Ubuntu Traffic

Ubuntu Traffic #14 For 2004/11/26

By Benjamin Mako Hill

Introduction

Welcome to the fourteenth edition of Ubuntu Traffic. This issue covers the week of November 20 - 26, 2004. Ubuntu Traffic summarizes the most important mailing list and IRC discussions involving the Ubuntu GNU/Linux distribution.

You can sign up for any of the mailing lists summarized here at http://lists.ubuntu.com. You can also join the IRC discussion summarized here in #ubuntu and other channels on the Freenode network: irc.freenode.net. Please join in and maybe you will be featured in the next traffic!

First, the following bits and pieces didn't get a full story but are worth mentioning:

Mailing List Stats For This Week

We looked at 1329 posts in 7336K.

There were 389 different contributors. 194 posted more than once. 165 posted last week too.

The top posters of the week were:

 

1. Live CDs for PPC (And More!)
2004/11/12 - 2004/11/26 (7 posts) Subject: "PowerPC live CD (Re: again on livecd ;))"
People: Marco Bonetti, Andreas Mueller

The desire for a PowerPC/Mac version of the Live CD was brought up several times on ubuntu-devel and ubuntu-users, and several times on IRC as well. In one thread, Marco Bonetti asked, "How's going the PowerPC ubuntu livecd? On IRC, I read it has low priority ATM but I think that a live linux-ppc is something that is really missing." Marco also offered to help.

Matt Zimmerman replied to say that as far as he knew, nobody was working on it but that Andreas Mueller was the person to talk to if he wanted to work on this as he is handling most of the Live CD creation tasks for Ubuntu.

Andreas Mueller replied to say, "For the moment a straight unfavorable time, we discuss at the moment a redesign the CD. Probably it will become completely simple in the future, for all architectures, to provide liveCD's." In short, Andreas Mueller and Matt Zimmerman are working together on a new Live CD design that should be able to easily support PPC and just about anything else that we can install. That said, it will take a bit of work and won't be ready immediately.

 

2. Downgrading From Hoary
2004/11/17 - 2004/11/22 (4 posts) Subject: "How to downgrade from hoary to warty?"
People: Olivier Vogel, Oliver Grawert, Danilo Piazzalunga

Olivier Vogel asked, "Is it possible to downgrade from hoary to warty without reinstalling a new system?" Oliver Grawert replied saying, "unfortunately there is no clean way of doing that, you will have to reinstall..."

While there is certainly no clean way, Danilo Piazzalunga pointed Olivier to a document that describes one way, saying, "Try reading https://www.ubuntulinux.org/wiki/DowngradingFromHoaryHowTo and see if it works well enough for you."

Of course, this is completely unsupported and could leave your system in a broken state but it's there for folks who want it and feel like living dangerously.

 

3. Ubuntu Merchandise
2004/11/18 - 2004/11/22 (54 posts) Subject: "merchandise"
People: David, Louise McCance-Price

David asked, "What is the official position regarding merchandise for Ubuntu? I'm thinking specifically of T-Shirts. I made myself an Ubuntu T-shirt using one of the "iron on" sheets but silk screen print would be better."

That day, Louise McCance-Price replied saying:

Today, we have just launched the Ubuntu Shop! Please visit: http://www.cafepress.com/ubuntushop An upgrade to a premium shop with showcased designs from our community will be launched early next year.

We have gone with Cafepress as a first stop for merchandise (and we are aware that some folks think the quality could be better) but there aren't too many "shops" of this nature around. If you know of any others, please do share the info!

Commission on sales

The Ubuntu project receives a small percentage on these sales. All proceeds from the Ubuntu shop (as with donations) will go to top up the bounty fund. Visit http://www.ubuntulinux.org/community/bounties for more information.

Community merchandise

We would like to see our community creating Ubuntu merchandise, but please notify us to obtain permission to use the Ubuntu trademark in advance (trademarks@ubuntulinux.org). We will be tracking this. Please visit: http://www.ubuntulinux.org/ubuntu/TrademarkPolicy/ for more information.

We'd love to see your designs, logos and artwork - so please add links to your personal sites at: https://www.ubuntulinux.org/wiki/CommunityArtwork

Competitions

We will be running a T-shirt design competition and web design competition in the new year, details will be posted as soon as they are available.

Shango Oluwa voiced some concerns about the choice of Cafepress which serves many different groups including some that might be advocating political agendas that he and others might think go against the core concepts of Ubuntu. Louise replied to say:

Ubuntu has no political affiliation. Cafepress is merely an outlet for people to purchase merchandise. If you do not wish to use them, that is absolutely your freedom of choice. We are merely hosting a shop at Cafepress, not endorsing any of their other shops' merchandise, beliefs etc.

 

4. Documentation Team Update
2004/11/19 - 2004/11/27 (86 posts) Subject: "Guidelines for writing?"
People: Enrico Zini, Matt Kirchhoff, John Hornbeck

The documentation team clocked in another week of busy discussion. Enrico Zini posted information on style and guidelines for writing documentation for Ubuntu saying:

Now, I wouldn't want to see a super-long style guide explaining how many spaces go after a full stop and if there should be a comma before the "and" at the end of a list[1]. However it would be nice to collect items like this "Ubuntu OS / Ubuntu GNU/Linux" thing in a document that everyone can quickly have a look at.

I started this page, where I can collect other similar items that pass around the list: https://www.ubuntulinux.org/wiki/StyleGuide

Matt Kirchhoff said, "As an aside, I'd be willing to serve as an overall style editor for finalized documents. I have experience in this area, and I could help ensure stylistic consistency across the wide range of documents we'll likely encounter. I agree that nitpicking over grammar/punctuation is unnecessary, but we should employ guidelines for person/tense/voice and other major stylistic concerns."

Elsewhere, John Hornbeck mentioned the fact that he was thinking of porting the entire Progeny User Guide over to Ubuntu since it is already a very good resource. Similar ideas have been leveled in favor of the GNOME documentation.

John Hornbeck posted a summary of the organization of the Ubuntu book that he is interested in writing. That outline contained:

  1. Installing Ubuntu
    • Simple as pie
    • Windows dual boot notes?
  2. Using Gnome
    • Basic Anatomy
    • Running Applications
    • Managing Windows
    • Finding Files
    • Managing Files
  3. Common Tasks
    • Listen to Music
    • Create an Audio CD
    • Check Email
    • Instant Messaging
    • Burn a Data CD
    • Write a Letter
  4. Software
    • Software Installation/Removal
    • Keeping up to date
  5. Peripherals
    • Digital Camera
    • Scanner
    • External Drives
    • Printers
    • Palm/Pocket PC
  6. System Configuration
    • Boot
    • Device Manager
    • Disks
    • Login Screen Setup
    • Networking
    • Printing
    • Screen Resolution
    • Synaptic Package Manager
    • Time and Date
    • Users and Groups
  7. More Information
    • Command Line
    • Applications for "Switchers"
    • Hardware Compatibility
    • Philosophy

Finally, Enrico Zini proposed using something like CIA to monitor the doc team subversion repository:

Some of you are probably aware that it's possible to hook some scripts into a subversion repository to get cool things like commit reports mailed to a list or cia.navi.cx statistics.

Sending commit reports here is a bit aggressive, although we could create an ubuntu-doc-commits list somewhere. A CIA bot posting commit reports in #ubuntu-doc instead could be really cute.

If we are interested in this, I don't have access to the server, but I can help in setting things up.

 

5. More On Language Packs
2004/11/19 - 2004/11/22 (5 posts) Subject: "Discussion destillation: Options for language packs"
People: Martin Pitt, Carlos Perello Marin

Martin Pitt sent an update to the development list on the work being done on language packs -- one of the most important Hoary feature goals. Martin went through an IRC discussion and wrote up a structured overview about the possible alternatives, their pros (+) and cons (-). This included:

(F1) single source and binary deb contains program and all available
     translations, no extra language packs (status quo)

 + no effort
 + no version inconsistencies
 + compatible to Debian and third party packages
 + users can compile fully functional packages on their own
 - wastes installed space for unwanted translations
 - updating translations for stable releases requires a lot of
   redundant downloads (since the non-translation part of packages
   does not change)

(F2) extract translations during package build to separate language debs

 + users can install just the translation(s) they want, space
   efficient on installed system
 + can save space on CDs if we have per-language CDs
 - requires Ubuntu-specific build system, modification of debhelper,
   manual modification of packages that do not use debhelper
 - incompatible to Debian and third party packages, Ubuntu packages
   would conflict to them (because they ship the same files)
 - security updates of packages would drag the need to update the
   language pack(s) as well

   (F2-1) one deb per language that contains translations of all packages

    + no significant increase of number of packages
    - package must be rebuilt after any other package change to update
      the translations; unbearable impact on buildds and mirrors
    - users without huge bandwidth will not be able/willing to
      download big language packs very often (for maybe only one or
      two string updates)

   (F2-2) one deb per package that contains translations for all languages

    + no significantly higher impact on buildds and mirrors
    + space-efficient updates of language packs for stable releases
    o doubles the number of packages, but should be still bearable
    o translation-only updates do not download code any more, but
      still download unwanted translations

   (F2-3) one deb per package and language
    + fine-grained updates with very little mirror and buildd overhead
    + space-efficient updates of language packs for stable releases
    - increases number of packages by factor N (number of supported
      languages, in the order of 10 to 20) -> it takes the 20fold
      amount of bandwidth, time, space, and memory to download and
      process the Packages file, which would probably make them bigger
      than a monolithic per-language deb. However this could be
      alleviated by providing new package sections for each language.

(F3) Leave original packages as they are and provide incremental
     translation update packages

 + stays compatible to Debian and third party debs
 + only
 - wastes user's disk for unwanted translations
 - brings along translations we do not support
 - same problems as above wrt. updating frequency and mirror impact
   (single deb for all packages) or package number (one translation
   deb per package)

   (F3-1) use dpkg-divert in the language pack to replace changed
          gettext files with newer versions
     - wastes user's disk for the original copy of the translations (that
       is shadowed by the update)

   (F3-2) introduce alternative gettext hierarchy /usr/share/langpack
     + possible to ship po files which only contain the bits that
       really changed, this alleviates the redundant copies
     - necessary to change gettext for that, and all packages that
       include a static copy of gettext

(F4) Leave original packages as they are and provide translation
     updates without using debs; translations could be directly
     downloaded from Rosetta to /var/cache/locales/, or a
     similar place
 + since this does not touch the archive at all, there is no impact on
   buildds, mirrors, build systems, Package files, etc.
 + can be made fine-grained to download only updates for languages and
   software the user actually wants
 - we need to develop a version control system which decides when to
   use /var/cache/locales/ and when /usr/share/locales (updated
   packages could have newer translations than the ones downloaded
   from Rosetta); this could be done using the timestamp in the po
   files
 o version controlling and downloading should be done in the
   language-support-XX packages (that we need anyway as a metapackage
   for Mozilla/Firefox/etc.); this package should provide a simple
   frontend for triggering updates

(F5) keep the status quo on the archive servers, but strip off all but
     one/some translations in the debs that are shipped on the CDs
     + easy to achieve without any buildd/mirror hit
     + saves space on CDs (with per-language ones, at least)
     - does not solve the "new translation upgrades" problem any
       better
     - apt will get confused if it sees two available packages with
       same version, but different size
     - insane amount of updated packages at first network update

(F6) Convert the world to use one common language
 + No technical solution necessary
 + can throw away all translations, saves huge amounts of space on the
   CD that can be filled with indispensable gam^Wproductivity software
   like TuxRacer and Frozen Bubble
 - Sebastien insists to use French, but I do not understand a word of it
 o (SCNR)

Side note that applies to all options: Translation updates for stable
releases can easily introduce security holes; if we do this, we must
review translations very carefully.

Carlos Perello Marin replied to say, "The option I really love is a mix of F2-1 and F2-3, we have a global package per language but based on tasks or groups of packages, for instance base-l10n-XX, gnome-l10n-XX, server-l10n-XX, etc..."

There is a BOF scheduled to really hash out this problem at the upcoming Ubuntu conference in Mataro.

 

6. Dropping Support For the Mozilla Suite
2004/11/19 - 2004/11/27 (25 posts) Subject: "Dropping support for Mozilla suite?"
People: Martin Pitt, Martin Willemoes Hansen

Martin Pitt posted another message to the development and users lists explaining a plan with Mozilla and asking for comments. The message read:

In Tuesday's community we discussed about the future of Mozilla. The Mozilla foundation seems to fade out support for the legacy Mozilla suite (packages mozilla-browser and mozilla-mailnews) in favor of the splitted new FireFox and Thunderbird packages.

Therefore we would like to confine our attention to the new programs and drop support for Mozilla in Hoary if there are no serious regressions.

So we have a question to the community: are there any advantages that you see for Mozilla that FireFox/Thunderbird do not have? Would you seriously miss Mozilla if we dropped support for it?

Martin Willemoes Hansen objected, saying, "I can get java-applets from sun going in Mozilla, but not in firefox." psychoelmo pointed the group to the announcement at http://www.mozilla.org/roadmap.html#what-all-this-does-not-mean which basically says that Mozilla will still be supporting the legacy suite for some time. The list also saw a good deal of positive feedback on the proposal to focus on Firefox and Thunderbird.

 

7. Encrypted Home Directories
2004/11/22 - 2004/11/23 (8 posts) Subject: "Interested in encrypted (home) directories?"
People: Martin Pitt, Michael Banck, Moritz Muehlenhoff, Tollef Fog Heen

Rounding out a marathon week of posting to the list, Martin Pitt also raised the issue of encrypted home directories and whether this was something people wanted. He sent a message saying:

Today I installed and played around with encfs. It is a nice application of FUSE (Filesystem in Userspace) that provides transparent per-directory file encryption, which is a major part in providing offline data protection especially for laptops.

encfs is much nicer than using cryptoloop since it does not require allocating space for partitions, but directly works with the underlying file system. It is reasonably small, does not need any kernel patch or support apart from FUSE itself, works reasonably fast, is easy to install and provides a good cryptographic offline file system protection.

However, to make it really useful for Ubuntu, there is still some work to do:

  • A newer FUSE version should be packaged; preferably the Ubuntu standard kernel should support FUSE right out of the box. It is a general virtual file system layer and has many applications other than encrypted directories.
  • EncFs itself (and a depended-on library, librlog) must be packaged. Should be very easy, everything is autofoo'ed.
  • There should be a nice integration to support encrypted home directories; this requires an easy user interface for switching to an encrypted home directory and transparently mount it when logging in (using a tweaked libpam-mount or sth. similar).

I think supporting encrypted directories (even complete home directories) out of the box would be a cool feature. This might not be something supportable for Hoary, because I have to extensively develop and test this. However, this should not stop us from developing it now, providing it in Hoary's universe and start to support it later.

If there is a general interest in supporting this, I would like to work on this if my other Ubuntu projects leave some time for it.

Michael Banck replied saying, "Wasn't there a policy of only including patches which are at least submitted upstream? Does anybody know what the Linux people think about FUSE? Has it entered one of the big branches or will it ever?" Moritz Muehlenhoff replied saying, "The author is currently attempting to merge it upstream. Linus has requested some cleanups, which seem to get taken care of."

Elsewhere in the thread, encrypted partitions were suggested. Martin Pitt replied to this saying, "The fact that I do not like about encrypting whole partitions (dm-crypt, cryptoloop, whatever) is that you either need to ask for the encryption password at boot time (when mounting the encrypted partition) or provide every user with his own encrypted partition (encrypted with his login password, using libpam-mount). The latter option would mean to preallocate space and partitions for every user. The per-directory based approaches (with LUFS and FUSE) are a bit more flexible in this regard. Is there any way to make device-based encryption similarly easy to handle?"

Tollef Fog Heen suggested that, "You could have a "master password" which is the one used to encrypt the device and then you have a number of different "slots" where the master password is encrypted using a user password. As long as the number of users is less than the number of slots, you should be fine and libpam-mount ought to work. This is basically the approach I was taking in magicmount, but I haven't had the time to actually code on that lately."
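The slot scheme Tollef describes can be sketched as follows. This is an added example, not code from magicmount or from the thread: the names `SlotTable`, `derive` and `ITERATIONS` are hypothetical, and the master key is masked with a PBKDF2-derived stream as a standard-library stand-in for a real key-wrap cipher.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor; demo value, tune for real hardware
KEY_LEN = 32          # bytes in the device master key


def derive(password: str, salt: bytes) -> bytes:
    """64 bytes from the user password: 32 to mask the master key, 32 to key the check tag."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 2 * KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SlotTable:
    """Fixed number of slots, each holding the same master key wrapped under one password."""

    def __init__(self, n_slots: int = 8):
        self.slots = [None] * n_slots

    def add(self, master_key: bytes, password: str) -> int:
        if len(master_key) != KEY_LEN:
            raise ValueError("master key must be %d bytes" % KEY_LEN)
        if None not in self.slots:
            raise RuntimeError("no free slot: more users than slots")
        index = self.slots.index(None)
        salt = os.urandom(16)  # fresh salt per slot, so each mask is used once
        stream = derive(password, salt)
        wrapped = xor(master_key, stream[:KEY_LEN])
        tag = hmac.new(stream[KEY_LEN:], wrapped, hashlib.sha256).digest()
        self.slots[index] = (salt, wrapped, tag)
        return index

    def unlock(self, password: str):
        """Return the master key if the password opens any slot, else None."""
        for slot in self.slots:
            if slot is None:
                continue
            salt, wrapped, tag = slot
            stream = derive(password, salt)
            expect = hmac.new(stream[KEY_LEN:], wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expect):
                return xor(wrapped, stream[:KEY_LEN])
        return None

    def revoke(self, index: int) -> None:
        """Drop one user's slot without re-encrypting the device."""
        self.slots[index] = None


if __name__ == "__main__":
    master = os.urandom(KEY_LEN)  # constructed device key
    table = SlotTable(n_slots=2)
    alice = table.add(master, "alice login password")
    table.add(master, "bob login password")
    print(table.unlock("alice login password") == master)
    table.revoke(alice)
    print(table.unlock("alice login password"))
```

Clearing a slot only stops future unlocks with that password; a user who has already recovered the master key still knows it, so full revocation means generating a new master key and re-encrypting.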

 

8. Apt Authentication
2004/11/25 (1 post) Subject: "apt authentication"
People: Michael Vogt

Michael Vogt announced some ideas he'd be considering in terms of APT authentication on the development list:

I would like to raise some questions regarding the support for gpg signed repositories. The apt-secure patch that supports them was merged into the apt--authentication arch branch and the patch is used in debian/experimental for some time now. From a pure technical point of view it should be ready.

The outstanding issue is the key-management. Matt raised the following questions:

  1. How will keys be provided in a fresh install?
  2. How will keys be authenticated?
  3. How will new and updated keys be distributed to existing installations?
  4. How will keys revocations be processed?

The current version will ship with a gpg-keyring in the tarball that contains the debian archive signing key. If no keyring is present it will install the key in /etc/apt/trusted.gpg. If that file is present it will do nothing.

It will not depend on gpg but only suggest it. This is because it is fully functional without gpg.

As an example I looked at how Conectiva solves the problems 1-4. They use a forked version of apt-secure for some time now and they handle the key distribution issue a bit different. They do not ship with a keyring. They only have it on the install cd. Their archive key is signed by a number of Conectiva developers. I have not found out how they handle revocation or new keys. Apparently Conectiva Linux 10 uses a key created in 2000.

URPMI seems to solve the problem by having a pubkey file in the repository. It's then just downloaded and used. This (and any form of automatic key-updates) looks very dangerous as an attacker that e.g. captured a mirror may just sneak in a new pubkey file and sign his rogue packages with that.

Toward the end of the week in a separate thread, Michael Vogt sent another message saying:

I put i386 packages of apt with the authentication code enabled at people.ubuntulinux.org. Testing is very welcome, please add the following line to your /etc/apt/sources.list:

deb http://people.ubuntulinux.org/~mvo/apt-authentication/ ./

The package includes the ubuntu archive default signing key. There is also the "apt-key" tool included to add more keys. Most tools that depend on apt are rebuilt against this version as well (aptitude, synaptic, python-apt, gnome-apt, libapt-pkg-perl). If you miss a package, please mail me, I will add it to this archive.
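The key-distribution concern in the first message above (a pubkey file served from the repository itself versus a keyring installed locally, such as /etc/apt/trusted.gpg) can be modelled in a few lines. This is an added example, not apt or URPMI code: it uses Lamport one-time signatures built on SHA-256 as a standard-library stand-in for GPG, and all function names and the package index contents are constructed for illustration.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures: a stdlib-only stand-in for the archive's GPG key.
# Each key pair may sign exactly one message.
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = b"".join(H(zero) + H(one) for zero, one in priv)
    return priv, pub


def digest_bits(message: bytes):
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, message: bytes) -> bytes:
    return b"".join(priv[i][bit] for i, bit in enumerate(digest_bits(message)))


def verify(pub: bytes, message: bytes, sig: bytes) -> bool:
    if len(pub) != 256 * 64 or len(sig) != 256 * 32:
        return False
    for i, bit in enumerate(digest_bits(message)):
        start = 64 * i + 32 * bit
        if H(sig[32 * i:32 * i + 32]) != pub[start:start + 32]:
            return False
    return True


def publish(priv, pub, index: bytes) -> dict:
    """What a mirror serves: package index, detached signature, and a pubkey file."""
    return {"index": index, "sig": sign(priv, index), "pubkey": pub}


def client_repo_key(repo: dict) -> bool:
    """Policy described for URPMI: download the pubkey from the repository and use it."""
    return verify(repo["pubkey"], repo["index"], repo["sig"])


def client_local_keyring(repo: dict, keyring: list) -> bool:
    """Policy of a local trusted keyring: the served pubkey file is never consulted."""
    return any(verify(key, repo["index"], repo["sig"]) for key in keyring)


def run_scenarios() -> dict:
    archive_priv, archive_pub = keygen()
    keyring = [archive_pub]  # installed with the system, out of band from the mirror
    honest = publish(archive_priv, archive_pub, b"Package: hello\nSHA256: aa11\n")  # constructed

    # Mirror alters the index but cannot re-sign with the archive key.
    tampered = dict(honest, index=b"Package: hello\nSHA256: ee99\n")

    # Mirror replaces the pubkey file and signs its own index with the matching key.
    rogue_priv, rogue_pub = keygen()
    swapped = publish(rogue_priv, rogue_pub, b"Package: hello\nSHA256: ee99\n")

    results = {}
    for name, repo in (("honest", honest), ("tampered", tampered), ("swapped", swapped)):
        results[name] = (client_repo_key(repo), client_local_keyring(repo, keyring))
    return results


if __name__ == "__main__":
    for name, (repo_key_ok, keyring_ok) in run_scenarios().items():
        print(f"{name:9} repo-served key: {repo_key_ok!s:5}  local keyring: {keyring_ok}")
```

Both policies catch an index altered without re-signing; only the local keyring catches the swapped key, which is why questions 1 to 4 about how keys reach and leave that keyring decide the strength of the whole scheme.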

 

9. Concerns With Sudo
2004/11/25 - 2004/11/27 (21 posts) Subject: "sudo security concerns ?"
People: Karl Hegbloom, Paul Sladen, Matt Zimmerman, Scott James Remnant

Karl Hegbloom posted a series of concerns he'd had with sudo onto the devel list. Similar concerns have been voiced several times in the past so I thought that summarizing the discussion and the results here would be worthwhile. Karl set up the conversation saying:

I'm concerned about the security of having 'sudo' available so easily. When I run a sudo command, it asks for my password. That's fine, but the second time I run it, it does NOT ask for it. Once you authenticate, it remembers that and you stay authenticated for a period of time.

I think that opens up a security hole that could be exploited by 'virus' or 'trojan horse' writers. When Ubuntu becomes very popular, it will attract virus writers just as Windows has. If anything has easy access to 'root', it can do pretty much anything it wants to.

Can sudo be configured, by default, to require a password EVERY time you run a sudo command?

Paul Sladen explained that you could set the timeout to zero but, "people get annoyed at having to enter their password every time; so they fire up a root/su window and leave it there."

Matt Zimmerman replied saying, "This was discussed months ago; the reality is that this doesn't open any holes which don't already exist due to the inherent design of programs like su and sudo. Anyone who has control over a uid with access to su or sudo has control of root as well.." Scott James Remnant replied saying, "If you run a root shell inside a terminal running as your own UID then if your account is compromised they can inject key-strokes into it and do things as root."

The short version is that while there are real weaknesses to this strategy, most of them exist (or are worse) with alternatives to sudo or with any system that asks you to type in your password repeatedly.

 

10. Archive Layout
2004/11/26 (2 posts) Subject: "cdimage.ubuntu.com is confusing"
People: Jeff Waugh, Colin Watson

Jeff Waugh sent a message to the devel list saying:

I'm noticing a lot of people being confused by cdimage.ubuntu.com. We have a releases directory, which includes "hoary" and "5.04", so people looking for the latest release, or who have heard about this brand new hoary thing tend to download it. http://cdimage.ubuntu.com/releases/

Perhaps we could remove these from releases/ and have a development/ dir at the top level, rather like the current sounder-test/? So perhaps it could look like this:

code/
releases/
  4.10/
  warty -> 4.10/
development/
  sounder/
    daily/
       20041125/
       current/
    1/
    2/
    3/
  array/
    daily/
    1/
    2/
    3/

Or something like that. Also, that means if someone's just mirroring the releases/ dir, they don't get lumped with the testing releases.

Colin Watson replied saying, "To some extent this is why we created http://releases.ubuntu.com/; especially your point about people just mirroring the releases." In terms of the rearrangement, he said: "I wouldn't mind doing that, although it kind of screws with already-published links. I suppose we could fix that up with .htaccess."

 

11. Ubuntu Security Notifications
2004/11/23 - 2004/11/25 (2 posts) Subject: "[USN-31-1] cyrus21-imapd vulnerabilities"

Martin Pitt posted another week's worth of Ubuntu Security Notifications to the list, notifying folks of another rash of bugs and pointing to their fixes. These included the following:

cyrus21-imapd vulnerabilities

Ubuntu Security Notice USN-31-1 (CAN-2004-1012, CAN-2004-1013)

Affected Release: Ubuntu 4.10 (Warty Warthog)

Affected Packages are: cyrus21-imapd

Fix: The problem can be corrected by upgrading the affected package to version 2.1.16-6ubuntu0.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

More Information: http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000033.html

mysql-dfsg vulnerabilities

Ubuntu Security Notice USN-32-1 (CAN-2004-0836, CAN-2004-0837, CAN-2004-0956, CAN-2004-0957)

Affected Release: Ubuntu 4.10 (Warty Warthog)

Affected Packages are: mysql-server

Fix: The problem can be corrected by upgrading the affected package to version 4.0.20-2ubuntu1.1. In general, a standard system upgrade is sufficient to effect the necessary changes.

More Information: http://lists.ubuntu.com/archives/ubuntu-security-announce/2004-November/000034.html

 

 

 

 

 

 

We Hope You Enjoy Ubuntu Traffic
 

Ubuntu Traffic is created and produced by Canonical Ltd. All pages are copyright Canonical.