over and it's time to look at what interesting things I saw there on Sunday.

Sunday was supposed to start for me with L20N, but it was postponed to 13:00 as the presenters weren't on time. I could have used one more hour of sleep, but at least I spent some time on coding.

Detect merge conflicts in realtime was quite an interesting talk, though I was pretty surprised that the conflict detection does not care at all about the underlying version control system, but makes purely file-based guesses.

The Hardening MySQL talk pretty much described why security in MySQL sucks and what you should do to make it secure. A quite good introduction to the topic, but not much new information for me.

Introduction of Firefox OS was quite a nice demo showing they have something working, though it had some problems with the flaky network at FOSDEM. I'm looking forward to seeing the phone being sold, though it will probably not be something I'd buy.

To add some fun, I stayed for the systemd, Two Years Later presentation, which gave a summary of what is currently in systemd and where it wants to go. Still, it did not move systemd out of the category of "I don't care as long as it works".

Next came the delayed L20N talk, which showed Mozilla's new effort for localization. It is quite powerful and has nice features; on the other hand it puts quite a lot more load on translators, who would now have to understand some basics of programming as well to be able to use the new features (or not so new ones, such as plurals). Their motivation is to remove the localization effort from developers, but I'm not really convinced it will work nicely.

After some meetings and lunch, I went to LibreOffice: cleaning and re-factoring a giant code-base, which showed some of the challenges LibreOffice has to face and how they dealt with them. I think it's a pretty great job and I'm looking forward to new releases.

Being a GNOME user, I could not skip Has the GNOME community gone crazy?. It of course tried to say that they have not :-).

Last but not least, my friend Dieter from phpMyAdmin gave the talk Present and future of phpMyAdmin. He listed some of the new features and demoed the 3.5 and 4.0 versions (of course the demo of the 4.0 version broke due to some caching). Even though the talk had a quite unpleasant time slot, it attracted some people and they even asked a few questions.

This year's FOSDEM was again great and I'm looking forward to being there next year.

FOSDEM 2013 summary (Saturday)

FOSDEM 2013 is over and it's time to look at what interesting things I saw there on Saturday.

First of all, the most important thing for me is to meet people. As usual, I came with SUSE folks, but it's not that unusual to meet people from the company where you work :-). I met some current and former phpMyAdmin developers and, surprisingly, I met a few Weblate users or people who are considering using it on their project. This gave me some important feedback, and one of the first things you will see in the near future is a remade Weblate website giving more information about some of its unique features. As for the talks, I think I managed to visit quite a lot of them.

How we made the Jenkins community explained some of the ways Jenkins has used to build a good community, mostly focused on extensibility of the code and having everything as an extension, but with some focus on social things as well (and the important point that with Git, people are not that motivated to join the team).

Better software through user research was about various ways to gather information on what your users hate about the software. It was pretty interesting, though much of that cannot easily be used on a small-scale free software product.

The OSS code goes in and never comes out talk focused on licensing issues of various software-as-a-service platforms. As I've never used the Amazon cloud or such, it was quite surprising how these behave in relation to the GPL; it actually made me think more about the AGPL and attend the related panel discussion later.

An Integrated Localization Environment is Mozilla's approach to online translation, quite different from anything we had before, but mostly for reasons which were explained later in the Sunday talk on l20n. Maybe reversing the order of these would make it easier to understand the motivation.

Scale your Jenkins build pipeline automatically to minimize test time was not as useful as I thought; increasing test speed by buying EC2 instances and pushing part of the work to them is not something that will help me in the near future.

Trends in Open Source Security explained what is going on in distribution security, mostly focused on Red Hat (but touching Debian as well). It had some interesting thoughts about sharing information between vendors, so let's see if it will really work in the future.

QML’s many faces showed some other ways to use QML besides QtQuick. Some uses were quite interesting, though I'm not really a fan of creating yet another build system based on it.

Panel Discussion: GNU Affero General Public License, version 3 was the last thing I visited on Sunday and it was really interesting to listen to all those opinions on the AGPL. Still, I was not convinced to consider switching to this license.

phpMyAdmin 3.5.6 for Ubuntu and Debian

Finally, phpMyAdmin packages for Debian and Ubuntu do not lag much behind upstream. Today, I've prepared packages for yesterday's bug fix release 3.5.6.

For Debian users, the package should soon be available in experimental (sorry, no uploads to unstable during the freeze).

Ubuntu users can use my phpMyAdmin PPA. After dozens of comments and no help offered, I've still decided to be nice to Ubuntu users and adjusted the package so that it should work on Lucid as well. The downside is that, unlike in Debian, the package includes bundled copies of many PHP and JavaScript libraries.

PS: As soon as Debian is no longer frozen or 4.0 is officially released, I will start uploading 4.0 to experimental. My current bet is that the 4.0 release will come earlier.

Updated phpMyAdmin packages

Finally, I've found some time to update the phpMyAdmin packages in Debian to the 3.5 series. For a long time it was not possible due to licensing reasons, but recently this issue was resolved upstream by using jqPlot instead of Highcharts.

While packaging the new version, I've also replaced all embedded libraries with the corresponding packages from Debian. I've done some testing and everything seems to work fine, but this still frightens me, as some versions are slightly different from upstream.

Anyway, the new version is available in experimental for now. Ubuntu users can get it from the phpMyAdmin PPA.

Going to FOSDEM 2013

I've just confirmed my flight and hotel bookings for FOSDEM 2013, so I'm looking forward to meeting all the great people there again.

This year my schedule is not that packed, as I have no talks (the Weblate lightning talk was not accepted) and there will also be no big phpMyAdmin team meeting, so get in touch if you want to discuss anything with me.

As most of the rooms still don't have a schedule, I can't give you a hint where I will be, but I definitely won't miss the Friday beer event and Dieter's talk about phpMyAdmin in the MySQL room. The rest pretty much depends on who I will meet :-).

Free software plans for 2013

Year 2013 has just started and it's time to think about how to spend my free time during this year.

Weblate

Weblate was my toy project number one last year and I expect it to stay that way next year as well. I have several ideas for new features, but all that depends on free time. I will most likely spend my hackweek on that as well.

phpMyAdmin

I think my involvement with phpMyAdmin will stay at about the same level: doing a few random bugfixes, mostly security ones, taking care of the infrastructure for translations and the wiki, and mentoring a few GSoC students.

Gammu and Wammu

Gammu and Wammu have not seen much activity from me in the past year and that will probably not change. I don't use the program anymore and this pretty much limits my interest in adding new features. In case somebody active pops up on the mailing list, I'd be happy to transfer the project ownership.

Mobile apps

I'd like to make some progress here. I was also thinking about making some of them work on Android as well, but this involves a lot of learning and time is always an issue here. Anyway, this might be a good challenge for hackweek as well.

Debian

No changes expected here :-).

Others

I consider pretty much everything else among my software projects abandoned or finished.

Secure your phpMyAdmin

phpMyAdmin is quite popular software (to give some numbers, let's mention 10000 downloads daily on SourceForge.net or 122685 reports in Debian's popcon) and as such is quite an attractive target for various scripted attacks. If you run a phpMyAdmin installation somewhere, you should really make sure it is secured well enough that these script kiddies don't get through.

In the past month I've looked at what kind of attacks these guys are trying, and in all cases they target pretty old vulnerabilities, some of them fixed years ago. So the first thing you should do is update. It is always good to run the latest stable version, but in case you cannot for whatever reason, at least take the most important fixes and apply them.

In an ideal world your distribution would do this job for you, but in case it did not, you can for example take patches from Debian, which is pretty good at taking our patches (surprisingly, that is not much related to my involvement there). To check which patches they have applied you can use the excellent patch-tracker tool, which exposes patches from all released packages.

To give you an overview of which issues script kiddies are currently attempting to exploit most, here is the list:

  • PMASA-2010-3 - yes, more than two years old, but still unpatched in some places
  • PMASA-2011-5 - "only" half a year old
  • PMASA-2011-6 - only useful together with wrongly configured PHP

If you have fixed these, you should be pretty safe for now, but follow our security announcements for possible future issues (you can use the RSS feed or subscribe to the news mailing list, where all security issues are announced as well).

However, there are more things you can do to keep yourself safer:

  • remove the setup directory from phpMyAdmin; you will probably not use it after the initial setup
  • prevent access to the libraries directory from the browser, as it is not needed; the supplied .htaccess file does this
  • properly choose the authentication method; cookie is probably the best choice for shared hosting
  • in case you don't want all MySQL users to be able to access phpMyAdmin, you can use AllowDeny rules to limit them
  • consider hiding phpMyAdmin behind an authentication proxy, so that MySQL credentials are not all users need to log in

So these are the basic steps which will help you against a possible compromise; I might return to some of these in more detail in future posts.
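To make the list above checkable, here is a small POSIX shell audit that walks a phpMyAdmin install tree and reports which of those hardening steps are still missing. It is an added example, not part of the original post and not shipped by phpMyAdmin. It assumes the stock layout (a setup/ directory, libraries/.htaccess, config.inc.php) and the config keys auth_type, AllowDeny and blowfish_secret (the last one is not in the list above, but cookie auth encrypts its cookie with it, so an empty value is a gap). The function names and the sample trees built by make_fixture are constructed for this example, not real installs.

```shell
#!/bin/sh
# Audit a phpMyAdmin install tree for the hardening gaps listed above.
# Assumed stock layout: setup/, libraries/.htaccess, config.inc.php.
# Usage: sh pma_audit.sh /usr/share/phpmyadmin   (or --demo for a self-test)

# pma_audit DIR: print one line per gap, return the number of gaps (0 = clean).
pma_audit() {
    dir=$1
    cfg="$dir/config.inc.php"
    n=0
    if [ -d "$dir/setup" ]; then
        echo "setup/ still present; remove it after initial configuration"
        n=$((n + 1))
    fi
    # the shipped libraries/.htaccess denies everything (Apache 2.2 "Deny from all",
    # Apache 2.4 "Require all denied"); a missing or edited file exposes the includes
    if [ ! -f "$dir/libraries/.htaccess" ] ||
       ! grep -Eqi 'deny from all|require all denied' "$dir/libraries/.htaccess"; then
        echo "libraries/ is reachable from the browser (no denying .htaccess)"
        n=$((n + 1))
    fi
    if [ ! -f "$cfg" ]; then
        echo "config.inc.php missing"
        return $((n + 1))
    fi
    if ! grep -Eq "\['auth_type'\][[:space:]]*=[[:space:]]*'cookie'" "$cfg"; then
        echo "auth_type is not 'cookie' (config auth keeps MySQL credentials in the file)"
        n=$((n + 1))
    fi
    # cookie auth encrypts its cookie with blowfish_secret; empty or unset is a gap
    if ! grep -Eq "\['blowfish_secret'\][[:space:]]*=[[:space:]]*'[^']+'" "$cfg"; then
        echo "blowfish_secret is empty or unset"
        n=$((n + 1))
    fi
    if ! grep -Eq "\['AllowDeny'\]\['order'\][[:space:]]*=[[:space:]]*'(deny,allow|allow,deny|explicit)'" "$cfg"; then
        echo "no AllowDeny rules: every MySQL account can log in through phpMyAdmin"
        n=$((n + 1))
    fi
    return $n
}

# make_fixture DIR weak|hardened: build a constructed sample tree (not a real
# install) so the audit can be exercised offline.
make_fixture() {
    mkdir -p "$1/libraries"
    if [ "$2" = weak ]; then
        mkdir -p "$1/setup"
        cat > "$1/config.inc.php" <<'EOF'
<?php
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'secret';
EOF
    else
        printf 'Order Deny,Allow\nDeny from all\n' > "$1/libraries/.htaccess"
        cat > "$1/config.inc.php" <<'EOF'
<?php
$i = 1;
$cfg['blowfish_secret'] = 'replace-with-a-long-random-string';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow % from localhost');
EOF
    fi
}

# demo: audit a weak and a hardened sample tree side by side.
demo() {
    t=$(mktemp -d)
    make_fixture "$t/weak" weak
    make_fixture "$t/good" hardened
    for d in weak good; do
        echo "== $d install =="
        pma_audit "$t/$d" && echo "-> clean" || echo "-> $? gap(s)"
    done
    rm -rf "$t"
}

case "${1:-}" in
    "") ;;
    --demo) demo ;;
    *) pma_audit "$1" ;;
esac
```

The grep patterns only recognise the usual one-assignment-per-line style of config.inc.php, so a config built differently (for example with variables or string concatenation) should be reviewed by hand; the exit status is the number of gaps, which makes the script easy to wire into a cron job or a deployment check.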

ColorHug with non English locales

Since the infamous erasing of the factory calibration in my ColorHug device and restoring the calibration matrix, I noticed it did the screen calibration wrong. However, I did not find time to properly investigate the issue. Yesterday's mail from Richard was actually the trigger for me, so I've opened up this topic.

In the end it turned out to be caused by Little CMS wrongly parsing CCMX in case you are using a locale which uses something other than . as the decimal point.

After a lot of googling, I've realized there is probably no good way of parsing floats independently of the current locale, so I used one of the hacks I found that I think is the least intrusive: get the current decimal point by printing a float string using printf and then convert the string to it. I know it looks ugly, but including our own implementation of strtod is also not nice, and playing with locales is definitely not thread safe to do within a widely used library.
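The trick described above, written out as an added C example (this is illustration code, not the Little CMS sources or the author's actual patch): format a known float with snprintf to learn which character the current locale uses as the decimal separator, rewrite the '.' in the input to that character, and only then call strtod. The function names lc_decimal_point, parse_float_c and parse_float_c_or and the sample value "0.1234" are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <locale.h>

/* Learn the current locale's decimal separator by formatting a float and
 * reading the character back: "1.5" in C/POSIX, "1,5" in e.g. de_DE.
 * Limitation: a multi-byte separator is not handled (rare in practice). */
char lc_decimal_point(void)
{
    char buf[16];
    snprintf(buf, sizeof buf, "%.1f", 1.5);
    return buf[1];
}

/* Parse a number written with '.' as decimal point (CCMX style) regardless
 * of the current locale: copy to scratch, swap '.' for the locale separator,
 * then hand it to strtod(). Returns 0 on success, -1 on junk or overflow. */
int parse_float_c(const char *text, double *out)
{
    char buf[64];
    char sep = lc_decimal_point();
    size_t len = strlen(text);
    char *end;

    if (len >= sizeof buf)
        return -1;
    for (size_t i = 0; i <= len; i++)      /* <= copies the terminating NUL */
        buf[i] = (text[i] == '.') ? sep : text[i];

    *out = strtod(buf, &end);
    if (end == buf || *end != '\0')        /* nothing parsed, or trailing junk */
        return -1;
    return 0;
}

/* Convenience wrapper: the parsed value, or `fallback` when parsing fails. */
double parse_float_c_or(const char *text, double fallback)
{
    double v;
    return parse_float_c(text, &v) == 0 ? v : fallback;
}

int main(void)
{
    const char *sample = "0.1234";   /* constructed CCMX-style matrix entry */

    /* Switch to a comma-decimal locale if it is installed, to show the bug. */
    if (setlocale(LC_NUMERIC, "de_DE.UTF-8") == NULL)
        puts("de_DE.UTF-8 not installed; staying in the C locale");
    printf("locale decimal point: '%c'\n", lc_decimal_point());
    printf("naive strtod:            %g\n", strtod(sample, NULL));
    printf("locale-independent parse: %g\n", parse_float_c_or(sample, -1.0));
    return 0;
}
```

Under a comma-decimal locale the naive strtod stops at the '.' and returns 0, which is exactly the broken calibration matrix the post describes, while the rewritten string parses correctly. Standard C also exposes the separator directly as localeconv()->decimal_point, which avoids the snprintf round trip but has the same multi-byte caveat.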

Anyway, I've asked upstream to merge my patches, so let's see what they think of it.