You probably know about the Heartbleed bug in OpenSSL, as it is so widespread that it reached the mainstream media as well. As I'm running Debian Wheezy on my servers, they were affected too.
The updated OpenSSL library was installed immediately after it had been released, but there was still a chance that somebody had obtained private data from the server before that (especially as the vulnerability had existed for quite some time). So I've revoked and reissued all SSL certificates. This has the nice benefit that they now use a SHA-256 intermediate CA, compared to SHA-1, which was used on some of them before.
Though there is no way to figure out whether there was an information leak or not, I have decided to reset all access tokens for OAuth (e.g. GitHub), so if you have used GitHub login for Weblate, you will have to reauthenticate.
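The tokens reset above are third-party OAuth tokens, which a service invalidates simply by deleting what it has stored. For credentials a service signs itself (session or API bearer tokens), the same "assume everything before the incident is compromised" reset is usually done by rotating the signing key and dropping every earlier key at once. The following is an added example of that pattern, not Weblate's code: a hypothetical `TokenService` that signs tokens with HMAC-SHA256 and tags each with a key id, so that ordinary rotation keeps old sessions alive for a grace period while an emergency `reset_all()` discards every previous key. The token layout and names are assumptions.

```python
import hashlib
import hmac
import os
import time


class TokenService:
    """Hypothetical issuer of HMAC-signed bearer tokens (example code).

    Token layout (assumed): "<kid>.<user>.<issued_at>.<hex signature>".
    Verification succeeds only against a key the service still remembers,
    so forgetting a key invalidates every token it ever signed, even a
    verbatim copy captured by an attacker.
    """

    def __init__(self):
        self._keys = {}            # key id -> 32-byte secret
        self._current_kid = None
        self.rotate()

    def rotate(self):
        """Normal rotation: add a fresh key, keep old ones so sessions survive."""
        kid = os.urandom(4).hex()
        self._keys[kid] = os.urandom(32)
        self._current_kid = kid
        return kid

    def reset_all(self):
        """Incident response: forget every key, then start a new generation.

        Every token issued so far now fails verify(), which is exactly the
        "everyone has to re-authenticate" outcome a full token reset needs.
        """
        self._keys.clear()
        return self.rotate()

    def _sign(self, secret, body):
        return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, now=None):
        if "." in user:
            raise ValueError("user name must not contain '.'")
        issued_at = int(time.time() if now is None else now)
        body = f"{self._current_kid}.{user}.{issued_at}"
        return f"{body}.{self._sign(self._keys[self._current_kid], body)}"

    def verify(self, token):
        """Return the user name for a valid token, or None."""
        parts = token.split(".")
        if len(parts) != 4:
            return None
        kid, user, issued_at, sig = parts
        secret = self._keys.get(kid)
        if secret is None:
            return None                         # key retired or never existed
        expected = self._sign(secret, f"{kid}.{user}.{issued_at}")
        if not hmac.compare_digest(expected, sig):   # constant-time compare
            return None
        return user


if __name__ == "__main__":
    svc = TokenService()
    old = svc.issue("alice", now=1000)
    svc.rotate()
    print("after rotation:", svc.verify(old))      # still alice
    svc.reset_all()
    print("after reset:", svc.verify(old))         # None
```

The distinction between `rotate()` and `reset_all()` is the point: the former is routine hygiene, the latter is what you run when, as with Heartbleed, you cannot tell whether the key or the tokens in process memory were read.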
Today was jam packed, from the time Zoe got dropped off to the time she was picked up again.
I woke up early to go to my yoga class. It had moved from 6:15am to 6:00am, but was closer to home. I woke up a bunch of times overnight because I wanted to make sure I got up a little bit earlier (even though I had an alarm set) so I was a bit tired.
Sarah dropped Zoe off, and we quickly inspected our plaster fish from yesterday. Because the plaster had gotten fairly thick, it didn't end up filling the molds completely, so the fish weren't smooth. Zoe was thrilled with them nonetheless, and wanted to draw all over them.
After that, we jumped in the car to head out to The Workshops Rail Museum. We were meeting Megan there.
We arrived slightly after opening time. I bought an annual membership last time we were there, and I'm glad we did. The place is pretty good. It's all indoors, and it's only lightly patronised, even for school holidays, so it was nice and quiet.
Megan and her Dad and sister arrived about an hour later, which was good, because it gave Zoe and me a bit of time to ourselves. We had plenty of time on the diesel engine simulator without anyone else breathing down our neck wanting a turn.
The girls all had a good time. We lost Megan and Zoe for a little bit when they decided to take off and look at some trains on their own. Jason and I were frantically searching the place before I found them.
There was a puppet show at 11am, and the room it was in was packed, so we plonked all three kids down on the floor near the stage, and waited outside. That was really nice, because the kids were all totally engrossed, and didn't miss us at all.
After lunch and a miniature train ride we headed home. Surprisingly, Zoe didn't nap on the way home.
Jason was house sitting for some of his neighbours down the street, and he'd invited us to come over and use their pool, so we went around there once we got back home. The house was great. They also had a couple of chickens.
The pool was really well set up. It had a zip line that ran the length of the pool. Zoe was keen to give it a try, and she did really well, hanging on all the way. They also had a little plastic fort with a slippery slide that could be placed at the end of the pool, and the girls had a great time sliding into the pool that way.
We got back home from all of that fun and games about 15 minutes before Sarah arrived to pick Zoe up, so it was a really non-stop day.
Today I gave a tutorial at PyCon 2014 entitled Search 101: An Introduction to Information Retrieval.
It was an experiment of sorts: the first workshop I've run primarily by myself, my first tutorial at PyCon, my first paid teaching gig. It was an opportunity to take some of the lessons I learned from teaching the Boston Python Workshop and apply them to a new situation.
The material itself is a distillation of many hours of frustration with the documentation for various open source search engine libraries, frustration that they didn't tell me where to start or about the big picture, they just jumped straight into the details.
Here's what worked:
- IPython Notebook. Oh em gee. I started writing the class's handout using IPython Notebook because it was a simple way to easily embed syntax-highlighted code into a markdown document that was viewable in a browser. Not only was it a super quick and fun way to write the handout, but many students used the interactive execution features to play around with the example code.
- Not having a paper handout. Saved trees, printing hassle, and no one seemed to mind.
- Putting everything in a git repo... git is sufficiently ubiquitous these days that students didn't really have trouble getting a copy, and appreciated having everything in one place, with simple setup instructions. I brought a clone of the repo on a USB stick as a backup plan.
Here's what caused problems:
- Mostly, the IPython dependency pyzmq, which requires compilation. I don't know what the current landscape is for Python distribution, but installing these libraries through pip is still a pain. I've heard rumour that more ubiquitous wheels may solve this in the future.
- Some people aren't used to using virtualenv everywhere. Even seeing that, I still think it's worth the confusion to put it forth as the recommended setup method.
Intermediate students are a different crowd than beginners. There was less of an air of discovery in the room, though I organized the class around open-ended tasks. Since the material allowed for folks to take it in the direction of their interest, I found it a bit difficult to gauge whether people were following or not. Overall though, everyone was attentive and studious. I had fun.
Ruben and Stuart, the PyCon tutorial organizers, had logistics running super smoothly, AV, lunch, everything. Thanks for that you guys, you rock. And thanks as well to my helpers: Leo, the tutorial host, Eben, my TA, and Roberto, on AV. It's impossible to pay adequate attention to 20+ people as a single person, couldn't have done a decent job without y'all.
I just released version 1.1 of Movit, my GPU-based video filter library. This is basically for two things: a bunch of accumulated small fixes and tweaks, and support for GLES 3.0 (think mobile).
So, what now? Well, perhaps unsurprisingly, releasing a library does not bring an army of interested developers to your door, so as a library writer, most of my time actually goes into projects further up in the hierarchy. In particular, when you start imposing unreasonable demands such as “working OpenGL” onto end users who like to use Gentoo but don't know how to install a package, there is some fallout.
However, it also exposes you to a lot of scenarios you never really thought about, which can be frustrating, but in the end also increases the quality and robustness of your code. In particular, I know there's some issue (probably in Kdenlive's Movit support and not Movit, though) where NVIDIA's OpenGL drivers are much stricter than Mesa's with regards to multithreading, and it's damn near impossible to track down without having one in a desktop machine myself. (I have one in my HTPC, but it's Atom-based and only has the TV for monitor, so debugging there is something I'd rather not do.)
So, what's next? The answer is pretty simple: probably a break. I have to travel now (vacation and work) for the next month or so, so I fear Movit will get less attention for a little while. Then again, it's in fairly good shape, so I'm not that worried that the world will be screaming for me when I come back. :-)
If Drupal adoption is going to increase, we’ll need to grow the community— and that means continuing to bring developers, web designers, and digital experts into the Drupal fold. For the finale of our series on Drupal training options, we spoke to several of the many experts in Drupal training, and wanted to share their thoughts with the community.
When it comes to increasing the amount of Drupal talent in the market, there are more options to learn the platform than ever before.
First of all, good news, MirBSD is not vulnerable to The Heartbleed Bug due to my deliberate choice to stick to an older OpenSSL version. My inquiry (in various places) as to what precisely could leak when a vulnerable client connected to a nōn-vulnerable server has yet to be answered, though we can assume private key material is safe.
Now the bad news: while the CA I use¹ and a CA I don’t use offer free rekeying (in general), a CA I also use occasionally² refuses to do that. The ugly: they will not even revoke the certificates, so any attacker who gained your key, for example when you have been using a certificate of theirs on a Debian system, will be able to use it (e.g. to MITM your visitors’ traffic) unless you shell out lots of unreasonable money per certificate. (Someone wrote they got the fee waived, but others don’t, nor do I. There’s also a great Twitter discussion-thingy about this involving Zugschlus, but I won’t link Twitter because they are not accessible to Lynx users like me and other Planet Debian authors.)
① I’ve been using GoDaddy privately for a while, paid for a wildcard certificate for *.mirbsd.org, and later also at work. I’ve stopped using it privately due to current lack of money.
② Occasionally, for nōn-wildcard gratis SSL certificates for HTTP servers. Startcom’s StartSSL certificates are unusable for real SSL as used in SMTP STARTTLS anyway, so usage isn’t much.
Now I’ve got a dilemma here. I’ve created a CA myself, to use with MirBSD infrastructure and things like that – X.509 certificates for my hosts (especially so I can use them for SMTP) and possibly personal friends (whose PGP key I’ve signed with maximum trust after the usual verification) but am using a StartSSL certificate for www.mirbsd.org as my GoDaddy wildcard certificate expires in a week or so (due to the aforementioned monetary issues), and I’d rather not pay for a limited certificate only supporting a single vhost. There is absolutely no issue with that certificate and key (only ever generated and used on MirBSD, only using it in Apache mod_ssl). Then, there’s this soon-to-be tax-exempt non-profit society of public utility I’m working with, whose server runs Debian, and which is affected, but has been using a StartSSL certificate for a while. Neither the society nor I can afford to pay for revocation, and we do not see any possible justification for this especially in the face of CVE-2014-0160. I expect a rekey keeping the current validity end date, and would accept a revocation even if I were unable to get a new certificate, since even were we to get a certificate for the society’s domain from someplace else, an attacker could still MITM us with the previous one from Startcom.
The problem here is: I’d really love to see (all of!) Startcom dropped from the global list of trustworthy CAs, but then I’d not know from where to get a cert for MirBSD; Globalsign is not an option because I will not limit SSL compatibility to a level needed to pass their “quality” test… possibly GoDaddy, ISTR they offer a free year to Open Source projects… no idea about one for the society… but it would solve the problem of not getting the certificates revoked. For everyone.
I am giving Startcom time until Friday after $dayjob (for me); after that, I’ll be kicking them off MirBSD’s CA bundle and will be lobbying for Debian and Mozilla to do the same.
Any other ideas of how to deal with that? I’d probably pay 5 € for a usable certificate accepted by people (including old systems, such as MSIE 5.0 on Win2k and the likes) without questioning… most of the time, I only serve public content anyway and just use SSL to make the NSA’s job more difficult (and even when not I’m not dealing with any payment information, just the occasional login protected area).
By the way, is there any way to access the information that is behind a current-day link to groups.google.com with Lynx or Pine? I can’t help but praise GMane for their NNTP interface.
ObFunfact: just when I was finished writing this wlog entry, I got a new e-mail “Special offer just for you.” from GoDaddy. Sadly, no offer for a 5 € SSL certificate, just the usual 20-35% off coupon code.
While trying to debug a bandwidth problem on a 3G connection, I tried speedtest.net, which ranks fairly high when one searches for “bandwidth test” on various search engines. I was getting very strange results, so I started wondering if my ISP might be bandwidth-throttling all traffic except the one from speedtest.net tests. After all, that’s on a 3G network, and another French 3G ISP (SFR) apparently uses Citrix ByteMobile to optimize the QoE by minifying HTML pages and recompressing images on-the-fly (amongst other things).
So, I fired up Wireshark, and discovered that no, it’s just speedtest being a bit naive. Speedtest uses its own text-based protocol on port 8080. Here is an excerpt of a download speed test:
< HELLO 2.1 2013-08-14.01
> DOWNLOAD 1000000
Yeah, right: sequences of “ABCDEFGHIJ”. Of course, that is extremely easy to compress, which apparently happens transparently on 3G (or is it PPP? I tried to disable PPP compression, but did not see any change).
It’s funny how digging into problems that look promising at first sight often results in big disappointments :-(
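How badly a repeating test payload misbehaves under a transparent LZ-style compressor is easy to quantify. The following is an added example, not part of the original post or of speedtest.net’s code: it rebuilds the 1,000,000-byte download payload as the post describes it (the 10-byte run “ABCDEFGHIJ” repeated; the exact framing on the wire is not shown on the page and is not reproduced), deflates it with zlib as a stand-in for whatever compression the 3G or PPP layer applies, and compares the result with a payload of random bytes, which is what a test needs if it is to measure the link rather than the compressor.

```python
import os
import zlib

PATTERN = b"ABCDEFGHIJ"          # the run observed in the capture


def speedtest_payload(nbytes):
    """Constructed stand-in for the test data: PATTERN repeated to nbytes
    (the final chunk is truncated). The real wire framing is not reproduced."""
    reps, rem = divmod(nbytes, len(PATTERN))
    return PATTERN * reps + PATTERN[:rem]


def random_payload(nbytes):
    """What a bandwidth test should push: bytes no compressor can shrink."""
    return os.urandom(nbytes)


def compression_ratio(data, level=6):
    """Compressed size / original size under deflate; ~1.0 means incompressible.

    zlib is only a model of the on-path compressor; any LZ77-family scheme
    (PPP Deflate, MPPC, ...) behaves the same way on a 10-byte repeating run.
    """
    return len(zlib.compress(data, level)) / len(data)


def inflated_by_compression(data, threshold=0.9):
    """True when the payload would cross a compressing link in far fewer
    bytes than the test counts, so the reported throughput is inflated."""
    return compression_ratio(data) < threshold


def demo(nbytes=1_000_000):
    """Return (pattern_ratio, random_ratio) for nbytes of each payload."""
    return (compression_ratio(speedtest_payload(nbytes)),
            compression_ratio(random_payload(nbytes)))


if __name__ == "__main__":
    pattern_ratio, random_ratio = demo()
    print(f"ABCDEFGHIJ payload : {pattern_ratio:.4f} of original size")
    print(f"random payload     : {random_ratio:.4f} of original size")
```

On the repeating payload deflate needs well under one percent of the original size, so a link that compresses transparently can deliver the "1,000,000 bytes" in a few kilobytes and the client, which only counts bytes received, reports a throughput the link cannot actually sustain; the random payload compresses to slightly more than its own size and measures the link honestly.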
Part 2 of 2 - I spoke with Richard Miller and Tom Kitchin, software engineers at SensioLabs UK and its parent company Inviqa respectively, via a Google Hangout on Air recently. Here, I learn the inside story on one of the first Drupal 8 sites online, www.sensiolabs.co.uk, what their goals were, how they built it and have kept it running since May 2013, and how Drupal 8 will change the way they design applications for clients going forward.
After three years of Drupal 8 development, we are finally closing in on a Drupal 8.0-beta1 release. Of about 150 critical issues that have blocked the first Drupal 8 beta release, only 32 beta blockers remain. Most of these remaining issues are too complex for any one developer to resolve alone, but we need help on numerous tasks that will accelerate them. Join us at the NYC Camp D8 Core Sprint to see firsthand the work that's in progress and contribute to our momentum. Look for the "IRL issue queue" on colored construction paper at the sprint. :)
(New to Drupal 8 or core contribution? Check out the Get Involved with Core sprint instead.)
We'd like to share this infographic we've made depicting interesting facts about the Blue Drop Awards. Without the wonderful community support, the Blue Drop Awards simply would not and could not exist; we appreciate it.
This blog post is the answer to a common request we get from people learning how to use Views.
The question is: "How do I automatically add a link to a field"?
The answer is straightforward ... once you know how.
Our old training site was looking a bit long in the tooth. It was not only Drupal 6, but also had an old Acquia design several versions behind the current main site. It was time for a major update.
Dave Myburgh, Lead developer for Acquia.com recently gave two webinars about the experience. He shares specific tips on what modules he used to keep the development lightweight and flexible.
Besides fixing Debian Bug #744018, the release fixes the following two vulnerabilities (as mentioned in the bug report):
- CVE-2014-0165 WordPress privilege escalation: prevent contributors from publishing posts
- CVE-2014-0166 WordPress potential authentication cookie forgery
If you use the Debian package, I recommend upgrading as soon as it is available.
- WordPress 3.8.2 Addresses 2 Vulnerabilities, Includes 3 Security Hardening Changes (news.softpedia.com)
- WordPress 3.8.2 now available to download and install (thewayoftheweb.net)
Today, I decided to set my X230 back to UEFI-only boot, after having changed that for a BIOS upgrade recently (to fix a resume bug). I then chose to save the settings and received several error messages telling me that the system ran out of resources (probably storage space for UEFI variables).
I rebooted my machine, and saw no logo appearing. Just something like an underscore on a text console. The system appears to boot normally otherwise, and once the i915 module is loaded (and we’re switching away from UEFI’s Graphical Output Protocol [GOP]) the screen works correctly.
So it seems the GOP broke.
What should I do next?