Daniel Mettler – Page 42 – A changelog by Daniel Mettler

remail by ibm research

take a look at the remail website! this interesting project by ibm research comes close to my vision of an ideal “communication center client” :) remail is flow-based instead of just entity-based, integrates different kinds of communication facilities and information sources (i guess it’s modular and easily extendable), ties information to time/calendar functions and offers more flexibility and better customization (e.g. various message flags, better categorization, keeping track of important things etc.).

btw. ka-ping yee (of roundup fame) is credited as an intern.

let’s hope there will soon be a public (open source?) prototype to test-drive..

(source: symlink, infoweek.ch)

umeet 03

for those who are interested:

the dec 15-23: 4th international conference on unix at uninet [url revised] is looking for “irc speakers”. the virtual conference will be held in the following irc channel:

#linux @ irc.uninet.edu

irc logs of previous umeet conferences

unfortunately, i lack the time for holding a session.. probably even for following any.. i’m very short on time atm – the reason why i also couldn’t attend the devdays (which i’d really have been interested in a lot).. at least ben cares for logs of it :)

btw. wsis in geneva, dec 10-12.

adaptive gentoo reacts :)

i lack the time for an in-depth coverage, but it looks like the recent security issue had a beneficial effect in that it made some more people think about the future development inside gentoo :) nice!

* portage-ng requirements sheet (natural language, sure ;). it’s really time for a re-engineered, modular architecture as a) this is probably a pre-condition for any production-quality package signing feature (now: module) in portage b) modularity will improve manageability and quality assurance of portage-ng in general
* gentoo release roadmap 2004

regarding the compromised rsync mirror: the attackers seem to have exploited a heap overflow in rsync (glsa: exploitable heap overflow in rsync) to gain access to the box and the recent brk() vuln to gain root privileges. (btw another nice novelty, gentoo now lists glsas on a dedicated web page. yet another thing i’ve been asking for yesterday fulfilled today. thanks! :).

now we know what kind of exploit was used [my assumption that this might well concern all of us who run gentoo was absolutely right] and which box was compromised. i think we can qualify this as “full disclosure”.

all in all: much better now, folks! :)

(see also the news on ln -s)

[note: this server always runs the most current software available. if there are any security announcements (bugtraq, full-disclosure, glsa) regarding software used on this server, i usually update the said software within minutes/hours. further, it’s hardened against some kinds of attacks and constantly monitored.]

openvpn.sourceforge.net and other oss sites

recently we were discussing the quality of websites of popular open source applications regarding their usefulness for stakeholders (end-users, devs, media etc.). we both agreed in our judgements.

an example of a very good site: the relaunched mozilla website.

some improvable sites: eclipse.org, openoffice.org (both sites are too much developer-oriented and confusing for end-users even though the corresponding applications have reached stable status long ago).

recently, i’ve stumbled over openvpn.sourceforge.net. first, this seems to be an interesting project (haven’t tested it yet), second they’ve done a good job in creating a useful website. some points:

* no silly claptrap (think of flash intros and such), just the information visitors expect
* concise, informative overview of what openvpn is about
* information about users’ benefits of openvpn
* information why to choose openvpn instead of any other vpn implementation (differences)
* quicklinks to download the application. note that package signatures are also available.
* quick installation notes (who wants to read tons of manuals to install an app?)
* changelog/what’s new
* content-overview with direct deep linking
* language selection
* no frames, good for bookmarking (meaningful page titles)

so content-wise every important thing is accessible from within the main/entry page.

downside:

* the site is not valid xhtml/html
* the site doesn’t satisfy any web content accessibility conformance level. it’s not that bad though, i could easily view the site using lynx and links (both are text-based browsers)

temporary downtime

this server will be temporarily down as i’m migrating its docroot to another location. thanks for your understanding.

[update: fortunately, the server was down for a few seconds only -> apache restart ;)]

trusted, decentralized development and deployment

talking about hacked debian (btw. isn’t it typical that the pgp signature was missing in the first post?):

according to ripclaw, the new debian-based linux distro adamantix (formerly known as trusted debian) supports package signing. nice to see that there’s finally a linux distro taking security seriously.

i tried to convince gentooers long enough to introduce package signing (the currently used portage architecture is highly insecure despite sandboxing). i therefore made an (actually pretty simple – remember “kiss”) concept and a prototype, but i lacked the interest to do the necessary clearing of the rampant portage code base (take a look at its “architecture” and source code and you know what i’m talking about ;) for a production quality implementation. several later attempts by gentoo devs to implement a production quality package signing feature for portage showed no success (probably for the same reason). now the core-devs are finally thinking aloud about a portage rewrite from scratch (this time hopefully using a more sophisticated architecture, wiser decisions and a better implementation), a thing gert suggested (and actually started doing) about 1.5 years ago already.

the trouble with package-signing is not only a technical one (implementing a secure architecture can be pretty difficult). depending on the chosen model there are also social consequences. for example my concept was to put users in control instead of devs which is the right thing to do considering that in the end, only users can decide whom they trust – through a decentralized trust-model heavily leveraging the already existing openpgp web of trust (why re-invent the wheel?). note that my proposition didn’t make centralization impossible (you could still sign dev keys with a master dev key), but rather enabled decentralization.

one of my intents was to make secure (aka trustworthy), decentralized software development and deployment possible through a decentralized, user-centric package signing trust model. there are many reasons for this, among others (see also those mentioned above) the scalability (mostly qa) and security problems most distros suffer from.
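
A sketch of the install-time decision such a user-centric model implies, added here as an illustration; it is not the prototype mentioned above and not portage code. The key names, the `CERTS` graph, the hop limit and the `sig_ok` flag (standing in for an already performed OpenPGP signature check) are assumptions, and real OpenPGP owner-trust levels are simplified to plain certification chains.

```python
from collections import deque

# Constructed sample data; key names are made-up labels, not real OpenPGP keys.
# CERTS[k] = keys whose identity k has certified (signed) in the web of trust.
CERTS = {
    "user-alice": {"dev-bob"},               # the user vouches for one dev directly
    "dev-bob": {"dev-dave"},                 # that dev vouches for another dev
    "master-dev": {"dev-bob", "dev-carol"},  # optional central master dev key
}

def trust_path(roots, signer, certs, max_hops=2, revoked=frozenset()):
    """Shortest certification chain from a user-chosen root to signer, or None."""
    queue = deque((r, [r]) for r in sorted(roots) if r not in revoked)
    seen = set(roots)
    while queue:
        key, path = queue.popleft()
        if key == signer:
            return path
        if len(path) - 1 == max_hops:        # chain length limit reached
            continue
        for nxt in sorted(certs.get(key, ())):
            if nxt not in seen and nxt not in revoked:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None

def accept_package(pkg, roots, certs, max_hops=2, revoked=frozenset()):
    """Return (ok, reason). pkg['sig_ok'] is assumed to be the result of an
    OpenPGP signature check already performed over the package contents."""
    if not pkg.get("sig_ok"):
        return False, "missing or invalid signature"
    path = trust_path(roots, pkg["signer"], certs, max_hops, revoked)
    if path is None:
        return False, "signer %s not reachable from user's trusted keys" % pkg["signer"]
    return True, "trusted via " + " -> ".join(path)

if __name__ == "__main__":
    pkg = {"name": "example-1.0", "signer": "dev-carol", "sig_ok": True}
    print(accept_package(pkg, {"user-alice"}, CERTS))                # decentralized: rejected
    print(accept_package(pkg, {"user-alice", "master-dev"}, CERTS))  # user opts in to master key
```

The set of roots is chosen by the user alone, so adding the master dev key to it gives the centralized behaviour while leaving it out keeps trust decisions local.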

btw recently i’ve been very pleased to read that markus aka maol seems to have a similar vision (at least regarding decentralized development and distribution) for crux :)

msn messenger and icq

i’ve just re-activated my msn messenger account. contact me as h2o_ch AT msn.com. or use icq: uin 196122009 (h2o). i now use both msn messenger (6.1) (need to check out the video chat/conference feature) and the latest development version of sim (which offers im interoperability with icq, aim, msn, jabber etc.).

first i had login problems which were caused by /me still having msn messenger v4.7 on my notebook. somewhat astonishing, as i regularly use windowsupdate. i’ve thus just sent a customer request to include messenger updates in windowsupdate. i suggest you do the same..