Archive for February, 2008

Thoughts on srcinst

Friday, February 8th, 2008

As eddyp wrote on Planet Debian, there is indeed a tool to roll custom builds of source packages. However, as he also mentioned, it’s written in Haskell, and may be unmaintained.

One of the most common complaints I hear about Debian (and Ubuntu) is that it does not make it easy to rebuild source packages. So, I’m going to start writing a new Debian package builder for this purpose soon. It’ll probably be a package similar to pbuilder, except aimed at end users instead of developers. Here’s my plan of action:

Phase 1:

  • Interface similar to apt. Creates a build lab for the current release (detected with lsb_release or similar) using debootstrap if one does not exist, then caches that build lab. A weekly cron job will be added to make sure the build lab is kept up to date. (This would be provided by ‘srctool bootstrap’.)
  • Installing and building packages; dependencies will be resolved using gdebi. (This is provided by ‘srctool install package’.)
  • A configuration file allowing you to specify DEB_BUILD_OPTIONS and other parameters to influence the build.

Phase 2:

  • Some sort of policy proposal to add a common debian/rules option for declaring features, so that users can easily rebuild a package without LDAP support if they don’t want it.
  • A general hook to record, for reportbug, that a package was built with custom CFLAGS etc.
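The Phase 1 and Phase 2 steps above, sketched as one shell script. This is an added example, not code from the post or from any srcinst/srctool release: the verbs (bootstrap, install), the config file path and its KEY=VALUE format, the build-lab and built-with log paths, and the use of apt-get build-dep inside the chroot (the post mentions gdebi for dependency resolution) are all assumptions. Two checks are included that the plan does not spell out but a tool run as root needs: the config file is parsed for a fixed set of keys rather than sourced as shell, and the package name is validated against the Debian Policy character set before it is interpolated into a command run in the chroot.

```shell
#!/bin/sh
# Sketch of the srctool flow described above. Hypothetical throughout: the
# verbs (bootstrap, install), the config file path/format, the build-lab path
# and the built-with log are assumptions, not anything the post specifies.
#   srctool bootstrap        -> debootstrap a build lab for the running release, cache it
#   srctool install SRCPKG   -> rebuild SRCPKG inside the lab with the configured options
set -eu

SRCTOOL_CONF=${SRCTOOL_CONF:-/etc/srctool.conf}
SRCTOOL_LAB=${SRCTOOL_LAB:-/var/cache/srctool/lab}
SRCTOOL_LOG=${SRCTOOL_LOG:-/var/lib/srctool/built-with}   # read by a reportbug hook (Phase 2)

# Suite to bootstrap: the running system's codename via lsb_release, unless overridden.
detect_suite() {
    if [ -n "${SRCTOOL_SUITE:-}" ]; then printf '%s\n' "$SRCTOOL_SUITE"; else lsb_release -sc; fi
}

# Fetch KEY from a KEY=VALUE config file. The file is parsed, never sourced:
# sourcing a user-editable file as shell would execute anything written into it.
conf_get() {                                   # conf_get FILE KEY
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Environment prefix for dpkg-buildpackage, built from the config file. Only the
# keys listed here are forwarded, so a stray PATH= or LD_PRELOAD= line is ignored,
# and a value containing a quote is refused rather than spliced into a command.
build_env() {                                  # build_env FILE
    out=""
    for key in DEB_BUILD_OPTIONS CFLAGS CXXFLAGS LDFLAGS; do
        val=$(conf_get "$1" "$key")
        case $val in *\'*) echo "srctool: refusing quote in $key" >&2; return 1 ;; esac
        if [ -n "$val" ]; then out="${out:+$out }$key='$val'"; fi
    done
    printf '%s\n' "$out"
}

# Source package names are [a-z0-9][a-z0-9+.-]+ (Debian Policy 5.6.1). Anything
# else is rejected before it is interpolated into a shell command in the chroot.
valid_pkgname() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9+.-]+$'
}

# Phase 1, srctool bootstrap: create the build lab once, then keep it current
# (the weekly cron job would simply run this again).
bootstrap() {
    suite=$(detect_suite)
    mirror=$(conf_get "$SRCTOOL_CONF" MIRROR)
    if [ ! -e "$SRCTOOL_LAB/etc/debian_version" ]; then
        mkdir -p "$SRCTOOL_LAB"
        debootstrap "$suite" "$SRCTOOL_LAB" ${mirror:+"$mirror"}
        # debootstrap writes only a binary "deb" line; apt-get source needs deb-src.
        echo "deb-src ${mirror:-http://ftp.debian.org/debian} $suite main" \
            >> "$SRCTOOL_LAB/etc/apt/sources.list"
    fi
    chroot "$SRCTOOL_LAB" apt-get -y update
    chroot "$SRCTOOL_LAB" apt-get -y dist-upgrade
}

# Phase 1, srctool install SRCPKG: build-deps, source, build, install.
# Uses apt-get build-dep for dependencies where the post mentions gdebi.
install_pkg() {
    pkg=$1
    envp=$(build_env "$SRCTOOL_CONF")
    mkdir -p "$SRCTOOL_LAB/build"
    chroot "$SRCTOOL_LAB" sh -c "cd /build && apt-get -y build-dep $pkg && apt-get source $pkg"
    chroot "$SRCTOOL_LAB" sh -c "cd /build/$pkg-*/ && env $envp dpkg-buildpackage -us -uc -b"
    # Phase 2 hook: record that these binaries are not stock Debian builds and
    # which options were used, so reportbug (or a human) can see it later.
    mkdir -p "$(dirname "$SRCTOOL_LOG")"
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%MZ)" "$pkg" "${envp:-stock}" >> "$SRCTOOL_LOG"
    dpkg -i "$SRCTOOL_LAB"/build/*.deb
}

case "${1:-}" in
    bootstrap) bootstrap ;;
    install)   valid_pkgname "${2:-}" || { echo "srctool: bad package name" >&2; exit 2; }
               bootstrap; install_pkg "$2" ;;
    "")        ;;                                   # no verb given: define functions only
    *)         echo "usage: srctool bootstrap | install SRCPKG" >&2; exit 2 ;;
esac
```

Run as root on a Debian or Ubuntu host: `srctool bootstrap` once, then `srctool install hello`. The built-with log is the whole of the Phase 2 hook here; how reportbug would consume it is left open, as it is in the post.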

Thoughts:

  • Is this harmful to Debian? I don’t think it is. Here’s why: most end users will continue to use aptitude/apt-get and binary packages because they don’t care about building them. The key point here is that most Debian users just want their computer to work. As such, they won’t use srctool.
  • The main point of srctool is to make it easy to slipstream in patches and custom build options. (Also, maybe in the future, local bumps if users want a newer upstream version than what Debian provides.)

Anyway, that’s just a project I have planned on the side over the next few months.

Introducing dsyslog

Wednesday, February 6th, 2008

I’ve been writing my own syslog daemon for the last couple of weeks because the other daemons are not sufficient for my needs or require you to sign obnoxious CLAs in order to contribute.

I made a page about it on nenolod.net here. You can check out the repository using:

$ hg clone http://hg.atheme.org/dsyslog

Hopefully some of my blog readers might write some patches!

More proof that infosec people are just parasitic jerks…

Friday, February 1st, 2008

Today I was directed to a post at Errata Security concerning the lovely OLPC project. For those of you who don’t know what the OLPC guys are doing, i.e. you’ve been sleeping under a rock for the last four or five years, the OLPC guys are building a cheap laptop for kids to use, targeted at enabling third-world countries which do not have computing in their schools. Anyway, you can check out the wonderful example of trolling here, in a post titled “Why the OLPC promotes terrorism”. It ends with a nice picture of an XO running Metasploit; I guess this is intended to scare people into having an irrational fear of the OLPC project.

A fair warning beforehand: I don’t own an OLPC XO, but I think that Sugar is a major innovation in human-computer interaction, and is certainly welcome in the open source world. Additionally, not all infosec people are like this, just a large number of them. (By large, I mean it would easily overflow a “long long” value if you counted them.)

Right, well anyway, I’ve had it with this nonsense, and I intend to counter his argument in a few ways. I’ll start out by pointing out that:

Errata Security and its employees are parasitic on the work done by other people. These people work on projects that Errata Security (and other infosec people) blog about and discover vulnerabilities in. This in itself is OK, as long as you don’t slag the work done by the people you make your money from exploiting. As long as they stick to that guideline, people will view them as symbiotic, but when you write a blog post, or make a public comment, slagging a project, you do more than just anger that individual project. Theo de Raadt once said that “to stay open, you must stay vocal”. As such, when you slag a project, you harm your own reputation.

Metasploit will run at least as well on an Intel PC as it does on the XO. Seriously, I don’t see how this is a flaw in the OLPC XO. When you own a computer, it is up to you if you use it for productive means or not. Also, let’s consider that perhaps the fact that the OLPC can run Metasploit means that it may teach proper security procedures to users of computers in developing countries. Oh. Wait. That might harm your business model, we can’t have that! Now I see why you want to attack people. It’s all about protecting your company from a new generation of clueful computer users. Brilliant.

Many infosec researchers release PoC code which is not defanged. This is arguably more harmful to America’s IT infrastructure than the OLPC XO is. To those people who release such PoCs, I will simply say that you are the most parasitic of all. I do not know if Errata Security has ever released such a PoC; I hope not, for their sake, as I will point it out if I ever discover they have. They have annoyed me that much. Hopefully they have more sense than to put a live piece of shellcode into the hands of America’s script kiddies, giving them yet another worm for DroneBL to track.

Programming languages are not sentient beings, and therefore cannot be left or right wing, communist or capitalist. What utter tripe. Stop smoking crack before you further harm your company’s reputation. Maybe the creator of Python, Guido van Rossum, is left-wing, but that doesn’t mean Python itself is. Also, how the hell is C++ capitalist?

Is Open Source software in general communist? I invite Robert to comment on this. I really, really do. Of course, I imagine that instead of commenting, or even better, apologizing to the open source world, he will probably blog about me, or post some nasty PoC about my software to bugtraq now. I’m sorry in advance for any damage he may do.

In closing, we have yet another infosec person making an arse of himself. I hope for his own sake that he reconsiders whether or not that was a wise move. Also, apologies to any legitimate infosec people who do what they do because they feel it’s important, trust me, this wasn’t about you.

Update: I just noticed that these Errata Security guys may be pro-Windows. So I guess that answers my question on whether or not this guy thinks Open Source software in general is communism.

Update 2: Craig Edwards noticed that Errata Security has instructions on how to run Metasploit on a Nokia N800 cellphone. Does this mean that cellphones are now a communist plot too?