Table Of Contents
| 1. | 2005/01/03 - 2005/01/05 | (2 posts) | Ars Technica Awards |
| 2. | 2005/01/23 - 2005/01/06 | (10 posts) | Supporting Different Pythons |
| 3. | 2004/12/39 - 2005/01/01 | (7 posts) | Documenting the Ubuntu Documentation Project |
| 4. | 2005/01/02 - 2005/01/05 | (14 posts) | Ubuntu Minimum Specifications |
| 5. | 2005/01/03 - 2005/01/07 | (3 posts) | LSB and Ubuntu |
| 6. | 2005/01/03 - 2005/01/05 | (11 posts) | Beagle! |
| 7. | 2005/01/04 - 2005/01/07 | (17 posts) | Security "Hardened" Kernels |
| 8. | 2005/01/05 - 2005/01/07 | (18 posts) | Ubuntu on Servers |
| 9. | 2005/01/05 - 2005/01/07 | (9 posts) | Encrypted Swap |
| 10. | 2004/12/30 - 2005/01/07 | (63 posts) | Documentation Team Happenings |
| 11. | 2005/01/06 - 2005/01/07 | (3 posts) | Ubuntu Security Notifications |
Introduction
Welcome to the twentieth edition of Ubuntu Traffic. This issue covers the first week of the new year: January 1 - 7, 2005. Ubuntu Traffic summarizes the most important mailing list and IRC discussions involving the Ubuntu GNU/Linux distribution.
Ubuntu Traffic can be found on the web at http://people.ubuntulinux.org/~mako/ubuntu-traffic/. You can also receive it in text form over email by signing up for the Ubuntu News mailing list at http://lists.ubuntu.com/mailman/listinfo/ubuntu-news. There is now an RSS feed for Traffic available as well! You can find information on turning that on at the Ubuntu Homepage (http://people.ubuntulinux.org/~mako/ubuntu-traffic/).
You can sign up for any of the mailing lists summarized here at http://lists.ubuntu.com. You can also join the IRC discussion summarized here in #ubuntu and other channels on the Freenode network: irc.freenode.net. Please join in and maybe you will be featured in the next traffic!
First, the following bits and pieces didn't get a full story but are worth mentioning:
1.
Ars Technica Awards
2005/01/03 - 2005/01/05
(2 posts)
Subject: "ArsTechnica Award"
People:
Kevin Mulligan
Kevin Mulligan pointed people to the big news of the week: Ubuntu took home the big awards at Ars Technica's end of the year awards!
Ubuntu garnered two awards from ArsTechnica in their linux.ars year end round up.
This should be posted on the News page of the website. Not sure who to send it to, so here you go doc team! :D
http://arstechnica.com/columns/linux/linux-20050102.ars
- Best Community: Ubuntu Linux forums
- Distribution of the year: Ubuntu
- Best Newcomer to the Community: Ubuntu
From the conclusion of the article: "We didn't have many surprises. Ubuntu Linux had a huge turnout owing to its raging popularity on the desktop. It is like Debian, but unlike the Debian Project, Canonical appears to actually get things done. The distribution is targeted squarely at the desktop without all the political red tape in which the Debian Project seems to have wrapped itself."
Sivan Green went ahead and added this information to the website in the correct place.
2.
Supporting Different Pythons
2005/01/23 - 2005/01/06
(10 posts)
Subject: "Obsoleting python2.1, python2.2 in Hoary"
People:
Matt Zimmerman, David Mandelberg, Matthias Klose, Steve Alexander
Matt Zimmerman sent a message to the devel list making a proposal to reduce the number of different versions of Python that we will support in Hoary:
With the Python 2.4 transition well in hand in Hoary (thanks to Matthias and the others who worked on this), it is time to think about which versions of Python we will support in Hoary.
I propose that we drop Python 2.1 and Python 2.2 at least, and perhaps consider dropping Python 2.3 as well if we don't find any regressions in 2.4.
David Mandelberg suggested that we should not remove these at all but just move them to universe. Matt clarified his position by saying that this is what he was suggesting initially, "The pythonX.Y packages could, of course, continue to exist in universe. However, support for these versions would need to be dropped from native module packages (otherwise, they would require the corresponding pythonX.Y-dev packages in order to build)."
Matthias Klose replied weighing in on the issue and saying, "2.1 should be doable, the only reason for 2.1 modules is the jython package, but that's in universe as well. 2.2 can be dropped, when zope2.6 can be dropped." He added, "there are still some packages having problems with 2.4, with the upcoming 2.3.5 release we should get a 2.3 version, which is on par with 2.4 with regard to bug fixes. there is currently not much to gain to completely drop 2.3 besides touching a lot of packages. the launchpad team explicitly asked for some modules to be available for 2.3 and 2.4."
There was some discussion of the different versions of Zope and what version of Python they each require. Matt, after sorting out the issues on the list said, "OK, so the 'zope' package (which is version 2.6.x) should be in universe, and zope2.7 (zope 2.7.x) should be supported. Great."
Steve Alexander replied ending the thread and saying, "Sounds a bit odd to me, as there is an upgrade path from Zope 2.6 to Zope 2.7. But, that's a minor point. It would be straightforward for someone to explicitly upgrade a Zope instance from 2.6 to 2.7. I might even prefer it like that."
3.
Documenting the Ubuntu Documentation Project
2004/12/39 - 2005/01/01
(7 posts)
Subject: "Documenting the Documentation Project"
People:
Sean Wheller
Sean Wheller made an announcement on the Ubuntu-doc mailing list saying:
As per people's request, I have started documenting the documentation project. This is a great chance for me to get to know how things work in the project and make a few proposals of my own. It's also a great way to get to know the team. Thanks to everyone who has helped me with my induction so far.
Many of you will be still dizzy from all the changes recently introduced to SVN, so please do read the following wiki page:
http://www.ubuntulinux.org/wiki/AboutTheUbuntuCoreDocumentationProject
It's not a complete work, but I think it best to release soon before this doc grows too big. It is already long and many have suggested to break it into smaller pieces. I agree with this, but for now I am adding it all in a single place so people can read and focus on one area. It was generally agreed that we can 'slice and dice' it once we have a bigger picture of what to do with it.
Enrico replied with a longish email full of some good constructive feedback and a number of corrections. There was some disagreement about what the role of the wiki should and will be in the creation of documentation that will ultimately not be wiki-based (i.e., how the authorship and collaborative process should involve the wiki or web). The discussion was long and covered a lot of ground but everyone ended up in agreement in the end and with a great new piece of documentation for those who want to get involved in the creation of documentation for Ubuntu.
4.
Ubuntu Minimum Specifications
2005/01/02 - 2005/01/05
(14 posts)
Subject: "Fw: Minimum specs for Ubuntu"
People:
Judy & Lindsay
Several threads on the Ubuntu-Users mailing list discussed the minimum system requirements for getting an Ubuntu PC up and running. Judy and Lindsay started the first thread saying, "What are the minimum specs for running the latest Ubuntu? If I can get an older Pentium 3 (600-700MHz) would that be suitable?"
A number of people suggested sane minimums by mentioning the speed of the slower computers on which they are currently successfully running Ubuntu. There seemed to be some consensus that a 500MHz machine with at least 192MB memory could run Ubuntu great out of the box (you should have at least 2-3 GB of hard drive space to devote to Ubuntu as well). The limitations for the default desktop installation tend to hinge on memory.
That said, servers and custom installations that do not use GNOME can easily run on much slower machines with less memory. Imagine trying to run the latest version of Windows on such hardware!
5.
LSB and Ubuntu
2005/01/03 - 2005/01/07
(3 posts)
Subject: "Linux Standard Base"
People:
Erik Bågfors, Matt Zimmerman
The Linux Standards Base is a project to develop and promote a set of standards that will increase compatibility among Linux distributions and enable software applications to run on any compliant system. Information on LSB is at: http://www.linuxbase.org/
Erik Bågfors posted a message to the Ubuntu list asking about LSB support in Ubuntu saying:
What's the plan for LSB support in ubuntu. Warty has the following packages:
ii lsb 1.3-9ubuntu7 Linux Standard Base 1.3 core support package
ii lsb-base 1.3-9ubuntu7 Linux Standard Base 1.3 initscript functions
ii lsb-release 1.4-7.1ubuntu3 LSB release command
yet lsb_release gives "N/A".
I'm in the situation where we have binaries that need to run on a number of distributions and we have taken the oldest distribution we have as a "compile" box just because it's always worked on all distributions. Compiling on a newer dist sometimes gives us code that doesn't work on an older. Mostly due to libc.
I was hoping that LSB would solve this for us, therefore, what's the status of LSB plans for ubuntu?
Matt Zimmerman replied to Erik saying:
We are following the development of LSB, and have taken specific actions in order to comply with some versions of the specification, but as yet no specific effort has been made to test and certify Ubuntu with a particular version of LSB.
LSB standardizes what you can expect to be available on the system, but I don't currently know of any tools which will compile programs for you in such a way that they only use LSB interfaces. A book has been published on the subject, though:
http://www.linuxbase.org/modules.php?name=News&file=article&sid=46
This would be something to discuss for the release after Hoary.
6.
Beagle!
2005/01/03 - 2005/01/05
(11 posts)
Subject: "beagle"
People:
Chris Jones, Jeff Waugh
Beagle is the hot search tool for GNOME that lots of people are talking up. There were three threads on Ubuntu devel list this week on Beagle although they covered a lot of shared ground. Chris Jones started the conversation saying:
http://www.gnome.org/projects/beagle/
Beagle is working really well on my machine, almost all the dependencies are in universe. Is there any chance it could be in hoary??
Release manager Jeff Waugh replied saying:
We're actively tracking it (thus its almost completeness in universe), but it's pretty unlikely that it will be supported in hoary (it's targeted for release around the same time as the Preview, and it's not a feature goal).
However, it might be in hoary universe, in preparation for the next release...
7.
Security "Hardened" Kernels
2005/01/04 - 2005/01/07
(17 posts)
Subject: "Announcing security hardened kernels for testing"
People:
Martin Pitt, Mike Hearn, Matt Zimmerman
Martin Pitt cross-posted to a few lists announcing security hardened kernels he had put together and that he was interested in having people test:
At the Mataró conference we discussed about various proactive security enhancements for Ubuntu (http://www.ubuntulinux.org/wiki/SecurityBOF). Amongst other things we agreed to provide a security enhanced kernel that integrates PaX (http://pax.grsecurity.net). By separating writable and executable memory, PaX prevents the exploitation of a whole class of common security vulnerabilities, the buffer overflows.
On a normal kernel, buffer overflows can very often be exploited to run arbitrary attacker supplied code, which can be used to compromise the user account, or even the whole system (if the buffer overflow occurs in a privileged process). On a PaX kernel, any attempt to execute such code immediately causes the process to be killed; this reduces the potential impact of a buffer overflow from system compromise to denial of service.
During the last days I played around with this. I ported the current beta release of Grsecurity (http://www.grsecurity.net) to the Ubuntu kernel and created a source package which builds kernels for various architectures. Grsecurity includes PaX, and also comes along with a role based mandatory access control system and various other improvements (chroot jail hardening, protection against symlink tmpfile attacks, /proc restrictions, randomized PIDs, randomized TCP ports, etc.) which improve the proactive system security.
Right now I built kernels for i386 (a generic 386 package and an optimized K7 one) and powerpc. These are the platforms I can test at home, but I will build kernels for other flavors (like 686, SMP and Power4) and architectures soon, too.
You can download the debs from http://people.ubuntu.com/~pitti/linux-hardened/ or you can add an apt source to install and upgrade them easily:
deb http://people.ubuntu.com/~pitti/linux-hardened/ /
deb-src http://people.ubuntu.com/~pitti/linux-hardened/ /
Current packages:
- linux-image-2.6.10-hardened-1-386 (generic i386)
- linux-image-2.6.10-hardened-1-k7 (optimized for Athlon/Duron)
- linux-image-2.6.10-hardened-1-powerpc (generic PowerPC)
(Note: I did not call the package -grsecurity because in the future we want to include additional improvements.)
Caveats:
- The XFS file system does not work with these kernels at the moment, so do not install them if you rely on XFS. I try to sort that out soon.
- Some programs (most notably X.org and OpenOffice.org) still rely on executing writable memory, so the PaX protection has to be disabled for them. You have to install the "chpax" package and execute the following commands before everything will work:
  sudo chpax -s /usr/X11R6/bin/Xorg
  sudo chpax -p /usr/X11R6/bin/Xorg
  sudo chpax -s /usr/lib/openoffice/program/soffice.bin
  sudo chpax -p /usr/lib/openoffice/program/soffice.bin
  This will set flags in the ELF headers, so you have to repeat these commands after every X.org/OO.o package upgrade for now. These flags do not interfere with anything, so you can safely set them and use the programs on a normal kernel. In the near future I will try to make this happen automatically.
- Framebuffer text console does not work on my i386 (it works fine on my iBook, though). So if you don't see any output, please boot with the normal VGA mode (remove the vga= kernel parameter). I appreciate feedback on this!
Testing:
You can install the "paxtest" package to check your kernel. It will try to execute various buffer overflow exploits and report whether they are successful.
Due to feedback and to popular demand, Martin Pitt quickly released versions of his new kernel for a number of different architectures saying, "Now there are flavours for 386, 686, 686-smp, k7, and k7-smp, the same as for the main kernel. Since I cannot test the 686 and the smp versions, I very much appreciate feedback about them!"
Mike Hearn asked, "Why was PaX chosen over exec-shield? The Linux community has much greater experience with this set of patches than PaX, I know we already dealt with some of the fallout of that in the Wine project." Matt Zimmerman replied before Martin got to it saying, "PaX is what Martin chose to work on; if you would like to experiment with a different implementation, that is welcome as well."
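Martin's caveat about programs that "still rely on executing writable memory" can be checked per process by reading its memory map. The following is an added example, not code from the original thread or from the PaX or Grsecurity projects: it parses the standard `/proc/<pid>/maps` format and reports every region that is both writable and executable. The sample map and all function names are constructed for illustration.

```python
"""Report memory regions that are writable AND executable (W+X)."""
import re
from typing import List, NamedTuple, Tuple


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str  # e.g. "rwxp"
    path: str   # "" for anonymous memory


# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Constructed sample, not captured from a real system.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 08:01 1234       /usr/bin/example
0804c000-0804d000 rw-p 00003000 08:01 1234       /usr/bin/example
0804d000-0806e000 rwxp 00000000 00:00 0          [heap]
b7e00000-b7e21000 rwxp 00000000 00:00 0
bffdf000-c0000000 rwxp 00000000 00:00 0          [stack]
"""


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text, silently skipping lines that do not match."""
    mappings = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            mappings.append(
                Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4].strip())
            )
    return mappings


def describe(m: Mapping) -> str:
    """Name the kind of W+X region so the report is actionable."""
    if m.path == "[stack]":
        return "executable stack"
    if m.path == "[heap]":
        return "executable heap"
    if not m.path:
        return "anonymous writable+executable region"
    return "writable+executable file mapping"


def audit(text: str) -> List[Tuple[str, int]]:
    """Return (description, size_in_bytes) for every W+X region."""
    return [
        (describe(m), m.end - m.start)
        for m in parse_maps(text)
        if "w" in m.perms and "x" in m.perms
    ]


def audit_pid(pid: int) -> List[Tuple[str, int]]:
    """Audit a live process; needs permission to read its maps file."""
    with open(f"/proc/{pid}/maps") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for kind, size in audit(SAMPLE_MAPS):
        print(f"{kind}: {size} bytes")
```

A process with no findings keeps writable and executable memory separate; one with findings is a candidate for the kind of per-binary exemption the announcement describes.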
8.
Ubuntu on Servers
2005/01/05 - 2005/01/07
(18 posts)
Subject: "The "It's Just a Desktop Distro" Problem"
People:
Jorge O. Castro, Tollef Fog Heen, Matt Zimmerman, Benjamin Mako Hill
Jorge O. Castro raised the "Ubuntu is only for desktops" problem and threw out some of his suggestions for fixes to the problem:
OK, I've been using Ubuntu since the beginning, and while I haven't ruled it out as a distribution that I'd use as a server, but I always thought it was geared towards the desktop specifically. Apparently there's a kind of communication chasm here. I had always thought "Ubuntu for desktops, Debian for servers".
I'm a network administrator so I have some ideas on how to fix some of this. Of course, admin stuff is a very personal subject to admins, so naturally, we all have ideas on how to make this rule, so I thought I'd start a discussion on how to make Ubuntu more admin friendly for post-Hoary:
- Market the administrator-features better
- Server Tools
- Fix the "Fame" Problem
- Market the Debian Factor
- Be as bold server side as you are on the desktop
- High Value User
- Reputation
Jorge went into a good deal of depth about each of the problem areas listed above with at least one large paragraph on each section and many suggestions and concrete plans of action.
Tollef Fog Heen replied to Jorge's post saying:
I think you hit the nail on the head here: conservative. If you're a server admin, you tend to be (or become) conservative. I think we'll have a lot more interest from server admins when hoary is out -- warty is the first release and so is something most server admins will stay away from. (Heck, I'm not ubuntuizing any of my servers yet, and I'm one of the developers :)
You have a nice list of suggestions as well, which should be worked on, but I think the main reason we aren't seeing people installing Ubuntu en masse on servers is that it's still a bit too new.
Matt Zimmerman also replied to weigh in on the issues:
We discussed exactly this issue during the Marketing BOF at December's Ubuntu conference. The notes are sparse on this particular subject, but they can be found here: http://www.ubuntulinux.org/wiki/UbuntuMarketing We identified a couple of concrete things that we could do to try to address this misconception:
- Rename the 'custom' install to 'server' (Colin has already done this)
- Create an Ubuntu "server edition" for Hoary, which (as I recall) would essentially default to the server installation, rather than the desktop
Matt continued in depth giving more information and some concrete replies to many of the suggestions and critiques that Jorge leveled.
In a final note, Benjamin Mako Hill replied pointing out that one way to raise the visibility of Ubuntu on servers is to encourage people who are already running Ubuntu on servers to put an icon on their pages, and he mentioned that Volvoguy had created a nice set of icons specifically for this purpose:
It's funny you mention this. I just put this page icons made by our own volvoguy onto the website/wiki: http://www.ubuntulinux.org/wiki/WebsiteButtons
Perhaps a "This Server Runs Ubuntu" icon would be a little less subtle -- in a good way and we can encourage people to use it on their website. That would be a good meme-squasher and we can definitely put it on our website to start with.
9.
Encrypted Swap
2005/01/05 - 2005/01/07
(9 posts)
Subject: "encrypted swap"
People:
David Mandelberg, Colin Watson
David Mandelberg sent a message to the devel list proposing that encrypted swap be set up so that it can be turned on by default in new installs:
One of my biggest desktop security peeves is how easy it is to get confidential data (e.g. credit card numbers) from swap devices. This is relatively easy to fix, all that's necessary is using cryptoloop or something similar with the first n bytes of /dev/random as the key for the swap device. Once the system shuts down, the key is gone (it is stored in RAM only), so recovering data from the swap partition is near impossible.
Encrypted swap is not hard to set up. Cryptsetup (in universe) only needs a small amount of configuring and, as long as the kernel is >= 2.6.4 and supports dm-crypt, it's easy to get encrypted swap.
The only OS/distribution that I know of that currently does this by default is OpenBSD, but there's no reason why Ubuntu shouldn't be the next.
If anybody is interested, I might make a patch to d-i to make it set up /etc/fstab correctly for encrypted swap and provide safe default configuration for cryptsetup.
David followed up to his own message to say that he had a working prototype: "I have a working prototype at http://code.eth0.is-a-geek.org/ubuntu/. Currently it won't work in d-i-ubuntu because cryptsetup isn't on the cd, but you can download and install my modified base-config and run it."
Colin Watson followed up to say:
Hm, shouldn't this be done in partman rather than after the first reboot? I think a lot of this code might be easier if it were done there, because you have register-module for dealing with /etc/modules, the partman infrastructure for dealing with /etc/fstab, apt-install for installing packages, etc., and you don't have to think about whether it's the first time base-config has been run or whatever. It could just be part of partman-basicfilesystems, which sets up the swap partition.
Also, I'm a bit lazy sometimes; a debdiff against the previous package would be great for review purposes. :-)
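David's proposal depends on the swap key coming from a random device and living only in RAM. The following is an added example, not David's prototype or d-i code: it audits the text of `/etc/fstab` and `/etc/crypttab` and classifies each swap entry by whether it has that property. It assumes the four-column crypttab layout (name, device, key file, options) used by current Debian and Ubuntu cryptsetup packages; the sample files, device names and status labels are constructed.

```python
"""Classify each swap entry in fstab by how (or whether) it is encrypted."""
from typing import Dict, Iterator, List, Tuple

# Key sources that yield a fresh key on every boot, never stored on disk.
RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}

# Constructed sample files, not taken from a real system.
SAMPLE_FSTAB = """\
# <fs>                 <mount> <type> <options>                  <dump> <pass>
/dev/sda1              /       ext3   defaults,errors=remount-ro 0      1
/dev/sda2              none    swap   sw                         0      0
/dev/mapper/cryptswap  none    swap   sw                         0      0
/dev/mapper/archswap   none    swap   sw                         0      0
"""

SAMPLE_CRYPTTAB = """\
# <name>    <device>   <keyfile>           <options>
cryptswap   /dev/sda3  /dev/urandom        swap,cipher=aes-xts-plain64,size=256
archswap    /dev/sda4  /etc/keys/swap.key  swap
"""


def _rows(text: str, min_fields: int) -> Iterator[List[str]]:
    """Yield whitespace-split rows, dropping comments and short lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= min_fields:
            yield fields


def parse_crypttab(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each dm-crypt target name to (source device, key file)."""
    return {f[0]: (f[1], f[2]) for f in _rows(text, 3)}


def audit_swap(fstab: str, crypttab: str) -> List[Tuple[str, str]]:
    """Return (device, status) for every swap line in fstab.

    plaintext       swap on a raw device: contents survive power-off
    random-key      dm-crypt with a per-boot key: the property David wants
    persistent-key  dm-crypt, but the key file outlives the shutdown
    unknown-mapping a /dev/mapper device with no crypttab entry (e.g. LVM)
    """
    targets = parse_crypttab(crypttab)
    findings = []
    for device, _mount, fstype, *_rest in _rows(fstab, 3):
        if fstype != "swap":
            continue
        if not device.startswith("/dev/mapper/"):
            findings.append((device, "plaintext"))
            continue
        entry = targets.get(device[len("/dev/mapper/"):])
        if entry is None:
            status = "unknown-mapping"
        elif entry[1] in RANDOM_KEY_SOURCES:
            status = "random-key"
        else:
            status = "persistent-key"
        findings.append((device, status))
    return findings


if __name__ == "__main__":
    for device, status in audit_swap(SAMPLE_FSTAB, SAMPLE_CRYPTTAB):
        print(f"{device}: {status}")
```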
10.
Documentation Team Happenings
2004/12/30 - 2005/01/07
(63 posts)
Subject: "Faqguide is finished"
People:
John Hornbeck, Sean Wheller, Alexander Poslavsky
John Hornbeck sent a message to the ubuntu-doc email list announcing that he was probably not going to be able to work on the Ubuntu Documentation project anymore saying, "Starting tomorrow I go back to school with a full time schedule. I am not sure how much, if any at all I will be able to do for Ubuntu, and would like to not be relied upon for sections of docs that will need to be ready."
Hopefully, in the future, when he has more time, he will get involved again. John's work has been highly valued so far. Enrico and others thanked John for his great work. I'll add to their messages and thank him as well.
The other big talk was around discussion of a separation of the user guide into two projects: an "admin guide" and a "user guide." Sean Wheller suggested:
In light of the original message posted by Matt (in its full length), I would like to resubmit my proposal to split the User Guide into User Guide and Admin Guide. My reasoning:
There are two audiences:
- User = Desktop
- Admin = Server
These audiences have different information requirements.
The idea seemed to be to use XIncludes to "share" the content between the two but not change the existing user guide project.
Alexander Poslavsky made the formal proposal saying:
We leave the three current guides as is:
- Quick-guide - get to know guide, short fast
- User-guide - for those who need some help with using ubuntu as their desktop
- Faq-guide - fast answers, to the usual questions
With these we cover all grounds for end-users. We add:
- Server-guide - how to use ubuntu as a server.
This new guide will cover all the advanced debian topics. Advanced installation, command line packaging, web-servers, mail-servers etc.
With this fourth guide we cover all our bases. It would be a complete documentation-solution.
With DocBook it is possible to use parts of one guide in another, link guides together etc. This will keep the writing environment stable and unchanging, while at the same time evolving our documentation in the right direction.
11.
Ubuntu Security Notifications
2005/01/06 - 2005/01/07
(3 posts)
Subject: "[many]"
Ubuntu Security Notice USN-54-1 (CAN-2004-1183)
Affected Release: Ubuntu 4.10 (Warty Warthog)
Affected Packages are: libtiff-tools
Fix: The problem can be corrected by upgrading the affected package to version 3.6.1-1.1ubuntu1.2. In general, a standard system upgrade is sufficient to effect the necessary changes.
More Information: http://lists.ubuntu.com/archives/ubuntu-security-announce/2005-January/000056.html
Ubuntu Security Notice USN-55-1 (CAN-2004-1025, CAN-2004-1026)
Affected Release: Ubuntu 4.10 (Warty Warthog)
Affected Packages are: libimlib2
Fix: The problem can be corrected by upgrading the affected package to version 1.1.0-12ubuntu2.1. In general, a standard system upgrade is sufficient to effect the necessary changes.
More Information: http://lists.ubuntu.com/archives/ubuntu-security-announce/2005-January/000057.html
Ubuntu Security Notice USN-56-1 (CAN-2005-0021, CAN-2005-0022)
Affected Release: Ubuntu 4.10 (Warty Warthog)
Affected Packages are:
Fix: The problem can be corrected by upgrading the affected package to version 4.34-5ubuntu1.1. In general, a standard system upgrade is sufficient to effect the necessary changes.
More Information: http://lists.ubuntu.com/archives/ubuntu-security-announce/2005-January/000058.html
We Hope You Enjoy Ubuntu Traffic
Ubuntu Traffic is created and produced by Canonical Ltd. All pages are copyright Canonical.