Ubuntu garnered two awards from ArsTechnica in their linux.ars year end round up.

This should be posted on the News page of the website. Not sure who to send it to, so here you go doc team! :D

http://arstechnica.com/columns/linux/linux-20050102.ars

• Best Community: Ubuntu Linux forums
• Distribution of the year: Ubuntu
• Best Newcomer to the Community: Ubuntu

From the conclusion of the article: "We didn't have many surprises. Ubuntu Linux had a huge turnout owing to its raging popularity on the desktop. It is like Debian, but unlike the Debian Project, Canonical appears to actually get things done. The distribution is targeted squarely at the desktop without all the political red tape in which the Debian Project seems to have wrapped itself."

With the Python 2.4 transition well in hand in Hoary (thanks to Matthias and the others who worked on this), it is time to think about which versions of Python we will support in Hoary.

I propose that we drop Python 2.1 and Python 2.2 at least, and perhaps consider dropping Python 2.3 as well if we don't find any regressions in 2.4.

As per peoples request, I have started documenting the documentation project. This is a great chance for me to get to know how things work in the project and make a few proposals of my own. It's also a great way to get to know the team. Thanks to everyone who has helped me with my induction so far.

Many of you will be still dizzy from all the changes recently introduced to SVN, so please do read the following wiki page:

http://www.ubuntulinux.org/wiki/AboutTheUbuntuCoreDocumentationProject

It's not a complete work, but I think it best to release soon before this doc grows to big. It is already long and many have suggested to break it into smaller pieces. I agree with this, but for now I am adding it all in a single place for people can read and focus on one area. It was generally agreed that we can 'slice and dice' it once we have a bigger picture of what to do with it.

What's the plan for LSB support in ubuntu. Warty has the following packages:

ii  lsb            1.3-9ubuntu7   Linux Standard Base 1.3 core support package
ii  lsb-base       1.3-9ubuntu7   Linux Standard Base 1.3 initscript functions
ii  lsb-release    1.4-7.1ubuntu3 LSB release command

yet lsb_release gives "N/A".

I'm in the situation where we have binaries that needs to run on a number of distributions and we have taken the oldest distribution we have as a "compile" box just because it's always worked on all distributions. Compiling on a newer dist sometimes gives us code that doesn't work on an older. Mostly due to libc.

I was hoping that LSB would solve this for us, therefore, what's the status of LSB plans for ubuntu?

We are following the development of LSB, and have taken specific actions in order to comply with some versions of the specification, but as yet no specific effort has been made to test and certify Ubuntu with a particular version of LSB.

LSB standardizes what you can expect to be available on the system, but I don't currently know of any tools which will compile programs for you in such a way that they only use LSB interfaces. A book has been published on the subject, though:

http://www.linuxbase.org/modules.php?name=News&file=article&sid=46

This would be something to discuss for the release after Hoary

http://www.gnome.org/projects/beagle/

Beagle is working really well on my machine, almost all the dependencies are in universe. Is there any chance it could be in hoary??

We're actively tracking it (thus its almost completeness in universe), but it's pretty unlikely that it will be supported in hoary (it's targeted for release around the same time as the Preview, and it's not a feature goal).

However, it might be in hoary universe, in preparation for the next release...

At the Mataró conference we discussed about various proactive security enhancements for Ubuntu. Amongst other things we agreed to provide a security enhanced kernel that integrates PaX. By separating writable and executable memory, PaX prevents the exploitation of a whole class of common security vulnerabilities, the buffer overflows.

On a normal kernel, buffer overflows can very often be exploited to run arbitrary attacker supplied code, which can be used to compromise the user account, or even the whole system (if the buffer overflow occurs in a privileged process). On a PaX kernel, any attempt to execute such code immediately causes the process to be killed; this reduces the potential impact of a buffer overflow from system compromise to denial of service.

During the last days I played around with this. I ported the current beta release of Grsecurity to the Ubuntu kernel and created a source package which builds kernels for various architectures. Grsecurity includes PaX, and also comes along with a role based mandatory access control system and various other improvements (chroot jail hardening, protection against symlink tmpfile attacks, /proc restrictions, randomized PIDs, randomized TCP ports, etc.) which improve the proactive system security.

Right now I built kernels for i386 (a generic 386 package and an optimized K7 one) and powerpc. These are the platforms I can test at home, but I will build kernels for other flavors (like 686, SMP and Power4) and architectures soon, too.

You can download the debs from http://people.ubuntu.com/~pitti/linux-hardened/ or you can add an apt source to install and upgrade them easily:

deb  http://people.ubuntu.com/~pitti/linux-hardened/ /
deb-src http://people.ubuntu.com/~pitti/linux-hardened/  /

Current packages:

• linux-image-2.6.10-hardened-1-386 (generic i386)
• linux-image-2.6.10-hardened-1-k7 (optimized for Athlon/Duron)
• linux-image-2.6.10-hardened-1-powerpc (generic PowerPC)

(Note: I did not call the package -grsecurity because in the future we want to include additional improvements.)

Caveats:

• The XFS file system does not work with these kernels at the moment, so do not install them if you rely on XFS. I try to sort that out soon.

• Some programs (most notably X.org and OpenOffice.org) still rely on executing writable memory, so the PaX protection has to be disabled for them. You have to install the "chpax" package and execute the following commands before everything will work:

  sudo chpax -s /usr/X11R6/bin/Xorg
  sudo chpax -p /usr/X11R6/bin/Xorg
  sudo chpax -s /usr/lib/openoffice/program/soffice.bin
  sudo chpax -p /usr/lib/openoffice/program/soffice.bin

  This will set flags in the ELF headers, so you have to repeat these commands after every X.org/OO.o package upgrade for now. These flags do not interfere with anything, so you can safely set them and use the programs on a normal kernel. In the near future I will try to make this happen automatically.

• Framebuffer text console does not work on my i386 (it works fine on my iBook, though). So if you don't see any output, please boot with the normal VGA mode (remove the vga= kernel parameter). I appreciate feedback on this!

Testing:

You can install the "paxtest" package to check your kernel. It will try to execute various buffer overflow exploits and report whether they are successful.

OK, I've been using Ubuntu since the beginning, and while I haven't ruled it out as a distribution that I'd use as a server, but I always thought it was geared towards the desktop specifically. Apparently there's a kind of communication chasm here. I had always thought "Ubuntu for desktops, Debian for servers".

I'm a network administrator so I have some ideas on how to fix some of this. Of course, admin stuff is a very personal subject to admins, so naturally, we all have ideas on how to make this rule, so I thought I'd start a discussion on how to make Ubuntu more admin friendly for post-Hoary:

• Market the administrator-features better
• Server Tools
• Fix the "Fame" Problem
• Market the Debian Factor
• Be as bold server side as you are on the desktop
• High Value User
• Reputation

I think you hit the nail on the head here: conservative. If you're a server admin, you tend to be (or become) conservative. I think we'll have a lot more interest from server admins when hoary is out -- warty is the first release and so is something most server admins will stay away from. (Heck, I'm not ubuntuizing any of my servers yet, and I'm one of the developers :)

You have a nice list of suggestion as well, which should be worked on, but I think the main reason we aren't seeing people installing Ubuntu en masse on servers is that it's still a bit too new.

We discussed exactly this issue during the Marketing BOF at December's Ubuntu conference. The notes are sparse on this particular subject, but they can be found here: http://www.ubuntulinux.org/wiki/UbuntuMarketing We identified a couple of concrete things that we could do to try to address this misconception:

1. Rename the 'custom' install to 'server' (Colin has already done this)
2. Create an Ubuntu "server edition" for Hoary, which (as I recall) would essentially default to the server installation, rather than the desktop

It's funny you mention this. I just put this page icons made by our own volvoguy onto the website/wiki: http://www.ubuntulinux.org/wiki/WebsiteButtons

Perhaps a "This Server Runs Ubuntu" icon would be a little less subtle -- in a good way and we can encourage people to use it on their website. That would be a good meme-squasher and we can definitely put it on our website to start with.

One of my biggest desktop security peeves is how easy it is to get confidential data (e.g. credit card numbers) from swap devices. This is relatively easy to fix, all that's necessary is using cryptoloop or something similar with the first n bytes of /dev/random as the key for the swap device. Once the system shuts down, the key is gone (it is stored in RAM only), so recovering data from the swap partition is near impossible.

Encrypted swap is not hard to set up. Cryptsetup (in universe) only needs a small amount of configuring and, as long as the kernel is >= 2.6.4 and supports dm-crypt, it's easy to get encrypted swap.

The only OS/distribution that I know of that currently does this by default is OpenBSD, but there's no reason why Ubuntu shouldn't be the next.

If anybody is interested, I might make a patch to d-i to make it set up /etc/fstab correctly for encrypted swap and provide safe default configuration for cryptsetup.

Hm, shouldn't this be done in partman rather than after the first reboot? I think a lot of this code might be easier if it were done there, because you have register-module for dealing with /etc/modules, the partman infrastructure for dealing with /etc/fstab, apt-install for installing packages, etc., and you don't have to think about whether it's the first time base-config has been run or whatever. It could just be part of partman-basicfilesystems, which sets up the swap partition.

Also, I'm a bit lazy sometimes; a debdiff against the previous package would be great for review purposes. :-)

In light of the original message posted by Matt (in its full length), I would like to resubmit my proposal to split the User Guide into User Guide and Admin Guide. My reasoning:

There are two audiences:

1. User = Desktop
2. Admin = Server

These audiences have different information requirements.

We leave the three current guides as is:

• Quick-guide - get to know guide, short fast
• User-guide - for those who need some help with using ubuntu as their desktop
• Faq-guide - fast answers, to the usual questions

With these we cover all grounds for end-users. We add:

• Server-guide - how to use ubuntu as a server.

This new guide will cover all the advanced debian topics. Advanced installation, command line packaging, web-servers, mail-servers etc.

With this fourth guide we cover all our bases. It would be a complete documentation-solution.

With DocBook it is possible to use parts of one guide in another, link guide together etc. This will keep the writing environment stable and unchanging, while at the same time evolving our documentation in the right direction.