teh bigbro blog(tm)
Bigbro's foray into the scary world of blogging

Thu, 05 Aug 2010

Adding the CACert root certificate to Google Chrome on Ubuntu

Google Chrome is Google's browser and provides a refreshingly fast interface to (in particular) JavaScript-heavy websites. It's also a pretty good general browser, but like many others it presents dire warnings of doom if you attempt to view an https-secured website which doesn't have a recognised certificate. (Or more correctly, doesn't have a certificate signed by an authority recognised by Google.)
Most other browsers provide a method of installing root certificates, but Google decided to use an already established certificate management system external to the browser, the NSS Security Toolkit. So if you want to view websites secured by free CACert SSL certificates, or need to browse to sites secured by self-signed SSL certs (like the https management interface for my Linksys WRT54g wireless router running Tomato firmware, for example), then you'll want to add some certificates to your NSS database. Fortunately, it's pretty simple to do...
First, let's install the CACert root certificate. Installing this means that Google Chrome will trust the identity of sites using CACert-issued certificates. This is a good thing and saves clicking the "Proceed anyway" button every time.

  1. First, grab the root cert file from the CACert Root Cert page. You should verify that the file is correct and has not been tampered with; md5sums and SHA1 hashes are included, along with the fingerprint signed by the CACert GPG key. I'll leave it as an exercise for the reader as to how authenticity should be verified, but for the moment let's assume we have a good, trusted copy of the CACert Root Certificate (PEM format) saved as root.crt in your home directory.
  2. If you've not already, you should install the NSS tool set - a simple sudo aptitude install libnss3-tools should work nicely. You will be asked for your login password to ensure you have permissions to install software.
  3. Install the CACert root certificate by running certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "CACert Root Certificate" -i root.crt
  4. There is no step 4... you can now go to CACert secured web pages and Chrome will correctly verify that the SSL site cert has been signed by the CACert root certificate.

The second case typically occurs where a device generates a self-signed certificate, so there is no CA (Certificate Authority) to be installed in the browser. Instead, we can install the self-signed cert itself, indicating that we know and trust it - and most importantly getting rid of the extra click and big red warning page of doom every time we try to access the web interface of our home router ;-)
  1. If you've not done so above, you'll need to install the NSS tools, using sudo aptitude install libnss3-tools or similar.
  2. Next you'll need to get a copy of the certificate. Particularly with embedded devices, the easiest way to do this is by pulling the certificate directly from the device by pretending you're a web client. Thanks to tgulacsi78 who suggested echo QUIT | openssl s_client -connect hostname:443 | sed -ne '/BEGIN CERT/,/END CERT/p' - replacing hostname with the name of the host. In my case, I might use echo QUIT | openssl s_client -connect eeyore.han.signal2noise.ie:443 | sed -ne '/BEGIN CERT/,/END CERT/p' to get the cert from eeyore, my wireless router.
  3. Copy and paste the lines from '-----BEGIN CERTIFICATE-----' to '-----END CERTIFICATE-----' (inclusive) into a file and save it as (say) router.crt
  4. Now we import the cert in exactly the same way as previously, using a command line something like certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "My router web admin certificate" -i router.crt
  5. Note that we have to use the C flag (i.e. mark it as a CA / Certificate Authority) due to a bug in NSS. Note also that you should replace the description after -n with something that means something to you, and the argument after the -i should be the file name and path to the file we created in step 3.
  6. Test that everything has worked by using Chrome to access the site secured by the self-signed certificate again and notice that this time no warnings are given.

You can list the installed extra certificates by running certutil -d sql:$HOME/.pki/nssdb -L
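As an added example (not code from the original post), here is a small POSIX shell script that automates steps 2 to 4 of the self-signed case: it captures the PEM block with the same sed expression, compares the certificate's SHA-256 fingerprint against a value you obtained out-of-band (for instance from the device's own admin page), and only runs the certutil import on a match. The host name, nickname and expected fingerprint are placeholders; openssl and certutil (libnss3-tools) are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: fetch a device's self-signed
# certificate, verify its fingerprint, and import it into Chrome's NSS database.
# Assumes openssl and certutil (from libnss3-tools) are installed.

NSSDB="sql:$HOME/.pki/nssdb"   # Chrome's per-user NSS database, as in the post

# Keep only the PEM block from 'openssl s_client' output (the post's sed line).
extract_cert() {
    sed -ne '/BEGIN CERT/,/END CERT/p'
}

# Fetch the certificate presented on host:port into the file named by $3.
# Returns non-zero if nothing was captured (host down, wrong port, no TLS).
fetch_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | extract_cert > "$out"
    [ -s "$out" ]
}

# Normalise a fingerprint (openssl's "SHA256 Fingerprint=AB:CD:..." line or a
# hand-typed value, with or without colons, any case) to plain lower-case hex.
normalise_fp() {
    printf '%s' "$1" | sed -e 's/://g' -e 's/^.*=//' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of a PEM certificate file, in the same normalised form.
cert_fingerprint() {
    normalise_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Import with the "C,," trust flags the post uses for the NSS quirk.
import_cert() {
    certutil -d "$NSSDB" -A -t "C,," -n "$1" -i "$2"
}

# Fetch, compare against the expected fingerprint, and import only on a match.
trust_device_cert() {
    host="$1"; expected="$2"; nick="$3"
    tmp=$(mktemp) || return 1
    if fetch_cert "$host" 443 "$tmp" &&
       [ "$(cert_fingerprint "$tmp")" = "$(normalise_fp "$expected")" ]; then
        import_cert "$nick" "$tmp"; rc=$?
    else
        echo "refusing to import certificate for $host: fetch failed or fingerprint mismatch" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample of s_client output (not a real certificate) so the
# extraction step can be checked offline.
SAMPLE_SCLIENT='CONNECTED(00000003)
depth=0 CN = router.example
---
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate
-----END CERTIFICATE-----
---
DONE'

# Returns 0 when extract_cert keeps exactly the three PEM lines of the sample.
selfcheck_extract() {
    [ "$(printf '%s\n' "$SAMPLE_SCLIENT" | extract_cert | wc -l | tr -d ' ')" = "3" ]
}

# Usage (replace the placeholders):
# trust_device_cert router.example 'AA:BB:...:FF' "My router web admin certificate"
```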
Many thanks to the writers of the Google Chrome Certificate Management page and those who helpfully commented on it providing more information.


posted at: 22:42 | path: /technical | permanent link to this entry

Mon, 28 Jun 2010

BIND 9 DNS on Ubuntu with AppArmor

Like many people I run Ubuntu on a number of servers, with DNS being just one of the services provided. BIND 9 has worked extremely well to date, though I recently came across a conflict between AppArmor (note American spelling) and BIND which resulted in slave domains not being replicated correctly. This happened on my systems some time on or after 2009-07-29 (and I'm only getting around to writing up the blog post now... I know...). If you see lines similar to the following in the output of dmesg, or in your system log, you may have the same problem:
audit(1234567890.462:15891): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/zones/slave/tmp-bkTe208LbH" pid=123 profile="/usr/sbin/named" namespace="default"
audit(1234567890.460:15892): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/zones/slave/tmp-3VUN2uHFUI" pid=123 profile="/usr/sbin/named" namespace="default"

To explain briefly what this means: AppArmor is an extra layer of security which effectively makes sure that system programs are allowed only limited access to the system, even though they may run as root. This helps significantly in the case of a root escalation vulnerability being discovered, since if AppArmor is correctly configured your system is somewhat compartmentalised so damage should be limited. Without this, a root privilege escalation in a daemon would allow full read and write access to the entire system, with predictably bad results. Permissions for various daemons under AppArmor are configurable in files under /etc/apparmor/ and /etc/apparmor.d/ (on an Ubuntu system at least.)

Under Ubuntu it appears that AppArmor is misconfigured for BIND 9, specifically with regard to the default setting that slave zones - where your DNS server is acting as a secondary DNS server for some domain(s) - are stored under /etc/bind/zones/slave/. From the log lines above it's clear that AppArmor is disallowing writes to this location for BIND, with the result that secondary / slave zones can never be updated. This is a bad thing.

Fortunately, there is an easy solution. Either update your BIND config to write slave zone files somewhere else, or update AppArmor to allow BIND to write to the slave zones directory. I chose the latter, accomplished by adding the following line to /etc/apparmor.d/usr.sbin.named:
/etc/bind/zones/slave/** rw,

This allows BIND to read and write to the slave directory, enabling it to create the files it needs to store updated zones arriving via AXFR transfers from master DNS servers. Reload the profile so the change takes effect (for example sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named), then test by running rndc reload and watching the syslog and the file timestamps in the slave directory. You should also no longer see log entries with the denied_mask="w::" key-value pair as above.
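As an added example (not from the original post), the following POSIX shell functions turn AppArmor denial lines like the two above into a per-directory summary and a candidate profile rule, so you can see which rule a profile is missing before you edit it. The sample lines are constructed: the post's two write denials plus a made-up read denial on /var/lib/bind/foo, so both the rw and the read-only case are exercised.

```shell
#!/bin/sh
# Added example, not from the original post: summarise AppArmor denials from
# dmesg/syslog and suggest the profile rule that would allow them.

# Constructed sample: the post's two write denials plus a made-up read denial
# (the /var/lib/bind/foo line) so both rule modes are exercised.
SAMPLE_AUDIT='audit(1234567890.462:15891): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/zones/slave/tmp-bkTe208LbH" pid=123 profile="/usr/sbin/named" namespace="default"
audit(1234567890.460:15892): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/zones/slave/tmp-3VUN2uHFUI" pid=123 profile="/usr/sbin/named" namespace="default"
audit(1234567891.001:15893): type=1503 operation="open" requested_mask="r::" denied_mask="r::" name="/var/lib/bind/foo" pid=123 profile="/usr/sbin/named" namespace="default"'

# Read audit lines on stdin; print "profile operation denied_mask path" per denial.
apparmor_denials() {
    grep 'denied_mask=' |
    sed -n 's/.*operation="\([^"]*\)".*denied_mask="\([^"]*\)".*name="\([^"]*\)".*profile="\([^"]*\)".*/\4 \1 \2 \3/p'
}

# Group by profile, operation, mask and *directory* (the random tmp-XXXX names
# collapse into one entry), most frequent first: "count profile op mask dir/".
denial_summary() {
    apparmor_denials |
    awk '{ d = $4; sub("/[^/]*$", "/", d); key = $1 " " $2 " " $3 " " d; c[key]++ }
         END { for (k in c) print c[k], k }' |
    sort -rn
}

# One candidate profile line per summary entry: rw when a write was denied,
# r otherwise. Review each one before adding it to the profile under
# /etc/apparmor.d/; a rule should be no wider than the daemon actually needs.
suggest_rules() {
    denial_summary |
    awk '{ mode = ($4 ~ /w/) ? "rw" : "r"; printf "%s: %s** %s,\n", $2, $5, mode }'
}

# Returns the first (most frequent) suggestion for the constructed sample.
sample_top_rule() {
    printf '%s\n' "$SAMPLE_AUDIT" | suggest_rules | head -n 1
}

# Live use: dmesg | suggest_rules      (or: suggest_rules < /var/log/syslog)
```

For the sample, sample_top_rule prints the same rule the post adds to the named profile, prefixed with the profile name.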

Thanks to alphageek for the first clue as to what was going on and hopefully this blog entry will provide a more secure fix for the problem.

posted at: 13:31 | path: /technical | permanent link to this entry

Sun, 02 May 2010

Ubuntu 9.10 and suspending on a Dell D430

Since moving to Ubuntu 9.04 and 9.10 I've had repeated problems with my Dell D430 being able to suspend. One of the things that Apple got right with their laptops was that when you close the lid, the computer goes to sleep and it wakes up again ready for use upon opening the lid again. I used to enjoy similar functionality on my Dell D430 until moving to the more recent versions of Ubuntu - which is a real pity. I always hate to see regression instead of progression, particularly when it comes to open source.

I thought the issues were resolved finally until a large update was issued which my laptop installed on 1st May 2010, and now I'm back to a laptop that I have to shut down to move about again - no suspend for me. This makes the laptop significantly less useful and is pushing me (and others) towards replacing portable hardware with Apple products, since they just work. I can't speak for the world in general, but I and the people I regularly deal with don't have time to deal with intermittently faulty systems and laptops that may or may not lock up when you shut the lid (losing any work that was not saved.)

I'll try and provide a better bug report to Ubuntu, but as a reminder to myself, the following update was what has killed suspend again. Also, if you're a Dell D430 owner running Ubuntu 9.10, DO NOT grab the latest updates!

I have installed 10.04 (Lucid) on a D420 but I can't say I've tested it properly yet. I'll get around to putting it on the D430 shortly - and hopefully will be posting a good news story about how suspend works again and proper regression testing has been instituted such that it doesn't get broken again.

Aptitude 0.4.11.11: log report
Sat, May  1 2010 12:35:10 +0100

IMPORTANT: this log only lists intended actions; actions which fail due to
dpkg problems may not be completed.

Will install 34 packages, and remove 0 packages.
172MB of disk space will be used
===============================================================================
[INSTALL, DEPENDENCIES] linux-headers-2.6.31-21
[INSTALL, DEPENDENCIES] linux-headers-2.6.31-21-generic
[INSTALL] linux-image-2.6.31-21-generic
[UPGRADE] aisleriot 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] compiz 1:0.8.4-0ubuntu2 -> 1:0.8.4-0ubuntu2.1
[UPGRADE] compiz-core 1:0.8.4-0ubuntu2 -> 1:0.8.4-0ubuntu2.1
[UPGRADE] compiz-gnome 1:0.8.4-0ubuntu2 -> 1:0.8.4-0ubuntu2.1
[UPGRADE] compiz-plugins 1:0.8.4-0ubuntu2 -> 1:0.8.4-0ubuntu2.1
[UPGRADE] compiz-wrapper 1:0.8.4-0ubuntu2 -> 1:0.8.4-0ubuntu2.1
[UPGRADE] glchess 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] glines 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnect 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnibbles 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnobots2 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnome-blackjack 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnome-games 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnome-games-common 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnome-mahjongg 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnome-sudoku 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnometris 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnomine 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnotravex 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gnotski 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] gtali 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] iagno 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] libdecoration0 1:0.8.4-0ubuntu2 -> 1:0.8.4-0ubuntu2.1
[UPGRADE] libpq5 8.4.3-0ubuntu9.10 -> 8.4.3-0ubuntu9.10.1
[UPGRADE] linux-generic 2.6.31.20.33 -> 2.6.31.21.34
[UPGRADE] linux-headers-generic 2.6.31.20.33 -> 2.6.31.21.34
[UPGRADE] linux-image-generic 2.6.31.20.33 -> 2.6.31.21.34
[UPGRADE] linux-libc-dev 2.6.31-20.58 -> 2.6.31-21.59
[UPGRADE] same-gnome 1:2.28.0-0ubuntu1 -> 1:2.28.0-0ubuntu3
[UPGRADE] tzdata 2010h-0ubuntu0.9.10 -> 2010i-0ubuntu0.9.10
[UPGRADE] tzdata-java 2010h-0ubuntu0.9.10 -> 2010i-0ubuntu0.9.10
===============================================================================

Log complete.


posted at: 14:19 | path: /technical | permanent link to this entry

Mon, 19 Apr 2010

Indexing in Thunderbird 3...

...is a pile of epic fail (on Linux at least.) I like the idea of full-text searching - but I also like my laptop to not have the CPU at melting temperature all the time and the fans running at full speed as thunderbird burns through CPU indexing what I can only assume are the same messages over and over and over again. I also like to start blog posts with a hearty generalisation, even if the behaviour is something relatively specific to my situation - it grabs the reader's attention and makes sure they read the remainder of the article ;-)

Normal behaviour, and better use of your CPU can be restored by disabling full text search / indexing. You can do this by setting the advanced configuration option mailnews.database.global.indexer.enabled to false, or as this has obviously become a big enough problem for enough people, the Edit | Preferences | General tab now has a checkbox marked Enable Global Search and Indexer. Unchecking this will also turn off this feature.

More usefully, some exceptionally bright spark has made a plugin called GlodaQuilla available. It's experimental but has not yet set fire to my laptop or caused my pets to explode - your experience may be different of course and any use of experimental plugins is completely at your own risk. I did the following and now have a full indexed search of the subset of my mail that interests me, along with a much more responsive machine (and some 500MB of disk space no longer used by the full-text index)

  1. Install GlodaQuilla in the usual fashion
  2. Restart Thunderbird
  3. Disable indexing completely (see above for how to do that)
  4. Quit Thunderbird and wait a few moments to make sure it's definitely no longer running
  5. Delete the old full-text database taking up space on your hard drive. It's a file called /home/$username/.thunderbird/random.default/global-messages-db.sqlite on my Ubuntu Linux machine. You'll need to find your own global-messages-db.sqlite yourself, but the path above should give you a clue as to where it is.
  6. Start Thunderbird and right click on a folder containing mail you do not want indexed. (e.g. my Archive/ folders contain old mail that I don't really need searched or indexed.) Uncheck 'Inherit' and you can now individually enable or disable indexing of the mail folder.
  7. Once you have set which folders you do and do not want indexed, remember to re-enable indexing and restart Thunderbird, just to be sure to be sure.
  8. Leave your computer for a period of time, if possible, as Thunderbird will need to rebuild indices for those mail folders you left with indexing enabled. This may take some time. Expect performance to be poor during this time. You can track activity by selecting Tools | Activity Manager from the menu.
  9. Enjoy a nice, fast, performant full text search of the mails you actually care about searching and indexing.


posted at: 17:15 | path: /technical | permanent link to this entry

Sat, 17 Apr 2010

eeePC SSD failure

I set up my eeePC 701 as a fileserver in the house over the Easter weekend. It runs Ubuntu and with a little configuration happily shared a few USB disks over the home network with SAMBA and NFS. Most importantly it ran pretty cool and didn't use a lot of power - important for something that was going to be left on all the time.

All worked well until the last couple of days when I noticed some pretty strange messages appearing in the logs. A reboot resulted in GRUB giving me the dreaded Error 17. Further investigation seems to indicate that the SSD has shed its mortal coil. Poo! Cue research to determine whether it's more cost and time efficient to get a replacement SSD or just buy a Mac Mini.

posted at: 22:33 | path: /technical | permanent link to this entry

Thu, 01 Apr 2010

High speed upload with USB 3G mobile broadband dongles

We at HEAnet labs have been testing 3G mobile broadband USB dongles for some time now, and the key weakness identified is the problem that data download is asymmetric. This means that while you can download content at high speed, uploading content is much much slower. This means that 3G dongles are unsuitable for things like uploading large photographs or video information to the interwebs. This severely restricts their usefulness - or at least, it used to.

While the technology of 3G and in particular the USB dongles means you are limited to an asymmetric connection, by changing the polarity of the USB power feed you can alternate between high speed upload and high speed download. This means making up a USB cable yourself, but as John Beale helpfully demonstrates, this is pretty easy. Just (carefully) swap the black and red wires.

This still leaves us with the problem that the connection is asymmetric, but that's easily solved by using iptables and a second USB dongle with the polarity set to normal. Effectively, we want to configure iptables to route the download traffic through USB dongle A (which is wired normally) and route the upload traffic through USB dongle B (wired with the polarity reversed.) Thanks to PaulJ on the ILUG list for providing a basic config for iptables:

ip route add default \
   nexthop via dev weight x \
   nexthop via dev weight y
change x and y so that x/y == bandwidth ISP1 / bandwidth ISP2

Thanks to all who helped investigate this technology, including Ghostbusters and the internets.

Note neither HEAnet labs - a made up organisation - your mobile provider nor I take any responsibility for your dongles, USB cables, laptops or pets if you try this, particularly given it's a blog post from April 1st. Seriously... ;)

posted at: 09:08 | path: /technical | permanent link to this entry

Tue, 09 Mar 2010

Apple's Time Machine...

...disk has corrupted. That would explain its inability to run backups for some time. Thanks Apple for such useful error messages ("Failed!") - helpful. *sigh*
Fortunately it's only my backup that's corrupted, and hopefully a 'Disk Utility' repair will put that back in a working state.

posted at: 23:31 | path: /technical | permanent link to this entry

Wed, 10 Feb 2010

Installing Ruby on Rails

I'm going to try making a small project in Ruby on Rails, so first I need to install the development environment on my laptop. More for my own future reference than anyone else's benefit, here's what I did:

sudo aptitude update (because it's just a good idea)
sudo aptitude install ruby-full build-essential (This installs emacs. wtf?!? Oh well...)
wget http://rubyforge.org/frs/download.php/60718/rubygems-1.3.5.tgz (Find the latest RubyGems package from rubyforge.org)
tar xzvf rubygems-1.3.5.tgz
cd rubygems-1.3.5
sudo ruby setup.rb (It appears to hang for a while with no output but eventually works and returns you to a prompt. So far so good...)
sudo ln -s /usr/bin/gem1.8 /usr/bin/gem
sudo gem update --system (Should say nothing to update if you've pulled down the latest version)

sudo gem install rails (Install rails)

All done and nothing remaining but to check that MySQL is up and running and start developing actual code.

posted at: 18:19 | path: /technical | permanent link to this entry

Mon, 18 Jan 2010

Linux and Keyboard Layouts

I write in English and Irish reasonably frequently, with an occasional sojourn into German and French too. Of course, there is also a requirement that I be able to correctly punctuate and accent the names of colleagues with non-Anglicised names too - so that leaves me with some fairly extensive requirements for keyboard layouts. My operating system of choice is Ubuntu Linux and I consider myself fortunate that the international flavour of the developers appears to have rubbed off on its multi-lingual configuration.

If you want one language and layout, simply choose System | Preferences | Keyboard and choose the Layouts tab. There you can add or remove layouts at will - I prefer the Ireland UnicodeExpert layout as it allows me to type English, Irish, German and French (and probably other languages too) without changing layout at all. Note that if you want to add this layout 'by language' it's under English, rather than Irish or Gaeilge/Gaelic.

Once you have selected this keyboard layout you can, of course, type in English as normal. Note that it's a 'UK' keyboard layout rather than American (i.e. the quotation marks are above the number 2 and the @-sign is above the single quote character. Also, the hash is next to the Enter key and the monetary pound sign is above the 3.) To get letters with fadas on them, as required for Irish, simply use (usually) AltGr + vowel. AltGr + o produces ó for example. This makes typing as Gaeilge go han-shimplí ar fad. Níl a lán rudaí níos éasca ar chor ar bith. (In Irish: this makes typing in Irish very simple indeed; there aren't many things easier at all.)

As well as this feature - the ability to get fadas (or French acute accents) with a single key-combo, things like umlauts are not too difficult: a simple AltGr + : (colon) followed by a vowel will give an umlaut over the letter. AltGr + : followed by 'e' gives ë - easy-peasy. Note that AltGr + ; (semi-colon) will do - it 'implies' the Shift key, saving you from having to be a concert pianist or an emacs user to key the keystrokes right. AltGr + ^ (the 6 key) and an appropriate letter puts a hat over the letter. AltGr + ~ (tilde) puts a tilde over letters like 'n' for Spanish (I think...) There are lots more characters and languages supported without changing keyboard layout.

posted at: 12:25 | path: /technical | permanent link to this entry

Tue, 08 Dec 2009

Gwibber

Gwibber is a handy microblogging client, but it would be nice if it:

Note: See, I've been good - I've not even asked for a filter to remove all the crud that people put on twitter, particularly me ;-)

posted at: 22:05 | path: /technical | permanent link to this entry

Sun, 20 Sep 2009

Brute force fixes most things...

My external keyboard decided to stop recognising a number of keypresses, including the entire diagonal column including 'W', 'S' and 'X' - it's surprising how many words in English rely on the letters 'S' and 'W.' Not to worry though, for given my technical acumen and thorough knowledge of electronics, bashing it off the table a couple of times and then plugging it back in again seems to have made it recognise all the keys again. Hurrah!


posted at: 13:41 | path: /technical | permanent link to this entry

Sun, 19 Jul 2009

Wordpress - oh the horrors...

I've been working on a couple of new websites recently, including the Balbriggan Community Childcare Group website and the Internet Audio Network, both of which I've built on a base of Wordpress. Installation of the base wordpress package was relatively seamless, though I was a little disappointed that an upgrade was released only a day or two later. I'm still working on figuring out how best to do the upgrade. I suspect that it's going to require me to read documentation. Some kind of auto-update would be nice (for the record, an auto-update facility that does not clearly detail what file permissions you have to set to make it work is not truly useful.)

Like every software product these days, it seems that all the useful functionality is in themes and plugins, and it's here that the true horrors of what some PHP developers can produce become evident. While I've found some excellent code written in PHP and the WP core seems to be monitored carefully from a security point of view, the plugins seem to be a hit-and-miss affair. In fairness, perhaps I was just unlucky in the selection of plugins that I chose to download. I now have two plugins insisting that they be updated, despite me updating both to the latest respective versions. I suspect this might be a bug in WordPress in its handling of revision numbers for plugins (major and minor version increments appear to work okay, for the record.)

Despite the not-quite-smooth ride, and the complications of learning yet another blogging / CMS / web framework, I'm finding WP a relative pleasure to work with. The featureset seems good, the plugins are prolific if nothing else, and I suspect the largest part of the learning curve is learning from others what plugins are good and which are more trouble than they're worth. The back-end MySQL database seems to work well and I'm contemplating moving this blog into something that uses a database for storage instead of the files-in-directories storage method of blosxom. That is, however, a task for another day.


posted at: 16:28 | path: /technical | permanent link to this entry

Sun, 28 Jun 2009

Oh the shame...

...I have created an account on Twitter, purely for scientific research purposes, of course. I have discovered the implications of @based and #based overloading and have already inexplicably amassed a small number of followers (no, I can't understand it either... perhaps cynicism and bitterness is the new comedy gold... who can say?)

Being the technology enthusiast that I am, I suggested we make better use of social networking and information dissemination tools at our upcoming conference and besides, I can't justifiably mock things until I try them now, can I? ;-)


posted at: 19:53 | path: /technical | permanent link to this entry

Mon, 15 Jun 2009

Three Strikes ruled unconstitutional in France

Shortly after France brought in a three strikes rule for those allegedly downloading content in breach of copyright on the internet, it has been deemed unconstitutional by the French Constitutional Court.
Thanks to El Reg for the following:

France's constitutional court today deemed the Hadopi law illegal. Judges deemed that two parts of the legislation also nicknamed "Three Strikes" - the backers prefer "graduated response" - contravened two major areas of the 1789 Declaration of the Rights of Man and Citizen, articles 5, 9 and 11.

I wonder if the out of court settlement Eircom agreed to, effecting the same punishment for alleged abuse of the internet - with equally little oversight and burden of proof required - will be deemed similarly illegal in Ireland. I very much hope so.

posted at: 09:29 | path: /technical | permanent link to this entry

Wed, 10 Jun 2009

wtf is up with Ubuntu?

Anyone know how to disable a module (like ipv6) under Ubuntu 9.04? I thought I did, but it appears not. Firstly, ipv6 is now compiled as a kernel module, which is largely okay (except that Network Manager sucks and seems to like collecting multiple IPv6 addresses despite only one being routable. Of course, it gives the highest priority to the last one it discovers, so that means IPv6 is unusable on the network I'm now on...) But that's only the start of my issue...

I thought I could disable IPv6 by setting /proc/sys/net/ipv6/conf/all/disable_ipv6 to contain 1. Nope - that does absolutely nothing. Awesome!

So I compiled the latest kernel and put IPv6 in as a module, because on every other network in the world I do want to use it - just not here (until Network Manager is fixed.)
You can disable a module from loading in Linux by editing /etc/modprobe.conf - but that file has been removed and replaced with an /etc/modprobe.d/ subdirectory. Still no modprobe.conf file in there, because why leave things the same... but there is a blacklist.conf file, in which you can blacklist modules.

Of course, Ubuntu being Ubuntu, this does sweet sod all (I'm thinking much more rude words) so I'm still at a complete loss as to how to kill IPv6 in the face on this OS. Fedora 11 has just been released, so I think I'm going to take a break from Ubuntu for a little while and see if RedHat has less 'features' than the current Ubuntu release.

posted at: 16:42 | path: /technical | permanent link to this entry

Tue, 19 May 2009

1537 new mail messages...

Had I finally found love, or at least a truly overzealous stalker? Had one of my more contentious blog postings hit slashdot and elicited a flurry of responses from the internets?

Alas, no - a handful of e-mail addresses for one of my domains were abused as return addresses for spam originating in "SaudiNet, Saudi Telecom Company" - resulting in numerous poorly configured mail servers dutifully sending a flurry of backscatter towards my inbox. Fortunately, my spam filters caught most of it, though still allowing some 1,500 through.

Special bonus points for the likes of bmx.pvnet.cz who correctly identified the original message as spam, blocked its delivery but still felt it was appropriate to send backscatter in my direction. *sigh*

posted at: 05:51 | path: /technical | permanent link to this entry

Fri, 15 May 2009

IPv6 failure

Today I've disabled the IPv6 reachability of my blog and websites, removing the AAAA records from DNS temporarily. This is a temporary state until Easynet permanently fix their sixxs.net tunnel broker service. Apologies to those who use services on my machines via IPv6: this temporary disabling of DNS should result in your user experience getting better, since applications should no longer hang, or delay for long periods as they try in vain to route to the IPv6 address.

As a more permanent solution, I'll be looking to Hetzner, my hosting provider to provide native IPv6 connectivity to my equipment. Hopefully IPv6 services will be restored soon.

posted at: 08:24 | path: /technical | permanent link to this entry

Wed, 06 May 2009

Upgrade to Ubuntu Jaunty

Having upgraded my laptop to Ubuntu Jaunty a week ago, and having completely failed to find the time to do a clean install over the weekend I found myself contemplating whether the upgrade was worth it.

Currently, my opinion is no! If you're happily running Ubuntu 8.10 (Intrepid Ibex) then my recommendation is strongly to stick with it. It's not perfect, but it has a Network Manager that works (more than once per reboot) with 3G / HSDPA / HSUPA / GPRS / GSM modems, and if you use your machine with a secondary monitor or a projector, the Display configuration utility also works.

Since my upgrade to Jaunty, I've had to reset my display settings to something usable by manually copying in a known good /etc/X11/xorg.conf file every time I've attempted to use more than the internal laptop monitor and I still have the annoying X11 hang bug caused by Intel i915 hardware/firmware/drivers or DRM/GEM. I already documented the requirement to kill trackerd in the face, so the only real advantage I see to the release at the moment is an increase in prettiness of on-screen status reports (for volume, brightness, etc.) and OpenOffice.org 3.0. The upgrade doesn't even give me the latest version of Netbeans (probably only of relevance to people who develop software using Netbeans, I'll admit.)

My recommendation is to stick with Ubuntu 8.10 (Intrepid Ibex) and manually install OpenOffice 3.0 and Netbeans 6.5.1. While I have no intention of migrating away from Ubuntu, I do hope that perhaps the next release will be a little more tested prior to release.


posted at: 08:55 | path: /technical | permanent link to this entry

Wed, 29 Apr 2009

Ubuntu Jaunty - First Impressions

I upgraded two machines from Ibex (v 8.10) to Ubuntu Jaunty (v 9.04). First impressions of the upgrade are largely good, but with a few caveats, some of which are quite damaging.

While the upgrade proceeded seamlessly on both machines, one a Dell D430 laptop and the other an Asus eeePC, I had to kill and uninstall the tracker tool, which errored, used up all the CPU and generally behaved like a completely untested and broken piece of software after the install. The system is unusable until you kill this piece of software, which is a very damning start for a supposed tested release of Ubuntu: this is the very first time I've had an unusable system after upgrading / installing.
sudo aptitude remove libdeskbar-tracker libtracker-gtk0 tracker tracker-search-tool tracker-utils
will remove the tracker search tool and a reboot will complete the cleanup if you're not the type of person that likes finding and killing UNIX processes from the commandline.

Secondly, and something I've not yet managed to work around, my internal 3G modem will now fail to connect correctly every time after the laptop has been through a sleep/wake cycle. I use my Dell D430 while commuting and in the office each and every day, so it's well used to being put to sleep and woken again - if that feature did not work I would be seeking an alternate operating system/hardware platform. From my admittedly limited looking at logs, it appears that Network Manager is (once again - *sigh*) at fault here. The 3G modem does connect, and even gets an IP address, but for some reason Network Manager or some associated piece of software decides the connection has failed, and disconnects the modem (which pretty much ensures that it's failed.) NetworkManager has had a checkered history, with many many problems, bugs, incompatibilities and 'features' resulting in it not playing nicely with other software and the system as a whole. It does a complicated job, but this is a regression bug - one which should and could have been flagged prior to the software being released. It works perfectly in Ubuntu 8.10... Fortunately, an old workaround of mine using wvdial / pppd directly works perfectly, though I then have to inform Firefox to stop pretending it's in Offline mode manually. Still - significantly better than having to reboot every time I need internet connectivity on a train.

Finally, there has been some breakage of the Display Settings application, which I found worked exceedingly well under Ubuntu 8.10, allowing me to hook my laptop at times into a projector, a second monitor and the TV at home. Fortunately, I have backups of my XOrg configuration files, so I was always able to restore to a stable working state - but again, these backup files were something I never needed to touch while using Ubuntu 8.10.

All in all though, Ubuntu Jaunty is a good leap forward. It upgrades OpenOffice.org to version 3.0, and about time too. I really like the on-screen notification in the top right corner, and all my hardware (excepting the 3G modem after a sleep/wake cycle) appears to work well. The NetBeans Programmer's Editor / IDE also sees a welcome upgrade to version 6.5, which is a pity in many respects seeing as how 6.5.1 has been around for a relatively long time now and 6.7 is already in beta. Still, I value stability over cutting edge on my everyday working machine.

I hope one of two things will happen soon - either Ubuntu deploys a slew of updates that fix these regression bugs that have snuck into release 9.04, or I find the time this weekend to reinstall my laptop with a fresh install of Jaunty, which I suspect has been tested somewhat better than the upgrade scripts. I look forward once more to the simplicity I enjoyed with 8.10 of just clicking the NetworkManager icon and selecting the 3G network option to connect online wherever I might be.


posted at: 08:51 | path: /technical | permanent link to this entry

Fri, 10 Apr 2009

RSA security website fail :(

Many companies use RSA SecurID keyfobs to add a one-time element to every login, and thus increase security. (The three factors of good authentication are: something you know - like a PIN - something you have - like a one-time code generator keyfob - and something you are - like a fingerprint or other biometric. Using a PIN together with the RSA SecurID code covers the first two of these factors, and specifically prevents someone gaining access if they only obtain a user's password.)
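To make the "something you know plus something you have" point concrete, here is an added example (not code from this blog or from RSA) of how a server can check a combined PIN + one-time code. It is an assumption that the token uses the open HOTP algorithm from RFC 4226 rather than RSA's own SecurID algorithm; the secret, PIN and counter values are constructed for the example. Note that a correct one-time code with the wrong PIN fails, a correct PIN with a stolen or replayed code fails, and the counter only advances once both factors pass.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store the 'something you know' factor as a salted PBKDF2 hash, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class TokenRecord:
    """Server-side state for one user's token (hypothetical layout)."""
    secret: bytes       # shared seed of the 'something you have' factor
    salt: bytes
    pin_hash: bytes
    next_counter: int = 0   # lowest counter value that has not yet been accepted


def enrol(secret: bytes, pin: str) -> TokenRecord:
    salt = os.urandom(16)
    return TokenRecord(secret=secret, salt=salt, pin_hash=hash_pin(pin, salt))


def verify_passcode(rec: TokenRecord, passcode: str, window: int = 5, digits: int = 6) -> bool:
    """Check PIN + one-time code. The code is the last `digits` characters,
    the PIN everything before it. A look-ahead window tolerates codes the
    user generated but never submitted; anything at or below the last
    accepted counter is rejected as a replay."""
    if len(passcode) <= digits:
        return False
    pin, code = passcode[:-digits], passcode[-digits:]
    pin_ok = hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash)

    matched = None
    for c in range(rec.next_counter, rec.next_counter + window):
        if hmac.compare_digest(hotp(rec.secret, c, digits), code):
            matched = c
            break

    # Both factors must pass; evaluate both before deciding so a failure
    # does not reveal which one was wrong.
    if not pin_ok or matched is None:
        return False
    rec.next_counter = matched + 1
    return True


if __name__ == "__main__":
    # Constructed enrolment: RFC 4226's test seed and a made-up PIN.
    record = enrol(b"12345678901234567890", "1234")
    print(verify_passcode(record, "1234" + hotp(record.secret, 0)))  # PIN + first code
    print(verify_passcode(record, "1234" + hotp(record.secret, 0)))  # replay of same code
```

The RFC 4226 test seed used here produces the well-known codes 755224, 287082, 359152 for counters 0, 1 and 2, so the arithmetic can be checked against the RFC's own appendix.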

These keyfobs are not cheap, and so I noticed they had the great idea of printing a little message on the back:

If found refer to: www.rsasecurity.com/found

What a wonderful idea - if someone finds it, they can return it to RSA, and since each keyfob has a unique ID they can return it to the company who purchased it, using their records. The company can, in turn, look up their system to see which user was assigned that token and take appropriate action to either return the token to the owner or possibly berate him/her for losing it in the first place. Either way, it's a 'good thing'™

Except for one minor flaw... the website doesn't work. Hopefully it's a temporary failure, but today if I wanted to return a keyfob to its owner I'd be met with:



Update: It's a simple redirection error, and refreshing the redirect of www.rsa.com/found will display the page correctly. Unfortunately, it appears I was completely wrong about the supposed intent of the page - it simply tells people to return found tokens to the local 'lost & found' or police station, and specifically states that RSA will not reveal who is the owner of any token found. They're quite right not to, but I was hoping RSA might offer a service whereby they return found tokens without revealing to the finder who they've returned them to. Oh well - best not lose my token then ;-)

posted at: 16:46 | path: /technical | permanent link to this entry


copyright © 2005-2008, Gareth Eason