
Deprecation notice: openSUSE Lizards user blog platform is deprecated, and will remain read only for the time being. Learn more...

Author Archive

openSUSE Build Service Build Checks

September 8th, 2008 by

Last week, Adrian announced that the openSUSE Build Service uses the same build checks that the internal autobuild uses and that these have been enabled for builds of factory and for builds of packages against factory. This is an important step for building packages with the OBS, since it means that a package that builds in the OBS will no longer fail once it has been submitted to build for factory.

We have now put all checks in packages so that they can be easily enhanced: brp-check-suse, rpmlint (the policies are in the rpmlint-Factory package) and post-build-checks. The rpmlint checks are run after the package has been built, the brp-check-suse scripts might be run during the build since they contain specific rpm macros, and finally post-build-checks is executed at the end. The goal is to move everything to rpmlint checks.


Lizards HowTo for Blogger

September 6th, 2008 by

I have started to create an initial HowTo in the openSUSE wiki to explain how to blog on lizards.openSUSE.org.

If you’re a blogger using lizards.o.o, I hope this information is helpful for you – and I’d ask you to update it with everything you find useful.

openSUSE Board Election Comments

September 6th, 2008 by

The first openSUSE board was appointed a year ago and now the elections are starting. We have formed an election committee that is organising it (see here for details – thanks to Marko, Andrew, Claas and Vincent for running the elections!).

I had some good discussions with Pascal, Andrew and Marko during hackweek about the board, and Pascal and myself have the same vision for the board. Both Pascal and myself committed to blog about the board elections and Pascal beat me to it (see here and here for his two posts). I’m not blogging to refute what Pascal wrote, I’m writing this to give my personal view as well – as the current chairman of the board.


Hackweek Day 4

August 29th, 2008 by

[Image: Group photo from Hackweek community members and some Novell guys]

Thursday was my last day of Hackweek since I went on FTO on Friday. Jan had the great idea to take a group photo, so here you see a photo of all invited guests to hackweek together with some Novell folks they hacked together with. After the photo it was time for a small ice-cream party.

I think that many people will blog in more detail on what they’ve been doing during hackweek, but let me give a short summary of those folks that came to Nürnberg. This is the status from Thursday afternoon:

  • Benji Weber: worked on the software portal with Pascal. He spent most of the time on mapping packages to applications – since users look for applications and not for packages. He wants to publish a test page soon. Btw. the software portal can use some help, so if you are a Java programmer or web designer and like to help, please contact Benji and Pascal.
  • Pascal Bleser called it “Chatweek” – and was working also on the software portal.
  • Jan Weber, a GSOC student working on LTSP, created an education YaST module to create users and assign groups for kiosk/sabayon so that admins/parents can easily set up the system with the appropriate permissions for the kids. He showed that YCP is not such a complex language ;).
  • Andrew Wafaa wants to work on a documentary about openSUSE staff and started doing the first videos.
  • Marcus Hüwe worked on the openSUSE Build Service to resolve dependencies using metadata instead of downloading packages directly (works so far for Debian packages only)
  • Andreas Demmer started to redesign openSUSE web pages with Robert Lihm, the current version has been sent to the opensuse-wiki and -marketing lists for review.
  • Frank Karlitschek worked on the “Social Desktop” – community is a strength of Open Source but the desktops do not really show the community and enable easy interaction, this could allow different communities like GNOME, KDE or openSUSE, to better interact and grow.
  • Jörg Riedel worked with Alexander on KVM: Now KVM can run inside KVM.
  • Sebastian Trüg has been discussing and hacking on the KDE desktop.

I repeat myself, but we indeed spent a great time together and discussed a lot besides all the hacking.

Hackweek Days 2 and 3

August 28th, 2008 by

[Image: Jan-Simon and Stephan]

On Tuesday a couple of developers met to discuss cross-platform building in the openSUSE build service.

In the evening we had a BBQ and there Jan-Simon and Stephan discussed the openSUSE weekly news that Jan-Simon then wrote on Wednesday – this time from Nürnberg.

Pascal left on Wednesday and told me that he really enjoyed “Chatweek”. He – and others including myself – used the chance to meet each other for many discussions.

I took part on Wednesday afternoon in a rather long discussion on the different security defaults of server and desktop products, e.g. how to set up a laptop so that it allows a logged-in user to install patches and a server so that only the admin can install patches – and do this right out of the box.

Hackweek Day 1 in Nürnberg

August 26th, 2008 by

Yesterday hackweek in Nürnberg was for me not hacking but managing hackweek.  Let’s see whether I find time today to really hack on glibc as planned.

As I organised travels for some folks to come to Nürnberg, I welcomed everybody and showed them around in the office.  In the afternoon I talked with many folks about what they are doing at hackweek and like to point out some interesting projects:

  • Benji and Pascal are working on the software portal
  • Andreas and Robert have been using pen and paper the whole day – to discuss new designs for the openSUSE web server
  • Stefan is working on YaST as a service, this is basically the backend for e.g. a web-enabled YaST.
  • Sonja is working on a nice GUI for a vocabulary training program that uses some great algorithms but has a rather bad user interface.

We also discussed heavily the openSUSE project and what should be improved.  Pascal, Andrew, Marko and myself talked also about the board elections, it’s good that some members of election committee and of the board had the chance to meet face to face.

It was great to see so many openSUSE community members for the first time – and to see many people hacking happily on their projects.

Package Management Security on openSUSE

July 16th, 2008 by

There has been a report (with further information at this page and at the FAQ) looking at package management security on various distributions that IMO was rather condensed in its summary report and therefore raised some false alarms for various distributions including openSUSE.

Ludwig, one of our security experts, sent out a mail with a reaction to the report and I’d like to point out some of the things from the report and how it’s handled in the openSUSE 11.0 distribution.

Let me state first the major lines of defense that openSUSE uses:

  • Package downgrade is not possible, YaST will not do this automatically and therefore many of the attacks (installing an old and vulnerable package) are not possible.
  • The openSUSE download redirector serves the metadata from a known and trusted source.  I advise everybody to use the download redirector via http://download.opensuse.org.
  • The openSUSE updates have both cryptographically signed packages and cryptographically signed metadata – and YaST checks these signatures and rejects files that do not match the signature.

The described attacks are:

  • “Replay Attack: Metadata Replay”: Not possible since the openSUSE download redirector serves the metadata from a central location.  The only chance here would be a man-in-the-middle attack but this would not help since YaST will not do a package downgrade.
  • “Replay Attack: Mirror Control”: Yes, it’s easy to become an openSUSE mirror but this will not degrade your security since the metadata comes from the download redirector and we only redirect to mirrors that contain the right version of a package – and the redirector monitors that the mirrors contain the right files. YaST is designed with mirrors going out of date or getting corrupted in mind.
  • Attacks called “Extraneous Dependencies”, “Unsatisfiable Dependencies”, “Provides Everything” on the other attacks page: Let me cite the page where it mentions protection against these attacks: “The easiest way is to use a package manager that signs the repository metadata (like APT or YaST)”.
  • “Endless Data Attack”: This is basically a denial of service attack which the admin will soon notice and can then take appropriate action.  It cannot happen for metadata since those come from the download redirector but it could happen with openSUSE for packages since we do download the complete file and do not use the file size information contained in the metadata yet.  This is something we plan to address for our next release.

Note that when I speak about YaST I mean everything that uses the openSUSE package management library libzypp which includes YaST, zypper and the updater applets.

Note also that the FAQ has a question about the download redirector: “Q: What about OpenSUSE’s download redirector? Does it increase or decrease my security? A: OpenSUSE’s download redirector increases the user’s security…”.  I’d like to thank Christoph Thiel, Marcus Rückert and Peter Pöml for their work over the years on the redirector.  Peter is the current maintainer and did the last rewrite including the serving of metadata.

Note: if you use SUSE Linux enterprise products, then only servers owned by Novell are used via secure https connections which avoid all these attacks.

Our package management and security experts have been reviewing and improving the security aspects of the package management stack continuously – and the report shows that they were successful.
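The mitigation mentioned under “Endless Data Attack” above (using the file size from the signed metadata while downloading) can be sketched as follows. This is an added example, not openSUSE or libzypp code; `fetch_bounded`, `DownloadRejected`, the `META` layout and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib

class DownloadRejected(Exception):
    """Raised when a mirror's response does not match the signed metadata."""

def fetch_bounded(stream, expected_size, expected_sha256, chunk_size=65536):
    """Read a package from `stream`, trusting only size/hash from verified metadata.

    Aborts as soon as the body grows past expected_size, so a mirror that
    never stops sending cannot fill the disk or stall the update.
    """
    body = bytearray()
    while True:
        # Request one byte beyond what remains so an oversized body is noticed.
        want = min(chunk_size, expected_size - len(body) + 1)
        data = stream.read(want)
        if not data:
            break
        body += data
        if len(body) > expected_size:
            raise DownloadRejected("body exceeds size declared in metadata")
    if len(body) != expected_size:
        raise DownloadRejected("body shorter than size declared in metadata")
    if hashlib.sha256(body).hexdigest() != expected_sha256:
        raise DownloadRejected("checksum does not match metadata")
    return bytes(body)

class EndlessStream:
    """Constructed stand-in for a mirror that keeps sending data forever."""
    def __init__(self):
        self.served = 0

    def read(self, n):
        self.served += n
        return b"\0" * n

# Constructed sample package and the entry a signed metadata index would carry.
PACKAGE = b"constructed sample package payload" * 100
META = {"size": len(PACKAGE), "sha256": hashlib.sha256(PACKAGE).hexdigest()}
```

The size and checksum must come from metadata whose signature has already been verified; values taken from the mirror's own response headers give no protection.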

Moving Forward with openSUSE 11.1

July 4th, 2008 by

Since both Coolo and Michl are on vacation for two weeks, I’m a bit more involved with the openSUSE distribution. Besides announcing the openSUSE 11.1 roadmap, I was busy stabilizing the factory trees and getting an installable distribution after quite some major changes have been checked into factory. The goal was to have a snapshot of factory as internal Alpha0 release to see what’s working and what’s broken.

Factory has received the following visible major updates after 11.0:

  • The GNOME team prepares for GNOME 2.24 and updated to the development release GNOME 2.23.4
  • Similarly, the KDE team prepares for KDE4.1 and updated to KDE 4.0.84 (4.0.83 was KDE 4.1 beta2, not sure what .84 corresponds exactly to)
  • Installation-Images now have support for IPv6 so that you can install with IPv6 remote hosts

Besides that a large number of packages were updated, renamed, or removed.  In our effort to create small JeOS images, cracklib now uses compressed passwords to save space.

A number of updates are already queued but did not go into factory yet since they missed the deadline for Alpha0, I’d like to point out the following:

  • OpenOffice.Org 3.0 Alpha2 – in preparation for the OpenOffice.Org 3.0 release
  • NetworkManager update to current svn

Alpha0 is not yet released, we’re still hunting some bugs but I hope the above gives some impression where openSUSE 11.1 will go.

Have a lot of fun!

Andreas

Speed and Memory Usage of zypp in 11.0 Rocks!

May 15th, 2008 by

Duncan has quickly done some measurements comparing zypper, yum and smart which show that zypper – the command line tool that openSUSE uses for package management – is now (finally 😉) not only comparable to yum and smart but even faster.

I would be very interested if somebody would do some extensive benchmarking to see whether zypper is faster overall and handles the corner cases as well.

Just compare: Setup for installation with yum is 19s whereas zypper needs 10s. Creation of meta data caches needs 4 minutes with yum and zypper rocks with 18s.

Memory usage: zypper needs at most a bit over 18 MB while yum needs more than 180 MB and smart more than 60 MB.

If you run zypper – or the package management GUI applications, you really see that the team has done a great job to speed up and use less memory than before.

Talking bootloader – heard in Beta2

May 7th, 2008 by

Steffen announced today that as of openSUSE 11.0 beta2, the graphical bootloader (the one on the installation media) supports speech output via the pc-speaker – reading out all menu items, he says:

This feature is mainly there to aid visually impaired people.

It’s still experimental and I’d like to get your feedback whether it works or not on your machine.

To try it, simply press F9. (In the worst case, your machine will freeze at this point.)

I gave it a try and it worked fine. I just missed the German translations! 🙂

Great work, Steffen!