Sunday, December 13, 2009

» rtorrent with magnet support

I added unofficial (non upstream) patches to the rtorrent builds we have in the Packman repository to support magnet URIs as well as colored output.

Labels: , ,

Friday, December 11, 2009

» Packman: deleting 10.3 packages

openSUSE 10.3 has been EOL (end of life) since end of october, and we (Packman) are still hosting our packages for 10.3, even though we don't maintain them any more.

Hence we will remove them from our primary server and our mirrors, but will give you some time to make a copy if you need those packages for whatever reason (it is strongly discouraged to keep using an end of life distribution though, you have been warned).

In order to do a backup, I would recommend using rsync, as follows:
mkdir -p ~/packman/10.3
rsync -aP rsync://ftp.skynet.be/packman/suse/10.3/ \
~/packman/10.3/
We will delete the 10.3 packages end of this year, hence make sure that you make a backup until December 31st if you need it.

And if you wonder why we simply don't keep that old cruft around, well, it's using 36 GB of disk space, on our primary server and on each of our mirrors, respectively.

Labels: ,

Tuesday, December 08, 2009

» FOSDEM 2010 artwork



Just finished uploading the promo artwork for FOSDEM 2010. If you appreciate the event, please consider using a banner or web badge on your site to promote it.

On a side note, animation truly sucks. Flash simply isn't an option, and we're left with
  • GIF: awful quality, limited to 8bit, color bleeding, forget it,
  • MNG: purposeful standard but has been dropped from most browsers,
  • APNG: hardly a standard, only supported on Firefox and Opera, but works for those, and falls back nicely elsewhere

Hence I decided to go with APNG. But maybe the animation is a bad idea in the first place. Well, there are static banners to choose from as well ;)

Labels:

Monday, November 23, 2009

» Packman repository for KDE3 on openSUSE 11.2

openSUSE 11.2 doesn't ship KDE3 anymore, because it is barely maintained upstream. But you may still install and use KDE3 as your desktop environment as the packages are available in the openSUSE Build Service.

Which is why we decided to set up an additional repository that contains the Packman packages that require KDE3. If you want e.g. kde3-amarok, add the following repository: http://ftp.skynet.be/pub/packman/suse/kde3/11.2/packman-kde3.repo

Labels: , , ,

Friday, November 20, 2009

» osc and self-signed certificates the secure way

Obviously, a much more secure option to use the osc Build Service command-line client with your own server instances that have a self-signed certificate is to actually add that server certificate to the list of blessed ones.

To do so, do as follows, all of that as root in a shell:
umask 0033
cd /etc/ssl/certs
echo | openssl s_client -showcerts \
-connect YOUR.SERVER:SSL_PORT \
2>&1 |sed -n '/^-----BEGIN/,/^-----END/p' \
> SOME_FILENAME.pem
c_rehash .

Once you've done the above, osc will no longer complain about an invalid (server) peer certificate, as the certificate of your Build Service instance server is now accepted as a valid one.

Note that in order to be really secure, you need to ask an administrator of the server what the fingerprint (also called a hash) of the server certificate actually is, in order to compare and make sure you're not blessing an already compromised server or are already subject to a man-in-the-middle attack.

To do so, an user who has root access to the server should run the following command, obviously as root, and then give you the output of that command, ideally through a secure communication channel, or through several channels (e.g. SMS mobile text message and/or a signed email and/or IRC from a registered nickname):
cat /etc/ssl/private/lighttpd.pem\
| sed -n '/^-----BEGIN CERT/,/^-----END CERT/p'\
| sha1sum | cut -f1 -d" "

You can then run the following command and compare the output with what that trusted user has given you:
fp=$(sha1sum /etc/ssl/certs/SOME_FILENAME.pem\
| cut -f1 -d" ")
server="...paste what the trusted user has given you here..."
test "$fp" = "$server" && echo OK || echo COMPROMISED

If you have already patched your osc client as I described in my previous post, you can undo that patch with the following code (again, as root in a shell):
umask 0077
cd $(dirname $(rpm -ql osc|grep /conf.py\$))
mv conf.py.orig conf.py
chmod 0644 conf.py

Labels: , ,

» Patch for osc and self-signed certificates

If you are using your own Build Service instance as we do at Packman and if you are using a self-signed certificates for HTTPS, then this patch might come handy for you as well.

Note that it disables the peer certificate validation in osc, so don't use that with Build Service instances you down trust, and only if you are willing to take the risk of not detecting man-in-the-middle attacks.

In order to apply the patch, simply copy and paste the following block of shell code in a terminal where you are running as root:
cd $(dirname $(rpm -ql osc|grep /conf.py\$))
umask 0077
curl -s -o /tmp/o.patch \
http://linux01.gwdg.de/~pbleser/files/osc/\
osc-disable-peer-cert-check.diff
test $(sha1sum /tmp/o.patch | cut -f1 -d" ") = \
9812ef2a18c02799b9e33d1402509c3217c39194 \
&& patch -p1 -b -z.orig -i /tmp/o.patch


UPDATE: note that in my following blog-post I describe a secure option.

Labels: , ,

Wednesday, November 18, 2009

» webpin .= "11.2";

Just committed the webpin CLI client version 1.2.1, which only contains a single modification: it now also supports searching the Software Portal index for openSUSE 11.2.

Labels: ,

Saturday, October 31, 2009

» Packman: transition to 11.2

As you might have noticed already, we've been building our packages for openSUSE Factory for a couple of weeks now.

openSUSE 11.2 is almost there now, and we are currently re-building everything for 11.2 (against the openSUSE:11.2:Updates project on build.opensuse.org). Previously, our Packman repository for openSUSE 11.2 was merely a symbolic link to our factory repository, but two days ago I removed that symbolic link and, as mentioned above, in the process of building a proper repository there.

In the mean time, if you're on a Release Candidate of openSUSE 11.2, please use our factory repository for a couple more days, until we managed to at least build an essential set of core packages for 11.2.

Labels: ,

Tuesday, October 27, 2009

» Vote against big brother

If you're a Belgian citizen, sign the petition against forcing ISPs to store Internet connectivity information for 6-12 months.

» FOSDEM 2010 Distribution Miniconf

So there we are, the cat is out of the bag ;): for the upcoming FOSDEM 2010, we will organize a shared, common, mixed mini-conference-in-the-conference with distribution projects.

For further details, read here.

I already poked openSUSE, Fedora, CentOS, Exherbo, Debian, Ubuntu (*), Mandriva and ArchLinux (*) ... but if you read this and you're involved into another distribution project, please do join the party. The more, the merrier :)

(*) no reply yet

Labels:

Sunday, October 25, 2009

» Send mail to openSUSE Build Service project maintainers

Just wrote a little script that parses the output of osc meta prj or osc meta pkg, grabs the list of users in there and pokes the openSUSE Build Service API again to retrieve their email address.

All that is then used to call Thunderbird in compose mode with the appropriate list of email addresses (and real names, when available).

It also uses a cache file to speed things up.

Examples:
osc meta prj security | omail
osc meta pkg security keychain | omail

You can download that (Perl) script from here. Simply copy it to ~/bin or /usr/local/bin and do a chmod 755 on it.

Of course, you might as well add support for your favourite MUA (email client), which should be fairly trivial, given that the script already does the dirty work ;-)

An alternative would be to re-author that script as an osc plugin.

Labels: ,

Wednesday, October 21, 2009

» Packman upgrading to SVN OBS

Don't panic if you notice insane amounts of updates to packages in the Packman repository for openSUSE.

We are currently switching from OBS (openSUSE Build Service) version 1.6.0 to the latest SVN trunk HEAD, which requires some experimentation and also caused a complete rebuild (for unknown reasons).

Labels: ,

Saturday, October 17, 2009

» Packman: deleting 10.2 packages

We are going to delete the packages for openSUSE 10.2 from the Packman repository very soon because our builds for Factory are starting to kill off the disk space on some of our mirrors.

If you still want them, you must pull a local copy ASAP, e.g.:
rsync -avP rsync://ftp.skynet.be/packman/suse/10.2/ \
/some/directory/for/the/mirror/10.2/
Note that the 10.2 packages currently sum up to around 25 GB.

Labels: ,

» Updated openSUSE countdown image

Our infamous Jakub "jimmac" Steiner designed new openSUSE countdown artwork that is more in line with the look and feel of the upcoming openSUSE 11.2 distribution.

He also proposed using SVG templates and rsvg in order to render the various localized images, rather than the Python PIL script with crappy math I wrote a while ago, including the many ugly hacks to compute the coordinates text coordinates, font size adjustments, etc...

It is indeed much more comfortable and flexible now, simply by using Inkscape to design the templates (one for each image size, because it uses a raster background rather than a vectorized SVG), containing placeholders.
A plain Python script contains all the localization logic and replaces those placeholders with the appropriate content for each language, and then feeds that into rsvg-convert to render PNG files.

If you're interested by the nitty gritty of that script, it is available at forgesvn1.novell.com.

For details on how to include that openSUSE countdown image on your site, blog, ..., please consult the corresponding page on the openSUSE wiki.

Labels:

Thursday, October 08, 2009

» No internets

Just a quick post to say I'm not dead. But my Internet uplink is. Well... seems like my ISP (Belgacom/Skynet) is having a major, global tits up, and I have no idea when they'll manage to fix it.

It's already been 2 days without Internet at home. Feels like holidays :D

Friday, September 25, 2009

» Packman for Factory

It has often been requested in the past, and we're finally building Packman packages for openSUSE Factory (the openSUSE development tree).

As Factory is in almost permanent flux, we are building against openSUSE Factory snapshots instead.

We don't build everything against factory either, as we only have limited build power, but essential applications such as MPlayer are there :)
zypper ar -r \
ftp://packman.links2linux.org/pub/packman/suse/factory/Packman.repo

Note that the repository currently is not signed.

Labels: ,

Sunday, September 13, 2009

» openSUSE 11.2 countdown



Just updated our countdown server to 11.2

Labels:

Thursday, September 10, 2009

» Scripts for OBS monitoring

(yes, I'm back from holidays)

Marcus "}-Tux-{" Hüwe and I have been busy the last weeks to set up an openSUSE Build Service instance for Packman. While doing so, I wrote a few little scripts to monitor what is going on as far as building, the scheduler queue and such are concerned.

The most interesting ones are obs-building, that displays what is currently being built on all workers:
obs-building sample

as well as obs-queue, that displays what is currently being scheduled for build:
obs-queue sample

and finally obs-top, a simple hack that uses watch to display combined output from top, obs-building and obs-queue:
obs-top sample

Labels: ,

Friday, August 14, 2009

» Holidays

I'm away from any sort of keyboard from now until the 28th.

Saturday, July 25, 2009

» Packman: gamin: fix ABI compatibility with fam

There seems to be a very annoying ABI incompatibility between gamin and fam, which are packages that both implement the same API (gamin uses inotify and has per-user daemons, while fam has better NFS support).

That incompatibility is in the externalized FamErrlist char* array, where fam exports an useless char*[1] and gamin has more than one array element in it, as well as having typed as const char*[].

While the latter isn't causing any problems, the former does, which manifests itself through the following warning message at runtime:
Symbol `FamErrlist' has different size in shared object, consider re-linking

Apparently, it's not just a warning, but it also causes failures and crashes.

In the Packman repository, we ship the gamin package, while the openSUSE distribution only includes (and prefers) fam, precisely because of its better NFS support. All openSUSE packages and all packages that are built in the openSUSE Build Service are compiled and linked against fam. But if you have the Packman repository in your preferred package manager (e.g. zypper, smart or yum), you might end up with installing gamin and removing fam (because the gamin package in the Packman repository obsoletes and provides fam).

I have just committed a patch against the Packman gamin packages that changes the size of that FamErrlist array to have the same size as in fam, which effectively solves the warning messages, and should also fix the crashes.

The fix is included in gamin-0.1.10-0.pm.3 and above.

As an alternative, if you can't or don't want to upgrade the gamin package, do as follows to remove gamin and re-install fam instead:
rpm -e --nodeps gamin
rpm -q gamin-devel && rpm -e --nodeps gamin-devel
zypper install fam
zypper addlock gamin
zypper addlock gamin-devel
Note that all of those commands must be executed as root, and the last two commands prevent from ever installing the packages gamin and gamin-devel again (at least with zypper).

UPDATE: removed the Obsoletes:fam directive in gamin-0.1.10-0.pm.4

Labels: ,