vorlon is currently certified at Master level.

Name: Steve Langasek
Member since: 2001-01-31 18:23:28
Last Login: N/A

FOAF RDF Share This

Homepage: http://web.dodds.net/~vorlon/


Geek of all trades, master of none. I've been tweaking code under Linux for just about as long as I've been using Linux (going on six years now). This has mostly involved me contributing patches and small features (Wine, Samba, FreeTDS, ProFTPD, mod_ssl, freeradius, nss_ldap, etc., etc....), or working on glue code that doesn't typically require coordinating multiple developers (php_pam, pam_smbpass).

Maybe that explains why I now do lots of Debian work, which mostly involves... twiddling code and submitting patches for bugfixes and small features.

Maybe that also explains why I currently work at an ISP, where there's much less need (and budget) for a hard-core hacker than there is for someone who can take a bunch of pieces of software and kick them into working.


Recent blog entries by vorlon

Syndication: RSS 2.0
On foreign policy

When you defend the death of a civilian
and say
he should have known better
he should have left his home
and his life
in the land of your enemy
that is hate.

When you say the boy's death was justified,
for daring to be born in that country
with such people
and such policies
it is because you hate.

When the war comes to your town
and you are caught in the cross fire,
I too will say,
you had it coming.

PGP keys I won't be signing... or trusting

This is the keysigning exchange service at Biglumber.

The owner of key F5538629A12E35418DFBF242FA89FA5556F42D8B has signed your key (DEA27BAA479CCA5876E5DE5628DEAE7F29982E5A). Your key with this signature on it will be emailed to you once you have uploaded a signed copy of their public key to Biglumber.

Log in to biglumber.com and look for the key exchange link.

Ah, the great democratization of PGP. Who needs security when we can just collect signatures like baseball cards and hawk our identities on eBay instead? Should be an easy profit, apparently I don't even have to show that I'm me to get in on the signature exchange market.

This PSA brought to you by the committee for not trusting Ryan Ward. ...whoever that is.


Are you using bind9-host? If so, which version?

If you're using the sarge version of bind9-host, with the sarge version of libssl0.9.7, and running all this on an i686-class system, then you're looking at bug #321721. The issue is that, if a binary includes hand-written assembly, gcc will assume by default that the code requires an executable stack unless you set a .note.GNU-stack section in the assembly file which says otherwise. And the i686 version of libcrypto includes (surprise!) hand-written assembly.

This bug is already fixed for etch, both in libcrypto.so.0.9.7 and libcrypto.so.0.9.8.

I've watched with growing dismay as Debian's press officer continued to blog prognostications of doom for the future of Debian security, which have done nothing but whet the press's appetite for a story of impending disaster. I find this kind of blogging to be irresponsible in the extreme; not only does it not help fix the problems, it doesn't even help users make informed decisions because it doesn't contain salient facts.

Here are a few facts to go along with Joey's blog entry "Debian Security still broken":

  • Three security advisories had already been issued for sarge on July 1. Binaries for the arm architecture were not included, but most users were covered by the binaries that were made available.
  • The arm autobuilder has since caught up with those advisories, so updated advisories will probably be available soon. In addition, three more security advisories were issued for sarge on July 5 that include binaries for all architectures, and two more have been issued so far today.
  • Security updates for woody were not being built on ia64 and arm because no buildd was configured to do so. (These are the missing builds Joey blogged about.) Once this issue was identified, it was quickly resolved; in any case, it had no impact on the infrastructure for sarge updates.
  • Joey correctly identified in his blog that there was an issue with two packages (one each from woody and sarge) not being picked up for building. Once this issue was identified to the people responsible for the infrastructure, it was quickly resolved.
  • There was one last missing sarge build on m68k, for zlib. This was a case of the package going missing after being built; this is something that happens from time to time with the autobuilders; it doesn't point to a (fixable) software failure, the only thing to be done is to re-try the build. This was done, and the advisory was issued today as DSA 740, before the corresponding advisory from Red Hat...
  • Lest this be seen as a fluke instead of being representative of Debian's security support going forward, it looks like there are six more advisories in the queue for sarge and about a dozen pending for woody.
  • While I agree that there's a need for Debian to expand its security team, following the controversy in June we now have three security team members actively working on security (two full members and a security team secretary), which AIUI is a 50% increase over where we'd been earlier this year.
  • And let's not forget Joey Hess's reminder that quantity isn't everything where security is concerned.

I share Joey Schulze's dissatisfaction with the state of security support for this past month, but his blog smacks of bitterness, not of measured objectivity. So here we are, five days after the first security advisories have been published for sarge, and new stories are still appearing in the press reporting that Debian is OMFG broken.

Is there any hope that the press will give the same coverage of the story that Debian's security infrastructure is not broken?

13 older entries...


vorlon certified others as follows:

  • vorlon certified vorlon as Journeyer
  • vorlon certified Cardinal as Journeyer
  • vorlon certified camber as Journeyer

Others have certified vorlon as follows:

  • vorlon certified vorlon as Journeyer
  • Cardinal certified vorlon as Journeyer
  • camber certified vorlon as Journeyer
  • Jordi certified vorlon as Journeyer
  • pau certified vorlon as Journeyer
  • Sam certified vorlon as Journeyer
  • moshez certified vorlon as Journeyer
  • daniels certified vorlon as Journeyer
  • Barbwired certified vorlon as Master
  • ctrlsoft certified vorlon as Master
  • kov certified vorlon as Master
  • infinity certified vorlon as Master
  • jochen certified vorlon as Master
  • faw certified vorlon as Master
  • meebey certified vorlon as Master
  • mones certified vorlon as Master
  • kclayton certified vorlon as Master
  • adl certified vorlon as Master
  • mako certified vorlon as Master

[ Certification disabled because you're not logged in. ]

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

Share this page