Posted on

My Debian Activities in December 2014

FTP assistant

This month at the end of the year has been rather quiet as well. The holiday season is not suited for lots of REJECTs, so all in all I marked 91 packages for accept and rejected only 14 packages. But be aware, the period of grace is over now.

Squeeze LTS

This was my sixth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 20.5h and I spent these hours to upload new versions of:

  • [DLA 99-1] flac security update
  • [DLA 100-1] mutt security update
  • [DLA 101-1] jasper security update
  • [DLA 102-1] tcpdump security update
  • [DLA 105-1] graphviz security update
  • [DLA 107-1] unbound security update
  • [DLA 108-1] nfs-utils security update
  • [DLA 110-1] libyaml security update
  • [DLA 109-1] libyaml-libyaml-perl security update
  • [DLA 117-1] qt4-x11 security update
  • [DLA 121-1] jasper security update
  • [DLA 122-1] eglibc security update
  • [DLA 123-1] firebird2.5 security update
  • [DLA 124-1] unzip security update

This month I also sponsored the upload of [DLA 126-1] ettercap security update. As far as I know, this has been the first time that someone who is not (yet?) involved in Debian as a Debian Maintainer or Debian Developer prepared a patch for Squeeze LTS. So many thanks to Nguyen Cong for doing the work. Thanks to Toshiba as well, who allowed him to work on this package. I am sure there is more to come.

As December is the time of gifts, I also uploaded [DLA 104-1] pdns-recursor security update although no LTS sponsor indicated any interest.

Other packages

Unfortunately the Debian Med Advent Calendar wasn’t as successful as the years before. Only five bugs in packages python-mne, avifile , biomaj-watcher, trimmomatic and uc-echo have been closed. Things can only get better …

Posted on

My Debian Activities in November 2014

FTP assistant

In contrast to the last month, this month has been rather quiet and I really liked that :-). The stress has moved to the next team. So all in all I marked 101 packages for accept and had to reject 27 packages. As I mostly reviewed really new packages, I didn’t have to file any RC bug this month.

Squeeze LTS

This was my fifth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 14.25h and I spent these hours to upload new versions of:

  • [DLA 82-1] wget security update
  • [DLA 84-1] curl security update
  • [DLA 89-1] nss security update
  • [DLA 90-1] imagemagick security update
  • [DLA 94-1] php5 security update
  • [DLA 97-1] eglibc security update

I also uploaded [DLA 85-1] libxml-security-java security update, but as nobody of the LTS sponsors had any interest in this package, I did this in my “spare” time. A package with security in its name should not be affected by security issues.

This month my failure of the month has been the binutils package. Although the security team prepared the way for finding the correct patches for all those CVEs, I somehow managed to not find them. This is embarassing …

I am also a bit disappointed by current LTS users. All important packages have been made available for testing before uploading them to the archive. Apart from some brave fellow DDs, no other feedback was reported on debian-lts. Complaints arrived only when the packages have been finally uploaded. Do admins have enough time nowadays and don’t need to use some kind of testbed? Times are changing …

Other packages

This month I even found some time to sponsor uploads, so please welcome a new version of fastaq in experimental and patiently wait for aegaen and kmc to pass NEW.

At this point I also want to mention the Debian Med Advent Calendar, which was announced in this email and already mentioned by Andreas in his latest Debian Med bits. Everybody is invited to take care of as much as possible poor souls.

Support

If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Posted on

Manage own CA with Debian

Self signed SSL certificates are nice, but only provide encryption of retrieved data. Nobody knows who is really sending the data.

If one buys an SSL certificate for a website, the browser doesn’t complain as much as with a self signed certificate. But can you really trust the other side? Almost every commercial CA has some kind of “fast validation” or “domain validation, issued in minutes”, which is done by email or phone. So if required, within minutes everybody might become you. Even with putting money on the table your users can not be sure whether this server really belongs to the right guy.

Well, why wasting time and money? Just create your own Root CA and tell users that they need to add something in order to avoid some error messages. In Debian we basically have five packages who claim to be able to manage some kind of CA.

easy-rsa is mainly needed to manage certificates used by openVPN. Within this use case it works like a charm, but I don’t want to manage a more complex CA with it.

gnomint is dead upstream and only uses SHA1 as signature algorithm. This will cause lots of problems as Mircrosoft and Google want to deprecate SHA1 in their products by 2017. Besides, this package is already orphaned and maybe it can disappear now.

tinyCA uses more signature algorithms, unfortunately SHA1 seems to be the “best” it can. There are some patches to support up to SHA512, but they don’t work for all parts of the software yet. For example Sub-CAs still use SHA1 despite of choosing something different in the GUI. So nice, but not (yet) usable in Jessie.

FreeIPA seems to be great, but didn’t make it into Jessie in time. Unfortunately the Release Team has reasons to not unblock it. So nice, but not usable in Jessie.

xca is based on QT4. As announced in the 15th DPN of 2014 the deprecated QT4 will be removed from Debian Stretch (= Jessie+1). Apart from this, the software meets all my requirements.

Posted on

WLAN stick and hostapd in Debian Jessie

Notice to my future self: please think twice before you buy another LogiLink WLAN stick

In this case the LogiLink WL0049A did work as normal WLAN stick out of the box, but was rather unreliable using it together with hostapd. The All0234Mini seems to be much better.

Posted on

My Debian Activities in October 2014

FTP assistant

This month has been the month before the freeze. Lots of people uploaded a package at the last moment and wanted to have it in testing before everything is over. This resulted in even more processed package than in September. I was able to accept 407 packages and had to reject 77. The whole FTP team managed it to bring the NEW queue below 40 waiting packages. As the Release team doesn’t like to see binary-NEW packages appearing in unstable (at least those which change the soname of a lib), this number will increase again. But, that’s life …

I am glad that a freeze happens only every few years. So I would particularly thank my dear wife for her patience, when she saw me sitting in front of that damned computer again and again.

Squeeze LTS

This was my fourth month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

This month I got assigned a workload of 13.75h and I spent these hours to upload new versions of

  • [DLA 72-1] rsyslog security update
  • [DLA 72-2] rsyslog regression update
  • [DLA 78-1] torque security update
  • [DLA 80-1] libxml2 security update

I also prepared a new upload of wget and still wait for some feedback. In this case some default values had to be changed and I better wait a bit before I break some scripts.

Moreover five CVEs accumulated for php5, so I guess another upload has to be done for this package. This will be ready in the next days …

I also tried to work on libtasn1-3 and librack-ruby. There hadn’t been DSAs for these packages and I tried to dig into the upstream repositories. Unfortunately I failed to find the correct patches. Kudos to the Security Team who have to struggle with all kind of commit messages on a daily basis.

Other packages

I didn’t have time to do any work on my own packages. But during my ftp-time I saw one or another package that deals with some kind of home automation. Up to now there doesn’t seem to be a Debian group who deals with this topic. Maybe it is time to start one?

Support

If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Posted on

Xen toolstack

Notice to my future self: In the default Jessie installation of Xen a new toolstack called xl is introduced. More information about the motivation in doing this can be seen in the Xen Wiki. It should be backward compatible with the removed xm (=XEND) toolstack, so in any command just use xl insead of xm.

Posted on

Problem starting XEN guest

Notice to my future self: In case there are problems starting a domU, and /var/log/xen/xend.log says something about “Cannot allocate memory” then look at the memory consumption of dom0 with:

xm list

If this value is near the maximum available memory, just use

xm mem-set Domain-0 6500

or whatever looks good.

Posted on

Key transition, move to stronger key

Finally I was able to do the enormous paperwork (no, it is not that much) to switch my old 1024D key to a new 4096R one. I was a bit afraid that there might be something bad happening, but my fear was without any reason. After the RT bug was closed, I could upload and sent signed emails to mailing lists. So thanks alot to everyone involved.

old key, 0xD362B62A54B99890

pub   1024D/54B99890 2008-07-23
      Key fingerprint = 36E2 EDDE C21F EC8F 77B8  7436 D362 B62A 54B9 9890
uid                  Thorsten Alteholz (...)
sub   4096g/622D94A8 2008-07-23


new key, 0xA459EC6715B0705F

pub   4096R/0xA459EC6715B0705F 2014-02-03
  Schl.-Fingerabdruck = C74F 6AC9 E933 B306 7F52  F33F A459 EC67 15B0 705F
uid                 [ uneing.] Thorsten Alteholz (...)
sub   4096R/0xAE861AE7F39DF730 2014-02-03
  Schl.-Fingerabdruck = B8E7 6074 5FF4 C707 1C77  870C AE86 1AE7 F39D F730
sub   4096R/0x96FCAC0D387B5847 2014-02-03
  Schl.-Fingerabdruck = 6201 FBFF DBBD E078 22EA  BB96 96FC AC0D 387B 5847
Posted on

My Debian Activities in September 2014

FTP assistant

Starting an article with self laudation might be bad style, but this month I was busy as a bee and could accept 312 packages, 75 packages more than last month. 34 times I contacted the maintainer to ask a question and 51 times I had to reject a package. These numbers remain constant.

The number of packages in NEW dropped to about 180. If you want your package included in Jessie, please double-check it and upload an improved version.

Squeeze LTS

This was my third month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian.

All in all I got assigned a workload of 11h for September and I spent these hours to upload new versions of

  • [DLA 43-1] eglibc security update
  • [DLA 64-1] curl security update
  • [DLA 67-1] php5 security update
  • [DLA 68-1] fex security update

I further tried to upload a new version of python-django. Unfortunately I could not figure out why some of the internal tests of the package failed. So I fowarded the package to Raphael, who could resolve all issues.

The Squeeze version of PHP5 contains 140 patches. According to quilt 47 of them are identified to be already in 5.3.29 and 48 patches need to be revised. Some of them are really big, rather old and not really supported in the new 5.3.n version.
As nobody will talk about Squeeze LTS in a few months, I better better avoid the hassle of preparing a point release and concentrate only on security patches further on.

Other packages

This month I uploaded a new version of net-dns-fingerprint, which closes an RC bug. Unfortunately the package does not work with all DNS servers anymore. Patches or hints what happened are very welcome :-).

Support

If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.

Posted on

My Debian activities in August 2014

FTP assistant

By pure chance I was able to accept 237 packages, the same number as last month. 33 times I contacted the maintainer to ask a question about a package and 55 times I had to reject a package. The reject number increased a bit as I also worked on packages that already got a note but had not been fully processed. In contrast I only filed three serious bugs this month.

Currently there are about 200 packages still waiting in the NEW queue As the freeze for Jessie comes closer every day, I wonder whether all of them can be processed in time. So I don’t mind if every maintainer checks the package again and maybe uploads an improved version that can be processed faster.

Squeeze LTS

This was my second month that I did some work for the Squeeze LTS initiative, started by Raphael Hertzog at Freexian

All in all I got assigned a workload of 16.5h for August. I spent these hours to upload new versions of

  • [DLA 32-1] nspr security update
  • [DLA 34-1] libapache-mod-security security update
  • [DLA 36-1] polarssl security update
  • [DLA 37-1] krb5 security update
  • [DLA 39-1] gpgme1.0 security update
  • [DLA 41-1] python-imaging security update

As last month I prepared these uploads on the basis of the corresponding DSAs for Wheezy. For these packages backporting the Wheezy patches to Squeeze was rather easy.

I also had a look at python-django and eglibc. Although the python-django patches apply now, the package fails some tests and these issues need some further investigation. In case of eglibc, my small pbuilder didn’t have enough resources and trying to build the package resulted in a full disk after more than three hours of work.

For PHP5 Ondřej Surý (the real maintainer) suggested to use point releases of upstream instead of applying only patches. I am curious about how much effort is needed for this approach. Stay tuned, next month you will be told more details!

Anyway, this is still a lot of fun and I hope I can finish python-django, eglibc and php5 in September.

Other packages

This month my meep packages plus mpb have been part of a small hdf5 transition. All five packages needed a small patch and a new upload. As the patch was already provided by Gilles Filippini, this was done rather quickly.

Support

If you would like to support my Debian work you could either be part of the Freexian initiative (see above) or consider to send some bitcoins to 1JHnNpbgzxkoNexeXsTUGS6qUp5P88vHej. Contact me at donation@alteholz.eu if you prefer another way to donate. Every kind of support is most appreciated.