
Meeting By The Pond

July 16th, 2008 by

It’s been two weeks since our last soirée, so without further ado: the next openSUSE-GNOME project meeting will take place in the official #opensuse-gnome IRC channel tomorrow, Thursday 2008/07/17 at 16:00 UTC (18:00 CEST).

For an overview of what time this is in different time zones, use:

http://www.timeanddate.com/worldclock/fixedtime.html?day=17&month=07&year=2008&hour=16&min=0&sec=0&p1=0

Topics being covered are:

  • Feature review
  • Policy review
  • Pattern review
  • Patch tagging day
  • Package submission changes

Remember, EVERYONE is welcome, new/old, hacker/user, etc.  So please come along and join the fun; fancy dress and fishing rods are optional.

Package Management Security on openSUSE

July 16th, 2008 by

There has been a report (with further information at this page and at the FAQ) looking at package management security on various distributions that IMO was rather condensed in its summary report and therefore raised some false alarms for various distributions including openSUSE.

Ludwig, one of our security experts, sent out a mail with a reaction to the report and I’d like to point out some of the things from the report and how it’s handled in the openSUSE 11.0 distribution.

Let me state first the major lines of defense that openSUSE uses:

  • Package downgrade is not possible: YaST will not do this automatically, and therefore many of the attacks (installing an old and vulnerable package) are not possible.
  • The openSUSE download redirector serves the metadata from a known and trusted source.  I advise everybody to use the download redirector via http://download.opensuse.org.
  • The openSUSE updates have both cryptographically signed packages and cryptographically signed metadata – and YaST checks these signatures and rejects files that do not match the signature.

The described attacks are:

  • “Replay Attack: Metadata Replay”: Not possible since the openSUSE download redirector serves the metadata from a central location.  The only chance here would be a man-in-the-middle attack, but this would not help since YaST will not do a package downgrade.
  • “Replay Attack: Mirror Control”: Yes, it’s easy to become an openSUSE mirror, but this will not degrade your security since the metadata comes from the download redirector and we only redirect to mirrors that contain the right version of a package – and the redirector monitors that the mirrors contain the right files.  YaST is designed with mirrors going out of date or getting corrupted in mind.
  • Attacks called “Extraneous Dependencies”, “Unsatisfiable Dependencies” and “Provides Everything” on the other attacks page: Let me cite the page where it mentions protection against these attacks: “The easiest way is to use a package manager that signs the repository metadata (like APT or YaST)”.
  • “Endless Data Attack”: This is basically a denial-of-service attack which the admin will soon notice and can then take appropriate action against.  It cannot happen for metadata, since that comes from the download redirector, but it could happen with openSUSE for packages, since we do download the complete file and do not use the file size information contained in the metadata yet.  This is something we plan to address for our next release.

Note that when I speak about YaST I mean everything that uses the openSUSE package management library libzypp which includes YaST, zypper and the updater applets.
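To make the four lines of defense concrete, here is an added example that models them in code: signed metadata from a trusted source, a refusal to downgrade (which also neutralises validly signed but replayed old metadata), a download that is cut off at the size recorded in the metadata (the planned fix for the endless-data case), a checksum for stale or corrupted mirrors, and the package's own signature. This is not libzypp or YaST code; the JSON metadata layout, the function names and the HMAC-SHA256 stand-in for GPG signatures are assumptions made so the example runs offline.

```python
"""Constructed model of the update-acceptance rules described above.
Not libzypp/YaST code: names, metadata layout and the HMAC stand-in for
GPG signatures are assumptions so the example runs offline."""
import hashlib
import hmac
import itertools
import json

# Hypothetical repository signing key; stands in for the repository's GPG key.
REPO_KEY = b"constructed-demo-key"


def sign(data: bytes) -> str:
    return hmac.new(REPO_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)


def version_key(version: str) -> list:
    """Simplified RPM-style ordering: split on '.' and '-', numeric
    segments compare as integers, everything else as strings."""
    return [(0, int(s)) if s.isdigit() else (1, s)
            for s in version.replace("-", ".").split(".")]


def load_metadata(raw: bytes, signature: str) -> dict:
    """Metadata comes from the trusted redirector; reject it unless the
    signature verifies (catches tampered or unsigned metadata)."""
    if not verify(raw, signature):
        raise ValueError("metadata signature mismatch")
    return json.loads(raw)


def download_limited(chunks, limit: int) -> bytes:
    """Read a mirror's response but abort once the size recorded in the
    metadata is exceeded, which stops an 'endless data' response."""
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        if len(buf) > limit:
            raise ValueError("download exceeds metadata size")
    return bytes(buf)


def check_update(installed: dict, name: str, meta: dict, chunks, pkg_signature: str) -> str:
    """Apply the rules in order: no downgrade, bounded download,
    checksum from metadata, then the package's own signature."""
    entry = meta["packages"][name]
    if version_key(entry["version"]) < version_key(installed[name]):
        return "rejected: downgrade"          # even if the old metadata is validly signed
    try:
        data = download_limited(chunks, entry["size"])
    except ValueError as exc:
        return f"rejected: {exc}"
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        return "rejected: checksum mismatch"  # stale or corrupted mirror
    if not verify(data, pkg_signature):
        return "rejected: package signature mismatch"
    return "accepted"


def make_repo(name: str, version: str, payload: bytes):
    """Constructed helper: produce signed metadata and a signed package."""
    meta = {"packages": {name: {"version": version, "size": len(payload),
                                "sha256": hashlib.sha256(payload).hexdigest()}}}
    raw = json.dumps(meta, sort_keys=True).encode()
    return raw, sign(raw), payload, sign(payload)


def demo() -> dict:
    installed = {"demo-pkg": "1.0.2-3"}   # constructed installed version
    results = {}

    # 1. Current repository: newer version, intact mirror -> accepted.
    raw, msig, pkg, psig = make_repo("demo-pkg", "1.0.2-4", b"new build")
    meta = load_metadata(raw, msig)
    results["current"] = check_update(installed, "demo-pkg", meta, [pkg], psig)

    # 2. Replayed (old but validly signed) metadata -> downgrade refused.
    raw, msig, pkg, psig = make_repo("demo-pkg", "1.0.1-9", b"old build")
    meta = load_metadata(raw, msig)
    results["replay"] = check_update(installed, "demo-pkg", meta, [pkg], psig)

    # 3. Tampered metadata -> signature failure before anything is used.
    raw, msig, pkg, psig = make_repo("demo-pkg", "1.0.2-4", b"new build")
    try:
        load_metadata(raw.replace(b"1.0.2-4", b"1.0.2-9"), msig)
        results["tampered"] = "accepted"
    except ValueError:
        results["tampered"] = "rejected: metadata signature mismatch"

    # 4. Mirror streams data forever -> aborted at the metadata size.
    meta = load_metadata(raw, msig)
    endless = itertools.repeat(b"A" * 1024)
    results["endless"] = check_update(installed, "demo-pkg", meta, endless, psig)

    # 5. Mirror serves a different file of the right size -> checksum mismatch.
    results["corrupt"] = check_update(installed, "demo-pkg", meta, [b"bad build"], psig)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} {outcome}")
```

The order of the checks matters: the downgrade test runs before any bytes are fetched, so a replayed-but-signed metadata set never triggers a download, and the size limit is enforced while streaming rather than after the whole response has been buffered.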

Note also that the FAQ has a question about the download redirector: “Q: What about OpenSUSE’s download redirector? Does it increase or decrease my security? A: OpenSUSE’s download redirector increases the user’s security…”.  I’d like to thank Christoph Thiel, Marcus Rückert and Peter Pöml for their work over the years on the redirector.  Peter is the current maintainer and did the last rewrite including the serving of metadata.

Note: if you use SUSE Linux Enterprise products, then only servers owned by Novell are used, via secure HTTPS connections, which avoids all these attacks.

Our package management and security experts have been reviewing and improving the security aspects of the package management stack continuously – and the report shows that they were successful.

YaST module the C++ way

July 15th, 2008 by

From May 30th to July 4th we had a YaST workshop in Nuremberg. The workshop was basically a hackshop as we wanted to work on cool and new things for YaST during this week.

There is one big change in YaST in openSUSE 11.0 – yea, we found out that there are even more colors than gray, ok – but there is one that is not really visible to the end user. Stefan Hundhammer, maintainer of our YaST UI, completely separated the UI from the rest of the YaST infrastructure. This now makes it possible to use the UI directly, from anywhere, independently of our YaST-own language YCP. So with a team of four hackers we wanted to prove that we can write a YaST module in plain C++ using the new modularized UI directly. And here is the outcome:

We went for rewriting the registration module (well, we chose it because I know it well, as I am the maintainer, and it will change anyhow for the next release). This module is not that integrated into the overall YCP world, so it should be feasible. First we had to find an alternative way to access system configuration files, as this is done by so-called SCR agents in YCP. To make life easier (and future development faster) we had to look for a replacement for our YCP Wizard Sequencer. And of course we redesigned all dialogs to make them more intuitive.

We solved all the issues and now have

  • a wrapper class for accessing different configuration files (currently only ini files)
  • an automatic wizard sequencer equivalent (using the advantages of an object-oriented language, which YCP is not)
  • three clear and intuitive dialogs that every user should understand

And as everybody wants to see screenshots, here they are:

[Screenshots: Configure Update Source; Send Hardware Information; Register for Installation Support]

The code is just a proof of concept and not yet reusable for new YaST modules, but everything we wanted to show works great. We will continue to work on such modules and in that process move the generic parts out into separate libraries so that they can be reused and may even be exposed to scripting languages.

Writing YaST modules this way has lots of advantages:

  • YaST modules evolved into the object oriented world and can make use of it (the automatic sequencer is the first benefit)
  • the code is reusable
  • a huge bunch of documentation and lots of tools exist for C++
  • it’s a compiled language and has better performance than an interpreted one
  • we can bind automatically to the most important scripting languages and give them access to the module’s logic

If you are interested in the source code, have a look at my svn repo, and if you want to help, join the team and contact us on our mailing list.

LRLUK08 – Freeing The Lizard

July 14th, 2008 by

Yes peeps, this weekend is the penultimate LUG Radio show and event.

LRL Speaker

It is also an event where I will be speaking about the openSUSE project and its great community (yes there’ll be a bit about Novell and how good they are too 😉 ) You can see the full schedule if you want to know what’s going on or just turn up on Sunday at 1500 to hear and see yours beautifully 😀

I am planning on helping Lord Whittaker, who will be there with a Novell stand, so hopefully I can bring a dash of Green Geeko Goodness to the event. If you are planning on going, please say hello. It’d be good to meet other openSUSE users.

Atheros AR 5007 EG on openSUSE 11.0

July 14th, 2008 by

openSUSE 11.0 failed to detect this hardware correctly and wrongly identified the device as an AR242x 802.11abg Wireless PCI Express Adapter. I usually use the madwifi driver for Atheros chipsets instead of ath5k, but the standard madwifi driver could not be applied to this device. After Googling for a while, I could make it work with the special AR 5007 EG madwifi driver, http://snapshots.madwifi.org/special/madwifi-ng-r2756+ar5007.tar.gz.

How to make it work?

  1. Disable or blacklist the ath5k driver by adding the line "blacklist ath5k" to /etc/modprobe.d/blacklist
  2. Open Konsole or a terminal
  3. Install the driver
  4. Become root (su) and run the following commands; the build needs the kernel sources and a compiler, and ath_pci is the madwifi module:
    su
    zypper in kernel-source make gcc gcc-c++
    wget -c http://snapshots.madwifi.org/special/madwifi-ng-r2756+ar5007.tar.gz
    tar -zxvf madwifi-ng-r2756+ar5007.tar.gz
    cd madwifi-ng-r2756+ar5007
    make
    make install
    modprobe ath_pci
    reboot

After the reboot, you should be able to configure the Wi-Fi from YaST | Network Devices | Network Settings.

Extract and Compress Right Click Menu on KDE4

July 12th, 2008 by

One of the functional menus that made my life easier with KDE 3 was the Compress and Extract menu. With this function, I could create an archive or extract a zip file from Konqueror without opening Ark to manually extract or compress the file. Now I enjoy KDE 4 on openSUSE 11.0, with KWin desktop effects and a lot of improvements in various areas, but I still miss the above menu.

How to add a similar function to KDE 4 so we can compress files or folders, or extract a zip file, both in Dolphin and Konqueror? Here are the tips:

  1. Download the plugin here:
    http://www.kde-apps.org/content/download.php?content=84206&id=1&tan=96989998
  2. Open Konsole / a terminal
  3. Extract the plugin
  4. Go to the extracted folder
  5. Copy all .desktop files into /usr/share/kde4/services/ServiceMenus
  6. Copy the contents of the script folder into /usr/bin
  7. Test with Dolphin or KDE 4

Compress and Extract

The above tips make a system-wide configuration. If you wish to make local changes only, just execute INSTALL_1.0.sh in the extracted folder.

NOTE: The programs p7zip, bunzip2, bzip2, gzip, rar, unrar, tar, zip and unzip must be installed.

I don’t know if the function will be added into KDE 4.1 by default, but I hope so 😉

Buildservice and L3

July 10th, 2008 by

In the last few days some people from various teams spent a lot of time discussing topics around L3. L3 means Level-3 support and is one of the services that we offer for our enterprise product series. It is about bugs which are not solvable by our support organisation but require developer eyes to stroll through source code.

What that has to do with openSUSE you might wonder. Well, since we’re currently working on switching our internal build process to a Buildservice-based solution, L3 comes into play, as well as other parts that are hardly visible to the community but important for the business.

L3 is a really tough game: customers are paying money for the service, and if they call they expect premium service quickly. Often enough enterprise operations are endangered by L3 bugs (or it is said that they are 😉), and clarification is needed quickly to relax the situation.

For the brave guys offering this service that means they need to replay the customer’s situation quickly, debug, find the bug and, if needed, provide a fix for the customer.

The customer can of course tell more or less accurately which system he is running on which hardware. But then it gets rough for us: finding the correct source for this constellation might sound easy, but if one adds up the number of products that we maintain, their sub-flavours and service packs, and also considers the many maintenance updates that the customer is expected to install, it becomes clearer that there are lots of possibilities and huge hard drives with content ;-).
Having found the correct source, debugging (often together with the customer under time pressure), fixing and providing a fixed package begins.

L3 is an impressive business for me, done by courageous guys.

Even nicer, the Buildservice helps a lot here because it makes at least building debug-info packages and fixes easy. A well thought-through project structure in the Buildservice, linked together with source links and aggregations (which is a science in itself 😉), eases (at least) the source organisation a lot. Other things also sound promising.

There is still some work to do until all pieces fit together, but we are looking forward to helping the L3 colleagues improve their processes with the Buildservice and maybe some other tools.
I know, this is not exactly related to community questions but I thought it might be interesting to read about these things from time to time as well…

new osc package released

July 10th, 2008 by

After two or three weeks of coding (not mine mostly, but by Marcus and Dirk), a lot of good stuff has accumulated in the osc development tree. Time to release a new package. It is a particularly good moment because today the 1.0 release of the Build Service has been announced.

The list of changes is long, the NEWS file has it all. Overview:

  • version 0.105
  • easier usage of osc submitreq: It is less picky on command-line arguments, can be called in working copies or project directories, figures out which build service instance to use, and has improved output. Also, there is an osc submitreq delete action now (which only works if you have write permissions on the destination though)
  • osc search: added option -i|--involved, to show in which projects/packages a developer is involved
  • osc importsrcpkg: no signature check anymore
  • osc linkpac: --revision option added.
  • osc copypac: use the correct userid when copying to another api host
  • osc build: double check the buildinfo for local builds.
  • osc buildhist: change the output into a format which better matches actual RPM filenames.
  • osc commit: give commit message tempfiles a “.diff” suffix, so syntax highlighting automatically works in capable editors
  • don’t expand/unexpand if the working copy has local modifications – this is a workaround for #399247 but this way the working copy isn’t screwed up. Also, make sure no _linkerror files end up in working copies.
  • better error reporting in a whole number of cases, especially printing out more available detail. For instance, osc meta now prints out a concrete text why something you submitted was not accepted.

Have a lot of fun with it.

And just a note, remember that it is very easy to write osc plugins in order to extend or alter the functionality! Here’s the documentation.

Moving Forward with openSUSE 11.1

July 4th, 2008 by

Since both Coolo and Michl are on vacation for two weeks, I’m a bit more involved with the openSUSE distribution.  Besides announcing the openSUSE 11.1 roadmap, I was busy stabilizing the factory trees and getting an installable distribution after quite some major changes had been checked into factory. The goal was to have a snapshot of factory as an internal Alpha0 release to see what’s working and what’s broken.

Factory has received the following visible major updates after 11.0:

  • The GNOME team prepares for GNOME 2.24 and updated to the development release GNOME 2.23.4
  • Similarly, the KDE team prepares for KDE 4.1 and updated to KDE 4.0.84 (4.0.83 was KDE 4.1 beta2, not sure what .84 corresponds exactly to)
  • Installation-Images now have support for IPv6 so that you can install with IPv6 remote hosts

Besides that a large number of packages were updated, renamed, or removed.  In our effort to create small JeOS images, cracklib now uses compressed passwords to save space.

A number of updates are already queued but did not go into factory yet since they missed the deadline for Alpha0. I’d like to point out the following:

  • OpenOffice.Org 3.0 Alpha2 – in preparation for the OpenOffice.Org 3.0 release
  • NetworkManager update to current svn

Alpha0 is not yet released, we’re still hunting some bugs but I hope the above gives some impression where openSUSE 11.1 will go.

Have a lot of fun!

Andreas

Showing package dependencies

June 27th, 2008 by

In order to answer the question “Why will this package be installed and who needs it?” I have added a new dialog to the Qt single package selector:

Select one item (pattern, package) in the single selection frame, use the right mouse button and select “Show solver information”. A solver run will be made for this item and the result will be shown in this dialog.

  • Black arrow: This item is required by…
  • Green arrow: This item is recommended by…
  • Green boxes: This package is already installed
  • Grey boxes: This package will be installed
  • Blue boxes: Patterns

You can navigate through the tree via the overview frame:

After you have selected one item in the tree you can see more information about it:

e.g. this item will install two further patterns due to the shown dependencies.

In order to decrease the complexity of the tree you can hide:

  • already installed packages
  • recommended packages/patterns

So you will get a smaller tree:

Technical Background:

This is a simple Qt dialog widget which can be used in other programs too (package libqdialogsolver1).

YaST uses this widget as a YaST plugin, so if this package is not available you will only get a popup in the single package selector.
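The tree the dialog draws, and the two filters that shrink it, come down to a walk over the solver's requires/recommends edges. As an added example (not YaST or libqdialogsolver1 code; the dependency graph, the installed set and the function names are constructed), the following computes the same tree from a toy graph, marks each node as installed, to be installed or pattern, applies the "hide installed" and "hide recommended" filters, and lists what the selection would pull in:

```python
"""Constructed example of the 'who needs this item?' tree with its two
filters.  Not YaST/libqdialogsolver1 code; the graph is invented."""

# Constructed edges: (dependant, kind, dependency).  In the dialog's legend
# "requires" is the black arrow and "recommends" the green one.
EDGES = [
    ("pattern:office", "requires", "office-suite"),
    ("pattern:office", "recommends", "pattern:fonts"),
    ("office-suite", "requires", "libfoo1"),
    ("office-suite", "recommends", "office-help"),
    ("pattern:fonts", "requires", "fonts-basic"),
    ("libfoo1", "requires", "glibc"),
]

# Constructed set of items already on the system (green boxes).
INSTALLED = {"glibc", "fonts-basic"}


def state_of(item: str, installed: set) -> str:
    if item in installed:
        return "installed"        # green box
    if item.startswith("pattern:"):
        return "pattern"          # blue box
    return "to-install"           # grey box


def solver_tree(item, edges, installed, hide_installed=False,
                hide_recommended=False, path=()):
    """Build the tree rooted at the selected item.  'path' guards against
    dependency cycles; the two flags implement the dialog's filters."""
    node = {"item": item, "state": state_of(item, installed), "children": []}
    for src, kind, dst in edges:
        if src != item or dst in path:
            continue
        if hide_recommended and kind == "recommends":
            continue
        if hide_installed and dst in installed:
            continue
        child = solver_tree(dst, edges, installed, hide_installed,
                            hide_recommended, path + (item,))
        node["children"].append((kind, child))
    return node


def will_install(tree: dict) -> set:
    """Everything in the tree that is not already installed."""
    found, stack = set(), [tree]
    while stack:
        node = stack.pop()
        if node["state"] != "installed":
            found.add(node["item"])
        stack.extend(child for _, child in node["children"])
    return found


def render(tree: dict, indent: int = 0, kind: str = "selected") -> list:
    """Text form of the tree, one line per node, for the overview frame."""
    arrow = {"selected": "*", "requires": "->", "recommends": "~>"}[kind]
    lines = [f"{'  ' * indent}{arrow} {tree['item']} [{tree['state']}]"]
    for child_kind, child in tree["children"]:
        lines += render(child, indent + 1, child_kind)
    return lines


if __name__ == "__main__":
    full = solver_tree("pattern:office", EDGES, INSTALLED)
    print("\n".join(render(full)))
    print("pulls in:", sorted(will_install(full)))
    small = solver_tree("pattern:office", EDGES, INSTALLED,
                        hide_installed=True, hide_recommended=True)
    print("\n".join(render(small)))
```

Hiding recommended items changes what the selection pulls in (office-help and the fonts pattern drop out), while hiding installed items only removes leaves from the display; the example keeps those two effects separate so the difference is visible in the output.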