Planet Debian

Planet Debian - http://planet.debian.org/

Craig Small: Debian, WordPress and Multi-site

16 May, 2015 - 15:07

For quite some time, the Debian version of WordPress has had a configuration tweak that made it possible to run multiple websites on the same server. This came from a while ago when multi-site wasn’t available. While a useful feature, it does make the initial setup of WordPress for simple sites more complicated.

I’m looking at changing the Debian package slightly so that for single-site use it Just Works. I have also looked into the way WordPress handles the content, especially themes and plugins, to see if there is a way of updating them through the website itself. This probably won’t suit everyone but I think it's a better default.

The idea is to set up the Debian package something like this by default; if you want fancier stuff it's all still there, just not set up. It's not set up that way at the moment and the default is a little confusing, which I hope to change.

Multisite

The first step was to get my pair of websites into one. So first it was backing up time and then the removal of my config-websitename.php files in /etc/wordpress. I created a single /etc/wordpress/config-default.php file that used a new database.  This initial setup worked ok and I had the primary site going reasonably quickly.

The second site was a little trickier. The problem is that multisite does things like foo.example.com and bar.example.com while I wanted example.com and somethingelse.com. There is a plugin, wordpress-mu-domain-mapping, that almost sorta-kinda works. While it let me make the second site with a different name, it didn’t like aliases, especially if the alias was for the first site.

Some evil SQL fixed that nicely: "UPDATE wp_domain_mapping SET blog_id=1 WHERE id=2"

So now I had:

  • enc.com.au as my primary site
  • rnms.org as a second site
  • dropbear.xyz as an alias for my primary site
Files and Permissions

There are really three separate sets of files in WordPress. They come from three different sources, are updated in three different ways and have different release cycles.

The first is the wordpress code which is shipped in the Debian package. All of this code lives in /usr/share/wordpress and is only changed if you update the Debian package, or you fiddle around with it. It needs to be readable to the webserver but not writable. The config files in /etc/wordpress are in this lot too.

Secondly, we have the user generated data. This is things like your pictures that you add to the blog. As they are uploaded through the webserver, it needs to be writable to it. These files are located in /var/lib/wordpress/wp-content/uploads

Third is the plugins and themes. These can either be unzipped and placed into a directory or loaded directly through the webserver. I used to do it the first way but am trying the second. These files are located in /var/lib/wordpress/wp-content

Ever tried to update your plugins and get the FTP prompt? This is because the wp-content directory is not writable. I adjusted the permissions and now when a plugin wants to update, I click yes and it magically happens!

You will have to reference the /var/lib/wordpress/wp-content subdirectory in two places:

  • In your /etc/wordpress/config-default.php: the WP_CONTENT_DIR definition
  • In apache or .htaccess: either a symlink out of /usr/share/wordpress with FollowSymLinks turned on, or an apache Alias, and in both cases a directive permitting access to the directory.
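The three-way split above can be audited rather than trusted. The following shell script is an added example, not from the post or from the Debian package: it creates a scratch copy of the layout the post describes and checks that nothing under the code tree is group- or world-writable while wp-content is. One caveat the permission change implies: a directory the webserver can write to is also one that any code running as www-data (a vulnerable plugin, for instance) can write to, so the read-only code tree is the boundary worth checking regularly. All paths and the fixture's contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three-way file split.
# The code tree (/usr/share/wordpress and /etc/wordpress) must not be writable
# by the webserver; only wp-content (uploads, plugins, themes) should be.
# Paths are parameters so the audit can run against a constructed fixture.

# Print every path under a code tree that is group- or world-writable.
wp_code_writable() {
    code_dir=$1
    find "$code_dir" -perm /g+w,o+w -print 2>/dev/null | sort
}

# Count those offending paths (0 means the tree is clean).
wp_code_writable_count() {
    wp_code_writable "$1" | wc -l | tr -d ' '
}

# Return 0 when wp-content and wp-content/uploads exist and are group-writable,
# which is what lets www-data update plugins without the FTP prompt.
wp_content_writable() {
    content_dir=$1
    for d in "$content_dir" "$content_dir/uploads"; do
        [ -d "$d" ] || return 1
        find "$d" -maxdepth 0 -perm -g+w | grep -q . || return 1
    done
    return 0
}

# Constructed fixture (assumption, not a real install) reproducing the layout
# from the post under a temporary root, with one deliberate mistake for the
# audit to catch: a world-writable core file.
wp_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/wordpress/wp-admin" "$root/etc/wordpress" \
             "$root/var/lib/wordpress/wp-content/uploads" \
             "$root/var/lib/wordpress/wp-content/plugins"
    printf '<?php\n' > "$root/usr/share/wordpress/index.php"
    printf '<?php\n' > "$root/etc/wordpress/config-default.php"
    chmod -R go-w "$root/usr/share/wordpress" "$root/etc/wordpress"
    chmod o+w "$root/usr/share/wordpress/index.php"
    chmod -R g+w "$root/var/lib/wordpress/wp-content"
    printf '%s\n' "$root"
}

# Usage against a real system: wp_code_writable /usr/share/wordpress
#                               wp_content_writable /var/lib/wordpress/wp-content
```

On a real install the second function should succeed and the first should print nothing; any path it does print is a place where a compromised plugin could persist code that survives a package upgrade.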
What broke

Images did, in a strange way. My media library is empty, but my images are still there. Something in the export and reimport did not work. For me it's a minor inconvenience and due to moving from one system to another, but it still is there.

 

 

Rogério Brito: A Small Python Project (coursera-dl) Activites

16 May, 2015 - 11:54

Lately, I have been dedicating a lot of my time (well, at least compared to what I used to) to Free Software projects. In particular, I have spent a moderate amount of time with two projects written in Python.

In this post, I want to talk about the first and more popular project, which is called coursera-dl. To be honest, I think that I may have devoted much more time to it than to any other project in particular.

With it I started to learn (besides the practices that I already used in Debian), how to program in Python, how to use unit tests (I started with Python's built-in unittest framework, then progressed to nose, and I am now using pytest), hooking up the results of the tests with a continuous integration system (in this case, Travis CI).

I must say that I am sold on this idea of testing software (after being a skeptical for way too long) and I can say that I find hacking on other projects without proper testing a bit uncomfortable, since I don't know if I am breaking unrelated parts of the project.

My use/migration to pytest was the result of a campaign from pytest.org called Adopt Pytest Month which a kind user of the project let me know about. I got a very skilled volunteer assigned from pytest to our project. Besides learning from their pull requests, one side-effect of this whole story was that I spent a moderate amount of hours trying to understand how to properly package and distribute things on PyPI.

One tip learned along the way: contrary to the official documentation, use twine, not python setup.py upload. It is more flexible for uploading your package to PyPI.

You can see the package on PyPI. Anyway, I made the first upload of the package to PyPI on the 1st of May and it already has almost 1500 downloads, which is far more than what I expected.

A word of warning: there are other similarly named projects, but they don't seem to have as much following as we have. A speculation from my side is that this may be, perhaps, due to me spending a lot of time interacting with users in the bug tracker that github provides.

Anyway, installation of the program is now as simple as:

pip install coursera

And all the dependencies will be neatly pulled in, without having to mess with multi-step procedures. This is a big win for the users.

Also, I even had an offer to package the program to have it available in Debian!

Well, despite all the time that this project demanded, I think that I have only good things to say, especially to the original author, John Lehmann.

If you like the project, please let me know and consider yourselves invited to participate, lending a hand, testing/using the program or triaging some bugs.

Norbert Preining: Plex Home Theater 1.4.1 for Debian Jessie and Sid

16 May, 2015 - 10:28

Recently Plex Home Theater was updated to 1.4.1 with fixes for some errors, in particular concerning the new music handling introduced in 1.4.0. As with 1.4.0, I have compiled PHT for both jessie and sid, both for amd64 and i386.

Jessie

Add the following lines to your sources.list:

deb http://www.preining.info/debian/ jessie pht
deb-src http://www.preining.info/debian/ jessie pht

You can also grab the binaries for amd64 and i386 directly, and you can get the source package with

dget http://www.preining.info/debian/pool/pht/p/plexhometheater/plexhometheater_1.4.1-1~bpo8+1.dsc
Sid

Add the following lines to your sources.list:

deb http://www.preining.info/debian/ sid pht
deb-src http://www.preining.info/debian/ sid pht

You can also grab the binaries for amd64 and i386 directly, and you can get the source package with

dget http://www.preining.info/debian/pool/pht/p/plexhometheater/plexhometheater_1.4.1-1.dsc

The release file and changes file are signed with my official Debian key 0x860CDC13.

Enjoy!

Sune Vuorela: Getting a Q_INVOKABLE C++ function reevaluated by QML engine

15 May, 2015 - 16:16

Unfortunately, with all the normal magic of QML property bindings, getting a property updated in a setup that involves return values from functions isn’t really doable, like this:

Text {
text: qtobject.calculatedValue()
}

I’m told there is a low priority feature request for a way of signalling that a function now returns a different value and all properties using it should be reevaluated.

I have so far discovered two different workarounds for that that I will be presenting here.

Using an extra property

Appending an extra property to trigger the reevaluation of the function is one way of doing it.

Text {
text: qtobject.calculatedValue() + qtobject.emptyNotifierThing
}

with the following on the C++ side:

Q_PROPERTY(QString emptyNotifierThing READ emptyString NOTIFY valueChanged)
QString emptyString() const {
return QString();
}

This is a bit more code to write and to remember to use, but it does get the job done.

Intermediate layer
Another way is to inject an intermediate layer, an extra object, that has the function. It can even be simplified by having a pointer to itself.

Text {
text: qtobject.dataAccess.calculatedValue()
}

with the following on the C++ side:

Q_PROPERTY(QObject* dataAccess READ dataAccess NOTIFY valueChanged)
QObject* dataAccess() {
return this;
}

It seems a bit simpler for the reader on the QML side, but also gets the job done.

I am not sure which way is the best one, but the intermediate layer has a nicer feeling to it when more complicated types are involved.

DebConf team: DebConf Open Weekend (Posted by DebConf Content Team )

15 May, 2015 - 12:35

The first two days of this year’s DebConf (August 15th and 16th) will constitute the Open Weekend. On these days, we are planning to have the Debian 22nd Birthday party, a Job Fair, and more than 20 hours of events and presentations, including some special invited speakers.

Given that we expect to have a broader and larger audience during the weekend, our goal is to have talks that are equally interesting for both Debian contributors and users.

If you want to present something that might be interesting to the larger Debian community, please go ahead and submit it. It can be for a talk of either 45 or 20 minutes; if you don’t have content for a full length talk, we encourage you to go for the half length one. If you consider that the event is better suited for either the OpenWeekend or the regular DebConf days, you may say so in the comment field. But keep in mind that all events might be rearranged by the content team to make sure they fit together nicely.

Call for proposals

The deadline to submit proposals is June 15th. Please submit your talk early with a good description and a catchy title. We look forward to seeing your proposals!

If you want to submit an event please go ahead and read the original CfP on DebConf15 http://debconf15.debconf.org/proposals.xhtml.

Ritesh Raj Sarraf: Drupal maintenance with Drush

14 May, 2015 - 20:10

Another of my articles for self. Writing it down on the website is much better than pushing it on a 3rd party social site. Your data is yours.

My site runs on Drupal. Given I'm not a web designer, it is not my core area. Thus I've always wanted to have minimal engagement with it. My practices have paid me well so far. And I should thank all the free tools that help do that. I like to keep a running snapshot of my website on my local laptop, to keep it handy when trying anything new. This means that the setup has to be almost identical to what is running remotely.

Thanks to Drush, managing Drupal is very easy. It allows me to easily try out changes and push them from dev => staging => live without too much effort. It also helps me control the environment well. And since the whole transport is over SSH, no separate exceptions are required.

For long, the theme on my site had some issues. The taxonomy terms did not have proper spacing. See bug for details.

With the fix, this transformed into:

 

I wish Drush had support for revision control. Or maybe it already has, and I need to check ? Bug Fixes and Customizations would have been well recorded with a revision control system.

 


Craig Small: Hello world!

14 May, 2015 - 19:10

Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!

Raphael Geissert: On using https mirrors

14 May, 2015 - 18:32
On confidentiality:


So that they don't know what's inside

MJ Ray: Recorrecting Past Mistakes: Window Borders and Edges

14 May, 2015 - 11:58

A while ago, I switched from tritium to herbstluftwm. In general, it’s been a good move, benefiting from active development and greater stability, even if I do slightly mourn the move from python scripting to a shell client.

One thing that was annoying me was that throwing the pointer into an edge didn’t find anything clickable. Window borders may be pretty, but they’re a pretty poor choice as the thing that you can locate most easily, the thing that is on the screen edge.

It finally annoyed me enough to find the culprit. The .config/herbstluftwm/autostart file said "hc pad 0 26" (to keep enough space for the panel at the top edge) and changing that to "hc pad 0 -8 -7 26 -7" and reconfiguring the panel to be on the bottom (where fewer windows have useful controls) means that throwing the pointer at the top or the sides now usually finds something useful like a scrollbar or a menu.

I wonder if this is a useful enough improvement that I should report it as an enhancement bug.

Gunnar Wolf: Everybody seems to have an opinion on the taxis vs. Uber debate...

14 May, 2015 - 11:46

The discussion regarding the legality and convenience of Uber, Cabify and similar taxi-by-app services has come to Mexico City — Over the last few days, I've seen newspapers talk about taxi drivers demonstrating against said companies, early attempts at regulating their service, and so on.

I hold the view that every member of a society should live by its accepted rules (i.e. laws) — and if they hold the laws as incorrect, unfair or wrong, they should strive to get the laws to change. Yes, it's a hard thing to do, most often filled with resistance, but it's the only socially responsible way to go.

Private driver hiring applications have several flaws, but maybe the biggest one is that they are... How to put it? I cannot find a word better than illegal. Taxi drivers in our city (and in most cities, as far as I have read) undergo a long process to ensure they are fit for the task. Is the process incomplete? Absolutely. But the answer is not to abolish it in the name of the free market. The process must be, if anything, tightened. The process for granting a public driver license to an individual is way stricter than to issue me a driving license (believe it or not, Mexico City abolished taking driving tests several years ago). Taxis do get physical and mechanical review — Is their status mint and perfect? No way. But compare them to taxis in other Mexican states, and you will see they are in general in a much better shape.

Now... One of the things that angered me most about the comments to articles such as the ones I'm quoting is the middle class mentality they are written from. I have seen comments ranging from stupidly racist humor attempts (Mr. Mayor, the Guild of Kidnappers and Robbers of Iztapalapa demand the IMMEDIATE prohibition on UBER as we are running low on clients or the often repeated comment that taxi drivers are (...) dirty, armpit-smelly that listen to whatever music they want) to economic culture-based discrimination Uber is just for credit card users as if it were enough of an argument... Much to the opposite, it's just discrimination, as many people in this city are not credit subjects and do not exist in the banking system, or cannot have an always-connected smartphone — Should they be excluded from the benefits of modernity just because of their economic difference?

And yes, I'm by far not saying Mexico City's taxi drivers are optimal. I am an urban cyclist, and my biggest concern/fear are usually taxi drivers (more so than microbus drivers, which are a class of their own). Again, as I said at the beginning of the post, I am of the idea that if current laws and their enforcement are not enough for a society, it has to change due to that society's pressure — It cannot just be ignored because nobody follows the rules anyway. There is quite a bit that can be learnt from Uber's ways, and there are steps that can be taken by the company to become formal and legal, in our country and in others where they are accused of the same lacking issues.

We all deserve better services. Not just those of us that can pay for a smartphone and are entitled to credit cards. And all passenger-bearing services require strict regulations.

Andrew Pollock: [tech] LWN Chrome extension published

14 May, 2015 - 05:03

I finally got around to finishing off and publishing the LWN Chrome extension that I wrote a couple of months ago.

I received one piece of feedback from someone who read my blog via Planet Debian, but didn't appear to email me from a usable email address, so I'll respond to the criticisms here.

I wrote a Chrome extension because I use Google Chrome. To the best of my knowledge, it will work with Chromium as well, but as I've never used it, I can't really say for sure. I've chosen to licence the source under the Apache Licence, and make it freely available. So the extension is available to anyone who cares to download the source and "side load" it, if they don't want to use the Chrome Web Store.

As for whether a userscript would have done the job, maybe, but I have no experience with them.

Basically, I had an itch, and I scratched it, for the browser I choose to use, and I also chose to share it freely.

Jonathan Dowland: Amiga floppy recovery project

13 May, 2015 - 23:24

I've still got it!

Recovered floppy disks

My first computer was an Amiga A500, and my brother and I spent a fair chunk of our childhoods creating things with it. These things are locked away on 3.5" floppy disks, but they were also lost a long time ago.

A few weeks ago my dad found them in a box in his loft, so a disk-reading project is now on the horizon! Step one is to catalogue what we've got, which I've done here. Step two is to check which, if any, of these are not already in circulation amongst archivists. Thanks to Matthew Garrett for pointing me at the Software Preservation Society, which is a good first place to check.

When we get to the reading step, there are quite a few approaches I could take. Which one to use depends to some extent on which disks we need to read, and whether they employ any custom sector layout or other copy protection schemes. I think the easiest method using equipment I already have is probably Amiga Explorer and a null-modem cable, as this approach will work on an A500 with Workbench 1.3.

There are a variety of hardware tools and projects for reading Amiga floppies on a PC, but the most interesting one to me is DiscFerret, which is open hardware and software.

Ritesh Raj Sarraf: Gitolite and Gitweb

13 May, 2015 - 15:29

This article is for self, so that I don't again forget the specifics. The last time I did the same setup, it wasn't very important in terms of security. gitolite(3) + gitweb can give an impressive git tool with very simple user acls. After you setup gitolite, ensure that the umask value in gitolite is appropriate, i.e. the gitolite group has r-x privilege. This is needed for the web view. Add your apache user to the gitolite group. With the umask changes, and the group association, apache's user will now be able to read gitolite repos.

Now, imagine a repo setting like the following:

repo virtualbox
    RW+     =   admin
    R   =   gitweb

This allows 'R'ead for gitweb. But by Unix ACLs, now even www-data will have 'RX' on all (the ones created after the UMASK) the repositories.

rrs@chutzpah:~$ sudo ls -l /var/lib/gitolite3/repositories/
[sudo] password for rrs:
total 20
drwxr-x--- 7 gitolite3 gitolite3 4096 May 12 17:13 foo.git
drwx------ 8 gitolite3 gitolite3 4096 May 13 12:06 gitolite-admin.git
drwxr-x--- 7 gitolite3 gitolite3 4096 May 13 12:06 linux.git
drwx------ 7 gitolite3 gitolite3 4096 May 12 16:38 testing.git
drwxr-x--- 7 gitolite3 gitolite3 4096 May 12 17:20 virtualbox.git

But just www-data. No other users. Because for 'O', there is no 'rwx'. And the following shows gitolite's own ACL in action:

test@chutzpah:~$ git clone gitolite3@chutzpah:virtualbox
Cloning into 'virtualbox'...
Enter passphrase for key '/home/test/.ssh/id_rsa':
FATAL: R any virtualbox test DENIED by fallthru
(or you mis-spelled the reponame)
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
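The mismatch above, a repository readable by www-data on disk even though gitolite.conf never grants gitweb access to it, is easy to check for. The script below is an added example, not from the post or from gitolite: it reads a gitolite.conf, lists the repositories that grant R (or RW/RW+) to the gitweb pseudo-user, lists the repository directories that are group-readable on disk, and prints the ones readable by the gitolite group (hence by www-data) without a gitweb grant. The fixture reproduces the directory listing and the conf fragment above. Assumptions: one repository name per `repo` line and the whitespace-separated ACL syntax shown in the post.

```shell
#!/bin/sh
# Added example (not from the post or gitolite): find repositories that Unix
# group permissions expose to www-data although gitolite.conf does not grant
# 'gitweb' read access to them.

# Repository names for which gitolite.conf grants R, RW or RW+ to 'gitweb'.
# Assumes one repo per "repo" line; "=" may or may not be surrounded by spaces.
gitweb_allowed_repos() {
    awk '
        { gsub(/=/, " = ") }                       # normalise "R=gitweb" to "R = gitweb"
        $1 == "repo" { repo = $2; next }
        repo != "" && ($1 == "R" || $1 == "RW" || $1 == "RW+") && $2 == "=" {
            for (i = 3; i <= NF; i++) if ($i == "gitweb") print repo
        }
    ' "$1" | sort -u
}

# Repository names (without .git) whose directory is group-readable on disk.
group_readable_repos() {
    for d in "$1"/*.git; do
        [ -d "$d" ] || continue
        if find "$d" -maxdepth 0 -perm -g+r | grep -q .; then
            basename "$d" .git
        fi
    done | sort -u
}

# Group-readable repositories with no gitweb grant: readable by www-data
# through Unix permissions alone. $1 = repositories dir, $2 = gitolite.conf
exposed_repos() {
    allowed=$(gitweb_allowed_repos "$2")
    for r in $(group_readable_repos "$1"); do
        printf '%s\n' "$allowed" | grep -qx "$r" || printf '%s\n' "$r"
    done
}

# Constructed fixture (assumption) mirroring the ls -l listing and the conf
# fragment from the post: five repos, only virtualbox grants R to gitweb.
gitolite_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/repositories"
    for r in foo linux virtualbox; do
        mkdir "$root/repositories/$r.git"; chmod 750 "$root/repositories/$r.git"
    done
    for r in gitolite-admin testing; do
        mkdir "$root/repositories/$r.git"; chmod 700 "$root/repositories/$r.git"
    done
    cat > "$root/gitolite.conf" <<'EOF'
repo gitolite-admin
    RW+     =   admin
repo virtualbox
    RW+     =   admin
    R   =   gitweb
repo foo
    RW+     =   admin
repo linux
    RW      =   admin
repo testing
    RW+     =   admin
EOF
    printf '%s\n' "$root"
}

# Usage on a real host: exposed_repos /var/lib/gitolite3/repositories \
#                                     /var/lib/gitolite3/.gitolite/conf/gitolite.conf
```

For the fixture this prints foo and linux: both are mode 750 because they were created after the umask change, but neither grants gitweb anything, so gitolite's ACL and the filesystem disagree about who may read them.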

Lucas Nussbaum: systemd: Type=simple and avoiding forking considered harmful?

13 May, 2015 - 15:29

(This came up in a discussion on debian-user-french@l.d.o)

When converting from sysvinit scripts to systemd init files, the default practice seems to be to start services without forking, and to use Type=simple in the service description.

What Type=simple does is, well, simple. from systemd.service(5):

If set to simple (the default value if neither Type= nor BusName= are specified), it is expected that the process configured with ExecStart= is the main process of the service. In this mode, if the process offers functionality to other processes on the system, its communication channels should be installed before the daemon is started up (e.g. sockets set up by systemd, via socket activation), as systemd will immediately proceed starting follow-up units.

In other words, systemd just runs the command described in ExecStart=, and it’s done: it considers the service is started.

Unfortunately, this causes a regression compared to the sysvinit behaviour, as described in #778913: if there’s a configuration error, the process will start and exit almost immediately. But from systemd’s point-of-view, the service will have been started successfully, and the error only shows in the logs:

root@debian:~# systemctl start ssh
root@debian:~# echo $?
0
root@debian:~# systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
 Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
 Active: failed (Result: start-limit) since mer. 2015-05-13 09:32:16 CEST; 7s ago
 Process: 2522 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255)
 Main PID: 2522 (code=exited, status=255)
mai 13 09:32:16 debian systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
mai 13 09:32:16 debian systemd[1]: Unit ssh.service entered failed state.
mai 13 09:32:16 debian systemd[1]: ssh.service start request repeated too quickly, refusing to start.
mai 13 09:32:16 debian systemd[1]: Failed to start OpenBSD Secure Shell server.
mai 13 09:32:16 debian systemd[1]: Unit ssh.service entered failed state.

With sysvinit, this error is detected before the fork(), so it shows during startup:

root@debian:~# service ssh start
 [....] Starting OpenBSD Secure Shell server: sshd/etc/ssh/sshd_config: line 4: Bad configuration option: blah
 /etc/ssh/sshd_config: terminating, 1 bad configuration options
 failed!
 root@debian:~#

It’s not trivial to fix that. The implicit behaviour of sysvinit is that fork() sort-of signals the end of service initialization. The systemd way to do that would be to use Type=notify, and have the service signal that it’s ready using systemd-notify(1) or sd_notify(3) (or to use socket activation, but that’s another story). However that requires changes to the service. Returning to the sysvinit behaviour by using Type=forking would help, but is not really a solution: what if some of the initialization happens *after* the fork? This is actually the case for sshd, where the socket is bound after the fork (see strace -f -e trace=process,network /usr/sbin/sshd), so if another process is listening on port 22 and preventing sshd from starting successfully, it would not be detected.

I wonder if systemd shouldn’t do more to detect problems during services initialization, as the transition to proper notification using sd_notify will likely take some time. A possibility would be to wait 100 or 200ms after the start to ensure that the service doesn’t exit almost immediately. But that’s not really a solution for several obvious reasons. A more hackish, but still less dirty solution could be to poll the state of processes inside the cgroup, and assume that the service is started only when all processes are sleeping. Still, that wouldn’t be entirely satisfying…
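As an added example (not from the post, and not systemd code), here is a shell wrapper that emulates the grace-period idea floated above: start the command Type=simple style, give it a short window, and report the start as failed if it has already exited, printing the output that would otherwise only show up in the journal. GRACE (in seconds) and the scratch-file layout are assumptions. A more conventional mitigation for the sshd case is a configuration check before the start, for instance `ExecStartPre=/usr/sbin/sshd -t` in the unit; `sshd -t` only validates the configuration, so it does not catch the bound-after-fork port conflict described above, which the grace-period check does.

```shell
#!/bin/sh
# Added example, not from the post or from systemd: a Type=simple start with
# a grace period. The service command runs in the foreground (no fork) under a
# subshell that records its exit status to a scratch file; if that file exists
# once the grace period is over, the start is reported as failed together
# with the captured output. GRACE (seconds) is an assumption.

start_and_verify() {
    grace=${GRACE:-1}
    scratch=$(mktemp -d)
    # The subshell's own stdio is detached so callers can capture our output
    # without waiting for the service; the service's output goes to a log file,
    # which is where a Type=simple failure would otherwise hide.
    (
        set +e
        "$@" >"$scratch/log" 2>&1
        echo $? >"$scratch/status"
    ) </dev/null >/dev/null 2>&1 &
    wrapper=$!
    sleep "$grace"
    if [ -f "$scratch/status" ]; then
        echo "start failed: exited with status $(cat "$scratch/status") within ${grace}s" >&2
        cat "$scratch/log" >&2
        rm -rf "$scratch"
        return 1
    fi
    # Still running after the grace period: treat the start as successful and
    # hand back the wrapper pid (its log stays in $scratch/log).
    echo "$wrapper"
    return 0
}

# Usage: pid=$(start_and_verify /usr/sbin/sshd -D) || echo "sshd did not start"
```

The check is still a heuristic, as the post says: a daemon that takes longer than the grace period to fail is reported as started, and one that legitimately exits quickly is reported as failed, which is why a readiness notification from the service itself is the real fix.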

NOKUBI Takatsugu: Jessie installer with kvm/serial console

13 May, 2015 - 12:20

I tried to install Jessie on a brand-new virtual machine (kvm), but it has a problem about serial console login.

At least the wheezy installer worked fine because it adds a getty entry to /etc/inittab. Jessie uses systemd but takes no care of the getty service for the serial console. The problem is reported as #769406.

My solution is to invoke “systemctl enable serial-getty@ttyS0.service” via ssh.

Zlatan Todorić: How to answer as a master

13 May, 2015 - 07:17

I have spent a fair amount of time over the years exploring how to make great responses to generic questions (technical ones included), and I can say without doubt that it is a pretty simple thing one could learn. First of all, whether answering a question via email or in person, it is very important that people feel that the person answering is there and is really "getting" their question. So a personal note at the beginning or at the end is not necessary but is a big plus. The particular part of the answer should have 3 phases: a straight yes or no answer, a brief explanation of why yes or no, and then an explanation of the opposite solution. It is very important to keep it as precise and simple as possible while explaining all that is needed for the person who asked the question.

For example Joe asks:

Can I install library libfoo1.2 without breaking software foo1.1

And Jane would answer:

Hi Joe,

very good question as people often do try things like that and could end up in complicated situation.

So the answer is NO.

Pulling the libfoo1.2 would break foo1.1 because there were numerous changes from libfoo1.1 that break backward compatibility and there was also rewriting and porting to a newer version of language.

Now having that out of way, you can safely pull also foo1.2 and install it with libfoo1.2 which is tested and should work for you without any problems.

Best regards,

Jane

And that's it. Lean, clean, cyborg.

Steinar H. Gunderson: In all fairness

13 May, 2015 - 03:15

Since I had a long rant about Lenovo customer service a while back:

My laptop died again during travels; at first, it was really unstable (whenever I'd hold it slightly wrong, it would instantly crash), then later, it would plain refuse to boot (not even anything on the display).

So I called Lenovo, and after some navigating of phone menus I got to someone who took my details, checked my warranty (“let's see, you have warranty until 2018”—no months of arguing this time!) opened a case and sent me on to tech support. Tech support said most likely, the motherboard was broken, and that a technician would call me; today, the tech called, and arrived at work to swap my motherboard. 30 minutes on the phone, 20 minutes waiting for the technician to switch the motherboard (I would probably have used more than an hour myself). And voila, working laptop. (Hope it's stable from now on.)

My only gripe is that I forgot to remind him after the repair to give me new rubber feet—he'd already said it wouldn't be a problem, but we both forgot about it. But overall, this is exactly how it should be—quite unlike last time.

Simon Josefsson: Certificates for XMPP/Jabber

12 May, 2015 - 20:43

I am revamping my XMPP server and I’ve written down notes on how to set up certificates to enable TLS.

I will run Debian Jessie with JabberD 2.x, using the recent jabberd2 jessie-backport. The choice of server software is not significant for the rest of this post.

Running XMPP over TLS is a good idea. So I need an X.509 PKI for this purpose. I don’t want to use a third-party Certificate Authority, since that gives them the ability to man-in-the-middle my XMPP connection. Therefore I want to create my own CA. I prefer tightly scoped (per-purpose or per-application) CAs, so I will set up a CA purely to issue certificates for my XMPP server.

The current XMPP specification, RFC 6120, includes a long section 13.7 that discusses requirements on certificates.

One complication is the requirement to include an AIA for OCSP/CRLs — fortunately, it is not a strict “MUST” requirement but a weaker “SHOULD”. I note that checking revocation using OCSP and CRL is a “MUST” requirement for certificate validation — some specification language impedance mismatch at work there.

The specification demands that the CA certificate MUST have a keyUsage extension with the digitalSignature bit set. This feels odd to me, and I’m wondering if keyCertSign was intended instead. Nothing in the XMPP document, nor in any PKIX document as far as I am aware of, will verify that the digitalSignature bit is asserted in a CA certificate. Below I will assert both bits, since a CA needs the keyCertSign bit and the digitalSignature bit seems unnecessary but mostly harmless.

My XMPP/Jabber server will be “chat.sjd.se” and my JID will be “simon@josefsson.org”. This means the server certificate needs to include references to both these domains. The relevant DNS records for the “josefsson.org” zone are as follows, see section 3.2.1 of RFC 6120 for more background.

_xmpp-client._tcp.josefsson.org.	IN	SRV 5 0 5222 chat.sjd.se.
_xmpp-server._tcp.josefsson.org.	IN	SRV 5 0 5269 chat.sjd.se.

The DNS records of the “sjd.se” zone are as follows:

chat.sjd.se.	IN	A	...
chat.sjd.se.	IN	AAAA	...

The following commands will generate the private key and certificate for the CA. In a production environment, you would keep the CA private key in a protected offline environment. I’m asserting an expiration date ~30 years in the future. While I dislike arbitrary limits, I believe this will be many times longer than the anticipated lifetime of this setup.

openssl genrsa -out josefsson-org-xmpp-ca-key.pem 3744
cat > josefsson-org-xmpp-ca-crt.conf << EOF
[ req ]
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=XMPP CA for josefsson.org
[ v3_ca ]
subjectKeyIdentifier=hash
basicConstraints = CA:true
keyUsage=critical, digitalSignature, keyCertSign
EOF
openssl req -x509 -set_serial 1 -new -days 11147 -sha256 -config josefsson-org-xmpp-ca-crt.conf -key josefsson-org-xmpp-ca-key.pem -out josefsson-org-xmpp-ca-crt.pem

Let’s generate the private key and server certificate for the XMPP server. The wiki page on XMPP certificates is outdated wrt PKIX extensions. I will embed a SRV-ID field, as discussed in RFC 6120 section 13.7.1.2.1 and RFC 4985. I chose to skip the XmppAddr identifier type, even though the specification is somewhat unclear about it: section 13.7.1.2.1 says that it “is no longer encouraged in certificates issued by certification authorities” while section 13.7.1.4 says “Use of the ‘id-on-xmppAddr’ format is RECOMMENDED in the generation of certificates”. The latter quote should probably have been qualified to say “client certificates” rather than “certificates”, since the latter can refer to both client and server certificates.

Note the use of a default expiration time of one month: I believe in frequent renewal of entity certificates, rather than use of revocation mechanisms.

openssl genrsa -out josefsson-org-xmpp-server-key.pem 3744
cat > josefsson-org-xmpp-server-csr.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=XMPP server for josefsson.org
EOF
openssl req -sha256 -new -config josefsson-org-xmpp-server-csr.conf -key josefsson-org-xmpp-server-key.pem -nodes -out josefsson-org-xmpp-server-csr.pem
cat > josefsson-org-xmpp-server-crt.conf << EOF
subjectAltName=@san
[san]
DNS=chat.sjd.se
otherName.0=1.3.6.1.5.5.7.8.7;UTF8:_xmpp-server.josefsson.org
otherName.1=1.3.6.1.5.5.7.8.7;UTF8:_xmpp-client.josefsson.org
EOF
openssl x509 -sha256 -CA josefsson-org-xmpp-ca-crt.pem -CAkey josefsson-org-xmpp-ca-key.pem -set_serial 2 -req -in josefsson-org-xmpp-server-csr.pem -out josefsson-org-xmpp-server-crt.pem -extfile josefsson-org-xmpp-server-crt.conf
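As an added example (not from the post), the script below replays the CA and server certificate generation in a scratch directory and then runs the checks you would want before installing the files: chain verification against the CA, the SAN contents, the CA's keyUsage bits, and the 30-day lifetime that `openssl x509 -req` applies by default when no -days is given. Two deliberate differences from the commands above: keys are 2048 bits to keep the run short, and basicConstraints is marked critical, which RFC 5280 requires for CA certificates. File names under the scratch directory are assumptions; the hostnames are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): build the per-purpose XMPP CA
# and server certificate in a scratch directory, then check the result the
# way a deployer should before pointing jabberd2 at the files.
# Assumptions: file names below; 2048-bit keys (the post uses 3744).

xmpp_pki_build() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    cat > "$dir/ca.conf" <<'EOF'
[ req ]
x509_extensions = v3_ca
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=XMPP CA for josefsson.org
[ v3_ca ]
subjectKeyIdentifier=hash
basicConstraints = critical, CA:true
keyUsage=critical, digitalSignature, keyCertSign
EOF
    openssl req -x509 -set_serial 1 -new -days 11147 -sha256 \
        -config "$dir/ca.conf" -key "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null

    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    cat > "$dir/server-csr.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN=XMPP server for josefsson.org
EOF
    openssl req -sha256 -new -config "$dir/server-csr.conf" \
        -key "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    # SAN: the host name plus the two SRV-ID otherNames (id-on-dnsSRV, RFC 4985).
    cat > "$dir/server-ext.conf" <<'EOF'
subjectAltName=@san
[san]
DNS=chat.sjd.se
otherName.0=1.3.6.1.5.5.7.8.7;UTF8:_xmpp-server.josefsson.org
otherName.1=1.3.6.1.5.5.7.8.7;UTF8:_xmpp-client.josefsson.org
EOF
    # No -days: openssl x509 -req defaults to 30 days, the short lifetime the
    # post relies on instead of revocation.
    openssl x509 -sha256 -req -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -set_serial 2 \
        -in "$dir/server.csr" -out "$dir/server.pem" -extfile "$dir/server-ext.conf" 2>/dev/null
}

# Exit 0 only when the server certificate chains to the CA.
xmpp_pki_verify() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

# Print the server certificate's subjectAltName line.
xmpp_server_san() {
    openssl x509 -in "$1/server.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Print the CA certificate's key usage line; it must mention Certificate Sign.
xmpp_ca_keyusage() {
    openssl x509 -in "$1/ca.pem" -noout -text \
        | grep -A1 'Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 when the server certificate is still valid $2 seconds from now.
xmpp_server_valid_for() {
    openssl x509 -in "$1/server.pem" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage: xmpp_pki_build /tmp/xmpp-pki && xmpp_pki_verify /tmp/xmpp-pki && echo chain OK
```

xmpp_server_valid_for is the check to wire into the renewal cron job: with a 30-day certificate and no revocation, a renewal that fails silently is the failure mode to alarm on.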

With this setup, my XMPP server can be tested by the XMPP IM Observatory. You can see the c2s test results and the s2s test results. Of course, there are warnings regarding the trust anchor issue. It complains about a self-signed certificate in the chain. This is permitted but not recommended — however when the trust anchor is not widely known, I find it useful to include it. This allows people to have a mechanism of fetching the trust anchor certificate should they want to. Some weaker cipher suites trigger warnings, which is more of a jabberd2 configuration issue and/or a concern with jabberd2 defaults.

My jabberd2 configuration is simple — in c2s.xml I add a <id> entity with the “require-starttls”, “cachain”, and “pemfile” fields. In s2s.xml, I have the <pemfile>, <resolve-ipv6>, and <require-tls> entities.

Some final words are in order. While this setup will result in use of TLS for XMPP connections (c2s and s2s), other servers are unlikely to find my CA trust anchor, let alone be able to trust it for verifying my server certificate. I’m happy to read about Peter Saint-Andre’s recent SSL/TLS work, and in particular I will follow the POSH effort.

Michal Čihař: python-gammu 2.2

12 May, 2015 - 17:00

After recent porting python-gammu to Python 3, it was quite obvious to me that new release will have some problems. Fortunately they have proven to be rather cosmetic and no big bugs were found so far.

Anyway it's time to push the minor fixes to the users, so here comes python-gammu 2.2. As you can see, the changes are pretty small, but given that I don't expect much development in the future, it's good to release them early.


Bits from Debian: Debian Ruby team sprint 2015

12 May, 2015 - 05:00

The Debian Ruby team had a first sprint in 2014. The experience was very positive, and it was decided to do it again in 2015. Last April, the team once more met at the IRILL offices, in Paris, France.

The participants worked to improve the quality of Ruby packages in Debian, including fixing release critical and security bugs, improving metadata and packaging code, and triaging test failures on the Debian Continuous Integration service.

The sprint also served to prepare the team infrastructure for the future Debian 9 release:

  • improvements to the gem2deb packaging helper, to improve the semi-automated generation of Debian source packages from existing standard-compliant Ruby packages from Rubygems.

  • there was also an effort to prepare the switch to Ruby 2.2, the latest stable release of the Ruby language which was released after the Debian testing suite was already frozen for the Debian 8 release.

Left to right: Christian Hofstaedtler, Tomasz Nitecki, Sebastien Badia and Antonio Terceiro.

A full report with technical details has been posted to the relevant Debian mailing lists.

Creative Commons License. The copyright of each article belongs to its author.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.