October 2018 report: LTS, Monkeysphere, Flatpak, Kubernetes, CD archival and calendar project
Debian Long Term Support (LTS)
This is my monthly Debian LTS report.
GnuTLS
As discussed last month, one of the options to resolve the pending GnuTLS security issues was to backport the latest 3.3.x series (3.3.30), an update proposed then uploaded as DLA-1560-1. I after a suggestion, I've included an explicit NEWS.Debian item warning people about the upgrade, a warning also included in the advisory itself.
The most important change is probably dropping SSLv3, RC4, HMAC-SHA384 and HMAC-SHA256 from the list of algorithms, which could impact interoperability. Considering how old RC4 and SSLv3 are, however, this should be a welcome change. As for the HMAC changes, those are mandatory to fix the targeted vulnerabilities (CVE-2018-10844, CVE-2018-10845, CVE-2018-10846).
Xen
Xen updates had been idle for a while in LTS, so I bit the bullet and made a first discovery of the pending vulnerabilities. I sent the result to the folks over at Credativ who maintain the 4.4 branch and they came back with a set of proposed updates which I briefly review. Unfortunately, the patches were too deep for me: all I was able to do was to confirm consistency with upstream patches.
I also brought up a discussion regarding the viability of Xen in LTS, especially regarding the "speculative execution" vulnerabilities (XSA-254 and related). My understanding is upstream Xen fixes are not (yet?) complete, but apparently that is incorrect as Peter Dreuw is "condident in the Xen project to provide a solution for these issues". I nevertheless consider, like RedHat that the simpler KVM implementation might provide more adequate protection against those kind of attacks and LTS users should seriously consider switching to KVM for hosing untrusted virtual machines, even if only because that code is actually mainline in the kernel while Xen is unlikely to ever be. It might be, as Dreuw said, simpler to upgrade to stretch than switch virtualization systems...
When all is said and done, however, Linux and KVM are patches in Jessie at the time of writing, while Xen is not (yet).
Enigmail
I spent a significant amount of time working on Enigmail this month again, this time specifically working on reviewing the stretch proposed update to gnupg from Daniel Kahn Gillmor (dkg). I did not publicly share the code review as we were concerned it would block the stable update, which seemed to be in jeopardy when I started working on the issue. Thankfully, the update went through but it means it might impose extra work on leaf packages. Monkeysphere, in particular, might fail to build from source (FTBFS) after the gnupg update lands.
In my tests, however, it seems that packages using GPG can deal with the update correctly. I tested Monkeysphere, Password Store, git-remote-gcrypt and Enigmail, all of which passed a summary smoke test. I have tried to summarize my findings on the mailing list. Basically our options for the LTS update are:
pretend Enigmail works without changing GnuPG, possibly introducing security issues
ship a backport of GnuPG and Enigmail through jessie-sloppy-backports
package OpenPGP.js and backport all the way down to jessie
remove Enigmail from jessie
backport the required GnuPG patchset from stretch to jessie
So far I've taken that last step as my favorite approach...
Firefox / Thunderbird and finding work
... which brings us to the Firefox and Thunderbird updates. I was assuming those were going ahead, but the status of those updates currently seems unclear. This is a symptom of a larger problem in the LTS work organization: some packages can stay "claimed" for a long time without an obvious status update.
We discussed ways of improving on this process and, basically, I will try to be more proactive in taking over packages from others and reaching out to others to see if they need help.
A note on GnuPG
As an aside to the Enigmail / GnuPG review, I was struck by the ... peculiarities in the GnuPG code during my review. I discovered that GnuPG, instead of using the standard resolver, implements its own internal full-stack DNS server, complete with UDP packet parsing. That's 12 000 lines of code right there. There are also abstraction leaks like using "1" and "0" as boolean values inside functions (as opposed to passing an integer and converting as string on output).
A major change in the proposed patchset are changes to the
--with-colons batch output, which GnuPG consumers (like GPGME) are
supposed to use to interoperate with GnuPG. Having written such a
parser myself, I can witness to how difficult parsing those data
structures is. Normally, you should always be using GPGME instead of
parsing those directly, but unfortunately GPGME does not do everything
GPG does: signing operations and keyring management, for example, has
long been considered out of scope, so users are force to parse that
output.
Long story short, GPG consumers still use --with-colons directly
(and that includes Enigmail) because they have to. In this case,
critical components were missing from that output (e.g. knowing which
key signed which UID) so they were added in the patch. That's what
breaks the Monkeysphere test suite, which doesn't expect a specific
field to be present. Later versions of the protocol specification
have been updated (by dkg) to clarify that might happen, but obviously
some have missed the notice, as it came a bit late.
In any case, the review did not make me confident in the software architecture or implementation of the GnuPG program.
autopkgtest testing
As part of our LTS work, we often run tests to make sure everything is in order. Starting with Jessie, we are now seeing packages with autopkgtest enabled, so I started meddling with that program. One of the ideas I was hoping to implement was to unify my virtualization systems. Right now I'm using:
- Vagrant and Virtualbox for disposable VMs
- Docker for some services
- libvirt and KVM for other
- schroot for building packages (through sbuild)
Because sbuild can talk with autopkgtest, and autopkgtest can talk with qemu (which can use KVM images), I figured I could get rid of schroot. Unfortunately, I met a few snags;
- #911977: how do we correctly guess the VM name in autopkgtest?
- #911963: qemu build fails with
proxy_cmd: parameter not set(fixed and provided a patch) - #911979: fails on chown in autopkgtest-qemu backend
- #911981: qemu server warns about missing CPU features
So I gave up on that approach. But I did get autopkgtest working and documented the process in my quick Debian development guide.
Oh, and I also got sucked down into wiki stylesheet (#864925) after battling with the SystemBuildTools page.
Spamassassin followup
Last month I agreed we could backport the latest upstream version of SpamAssassin (a recurring pattern). After getting the go from the maintainer, I got a test package uploaded but the actual upload will need to wait for the stretch update (#912198) to land to avoid a versioning conflict.
Salt Stack
My first impression of Salt was not exactly impressive. The CVE-2017-7893 issue was rather unclear: first upstream fixed the issue, but reverted the default flag which would enable signature forging after it was discovered this would break compatibility with older clients.
But even worse, the 2014 version of Salt shipped in Jessie did not have master signing in the first place, which means there was simply no way to protect from master impersonation, a worrisome concept. But I assumed this was expected behavior and triaged this away from jessie, and tried to forgot about the horrors I had seen.
phpLDAPadmin with sunweaver
I looked next at the phpLDAPadmin (or PHPLDAPadmin?) vulnerabilities, but could not reproduce the issue using the provided proof of concept. I have also audited the code and it seems pretty clear the code is protected against such an attack, as was explained by another DD in #902186. So I asked Mitre for rejection, and uploaded DLA-1561-1 to fix the other issue (CVE-2017-11107). Meanwhile the original security researcher acknowledged the security issue was a "false positive", although only in a private email.
I almost did a NMU for the package but the security team requested to wait, and marked the package as grave so it gets kicked out of buster instead. I at least submitted the patch, originally provided by Ubuntu folks, upstream.
Smarty3
Finally, I worked on the smart3 package. I confirmed the package
in jessie is not vulnerable, because Smarty hadn't yet had the
brilliant idea of "optimizing" realpath by rewriting it with
new security vulnerabilities. Indeed, the CVE-2018-13982
proof of content and CVE-2018-16831 proof of
content both fail in jessie.
I have tried to audit the patch shipped with stretch to make sure it fixed the security issue in question (without introducing new ones of course) abandoned parsing the stretch patch because this regex gave me a headache:
'%^(?<root>(?:<span class="createlink">:alpha:</span>:[\\\\]|/|[\\\\]{2}<span class="createlink">:alpha:</span>+|<span class="createlink">:print:</span>{2,}:[/]{2}|[\\\\])?)(?<path>(?:<span class="createlink">:print:</span>*))$%u',
"who is supporting our users?"
I finally participated in a discussion regarding concerns about support of cloud images for LTS releases. I proposed that, like other parts of Debian, responsibility of those images would shift to the LTS team when official support is complete. Cloud images fall in that weird space (ie. "Installing Debian") which is not traditionally covered by the LTS team.
Hopefully that will become the policy, but only time will tell how this will play out.
Other free software work
irssi sandbox
I had been uncomfortable running irssi as my main user on my server for a while. It's a constantly running network server, sometimes connecting to shady servers too. So it made sense to run this as a separate user and, while I'm there, start it automatically on boot.
I created the following file in /etc/systemd/system/irssi@.service,
based on this gist:
[Unit]
Description=IRC screen session
After=network.target
[Service]
Type=forking
User=%i
ExecStart=/usr/bin/screen -dmS irssi irssi
ExecStop=/usr/bin/screen -S irssi -X stuff '/quit\n'
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
A whole apparmor/selinux/systemd profile could be written for irssi of
course, but I figured I would start with
NoNewPrivileges. Unfortunately, that line breaks screen, which is
sgid utmp which is some sort of "new privilege". So I'm running
this as a vanilla service. To enable, simply enable the service with
the right username, previously created with adduser:
systemctl enable irssi@foo.service
systemctl start irssi@foo.service
Then I join the session by logging in as the foo user, which can be
configured in .ssh/config as a convenience host:
Host irc.anarc.at
Hostname shell.anarc.at
User foo
IdentityFile ~/.ssh/id_ed25519_irc
# using command= in authorized_keys until we're all on buster
#RemoteCommand screen -x
RequestTTY force
Then the ssh irc.anarc.at command rejoins the screen session.
Monkeysphere revival
Monkeysphere was in bad shape in Debian buster. The bit rotten test suite was failing and the package was about to be removed from the next Debian release. I filed and worked on many critical bugs (Debian bug #909700, Debian bug #908228, Debian bug #902367, Debian bug #902320, Debian bug #902318, Debian bug #899060, Debian bug #883015) but the final fix came from another user. I was also welcome on the Debian packaging team which should allow me to make a new release next time we have similar issues, which was a blocker this time round.
Unfortunately, I had to abandon the Monkeysphere FreeBSD port. I had simply forgotten about that commitment and, since I do not run FreeBSD anywhere anymore, it made little sense to keep on doing so, especially since most of the recent updates were done by others anyways.
Calendar project
I've been working on a photography project since the beginning of the year. Each month, I pick the best picture out of my various shoots and will collect those in a 2019 calendar. I documented my work in the photo page, but most of my work in October was around finding a proper tool to layout the calendar itself. I settled on wallcalendar, a beautiful LaTeX template, because the author was very responsive to my feature request.
I also figured out which events to include in the calendar and a way to generate moon phases (now part of the undertime package) for the local timezone. I still have to figure out which other astronomical events to include. I had no response from the local Planetarium but (as always) good feedback from NASA folks which pointed me at useful resources to top up the calendar.
Kubernetes
I got deeper into Kubernetes work by helping friends setup a cluster and share knowledge on how to setup and manage the platforms. This led me to fix a bug in Kubespray, the install / upgrade tool we're using to manage Kubernetes. To get the pull request accepted, I had to go through the insanely byzantine CLA process of the CNCF, which was incredibly frustrating, especially since it was basically a one-line change. I also provided a code review of the Nextcloud helm chart and reviewed the python-hvac ITP, one of the dependencies of Kubespray.
As I get more familiar with Kubernetes, it does seem like it can solve real problems especially for shared hosting providers. I do still feel it's overly complex and over-engineered. It's difficult to learn and moving too fast, but Docker and containers are such a convenient way to standardize shipping applications that it's hard to deny this new trend does solve a problem that we have to fix right now.
CD archival
As part of my work on archiving my CD collection, I contributed three pull requests to fix issues I was having with the project, mostly regarding corner cases but also improvements on the Dockerfile. At my suggestion, upstream also enabled automatic builds for the Docker image which should make it easier to install and deploy.
I still wish to write an article on this, to continue my series on archives, which could happen in November if I can find the time...
Flatpak conversion
After reading a convincing benchmark I decided to give Flatpak another try and ended up converting all my Snap packages to Flatpak.
Flatpak has many advantages:
it's decentralized: like APT or F-Droid repositories, anyone can host their own (there is only one Snap repository, managed by Canonical)
it's faster: the above benchmarks hinted at this, but I could also confirm Signal starts and runs faster under Flatpak than Snap
it's standardizing: many of the work Flatpak is doing to make sense of how to containerize desktop applications is being standardized (and even adopted by Snap)
Much of this was spurred by the breakage of Zotero in Debian (Debian bug #864827) due to the Firefox upgrade. I made a wiki page to tell our users how to install Zotero in Debian considering Zotero might take a while to be packaged back in Debian (Debian bug #871502).
Debian work
Without my LTS hat, I worked on the following packages:
- integrate a NMU for libotr into a new upload which also did the usual housekeeping
- contributed a patch (in Debian bug #911418) to fix a startup error in rapid-photo-downloader
- investigated possible fixes for odd behaviors and limitations of apt-show-version (in Debian bug #783781 and Debian bug #827337)
Other work
Usual miscellaneous:
- Git-annex feature request and bug reports on Nextcloud integration
- Sigal + git-annex integration documentation
- Failed to convince GhostText to do proper releases
- Failed to resolve a naming conflict between two packages
named
yq, which both try to be the "jqof YAML" - Filed a bug regarding an impossible to fix deprecation notice in Feedparser (public service announcement: if you deprecate an API, make sure there's a way to use the new one properly without having warnings)
- I made small changes to the theme of this site to improve the print version and contributed a patch upstream to fix this as well
- Some housekeeping on feed2exec: fix the test suite which seems to bitrot on itself
- Review and update Koumbit's pre-receive-enforce-gpg-signatures
git hook to check OpenPGP signatures on git repositories, to
support running it as an
updatehook.
RSS
Comments on this page are closed.
Created .
Edited .