Notes from Underground ... Notes about Ubuntu and Debian development. (NCommander)

Spanish or Bust: Attaining fluency in 90 days or else ... (NCommander, 2013-06-28)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
"How do you have an adventure?"<br />
<br />
"You take a stupid idea, and follow through ..."<br />
<br />
Perhaps I've truly lost my mind for once, but I've decided to embark on a personal project to try to achieve some fluency in Spanish in just 90 days, and I'm posting it to the internet to keep myself honest and on track. I will post future updates as I go, and would welcome help from anyone who is interested!<br />
<br />
The cost of failure: being forced to praise Windows 8 in a future video, and to run it for one week on my laptop.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="//www.youtube.com/embed/ZIeWiJw_UGQ" width="560"></iframe>
<br />
<br />(I apologize for the quality, but I finally managed to find the nerve to record myself doing this, and uploaded it before I lost it again)
<br /></div>
<br />
<br />
</div>
Announcement of Calxeda Highbank Images for Quantal (NCommander, 2012-06-22)
<div dir="ltr" style="text-align: left;" trbidi="on">
Hello all,<br />
<br />
As many of you are aware, Canonical, in coordination with Calxeda and others, has been working to bring Ubuntu to a new class of high-performance, low-power cluster computers built around ARM processors. Those of you who attended UDS in Oakland may remember Calxeda's talks and live demonstration, and the exciting news this represents. The full presentation is available <a href="http://youtu.be/m3utPU99Wgg?t=8m47s">here</a>.<br />
<br />
In line with this work, I am extremely pleased to announce that the initial images for the Calxeda Highbank platform are now <a href="http://ports.ubuntu.com/ubuntu-ports/dists/quantal/main/installer-armhf/current/images/highbank/netboot/">available</a> for download, with <a href="https://wiki.ubuntu.com/ARM/Server/Install">installation instructions here</a>. Please remember that Quantal is still in alpha development and is not currently recommended for use in a production environment. As development of 12.10 continues, we will keep refining these images and our tools to fully embrace MAAS on ARM, and make 12.10 our best release yet.<br />
<br />
<br />
As an additional note, Highbank support for Ubuntu 12.04 LTS will be released as part of the 12.04.1 update in mid-August and will join our support for ArmadaXP from Marvell, which was released as part of 12.04.<br />
<br />
---<br />
Michael Casadevall<br />
ARM Server Tech Lead<br />
Professional Engineering and Services, Canonical<br />
michael.casadevall@canonical.com</div>

Possible GLX Bug in Ubuntu; feedback needed (affects Intel video cards 2D/3D acceleration) (NCommander, 2011-11-20)

So I've recently been messing around with VirtualBox for a personal project, and I ran into an issue where I could not enable 2D/3D acceleration on Ubuntu 11.10. After quite a bit of debugging and forum searching, the problem turned out to be that the NVIDIA GLX module was being loaded instead of the standard Mesa/X.Org one, which prevented any video acceleration from working on my Intel video card.<br />
<br />
I just recently reinstalled Kubuntu on this laptop, and since it's a fairly stock install at the moment, I suspect this is a general (K)ubuntu bug and not something caused by my messing with the system. In addition, since switching to Kubuntu full time, this is the first time I've seen transparency and other desktop effects, and system performance has improved dramatically. While I can't say for certain, I suspect my previous install was also affected. Part of the issue may be related to which packages are seeded per flavour, so this bug may only affect those who installed Kubuntu rather than, say, Xubuntu or Ubuntu; without more information, it's impossible to say.<br />
<br />
This is where you can help; if you are running any flavor of Ubuntu with an Intel based video card, you might be affected by this too.<br />
<br />
Here's how to check; open a terminal, and type:<br />
<br />
<blockquote>mcasadevall@daybreak:/var/log$ cat /var/log/Xorg.0.log</blockquote><br />
then find the section where the glx module is loaded. It looks something like this:<br />
<br />
<blockquote>[236901.570] (II) LoadModule: "glx"<br />
[236901.571] (II) Loading /usr/lib/xorg/modules/extensions/libglx.so<br />
[236901.578] (II) Module glx: vendor="X.Org Foundation"<br />
[236901.578] compiled for 1.10.4, module version = 1.0.0<br />
[236901.578] ABI class: X.Org Server Extension, version 5.0<br />
</blockquote><br />
(this is on a machine where the Intel acceleration is properly working). <br />
<br />
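Reading the whole log by hand is error-prone, so here is an added check (example code written for this page, not from the original post) that extracts the vendor of the glx module Xorg actually loaded and flags anything other than the X.Org Foundation (Mesa) module. The sample log lines inside demo() are constructed; the /var/log/Xorg.0.log path is the one used above.

```shell
#!/bin/sh
# Added example (not from the original post): pull the glx module vendor out of
# an Xorg log and flag anything other than the X.Org Foundation (Mesa) module.
# The log lines in demo() are constructed; the Xorg.0.log path is the one the
# post uses.

# glx_vendor LOG: print the vendor string of the glx module Xorg loaded, or
# "none" if no 'Module glx: vendor=' line follows 'LoadModule: "glx"'.
glx_vendor() {
    awk '
        /LoadModule: "glx"/ { inglx = 1; next }
        inglx && /Module glx: vendor=/ {
            sub(/.*vendor="/, ""); sub(/".*/, "")
            print; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# glx_verdict LOG: one-line classification of the loaded glx module.
glx_verdict() {
    v=$(glx_vendor "$1")
    case "$v" in
        "X.Org Foundation") echo "ok: X.Org/Mesa glx loaded" ;;
        none)               echo "unknown: no glx module line found" ;;
        *)                  echo "problem: vendor glx loaded ($v)" ;;
    esac
}

demo() {
    good=$(mktemp); bad=$(mktemp)
    # Constructed log excerpts: a healthy Intel box and an affected one.
    cat > "$good" <<'EOF'
[236901.570] (II) LoadModule: "glx"
[236901.571] (II) Loading /usr/lib/xorg/modules/extensions/libglx.so
[236901.578] (II) Module glx: vendor="X.Org Foundation"
EOF
    cat > "$bad" <<'EOF'
[    14.201] (II) LoadModule: "glx"
[    14.202] (II) Loading /usr/lib/xorg/modules/extensions/libglx.so
[    14.230] (II) Module glx: vendor="NVIDIA Corporation"
EOF
    echo "intel-box:  $(glx_verdict "$good")"
    echo "affected:   $(glx_verdict "$bad")"
    rm -f "$good" "$bad"
}

demo
# Also check this machine when its log is readable.
if [ -r /var/log/Xorg.0.log ]; then
    echo "this host:  $(glx_verdict /var/log/Xorg.0.log)"
fi
```

The vendor string is taken only from the 'Module glx:' line that follows the LoadModule line, so a later mention of NVIDIA or ATI elsewhere in the log does not produce a false positive.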
If it says 'ATI' or 'NVIDIA', you've run into the same issue I have. So, dear readers, if you've had any issue with graphics performance, gaming, or simple UI lag and have an Intel video card, please post a comment with your video card, which flavor of Ubuntu you have installed, and the glx section of Xorg.0.log. If I get a few reports that confirm this, I'll file a proper bug in Launchpad and work to get it fixed.

Touch-friendly apps in Ubuntu/Debian? (NCommander, 2011-11-16)

I'm working on a personal pet project and wanted to get some feedback on the best apps to use in a touch-only environment. I know there are a few people who use Debian or Ubuntu on a tablet, and I was hoping to get suggestions on the best desktop environment and apps available. Please leave some comments with suggestions, and with a little luck, I'll have something to demo on this blog in a few weeks.

Secure Boot - it's here, and it's been here for quite a while ... (NCommander, 2011-11-15)

There's been a lot of noise about Microsoft requiring Secure Boot from Windows 8 OEMs. For those unfamiliar with it, Secure Boot requires that every stage of the boot chain be signed by a key the firmware trusts, and Microsoft requires OEMs to ship with this 'feature' enabled by default. Although I have been unable to find specific details, it appears that the chain of trust needs to extend from the UEFI firmware all the way down to the kernel. Requiring a signed boot chain makes installing FOSS platforms like Ubuntu or Debian on such a machine impossible unless the owner can get a key into the firmware's trusted key hierarchy (the Platform Key, or a key enrolled in the signature database) and re-sign the entire chain with it.<br />
<br />
Steven Sinofsky's MSDN <a href="http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx">blog</a> has a fairly good overview of how it works. Canonical and Red Hat also have a good <a href="http://blog.canonical.com/2011/10/28/white-paper-secure-boot-impact-on-linux/">white paper</a> on why Secure Boot is a serious problem for Linux distributions. Even if Secure Boot itself can be disabled, it *greatly* raises the bar for ordinary end users to install Ubuntu on their machine. In addition, it is left to the OEM and BIOS manufacturers to provide the option to disable it. <br />
<br />
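To make the mechanism described above concrete, here is a small shell model of how a Secure Boot policy gates each stage of the chain, written for this page (it is not code from the post, from Microsoft, or from any firmware). It uses the semantics of the UEFI signature databases, where 'db' lists what is allowed to run, 'dbx' lists what has been revoked, and dbx wins, and where each stage verifies the next image before jumping to it. Two simplifications are assumptions of the model: real firmware checks Authenticode signatures against X.509 certificates, whereas this model uses only the raw SHA-256 hash form of db/dbx entries so it runs with sha256sum alone, and the boot images are constructed placeholder files.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal model of how a UEFI
# Secure Boot chain gates each stage. 'db' = allowed hashes, 'dbx' = revoked
# hashes (checked first). Only hash entries are modelled; real firmware also
# holds certificates and verifies Authenticode signatures. Assumes GNU
# coreutils (sha256sum, mktemp).

image_hash() { sha256sum "$1" | cut -d' ' -f1; }

# permits DB DBX IMAGE: exit 0 if IMAGE may run under this policy.
permits() {
    h=$(image_hash "$3")
    grep -qx "$h" "$2" 2>/dev/null && return 1    # revoked wins over allowed
    grep -qx "$h" "$1" 2>/dev/null
}

# boot_chain DB DBX IMAGE...: verify images in boot order and stop at the
# first rejection. Prints one verdict per stage; exit 0 only if all pass.
boot_chain() {
    db=$1; dbx=$2; shift 2
    for img in "$@"; do
        if permits "$db" "$dbx" "$img"; then
            echo "$(basename "$img"): ok"
        else
            echo "$(basename "$img"): REJECTED"
            return 1
        fi
    done
}

# enroll LIST IMAGE: what someone who controls the key hierarchy (or holds a
# signing key the firmware trusts) achieves for a new image; here, append its hash.
enroll() { image_hash "$2" >> "$1"; }

demo() {
    w=$(mktemp -d)
    # Constructed stand-ins for boot images.
    printf 'windows boot manager\n' > "$w/bootmgfw.efi"
    printf 'grub\n'                 > "$w/grubx64.efi"
    printf 'linux kernel\n'         > "$w/vmlinuz"
    : > "$w/db"; : > "$w/dbx"
    enroll "$w/db" "$w/bootmgfw.efi"     # the OEM ships only the Windows chain

    echo "-- OEM policy, Linux chain:"
    boot_chain "$w/db" "$w/dbx" "$w/grubx64.efi" "$w/vmlinuz" || true
    echo "-- same firmware after the owner enrols the distro loader and kernel:"
    enroll "$w/db" "$w/grubx64.efi"; enroll "$w/db" "$w/vmlinuz"
    boot_chain "$w/db" "$w/dbx" "$w/grubx64.efi" "$w/vmlinuz"
    echo "-- kernel later revoked via dbx:"
    enroll "$w/dbx" "$w/vmlinuz"
    boot_chain "$w/db" "$w/dbx" "$w/grubx64.efi" "$w/vmlinuz" || true
    rm -rf "$w"
}

demo
```

The point the model makes is that the firmware does not need to be switched off for Linux to boot: an entry in db for the loader and kernel is enough, and a later dbx entry blocks a specific image without disturbing the rest of the chain. Whether the owner can make those entries is exactly the question the rest of this post is about.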
There is already a long history of OEMs removing BIOS options or introducing DRM; for instance, <a href="http://tjworld.net/wiki/Sony/Vaio/FE41Z/HackingBiosNvram">locking out VT-x on Sony laptops</a>, or <a href="http://www.thinkwiki.org/wiki/Problem_with_unauthorized_MiniPCI_network_card">restricting laptops to accept only 'branded' wifi and 3G cards</a>. Given this track record, can OEMs realistically be trusted to keep this option available?<br />
<br />
What most people don't realize is that Secure Boot itself is not a new concept; it's simply part of the <a href="http://en.wikipedia.org/wiki/Trusted_Computing">Trusted Computing</a> initiative, and it has been implemented on embedded platforms for many years. If you own an iPhone, or one of the vast majority of Android devices, you are using a device that either has a secure boot feature or something very close to it. This is especially painful on Android, as Google's security model restricts users to a *very* limited shell and subset of utilities on non-rooted devices. WebOS, Maemo, and to my knowledge MeeGo give the end user full unrestricted access to the boot chain; you can swap kernels, or even the entire OS, if you are so motivated.<br />
<br />
Although it is still an ongoing problem, several vendors such as <a href="http://htcdev.com/bootloader">HTC</a>, <a href="http://www.androidpolice.com/2011/04/15/rumor-samsung-to-unlock-bootloaders-on-future-devices/">Samsung</a>, <a href="http://www.talkandroid.com/68550-droid-razr-will-have-unlockable-bootloader-for-international-version-only/">Motorola (kinda)</a>, and even <a href="http://www.androidpolice.com/2011/03/29/sony-ericsson-promises-unlocked-bootloaders-in-some-flavors-of-all-upcoming-xperia-devices-arc-play-neo-pro/">Sony</a> now offer, or have promised, unlockable bootloaders. In the Android community, unlockable bootloaders have been a welcome middle ground in the traditionally restrictive and locked-down world of cellular devices.<br />
<br />
While some may argue that such locks are necessary to protect consumers, it is perfectly feasible to build devices with unlocked bootloaders that are still secure. The Nook Color is an Android-powered eReader. Its stock firmware doesn't allow sideloaded applications, or even access to a user shell via adb, but the boot ROM on the device tries to boot from the microSD card before eMMC, which makes it easy for enterprising users to modify the underlying OS (and makes it practically impossible to brick the device with a bad flash, since a known-good SD card will always boot first). Barnes &amp; Noble even sells a book on rooting the Nook Color; it was right next to the devices on display at the time. They've continued the tradition of easily modifiable devices with both the Nook Simple Touch and the Nook Tablet.<br />
<br />
One of the most impressive possibilities this opens up is running Ubuntu on such devices. The absolute poster child for this is the <a href="http://www.engadget.com/2010/06/21/toshibas-ac100-8-hour-smartbook-runs-android-2-1-on-a-1ghz-tegr/">Toshiba AC100</a>. For those unfamiliar with it, it is an ultralight netbook that shipped with Android 2.1/2.2 and gives easy access to the built-in flash via the mini-USB port on the side of the device. Thanks to the valiant efforts of the AC100 community, Ubuntu was ported to this device and became a supported platform, with <a href="http://cdimage.ubuntu.com/releases/oneiric/release/"> images available on cdimage.ubuntu.com</a>. If you attended UDS, you likely saw several AC100s all running Ubuntu.<br />
<br />
This brings me to the point that motivated me to write this post in the first place. One of the most impressive tablets I've seen to date is the <a href="http://www.engadget.com/2011/04/18/asus-eee-pad-transformer-uk-edition-review/">ASUS Eee Pad Transformer</a>, an Android tablet with a fully dockable keyboard. I have one of these devices, and it's one of the most impressive and usable Android tablets I own. Sadly, such a powerful device was hobbled from its true potential by ASUS's decision to ship it with a locked and encrypted bootloader. Surprisingly, the Secure Boot Key (SBK) was obtained and released into the wild, making it possible to reflash the device. Even with the SBK, however, <a href="http://androidroot.mobi/technical/tf-secure-boot-key/">the device's bootloader</a> is still extremely hobbled compared to the AC100, making flashing a slow and difficult process.<br />
<br />
In response, ASUS refreshed the Eee Pad's hardware as the new B70 SKU, which uses a new Secure Boot Key. Despite this, <a href="http://androidroot.mobi/2011/11/14/introducing-razorclaw-v1/">a root exploit was recently found</a> that lets people circumvent these restrictions and install custom ROMs. It is, however, only a matter of time before ASUS responds and releases an update that fixes this bug.<br />
<br />
Steven Barker (lilstevie) on <a href="http://www.xda-developers.com/">xda-developers</a> successfully created a <a href="http://forum.xda-developers.com/showthread.php?t=1280774">port of Ubuntu</a> to the Transformer. Currently, installing Ubuntu on the Transformer requires nvflash access, so it's not possible to use his image on the newly liberated B70 devices. I am certain that a method of installing via an update.zip will be developed for those of us with hobbled devices.<br />
<br />
It is a showcase of what is possible when you have open hardware, and it also proves one indisputable point: any 'trusted boot' or DRM scheme can and will be defeated; at best you annoy your user base, and at worst you force users to exploit bugs to regain control of their device. And because these devices cannot be reflashed from the bootloader, a failed kernel flash WILL brick them, increasing warranty and support costs as users try to return their now-broken devices.<br />
<br />
In closing, while there have been some victories in the ongoing war of open hardware vs. trusted computing, the road ahead still remains very murky. Victories in the mobile market have shown that there is a market for open devices. Google's own Nexus One was sold as a developer phone and as a way to encourage manufacturers to raise the bar. <a href="http://www.engadget.com/2010/04/15/feel-goodroid-nexus-one-is-in-the-black-60k-android-devices-ac/">It sold well enough to recoup its development costs.</a> While there are no official statements, <a href="http://talk.maemo.org/showthread.php?s=6404fbde3c35d28e0d32b619b6d7c279&t=41798">the Nokia N900 is suspected to have broken all sales expectations</a>, backed up by the fact that <a href="http://www.pocketgamer.biz/r/PG.Biz/Rovio+news/news.asp?c=17921">Angry Birds sold extremely well on the Ovi Store for the N900</a>.<br />
<br />
From the article in question:<br />
<blockquote>What reaction have you had in terms of sales and customer feedback?<br />
<br />
Angry Birds had already been launched on App Store before it came out on Ovi Store, and it had a great review average from iPhone reviewers and users alike, so we expected a good reception from N900 users as well.<br />
<br />
Even so, we were quite surprised by just how the N900 community immediately took the game to heart. The game obviously made many people very happy, and that is really the greatest achievement that anyone who creates entertainment for a living can hope for. Well, maybe the greatest achievement is huge bundles of cash, but making people happy comes a close second.<br />
<br />
In the first week that Angry Birds has been on the Ovi Store, it has been downloaded almost as many times as the iPhone version in six weeks. Given that most N900 users have not even used Ovi Store yet, we are confident that there will be many more downloads in the months to come, and are sure that the N900 version will be very profitable.</blockquote><br />
That being said, with Microsoft pushing Secure Boot and trusted computing on everyone with Windows 8, it is hard to say what the future holds for those of us who want to own our devices.

Pandaboard Netboot Images Now Available (NCommander, 2011-07-01)

As I mentioned in my previous blog post, OMAP4 netboot images were available but non-functional. I'm pleased to announce that these bugs have now been resolved and it is possible to do a functional install on OMAP4. This also has the added advantage of allowing special partitioning layouts such as RAID or LVM, or simply a non-SD root device. The images are available here: http://ports.ubuntu.com/ubuntu-ports/dists/oneiric/main/installer-armel/current/images/omap4/netboot/<br />
<br />
To use them, simply dd boot.img-serial or boot.img-fb to an SD card, insert it, and boot; the installer will start.<br />
<br />
There is still a known bug that partman will not properly create the necessary boot partition. During the partitioning step, you must select manual partitioning, then create a 72 MiB FAT32 partition with no mount point and with the Bootable flag set to 'on'. This partition must be the first partition on the device. flash-kernel-installer will be able to find the partition on its own.

On porting the installer (Part 1)... (NCommander, 2011-06-30)

So as Alpha 2 approaches, I find myself working on porting the alternate installer (d-i) to the Pandaboard to support the netboot installer. There's not a lot of documentation that describes the internals of d-i, nor which bits are platform specific.<br />
<br />
This is especially true when creating a new subarchitecture, since lots of little places have to be touched, kernels usually have to be tweaked, and there are all sorts of other odds and ends. This post isn't a comprehensive guide to what's necessary, just some random tidbits of what I did.<br />
<br />
The first step of any enablement is to have something you can run and boot. The netboot images, as well as the alternate kernel and ramdisk are built out of the debian-installer package. In the debian-installer package, several config files for driving the process are located in build/config/$arch/$subarch. For omap4, we have the following files:<br />
<br />
boot/arm/generate-partitioned-filesystem<br />
build/config/armel.cfg<br />
build/config/armel/omap4.cfg<br />
build/config/armel/omap4/cdrom.cfg<br />
build/config/armel/omap4/netboot.cfg<br />
<br />
boot/arm/generate-partitioned-filesystem is a shell script that takes a VFAT blob, and spits out a proper MBR and partition table.<br />
<br />
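The source of generate-partitioned-filesystem is not reproduced here, so as an added example (written for this page, not the d-i script itself) here is a small shell implementation of the same job: wrap a raw VFAT filesystem image in an MBR with a single bootable FAT32 partition in the first slot, which is also the layout the partman workaround in the Pandaboard post above has you create by hand. It assumes the partition starts at LBA 63 (a conventional offset; the real script's offset is not documented above), uses partition type 0x0C, and needs only dd, printf, od and cat. The 64 KiB zero-filled blob in the demo is a constructed stand-in for the mkdosfs output.

```shell
#!/bin/sh
# Added example (not the d-i boot/arm/generate-partitioned-filesystem script):
# wrap a raw VFAT image in an MBR with one bootable FAT32 (LBA) partition as the
# OMAP boot ROM expects (first partition, bootable flag set).
# Assumptions: partition starts at LBA 63, type 0x0C; little-endian host for the
# od -tu4 read-back in partition_summary.

# le32 N: write N as 4 little-endian bytes to stdout.
le32() {
    n=$1; i=0
    while [ "$i" -lt 4 ]; do
        printf "\\$(printf '%03o' $((n & 255)))"
        n=$((n >> 8)); i=$((i + 1))
    done
}

# mbr_for_fat FAT_IMAGE OUT_IMAGE: emit MBR + padding + the filesystem.
mbr_for_fat() {
    start=63
    size=$(( $(wc -c < "$1") ))
    sectors=$(( (size + 511) / 512 ))
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null   # boot code area, unused
        # partition entry 1 at offset 446 (16 bytes)
        printf '\200'                                # 0x80: bootable
        printf '\001\001\000'                        # CHS start (ignored, LBA used)
        printf '\014'                                # 0x0C: FAT32 with LBA
        printf '\377\377\377'                        # CHS end (ignored)
        le32 "$start"                                # first LBA
        le32 "$sectors"                              # length in sectors
        dd if=/dev/zero bs=48 count=1 2>/dev/null    # entries 2-4 empty
        printf '\125\252'                            # 0x55 0xAA boot signature
        dd if=/dev/zero bs=512 count=$((start - 1)) 2>/dev/null   # pad to LBA 63
        cat "$1"
    } > "$2"
}

# partition_summary IMAGE: read the first table entry back, as a sanity check
# before dd'ing the image to a card.
partition_summary() {
    boot=$(od -An -tx1 -j446 -N1 "$1" | tr -d ' ')
    type=$(od -An -tx1 -j450 -N1 "$1" | tr -d ' ')
    start=$(od -An -tu4 -j454 -N4 "$1" | tr -d ' ')
    count=$(od -An -tu4 -j458 -N4 "$1" | tr -d ' ')
    echo "boot=$boot type=$type start=$start sectors=$count"
}

if [ "${1:-}" = "--demo" ]; then
    fat=$(mktemp); img=$(mktemp)
    dd if=/dev/zero of="$fat" bs=1024 count=64 2>/dev/null   # constructed 64 KiB stand-in
    mbr_for_fat "$fat" "$img"
    partition_summary "$img"     # boot=80 type=0c start=63 sectors=128
    rm -f "$fat" "$img"
fi
```

Run it with --demo to see the table it writes; with a real mkdosfs output as the first argument, the result is a dd'able card image with MLO, u-boot.bin and the rest in the first (and only) partition, which is where the boot ROM looks.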
build/config/armel.cfg is simply a list of subarchitectures to build, plus some sane-ish kernel defaults for armel.<br />
<br />
build/config/armel/omap4.cfg is also a simple config file which specifies the type of images we're building, and the kernel to use in d-i. This file looks like this:<br />
<br />
<pre>MEDIUM_SUPPORTED = netboot cdrom
# The version of the kernel to use.
KERNELVERSION := 2.6.38-1309-omap4
# we use non-versioned filenames in the omap kernel udeb
KERNELNAME = vmlinuz
VERSIONED_SYSTEM_MAP =</pre><br />
As a point of clarification, 'cdrom' is a bit of a misnomer; it refers to the alternate installer kernel and ramdisk used by the alternate images, not to the type of media. Other types of images exist, such as 'floppy' and 'hd-install', but these are specialized images and out of scope for this blog post.<br />
<br />
Each file in build/config/armel/omap4/* is a makefile fragment that is called in turn for each image that is created. The most interesting of these is netboot.cfg:<br />
<br />
<pre>MEDIA_TYPE = netboot image
SUBARCH = omap4
TARGET = $(TEMP_INITRD) $(TEMP_KERNEL) omap4
EXTRANAME = $(MEDIUM)
INITRD_FS = initramfs
MANIFEST-INITRD = "netboot initrd"
MANIFEST-KERNEL = "kernel image to netboot"
INSTALL_PATH = $(SOME_DEST)/$(EXTRANAME)
omap4:
	# Make sure our build environment is clean
	rm -rf $(INSTALL_PATH)
	mkdir -p $(INSTALL_PATH)
	# Generate uImage/uInitrd
	mkimage -A arm -O linux -T kernel -C none -a 0x80008000 -e 0x80008000 -n "Ubuntu kernel" -d $(TEMP_KERNEL) $(INSTALL_PATH)/uImage
	mkimage -A arm -O linux -T ramdisk -C none -a 0x0 -e 0x0 -n "debian-installer ramdisk" -d $(TEMP_INITRD) $(INSTALL_PATH)/uInitrd
	# Generate boot.scrs
	mkimage -A arm -T script -C none -n "Ubuntu boot script (serial)" -d boot/arm/boot.script-omap4-serial $(INSTALL_PATH)/boot.scr-serial
	mkimage -A arm -T script -C none -n "Ubuntu boot script (framebuffer)" -d boot/arm/boot.script-omap4-fb $(INSTALL_PATH)/boot.scr-fb
	# Create DD'able filesystems
	mkdosfs -C $(INSTALL_PATH)/boot.img-fat-serial 10240
	mcopy -i $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/uImage ::uImage
	mcopy -i $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/uInitrd ::uInitrd
	mcopy -i $(INSTALL_PATH)/boot.img-fat-serial /usr/lib/x-loader/omap4430panda/MLO ::MLO
	mcopy -i $(INSTALL_PATH)/boot.img-fat-serial /usr/lib/u-boot/omap4_panda/u-boot.bin ::u-boot.bin
	cp $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/boot.img-fat-fb
	mcopy -i $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/boot.scr-serial ::boot.scr
	mcopy -i $(INSTALL_PATH)/boot.img-fat-fb $(INSTALL_PATH)/boot.scr-fb ::boot.scr
	boot/arm/generate-partitioned-filesystem $(INSTALL_PATH)/boot.img-fat-fb $(INSTALL_PATH)/boot.img-fb
	boot/arm/generate-partitioned-filesystem $(INSTALL_PATH)/boot.img-fat-serial $(INSTALL_PATH)/boot.img-serial
	# Generate manifests
	update-manifest $(INSTALL_PATH)/uImage "Linux kernel for OMAP Boards"
	update-manifest $(INSTALL_PATH)/uInitrd "initrd for OMAP Boards"
	update-manifest $(INSTALL_PATH)/boot.scr-fb "Boot script for booting OMAP netinstall initrd and kernel from SD card. Uses framebuffer display"
	update-manifest $(INSTALL_PATH)/boot.scr-serial "Boot script for booting OMAP netinstall initrd and kernel from SD card. Uses serial output"
	update-manifest $(INSTALL_PATH)/boot.img-serial "Boot image for booting OMAP netinstall. Uses serial output"
	update-manifest $(INSTALL_PATH)/boot.img-fb "Boot image for booting OMAP netinstall. Uses framebuffer output"</pre><br />
The vast majority of this is fairly straightforward. TARGET lists the targets called by make; the tasks that create the vmlinuz and initrd must be included. The omap4 target then does the specialized handling for the omap4/netboot image. <br />
<br />
omap4 requires a VFAT boot partition on the SD card with a proper filesystem and MBR. The contents of the filesystem are straightforward:<br />
<br />
MLO - also known as x-loader, the first-stage bootloader<br />
u-boot.bin - the u-boot binary, a second-stage bootloader used to boot the kernel<br />
uImage - the Linux kernel with a special u-boot header (created with mkimage)<br />
uInitrd - the d-i ramdisk with a special u-boot header<br />
boot.scr - a u-boot boot script with the commands to execute at startup. <br />
<br />
MLO and u-boot.bin are copied in from x-loader-omap4-panda and u-boot-linaro-omap4-panda which are listed as build-deps in the control file for d-i. boot.scr is generated from a plain-text file:<br />
<br />
<pre>fatload mmc 0:1 0x80000000 uImage
fatload mmc 0:1 0x81600000 uInitrd
setenv bootargs vram=32M mem=456M@0x80000000 mem=512M@0xA0000000 fixrtc quiet debian-installer/framebuffer=false console=ttyO2,115200n8
bootm 0x80000000 0x81600000</pre><br />
These are u-boot commands that simply load the uImage/uInitrd into RAM, set the command line, and then boot into it. <br />
<br />
When porting the installer, it is mostly a task of putting your subarchitecture name in the right places, then adding the necessary logic in places to spit out an image that boots. This provides a sane base to start working on porting other bits of the installer. When d-i is uploaded to Launchpad, these files end up in http://ports.ubuntu.com/ubuntu-ports/dists/oneiric/main/installer-armel/current/images/<br />
<br />
My next blog post will go a bit into udebs, how d-i does architecture detection, and flash-kernel.

On Achieving Goals ... (NCommander, 2010-11-11)

*blows the dust off his blog*<br />
<br />
It's been quite a while since I last wrote anything in this thing, so I guess it's as good a time as any, on the tail of UDS-N, to finally sit down and write something. Since my last blog posting in May, I've been travelling around the world, attending conferences, and trying to represent both Ubuntu and Debian, and Canonical, in all my travels. I was recently posted to China for a full month, where I lived and worked out of an office, made friends with fellow Ubuntu users and tech enthusiasts, had a wonderful time meeting people from the <a href="http://www.beijinglug.org/">Beijing Linux User's Group</a>, and worked hard within my team at Canonical, and with the legions of Ubuntu developers, to help make one of the best releases we've ever had.<br />
<br />
As I was writing specs and drafting work items, I got to the point of reflecting on my own personal goals and growth in life. Two years and change ago, I was a struggling junior at Rochester Institute of Technology; a little less than two years ago, I started working full time with Canonical; and this year I've gone and traveled to many places I'd only dreamed about: Anchorage &amp; Barrow, Alaska; Tampere, Finland; Prague, Czech Republic; and Brussels, Belgium, just to name a few. I packed up and lived in China for a month (an amazing experience, and I look forward to going back sometime in the near future). Had you told the me of two years ago what I would be doing now, I'd probably have thought you were smoking something good.<br />
<br />
One thing I've discovered in my life is that if you want to do something, you need to get out there and just ****ing do it. This may seem simple, but I think of the dreams a lot of people have that never seem to come to fruition. When I have an opportunity, I take it; going to Alaska was a dream I'd harbored for many years, especially entering the Arctic Circle and heading to Barrow. That entire trip was booked on roughly four days' notice, and the side trip to Barrow was planned the day before it actually happened. I don't regret any of it; it was one of the best things I've ever done. <br />
<br />
This brings me to what I consider the crux of this blog posting. For those who know me, I've had a goal of visiting every state in the United States. At this time last year, the map looked like this: <img src="http://chart.apis.google.com/chart?cht=t&chtm=usa&chs=440x220&chf=bg,s,336699&chco=d0d0d0,cc0000&chd=s:99999999999999999999999999999999999999999999&chld=LAWYWIWVVAUTVTTXTNSDSCRIPAOHOKMEMDMAMIMNMSMOMTNENVNHNJNMNYNCALAZARCACOCTDEFLGAILINIAKSKY" width="440" height="220" ><br />
<br />
As of two weeks ago today, this map looked like this:<br />
<br />
<img src="http://chart.apis.google.com/chart?cht=t&chtm=usa&chs=440x220&chf=bg,s,336699&chco=d0d0d0,cc0000&chd=s:9999999999999999999999999999999999999999999999999&chld=LAWYWIWVVAUTVTTXTNSDSCRIPAOHOKMEMDMAMIMNMSMOMTNENVNHNJNMNYNCALAZARCACOCTDEFLGAILINIAKSKYAKORWAIDND" width="440" height="220" ><br />
<br />
Now, by the end of the day today, it will look like this:<br />
<br />
<img src="http://chart.apis.google.com/chart?cht=t&chtm=usa&chs=440x220&chf=bg,s,336699&chco=d0d0d0,cc0000&chd=s:99999999999999999999999999999999999999999999999999&chld=LAWYWIWVVAUTVTTXTNSDSCRIPAOHOKMEMDMAMIMNMSMOMTNENVNHNJNMNYNCALAZARCACOCTDEFLGAILINIAKSKYAKORWAIDNDHI" width="440" height="220" ><br />
<br />
The point I'm trying to make is if you want to do something, do it the first chance you get, or just don't do it; I say this because you never know when you will be able to do it again.<br />
<br />
As for completing a life goal, well, it feels pretty amazing :-). I may write about that in a future blog posting ...

Mailing Lists and Newsreaders .... (NCommander, 2010-05-16)

So for a while, I've been questioning why very few FOSS projects use newsgroups (or moderated USENET groups) as their primary means of communication between developers. I personally find email a clunky way of dealing with mass mailings, and while switching to alpine and mutt has helped, I feel newsgroups would work better in place of mailing lists.<br /><br />In this spirit, I'm going to try to replace reading most of my public-facing mailing lists with Gmane and see whether my opinion actually holds true, that is, whether newsgroups are superior to bog-standard mailing lists, and post back in some time. I'm currently looking at various GUI and console-based newsreaders to see which works best for my needs.<br /><br />I also need to blow the dust off my memory and remember how to set up leafnode so I can mimic OfflineIMAP. Any suggestions are welcome.

1984 (NCommander, 2010-02-04)

It's been a while since I last posted, but I felt the need to do so after my recent flight through ATL. While I was waiting for my connection, the loudspeakers announced that we were at threat level "Orange" and that we, the people, had to be on guard for threats to our country.<br /><br />Does this remind anyone of anything? If your answer is 1984, then you win. 
When did we get to this point that our government is feeling more and more like the Party; I am just waiting for the day when we have telescreens constantly watching for terrorism and other threats ...<br><br /><br><br />I hope this day never comes but given the path we have been on since 9/11, I fear for the future ...NCommanderhttp://www.blogger.com/profile/17676152296271896899noreply@blogger.com4tag:blogger.com,1999:blog-4695702196537398257.post-73531659191478130832009-08-25T18:41:00.000-07:002009-08-25T18:43:01.960-07:00Setting up a GPG smartcard ...So after having my trusty Sony VAIO do a bunk on me, its replacement, a Lenovo Thinkpad T400 has just arrived, and I'm now working through the process of getting it setup and ready to work as my main x86/amd64 machine, (for those wondering, my desktop machine, titan is an SMP ia64 that was donated to me to help improve the Ubuntu/ia64 port). I'm still getting things settled on it, but one of the nicest things about is it has a built in smartcard slot for me to use my GPG smartcard with, and figured now is a good time to write up howto get started with it.<br /><br />If your using a smartcard that can handle larger than 1024-bit keys, make sure you use gpg2 in place of gpg, as gpg can't handle moving large keys to the card. The primary key in all cases can and should be as large as possible, since only the subkeys will be moved to the GPG smartcard. gpg-agent MUST be running to access the smartcard.<br /><br />The first step is to install the correct packages for your smartcard; for me gpg2 and gpgsm did the trick. pcscd and gnupg-agent are also needed. 
If successful, you should be able to query your card:<br /><br /><pre>mcasadevall@daybreak:~$ gpg --card-status<br /><br />gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'<br />Application ID ...: D27600012401020000050000005D0000<br />Version ..........: 2.0<br />Manufacturer .....: unknown<br />Serial number ....: 0000005D<br />Name of cardholder: [not set]<br />Language prefs ...: de<br />Sex ..............: unspecified<br />URL of public key : [not set]<br />Login data .......: [not set]<br />Private DO 1 .....: [not set]<br />Private DO 2 .....: [not set]<br />Signature PIN ....: forced<br />Max. PIN lengths .: 32 32 32<br />PIN retry counter : 3 0 3<br />Signature counter : 0<br />Signature key ....: [none]<br />Encryption key....: [none]<br />Authentication key: [none]<br />General key info..: [none]<br /><br /></pre><br /><br />If you got this far, so far so good. The next step is to set your personal information on the card itself, and to generate new GPG keys for it. The first step can be done by typing the following commands:<br /><br />Couple of important safety notes: The card will accept up to three wrong PINs and then block, making it impossible to unblock without the admin PIN. Three wrong admin PINs and your card fries itself (like a SIM card with too many wrong PUK codes entered) so be VERY VERY careful!<br /><br /><pre><br />mcasadevall@daybreak:~$ gpg --card-edit<br /><br />gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'<br />Application ID ...: D27600012401020000050000005D0000<br />Version ..........: 2.0<br />Manufacturer .....: unknown<br />Serial number ....: 0000005D<br />Name of cardholder: [not set]<br />Language prefs ...: de<br />Sex ..............: unspecified<br />URL of public key : [not set]<br />Login data .......: [not set]<br />Private DO 1 .....: [not set]<br />Private DO 2 .....: [not set]<br />Signature PIN ....: forced<br />Max. 
PIN lengths .: 32 32 32<br />PIN retry counter : 3 0 3<br />Signature counter : 0<br />Signature key ....: [none]<br />Encryption key....: [none]<br />Authentication key: [none]<br />General key info..: [none]<br /><br />Command> admin<br />Admin commands are allowed<br /><br />Command> name<br />Cardholder's surname: Casadevall<br />Cardholder's given name: Michael<br />gpg: 3 Admin PIN attempts remaining before card is permanently locked<br /><br />Admin PIN<br />gpg: gpg-agent is not available in this session<br /><br />Command> lang<br />Language preferences: en<br /><br />Command> sex<br />Sex ((M)ale, (F)emale or space): m<br /><br />Command> quit<br />mcasadevall@daybreak:~$<br /></pre><br /><br />Now there are a few choices to make here. You can generate a key on the card itself (the generate command) and then use it by itself, move your existing private key to the card and use it as above, or add a subkey and then use that. I'm going to choose the latter.<br /><br />For those of you who are not familiar, GPG subkeys are essentially private keys to be used while the primary key remains safe and sound. Subkeys can sign files, and encrypt/decrypt email as normal, but they can't be signed, nor can they sign other keys. They are trusted through signatures on the primary key.<br /><br />As an additional step, since my GPG key is in the somewhat old and dated DSA 1024 format, I feel the time has come to replace it with a newer 4096-bit RSA key (for my rationale, take a look at: http://74.125.93.132/search?q=cache:wA6b7rbT0p0J:www.debian-administration.org/users/dkg/weblog/48+http://www.debian-administration.org/users/dkg/weblog/48&hl=en&client=firefox-a&gl=us&strip=1 ; the link is a Google cache link, as at the time of writing debian-administration.org is down).<br /><br />So let's do that first. I'm generating my keyring onto an external device which will contain the primary key, and the subkeys on file. 
The primary key is the only one which can be used to sign other keys:<br /><pre><br />mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --gen-key<br />gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'<br />gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.<br />This is free software: you are free to change and redistribute it.<br />There is NO WARRANTY, to the extent permitted by law.<br /><br />gpg: keyring `/media/disk/gpg_keys/secring.gpg' created<br />gpg: keyring `/media/disk/gpg_keys/pubring.gpg' created<br />Please select what kind of key you want:<br /> (1) RSA and RSA (default)<br /> (2) DSA and Elgamal<br /> (3) DSA (sign only)<br /> (4) RSA (sign only)<br />Your selection? 4<br />RSA keys may be between 1024 and 4096 bits long.<br />What keysize do you want? (2048) 4096<br />Requested keysize is 4096 bits<br />Please specify how long the key should be valid.<br /> 0 = key does not expire<br /> <n> = key expires in n days<br /> <n>w = key expires in n weeks<br /> <n>m = key expires in n months<br /> <n>y = key expires in n years<br />Key is valid for? (0) 1y<br />Key expires at Wed 25 Aug 2010 07:57:17 PM EDT<br />Is this correct? (y/N) y<br /><br />GnuPG needs to construct a user ID to identify your key.<br /><br />Real name: Michael Casadevall<br />Email address: mcasadevall@ubuntu.com<br />Comment: <br />You selected this USER-ID:<br /> "Michael Casadevall <mcasadevall@ubuntu.com>"<br /><br />Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o<br />You need a Passphrase to protect your secret key.<br /><br />We need to generate a lot of random bytes. 
It is a good idea to perform<br />some other action (type on the keyboard, move the mouse, utilize the<br />disks) during the prime generation; this gives the random number<br />generator a better chance to gain enough entropy.<br />gpg: /media/disk/gpg_keys/trustdb.gpg: trustdb created<br />gpg: key 7B8E6A47 marked as ultimately trusted<br />public and secret key created and signed.<br /><br />gpg: checking the trustdb<br />gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model<br />gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u<br />gpg: next trustdb check due at 2010-08-25<br />pub 4096R/7B8E6A47 2009-08-25 [expires: 2010-08-25]<br /> Key fingerprint = C7A5 543F 2D33 3791 4EF0 C915 7B4D 847C 7B8E 6A47<br />uid Michael Casadevall <mcasadevall@ubuntu.com><br /><br />Note that this key cannot be used for encryption. You may want to use<br />the command "--edit-key" to generate a subkey for this purpose.<br /></pre><br /><br /><br />I *really* need a hardware entropy generator for when I generate keys. I recommend setting the preferences for generating signatures and the like with: setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br /><br /><pre><br />mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com<br />gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'<br />gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.<br />This is free software: you are free to change and redistribute it.<br />There is NO WARRANTY, to the extent permitted by law.<br /><br />Secret key is available.<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1). 
Michael Casadevall <mcasadevall@ubuntu.com><br /><br />Command> uid 1<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1)* Michael Casadevall <mcasadevall@ubuntu.com><br /><br />Command> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed<br />Set preference list to:<br /> Cipher: AES256, AES192, AES, CAST5, 3DES<br /> Digest: SHA512, SHA384, SHA256, SHA224, SHA1<br /> Compression: ZLIB, BZIP2, ZIP, Uncompressed<br /> Features: MDC, Keyserver no-modify<br />Really update the preferences for the selected user IDs? (y/N) y<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@ubuntu.com>"<br />4096-bit RSA key, ID 7B8E6A47, created 2009-08-25<br /><br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1)* Michael Casadevall <mcasadevall@ubuntu.com><br /><br />Command> save<br />mcasadevall@daybreak:~$ <br /></pre><br /><br />Add any uids you need to your key. This can be done with the adduid command after issuing the edit-key command:<br /><pre><br />mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com<br />gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'<br />gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.<br />This is free software: you are free to change and redistribute it.<br />There is NO WARRANTY, to the extent permitted by law.<br /><br />Secret key is available.<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1). 
Michael Casadevall <mcasadevall@ubuntu.com><br /><br />Command> adduid<br />Real name: Michael Casadevall<br />Email address: michael.casadevall@canonical.com<br />Comment: <br />You selected this USER-ID:<br /> "Michael Casadevall <michael.casadevall@canonical.com>"<br /><br />Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@ubuntu.com>"<br />4096-bit RSA key, ID 7B8E6A47, created 2009-08-25<br /><br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com><br />[ unknown] (2). Michael Casadevall <michael.casadevall@canonical.com><br /><br />Command> adduid<br />Real name: Michael Casadevall<br />Email address: mcasadevall@debian.org<br />Comment: <br />You selected this USER-ID:<br /> "Michael Casadevall <mcasadevall@debian.org>"<br /><br />Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@ubuntu.com>"<br />4096-bit RSA key, ID 7B8E6A47, created 2009-08-25<br /><br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com><br />[ unknown] (2) Michael Casadevall <michael.casadevall@canonical.com><br />[ unknown] (3). Michael Casadevall <mcasadevall@debian.org><br /><br />Command> adduid<br />Real name: Michael Casadevall<br />Email address: mcasadevall@kubuntu.org<br />Comment: <br />You selected this USER-ID:<br /> "Michael Casadevall <mcasadevall@kubuntu.org>"<br /><br />Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 
o<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@ubuntu.com>"<br />4096-bit RSA key, ID 7B8E6A47, created 2009-08-25<br /><br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1) Michael Casadevall <mcasadevall@ubuntu.com><br />[ unknown] (2) Michael Casadevall <michael.casadevall@canonical.com><br />[ unknown] (3) Michael Casadevall <mcasadevall@debian.org><br />[ unknown] (4). Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> save<br />mcasadevall@daybreak:~$ <br /></pre><br /><br />Now let's add an encryption subkey and a signing subkey to this keyring so you can send and receive encrypted email. Make sure the size is small enough to fit on your card (my card can take 3072 bits per key*, your mileage may vary); this step and the next use gpg2 due to incompatibilities with my card (see below for the full story). In addition, I'm going to set these subkeys to expire after a year, partially because I intend to replace the subkey with a 3072-bit or 4092-bit subkey later (depending on smartcard support), and partially in case my smartcard is ever lost: the keys will expire themselves should I lose the private subkey (which is possible by accident, since gnupg moves keys to the smartcard rather than copying them). <br /><br />* - for those of us with g10code 2.0 smartcards, there seems to be an issue with using 3072-bit encryption keys. 
I'm not sure if the problem is with the card, the card reader, or gnupg, but for now I'll use 2048-bit subkeys, and replace them with 3072-bit keys later on.<br /><br /><pre><br />mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --edit-key mcasadevall@ubuntu.com<br />gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'<br />gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.<br />This is free software: you are free to change and redistribute it.<br />There is NO WARRANTY, to the extent permitted by law.<br /><br />Secret key is available.<br /><br />gpg: checking the trustdb<br />gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model<br />gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u<br />gpg: next trustdb check due at 2010-08-25<br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org><br />[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ultimate] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> addkey<br />Key is protected.<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@kubuntu.org>"<br />4096-bit RSA key, ID 7B8E6A47, created 2009-08-25<br /><br />Please select what kind of key you want:<br /> (3) DSA (sign only)<br /> (4) RSA (sign only)<br /> (5) Elgamal (encrypt only)<br /> (6) RSA (encrypt only)<br />Your selection? 6<br />RSA keys may be between 1024 and 4096 bits long.<br />What keysize do you want? (2048) <br />Requested keysize is 2048 bits<br />Please specify how long the key should be valid.<br /> 0 = key does not expire<br /> <n> = key expires in n days<br /> <n>w = key expires in n weeks<br /> <n>m = key expires in n months<br /> <n>y = key expires in n years<br />Key is valid for? 
(0) 1y<br />Key expires at Wed 25 Aug 2010 08:12:37 PM EDT<br />Is this correct? (y/N) y<br />Really create? (y/N) y<br />We need to generate a lot of random bytes. It is a good idea to perform<br />some other action (type on the keyboard, move the mouse, utilize the<br />disks) during the prime generation; this gives the random number<br />generator a better chance to gain enough entropy.<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org><br />[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ultimate] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> addkey<br />Key is protected.<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@kubuntu.org>"<br />4096-bit RSA key, ID 7B8E6A47, created 2009-08-25<br /><br />Please select what kind of key you want:<br /> (3) DSA (sign only)<br /> (4) RSA (sign only)<br /> (5) Elgamal (encrypt only)<br /> (6) RSA (encrypt only)<br />Your selection? 4<br />RSA keys may be between 1024 and 4096 bits long.<br />What keysize do you want? (2048) <br />Requested keysize is 2048 bits<br />Please specify how long the key should be valid.<br /> 0 = key does not expire<br /> <n> = key expires in n days<br /> <n>w = key expires in n weeks<br /> <n>m = key expires in n months<br /> <n>y = key expires in n years<br />Key is valid for? (0) 1y<br />Key expires at Wed 25 Aug 2010 08:12:51 PM EDT<br />Is this correct? (y/N) y<br />Really create? (y/N) y<br />We need to generate a lot of random bytes. 
It is a good idea to perform<br />some other action (type on the keyboard, move the mouse, utilize the<br />disks) during the prime generation; this gives the random number<br />generator a better chance to gain enough entropy.<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org><br />[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ultimate] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> save<br /></pre><br /><br />*phew*<br />This step is optional, but if you want an authentication key, this is how you create one. A signing key can be used as an authentication key, but the reverse is not true. You need to use expert mode (--expert) to create an authentication key.<br /><br /><pre><br />mcasadevall@daybreak:~$ gpg2 --homedir /media/disk/gpg_keys --expert --edit-key mcasadevall@ubuntu.com<br />gpg: WARNING: unsafe permissions on homedir `/media/disk/gpg_keys'<br />gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.<br />This is free software: you are free to change and redistribute it.<br />There is NO WARRANTY, to the extent permitted by law.<br /><br />Secret key is available.<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />[ultimate] (1). 
Michael Casadevall <mcasadevall@kubuntu.org><br />[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ultimate] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> addkey<br />Key is protected.<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@kubuntu.org>"<br />4096-bit RSA key, ID 7B8E6A47, created 2009-08-25<br /><br />Please select what kind of key you want:<br /> (3) DSA (sign only)<br /> (4) RSA (sign only)<br /> (5) Elgamal (encrypt only)<br /> (6) RSA (encrypt only)<br /> (7) DSA (set your own capabilities)<br /> (8) RSA (set your own capabilities)<br />Your selection? 8<br /><br />Possible actions for a RSA key: Sign Encrypt Authenticate <br />Current allowed actions: Sign Encrypt <br /><br /> (S) Toggle the sign capability<br /> (E) Toggle the encrypt capability<br /> (A) Toggle the authenticate capability<br /> (Q) Finished<br /><br />Your selection? s<br /><br />Possible actions for a RSA key: Sign Encrypt Authenticate <br />Current allowed actions: Encrypt <br /><br /> (S) Toggle the sign capability<br /> (E) Toggle the encrypt capability<br /> (A) Toggle the authenticate capability<br /> (Q) Finished<br /><br />Your selection? e<br /><br />Possible actions for a RSA key: Sign Encrypt Authenticate <br />Current allowed actions: <br /><br /> (S) Toggle the sign capability<br /> (E) Toggle the encrypt capability<br /> (A) Toggle the authenticate capability<br /> (Q) Finished<br /><br />Your selection? a<br /><br />Possible actions for a RSA key: Sign Encrypt Authenticate <br />Current allowed actions: Authenticate <br /><br /> (S) Toggle the sign capability<br /> (E) Toggle the encrypt capability<br /> (A) Toggle the authenticate capability<br /> (Q) Finished<br /><br />Your selection? q<br />RSA keys may be between 1024 and 4096 bits long.<br />What keysize do you want? 
(2048) <br />Requested keysize is 2048 bits<br />Please specify how long the key should be valid.<br /> 0 = key does not expire<br /> <n> = key expires in n days<br /> <n>w = key expires in n weeks<br /> <n>m = key expires in n months<br /> <n>y = key expires in n years<br />Key is valid for? (0) 1y<br />Key expires at Wed 25 Aug 2010 08:15:34 PM EDT<br />Is this correct? (y/N) y<br />Really create? (y/N) y<br />We need to generate a lot of random bytes. It is a good idea to perform<br />some other action (type on the keyboard, move the mouse, utilize the<br />disks) during the prime generation; this gives the random number<br />generator a better chance to gain enough entropy.<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A <br />[ultimate] (1). Michael Casadevall <mcasadevall@kubuntu.org><br />[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ultimate] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> save<br /></pre><br /><br /><br />Ok. Now is a good time to export your keys, make backups of your .gnupg folder, generate revocation certificates and such. Once you're done doing that, let's copy those keys to the card. What will happen specifically is that each key will be moved to the card, and a stub key will be left in its place, which will require the card to be present before it can be used. The backup you make here will be the full key, ready in case something ever happens to your card. 
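<br /><br />Before the subkeys go anywhere, it helps to have a way of confirming afterwards that each one landed in the card slot matching its capability (the first safety note below) and that the PIN retry counters are still healthy. The checker that follows is an added example, not the post's own code: it cross-checks the slot fingerprints printed by `gpg --card-status` against the `fpr` records of `gpg --with-colons --fingerprint --list-keys`. Both sample outputs are constructed from the post's transcripts, and the full fingerprint of the authentication subkey AF3D8E0C is a placeholder, since the post never prints it.

```python
"""Cross-check an OpenPGP smartcard's key slots against the keyring.

Added example, not code from the original post. It parses the output of
`gpg --card-status` and of `gpg --with-colons --fingerprint --list-keys`
and reports subkeys that sit in the wrong slot, a primary key that was
moved to the card, and blocked PINs. Both sample outputs below are
constructed from the post's transcripts; the fingerprint of the
authentication subkey AF3D8E0C is a placeholder (the post never prints it).
"""

# Constructed: `gpg --card-status` after the three keytocard operations.
CARD_STATUS = """\
Application ID ...: D27600012401020000050000005D0000
Version ..........: 2.0
Name of cardholder: Michael Casadevall
Signature PIN ....: forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 60C1 8447 B8B5 619A AD0B DE9E 9DDA 9A07 C511 F667
Encryption key....: 90FE 16DC C170 7550 780A 94B4 A1EE 54A9 1E21 10C3
Authentication key: 0000 0000 0000 0000 0000 0000 0000 0000 AF3D 8E0C
"""

# Constructed: `gpg --with-colons --fingerprint --list-keys 7B8E6A47`.
# In pub/sub records field 12 holds the capability letters (s, e, a, c);
# in fpr records field 10 holds the fingerprint of the preceding key.
KEYRING_COLONS = """\
pub:u:4096:1:7B4D847C7B8E6A47:1251244800:1282780800::u:::scSC::::::::
fpr:::::::::C7A5543F2D3337914EF0C9157B4D847C7B8E6A47:
uid:u::::1251244800::HASH::Michael Casadevall <mcasadevall@ubuntu.com>::::
sub:u:2048:1:A1EE54A91E2110C3:1251266400:1282802400:::::e::::::
fpr:::::::::90FE16DCC1707550780A94B4A1EE54A91E2110C3:
sub:u:2048:1:9DDA9A07C511F667:1251266400:1282802400:::::s::::::
fpr:::::::::60C18447B8B5619AAD0BDE9E9DDA9A07C511F667:
sub:u:2048:1:00000000AF3D8E0C:1251266400:1282802400:::::a::::::
fpr:::::::::00000000000000000000000000000000AF3D8E0C:
"""

# Card slot label (as printed by --card-status) -> capability letter it must hold.
SLOT_CAPABILITY = {
    "Signature key": "s",
    "Encryption key": "e",
    "Authentication key": "a",
}


def parse_card_status(text):
    """Return ({slot: fingerprint or None}, [user, reset-code, admin] retry counters)."""
    slots, retries = {}, None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        label, value = label.rstrip(". "), value.strip()  # drop the dotted padding
        if label in SLOT_CAPABILITY:
            slots[label] = None if value == "[none]" else value.replace(" ", "")
        elif label == "PIN retry counter":
            retries = [int(n) for n in value.split()]
    return slots, retries


def parse_keyring(text):
    """Return {fingerprint: (record type, capability letters)} for pub and sub records."""
    keys, pending = {}, None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            pending = (fields[0], fields[11])
        elif fields[0] == "fpr" and pending is not None:
            keys[fields[9]] = pending  # the fpr record follows its pub/sub record
            pending = None
    return keys


def check_card(card_status, keyring_colons):
    """Return a list of problems; an empty list means every slot holds the right key."""
    problems = []
    slots, retries = parse_card_status(card_status)
    keys = parse_keyring(keyring_colons)
    for slot, wanted in SLOT_CAPABILITY.items():
        fpr = slots.get(slot)
        if fpr is None:
            problems.append(f"{slot}: slot is empty")
        elif fpr not in keys:
            problems.append(f"{slot}: {fpr} is not in the keyring")
        elif keys[fpr][0] == "pub":
            problems.append(f"{slot}: holds the primary key, which should stay offline")
        elif wanted not in keys[fpr][1].lower():
            caps = keys[fpr][1]
            problems.append(f"{slot}: subkey {fpr[-8:]} has capabilities '{caps}', expected '{wanted}'")
    if retries is not None:
        if retries[0] == 0:
            problems.append("user PIN is blocked (retry counter 0); the admin PIN is needed to unblock it")
        if retries[2] == 0:
            problems.append("admin PIN retry counter is 0; the card is permanently locked")
    return problems


if __name__ == "__main__":
    for problem in check_card(CARD_STATUS, KEYRING_COLONS) or ["card layout matches the keyring"]:
        print(problem)
```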
<br /><br />As a second note, this is just a guideline on how I generated keys; some people might want to make their keys expire as an additional method of protection, just in case normal revocation becomes impossible. Finally, I know people will question why I generated an authentication key, but my goal with this key is to use it to make smartcard SSH possible, allowing me to replace my .ssh folder with the smartcard.<br /><br />Anyway, take a drink, breathe, and get ready to copy things to the card. We're going to take the secret subkeys, export them, then import them into the normal keyring, then move them to the card:<br /><br />A couple of important safety notes:<br />1. A signing key CAN be used as an authentication key. If you generated a separate authentication key, make sure you put that in the right spot, and the signing key in the signing key spot, or else you will have to back up and do it again.<br />2. Once you toggle, you can't see the purpose of the keys, so make sure you refer to it before doing anything.<br />3. The admin PIN is needed to move the keys.<br />4. You need to deselect each key after you move it and select the next one.<br />5. You can't delete a key off the card once it's there (as far as I can tell), but you can replace it.<br />6. NEVER use your primary copy of your keyring to move keys!<br /><br /><pre><br />mcasadevall@daybreak:/media/disk$ chmod a-w gpg_keys/*<br />mcasadevall@daybreak:~$ gpg --homedir /media/disk/gpg_keys/ --export-secret-subkeys > ~/tmp.key<br /></pre><br /><br />Unmount your pendrive or secure media with your private keys, and have it go be guarded by orcs. Now it's time to import the subkeys into GPG, and then move them to the card. 
Since you're not moving the trustdb, you'll also have to manually reset the trust of your private key once it's imported.<br /><br /><pre><br />mcasadevall@daybreak:~$ gpg --import tmp.key <br />gpg: key 7B8E6A47: secret key imported<br />gpg: /home/mcasadevall/.gnupg/trustdb.gpg: trustdb created<br />gpg: key 7B8E6A47: public key "Michael Casadevall <mcasadevall@kubuntu.org>" imported<br />gpg: Total number processed: 1<br />gpg: imported: 1 (RSA: 1)<br />gpg: secret keys read: 1<br />gpg: secret keys imported: 1<br />mcasadevall@daybreak:~$ shred tmp.key<br />mcasadevall@daybreak:~$ rm tmp.key <br />mcasadevall@daybreak:~$ gpg --edit-key mcasadevall@ubuntu.com<br />gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.<br />This is free software: you are free to change and redistribute it.<br />There is NO WARRANTY, to the extent permitted by law.<br /><br />Secret key is available.<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: unknown validity: unknown<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A <br />[ unknown] (1). Michael Casadevall <mcasadevall@kubuntu.org><br />[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ unknown] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> trust<br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: unknown validity: unknown<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A <br />[ unknown] (1). 
Michael Casadevall <mcasadevall@kubuntu.org><br />[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ unknown] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Please decide how far you trust this user to correctly verify other users' keys<br />(by looking at passports, checking fingerprints from different sources, etc.)<br /><br /> 1 = I don't know or won't say<br /> 2 = I do NOT trust<br /> 3 = I trust marginally<br /> 4 = I trust fully<br /> 5 = I trust ultimately<br /> m = back to the main menu<br /><br />Your decision? 5<br />Do you really want to set this key to ultimate trust? (y/N) y<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: unknown<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A <br />[ unknown] (1). 
Michael Casadevall <mcasadevall@kubuntu.org><br />[ unknown] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ unknown] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ unknown] (4) Michael Casadevall <mcasadevall@debian.org><br />Please note that the shown key validity is not necessarily correct<br />unless you restart the program.<br />Command> quit<br />mcasadevall@daybreak:~$ gpg2 --edit-key mcasadevall@ubuntu.com<br />gpg (GnuPG) 2.0.12; Copyright (C) 2009 Free Software Foundation, Inc.<br />This is free software: you are free to change and redistribute it.<br />There is NO WARRANTY, to the extent permitted by law.<br /><br />Secret key is available.<br /><br />gpg: checking the trustdb<br />gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model<br />gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u<br />gpg: next trustdb check due at 2010-08-25<br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A <br />[ultimate] (1). 
Michael Casadevall <mcasadevall@kubuntu.org><br />[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ultimate] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> toggle<br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb 2048R/1E2110C3 created: 2009-08-26 expires: never <br />ssb 2048R/C511F667 created: 2009-08-26 expires: never <br />ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> key 1<br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb* 2048R/1E2110C3 created: 2009-08-26 expires: never <br />ssb 2048R/C511F667 created: 2009-08-26 expires: never <br />ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> keytocard<br />Signature key ....: 3396 1F69 327C 1645 B0CF 057E 89D1 1A4A 4E4D 5498<br />Encryption key....: 114E 692C D22F 89C1 F0EA 4AE8 83AA F05E A383 3408<br />Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08<br /><br />Please select where to store the key:<br /> (2) Encryption key<br />Your selection? 2<br /><br />gpg: WARNING: such a key has already been stored on the card!<br /><br />Replace existing key? 
(y/N) y<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@kubuntu.org>"<br />2048-bit RSA key, ID 1E2110C3, created 2009-08-26<br /><br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb* 2048R/1E2110C3 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb 2048R/C511F667 created: 2009-08-26 expires: never <br />ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> key 1<br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb 2048R/1E2110C3 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb 2048R/C511F667 created: 2009-08-26 expires: never <br />ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> key 2<br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb 2048R/1E2110C3 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb* 2048R/C511F667 created: 2009-08-26 expires: never <br />ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> keytocard<br />Signature key ....: 3396 1F69 327C 1645 B0CF 057E 89D1 1A4A 4E4D 5498<br />Encryption key....: 90FE 16DC C170 7550 780A 94B4 A1EE 54A9 1E21 10C3<br />Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B 
DA08<br /><br />Please select where to store the key:<br /> (1) Signature key<br /> (3) Authentication key<br />Your selection? 1<br /><br />gpg: WARNING: such a key has already been stored on the card!<br /><br />Replace existing key? (y/N) y<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@kubuntu.org>"<br />2048-bit RSA key, ID C511F667, created 2009-08-26<br /><br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb 2048R/1E2110C3 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb* 2048R/C511F667 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> key 2<br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb 2048R/1E2110C3 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb 2048R/C511F667 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> key 4<br />No subkey with index 4<br /><br />Command> key 3<br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb 2048R/1E2110C3 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb 2048R/C511F667 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb* 2048R/AF3D8E0C created: 2009-08-26 expires: never <br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall 
<michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> keytocard<br />Signature key ....: 60C1 8447 B8B5 619A AD0B DE9E 9DDA 9A07 C511 F667<br />Encryption key....: 90FE 16DC C170 7550 780A 94B4 A1EE 54A9 1E21 10C3<br />Authentication key: FFFC 04A6 3FE8 AF4C F9A6 F660 A3C2 A7CD 1A8B DA08<br /><br />Please select where to store the key:<br /> (3) Authentication key<br />Your selection? 3<br /><br />gpg: WARNING: such a key has already been stored on the card!<br /><br />Replace existing key? (y/N) y<br /><br />You need a passphrase to unlock the secret key for<br />user: "Michael Casadevall <mcasadevall@kubuntu.org>"<br />2048-bit RSA key, ID AF3D8E0C, created 2009-08-26<br /><br /><br />sec 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25<br />ssb 2048R/1E2110C3 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb 2048R/C511F667 created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />ssb* 2048R/AF3D8E0C created: 2009-08-26 expires: never <br /> card-no: 0005 0000005D<br />(1) Michael Casadevall <mcasadevall@ubuntu.com><br />(2) Michael Casadevall <michael.casadevall@canonical.com><br />(3) Michael Casadevall <mcasadevall@debian.org><br />(4) Michael Casadevall <mcasadevall@kubuntu.org><br /><br />Command> toggle<br /><br />pub 4096R/7B8E6A47 created: 2009-08-25 expires: 2010-08-25 usage: SC <br /> trust: ultimate validity: ultimate<br />sub 2048R/1E2110C3 created: 2009-08-26 expires: 2010-08-26 usage: E <br />sub 2048R/C511F667 created: 2009-08-26 expires: 2010-08-26 usage: S <br />sub 2048R/AF3D8E0C created: 2009-08-26 expires: 2010-08-26 usage: A <br />[ultimate] (1). 
Michael Casadevall <mcasadevall@kubuntu.org><br />[ultimate] (2) Michael Casadevall <mcasadevall@ubuntu.com><br />[ultimate] (3) Michael Casadevall <michael.casadevall@canonical.com><br />[ultimate] (4) Michael Casadevall <mcasadevall@debian.org><br /><br />Command> save<br /><br /><br /></pre><br /><br />At this point, all the secret subkeys have been removed, and only exist on your pendrive (along with the primary key), or on your smartcard. The secret keys on this machine have been replaced with stubs that tell gnupg to look at the smartcard for the secret key. If you export the secret keys now, you'll only export the stub, and not the secret key.<br /><br />If done correctly, any operations requiring your private key will now require you to put in the smartcard as that's the only copy of the subkeys available. You'll want to make sure both signing and encryption/decryption work:<br /><br />Decryption:<br /><pre><br />mcasadevall@daybreak:~$ gpg2 -d examples.desktop.gpg <br />gpg: encrypted with 2048-bit RSA key, ID 1E2110C3, created 2009-08-26<br /> "Michael Casadevall <mcasadevall@kubuntu.org>"<br />gpg: public key decryption failed: Card not present<br />gpg: decryption failed: No secret key<br /><br />*card is inserted*<br />mcasadevall@daybreak:~$ gpg2 -d examples.desktop.gpg <br />gpg: encrypted with 2048-bit RSA key, ID 1E2110C3, created 2009-08-26<br /> "Michael Casadevall <mcasadevall@kubuntu.org>"<br />[Desktop Entry]<br />Version=1.0<br />Type=Link<br />Name=Examples<br />Name[es]=Ejemplos<br />Name[fi]=Esimerkkejä<br />Name[fr]=Exemples<br />Comment=Example content for Ubuntu<br />Comment[es]=Contenido del ejemplo para Ubuntu<br />Comment[fi]=Esimerkkisisältöjä Ubuntulle<br />Comment[fr]=Contenu d'exemple pour Ubuntu<br />URL=file:///usr/share/example-content/<br />X-Ubuntu-Gettext-Domain=example-content<br /><br />mcasadevall@daybreak:~$ <br /></pre><br /><br />Signing with smartcard:<br /><pre><br />mcasadevall@daybreak:~/src$ debsign 
hello_2.4-1_source.changes <br /> signfile hello_2.4-1.dsc 7B8E6A47<br />gpg: selecting openpgp failed: ec=6.112<br />gpg: signing failed: general error<br />gpg: /tmp/debsign.voIxh9WX/hello_2.4-1.dsc: clearsign failed: general error<br />debsign: gpg error occurred! Aborting....<br />mcasadevall@daybreak:~/src$ <br /><br />*insert the card*<br />mcasadevall@daybreak:~/src$ debsign hello_2.4-1_source.changes <br /> signfile hello_2.4-1.dsc 7B8E6A47<br /><br /> signfile hello_2.4-1_source.changes 7B8E6A47<br /><br /></pre><br /><br />You're done! I hope you've found this guide helpful. I currently haven't released this GPG key into the wild JUST yet, but I likely will within this week once I make sure I've done everything correctly. Please leave comments if you see any mistakes or want to make any recommendations. Thanks for reading!<br /><br />On the topic of being prepared ... (published 2009-08-01T17:29:00.000-07:00, updated 2009-08-01T17:51:11.282-07:00)<br /><br />Disaster can strike at any time. Such as 00:00, in Ireland, thousands of miles away from home. I'm pleased to report my /usr/lib folder did a bunk, and simply vanished, leaving my system in an unusable state. I managed to check dmesg before my system crashed; it seems my laptop's HDD reported a load of error messages before my system went and did a bunk. I'm not sure if this is failed hardware, a kernel issue, or something else.<br /><br />Fortunately, I'm prepared for such a disaster. 
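As an added check for the smartcard guide above (example code, not from the original post): a POSIX shell function that reads the machine-readable listing from gpg2 --list-secret-keys --with-colons and reports any secret (sub)key whose private material is still in the local keyring instead of being a stub or an on-card reference. It assumes the GnuPG colon-format convention that field 15 of sec/ssb records holds "#" for a stub, the card serial number for an on-card key, and "+" (empty in older versions) when the private key is held locally; the two listings are constructed, using the key ids from the post.

```shell
#!/bin/sh
# Added example (not from the original post): after "keytocard" and moving the
# primary key to the pendrive, confirm that no private key material remains in
# the local keyring.  Feed it the machine-readable listing from:
#     gpg2 --list-secret-keys --with-colons
# Assumption (GnuPG DETAILS doc): in sec/ssb records, field 15 is "#" for a stub
# with no private key, the card serial number for a key living on a smartcard,
# and "+" (empty in older versions) when the private key is in the keyring.

# Print "<type> <key id> <token field>" for every secret (sub)key whose private
# material is still on this machine; exit 1 if any was found, 0 when clean.
secret_material_on_disk() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            tok = $15
            # "#" = stub, all-hex = card serial number; anything else is local
            if (tok != "#" && tok !~ /^[0-9A-Fa-f]+$/) {
                printf "%s %s %s\n", $1, $5, (tok == "" ? "-" : tok)
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed listings (short key ids from the post; real listings carry the
# 16-digit long id).  The card serial number is a made-up placeholder.
CLEAN_LISTING='sec:u:4096:1:7B8E6A47:1251158400:1282694400::u:::scSC:::#::23:
ssb:u:2048:1:1E2110C3:1251244800::::::e:::D2760001240102000005000000050000::23:
ssb:u:2048:1:C511F667:1251244800::::::s:::D2760001240102000005000000050000::23:
ssb:u:2048:1:AF3D8E0C:1251244800::::::a:::D2760001240102000005000000050000::23:'

# Same keyring, but the signing subkey was never moved off this machine.
DIRTY_LISTING='sec:u:4096:1:7B8E6A47:1251158400:1282694400::u:::scSC:::#::23:
ssb:u:2048:1:1E2110C3:1251244800::::::e:::D2760001240102000005000000050000::23:
ssb:u:2048:1:C511F667:1251244800::::::s:::+::23:
ssb:u:2048:1:AF3D8E0C:1251244800::::::a:::D2760001240102000005000000050000::23:'

# Stand-alone run over both constructed listings.
if printf '%s\n' "$CLEAN_LISTING" | secret_material_on_disk; then
    echo "clean listing: no private key material on disk"
fi
if ! printf '%s\n' "$DIRTY_LISTING" | secret_material_on_disk; then
    echo "dirty listing: private key material still on disk (listed above)"
fi
```

On a real machine, pipe the gpg2 listing into the function instead of the constructed strings; a non-zero exit means the keytocard/export step is not finished.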
I have a Kubuntu livecd which has been living in my bag since UDS, a spare netbook (with a SATA drive I can poach if I can confirm this one has actually failed, or I can use it as a full blown replacement if need be, although it's slow), a USB HDD to which I'm now backing up what remains of my data (the irreplaceables, that is, my GPG and SSH keys and most of my writing, are already safely backed up at home on my file server), and so forth. <br /><br />SMART status on the internal HDD is as follows:<br /><pre><br />ubuntu@ubuntu:/$ sudo smartctl -H /dev/sda<br />smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen<br />Home page is http://smartmontools.sourceforge.net/<br /><br />=== START OF READ SMART DATA SECTION ===<br />SMART overall-health self-assessment test result: PASSED<br />Please note the following marginal Attributes:<br />ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE<br />190 Airflow_Temperature_Cel 0x0022 054 031 045 Old_age Always In_the_past 46 (0 48 46 39)<br /></pre><br /><br />Looks like the drive probably overheated in the distant past, but SMART did pass so I dunno ... Anyway, given the state of things, I'll run badblocks on the drive once I finish backing up, and hope for the best. It's got to make it to the end of this week ...<br /><br />UDS Day 3 & KDE involvement (published 2009-05-27T02:38:00.001-07:00, updated 2009-05-27T03:05:28.492-07:00)<br /><br />Hola all,<br />So this is my first blog post since UDS started (although I have been doing some microblogging this session; I find that if I treat it like multicast IRC using gwibber, it suddenly makes more sense to me). 
We're now three days into UDS, and working hard on defining what Ubuntu karmic will be, and I must say I am excited with the way things are shaping up, from UNR discussions to the Android Execution Environment (and if anyone has any questions on it, please direct those emails to Michael Frey and Debbie Beliveau as they are the people behind it, despite Slashdot's reports on the subject). <br /><br />There are loads going on, including Moblin (which you'll see this afternoon), Android (same), ports kernel handling, and loads of other cool things coming up. I'll comment on some of the more interesting things as time goes on.<br /><br />In other news, as of late last night, I'm officially an upstream KDE developer with SVN commit rights. I've written an email detailing my plans for working on KDE to kde-core-devel, where it is happily stuck in a moderation queue, so hopefully those involved in upstream KDE development will soon learn of my intentions :-).<br /><br />I'll write more later,<br />Michael<br /><br />Jaunty Retrospect (published 2009-04-24T07:57:00.000-07:00, updated 2009-05-27T02:37:43.555-07:00)<br /><br />Guess it's my time to post something about my feelings on Jaunty.<br /><br />The Good:<br /> * armel successfully birthed<br /> * powerpc well on the way to be well maintained<br /> - Kernel and installer work mostly done by TheMuso (thanks :-))<br /> - Image testing by the people of #ubuntu-ps3, myself, and TheMuso<br /> - powerpc, and powerpc+ps3 both in the release announcements for Kubuntu and Xubuntu :-)<br /> * Kubuntu upgraded to KDE 4.2<br /> * Xubuntu upgraded to Xfce 4.6<br /> * PowerPC FTBFS rate in main very low. ia64, and sparc looking more improved.<br /><br />The Bad:<br /> * SPARC, ia64, and HPPA remain fairly foobar w.r.t. 
the installer and kernel<br /><br />The Ugly:<br /> * The drama over notifications and update-manager<br /><br />All in all though, I think it's been a fairly good cycle. Looking forward to karmic.<br /><br />Re-engineering my network ... (published 2009-01-15T19:03:00.001-08:00, updated 2009-01-15T19:32:17.414-08:00)<br /><br />As I move to having more and more machines on my internal LAN, I felt the time had finally come that I sit down, and rebuild my network to take advantage of things such as gigabit networking, LDAP, single sign-on, and so forth. I'm doing this partially for fun, and partially because it's an interesting experiment to see how Linux from an IS environment compares to a Windows 200x IS environment (one of my former jobs was a 2000/XP/2003/Vista sysadmin position).<br /><br />So, here's my current network setup:<br /><pre><br />blacksteel <- *wireless* ---------------------------------------------- cerberus <-> Internet<br /> /<br />dawn <------ *wired*-----------------------------------------------------<br /> /<br />360 <---- *wired* -----------------------------------------------------<br /></pre><br /><br />Online machines:<br />cerberus - WRT51GS<br />blacksteel - My laptop<br />dawn - Development machine<br />360 - Xbox 360, used to play media from blacksteel<br /><br />Offline machines (aka, machines I have, but haven't fired up since moving):<br />helios (PowerMac G4)<br />apollo (old Dell P3)<br />junker (RS/6000 rescued from the dumpster, might be dead)<br />alexandria (NSLU2; gave up its plug for dawn)<br />coldfusion (Coldfire board, might be dead; ethernet controller is faulty, but might be able to use a USB based one to breathe some life into it; can't autoreboot due to built in bootloader not supporting it; and no JTAG to sanely change the default bootloader).<br />siren (old MacBook Pro, has a dead internal HDD, but runs fine from an external hard 
drive. Was my Debian test box until its HDD went to dawn) <br />exodius - second WRT54GS used to be part of a WDS bridge.<br />unnamed dev box (not here yet, but likely soon).<br /><br />Of all these machines, only apollo has a wireless card which ATM is non-functional. In addition, the wired bits of my network are 100Mbps, with a g based wireless hotspot (WPA secured). Furthermore, blacksteel, helios, and siren have gigabit ethernet. apollo has a 100Mbps ethernet card. alexandria and dawn have 10Mbps, which is painful, especially for NFS root.<br /><br />I'll drop another 1Gbps NIC into apollo, replacing its wireless card, and give dawn, alexandria, and maybe coldfusion USB based NICs once I get around to resurrecting systems (alexandria and coldfusion don't have hard drives at the moment).<br /><br />What I would like to do is use a Linux-based router and replace Cerberus. Helios has two gigabit NICs, so it will take up this duty, as well as provide DHCPv4, and radvd (for IPv6) for the internal network. It's an old computer, and has an onboard modem, and its position in my apartment will be close to a phone jack; maybe I'll set it up so I can dial in from outside the LAN in case something goes down (although my phones here are VoIP based so I dunno how useful that's going to be :-)).<br /><br />Another box (I might task this to apollo, or helios) will run LDAP and NFS services, providing both a netboot based installation with preseed for fast re-installation, and NFS home folders for all machines except blacksteel (unless someone knows a great solution for having a laptop sync NFS and local home folders). helios will run mail, news, and any other untrusted net facing services, with everything else shielded behind it. All machines will run IPv4 and 6. <br /><br />Anyway, this is the start of my plan in a nutshell, and I intend to continue discussion as I slowly build and implement this updated setup. 
Wish me luck :-).<br /><br />Notes from Underground, Part 1 (published 2009-01-02T21:36:00.000-08:00, updated 2009-01-02T22:51:31.771-08:00)<br /><br />For those following d-devel, you may notice that I've recently been working on improving one of the cornerstones of Debian infrastructure; the Debian Archive Kit, or dak for short. Most DDs and DMs don't notice dak exists except when trying to determine why their latest upload was rejected, and then yelling at the powers that be. I'm here to shed some light on this mythical beast.<br /><br />First off, a quick history lesson:<br /><br />dak (also known as projectb) is a replacement for Debian's original archive software, known simply as dinstall. dinstall itself was a fairly large perl script that does what dak process-unchecked/process-accepted does today. James Troup did a fairly decent summary of dinstall, and its issues.<br /><br />James Troup's README.new-incoming (from dak's git repo):<br /><br /><blockquote>The old system:<br />---------------<br /> o incoming was a world writable directory<br /><br /> o incoming was available to everyone through http://incoming.debian.org/<br /><br /> o incoming was processed once a day by dinstall<br /><br /> o uploads in incoming had to have been there > 24 hours before they<br /> were REJECTed. If they were processed before that and had<br /> problems they were SKIPped (with no notification to the maintainer<br /> and/or uploader).<br /></blockquote><br />dak's first commits were in 2000, and it rolled out onto ftp-master.d.o sometime in 2001 or 2002 (I can't find an exact date for this). Since then, dak is also used on security.d.o, and on backports.org (fun fact for bpo people; the dak installation there is now up to date, and tracking git's tip).<br /><br />So now that you know the history lesson, what specifically does dak do is the next question. 
Simply put, dak is the glue that binds the rest of Debian's backends together; both britney and wanna-build/buildd depend on it. It handles management of uploads to the archive, handles stable release updates, and so forth. It is also the only Debian archive software that uses an actual database backend, and scales fairly well, handling over 10,000 packages and 12 architectures. Unfortunately, there are also a lot of issues with dak as it stands.<br /><br />Sections of the code base have bitrotted over the years; legacy and legacy-mixed support have died, the import-archive function is shot (more so now than ever, see below), the test suite is non-functional (never a good sign), the docs are out of date, and in many places non-existent, doing a release (both point and full) requires editing the database, and so forth.<br /><br />In addition, dak, while written in python, is written in a fairly procedural style, and has some very ugly code in some places. For instance, the original Debian Maintainer code was handled by having the uids in the database prefixed by dm: vs having a flag somewhere, and had some hardcoded variables like checking for "unstable", as well as quite a few bugs which caused interesting behavior when uploading to a non-unstable suite such as experimental or one of the proposed queues. (For those curious, I recommend checking the dak git tree to see what the old DM code looked like, and then, aside from the design, find the two major bugs which caused a lot of the weirdness with DMs.) It should be stated that the last merge from redid the DM code and design sanely using the new update framework.<br /><br />These issues have led to the genesis of the dak v2 project, which is an attempt to replace dak with a module, rewritten from the ground up to be more secure and modular, although it's not gotten very far as of writing. I personally don't believe that the current iteration of dak is so bad that scrapping and rewriting is necessary. 
Instead, I've been working to implement v2 features in dak by aggressive refactoring and cleanup, with the hope of negating the need for a rewrite.<br /><br />So now that's out of the way, I bet you probably are interested in my .plan for dak. Well, let's go over what I've implemented so far.<br /><br /> * An update database framework for dak, which will allow for easy database upgrade and migration, vs the "does it work yet?" approach to applying schema updates. Simply type dak update-db, and you're done!<br /><br /> * 822 formatted output for queues (http://ftp-master.debian.org/new.822); this information is now used on DDPO pages<br /><br /> * Rewriting DM management code to have more of a brain than the previous implementation.<br /><br />What's next on the TODO list:<br /><br /> * Content file generation from the database (part of removal of apt-ftparchive, but that's another blog post ;-)).<br /><br />Oh, as a side note to my current readers, my blog has changed names to "Notes from Underground", after one of my favorite novels, and further in reference to exploring the mysterious underground that is Debian's backend code. We're also now on Planet Debian :-).<br /><br />ARM and MID ... (published 2008-11-18T13:44:00.001-08:00, updated 2008-11-18T14:41:27.164-08:00)<br /><br />So for those of you playing along at home, we have a newly available ARM port, which has just reached the point of being able to debootstrap itself with a buildd variant (i.e., install build-essential and a few other packages). Now the fun begins with porting stuff.<br /><br />First up is mono. Mono has a port to ARM and ARMel already; however, this code obviously hasn't been compiled in some time, as it FTBFS due to glibc 2.8+svn. *grumble*. 
Oh well, easy fix, and one that will help clear a bunch of other dep-waits and get us that much closer to a usable port.<br /><br />WiiBuntu (Part 1), Ubuntu Ports MID, and lpia (published 2008-11-10T19:32:00.001-08:00, updated 2008-11-10T20:05:35.468-08:00)<br /><br />So here I am, with a wonderful Wii, complete with Twilight Hack and Homebrew Menu installed, wondering if I could do something crazy like run Ubuntu on it. After some trial and error, it appears possible to do a debootstrap of an Ubuntu PowerPC installation and have it work!<br /><br />So now that I have a Wii with Ubuntu installed, what am I going to do with it? That is the question I am now pondering. The answer seems obvious: put Ubuntu MID on the sucker, install XWii (Wiimote Pointer Driver), and the WiiX display driver, and turn it into a very pretty multitouch system. Yay :-) So it should just be a matter of 'aptitude install ubuntu-mid'.<br /><br />Sadly, it's not quite that easy. Ubuntu-MID currently is only installable on lpia. I can hear the questions now: WTF is lpia? To answer that question, lpia is the <span style="font-weight: bold;">L</span>ow-<span style="font-weight: bold;">P</span>ower <span style="font-weight: bold;">I</span>ntel <span style="font-weight: bold;">A</span>rchitecture, also known as the Intel Atom processor family. For those of you familiar with Atom, you might be double-taking, saying Atom is an x86 based processor. Again, you're right, lpia is x86 based (you can run it on normal PCs); it's essentially i386 Ubuntu with a few optimizations.<br /><br />The problem breaks down to the way some of the MID's components were packaged. 
The main problem is that the rules file, instead of properly splitting the packages out, checks for the lpia architecture, and then changes the configure options to build hildon support (hildon is the nifty library from Nokia that makes MID work). To fix MID on ports (and x86/amd64), each package with this lpia detector switch must be found, and then properly split. Sounds easy enough, right?<br /><br />Wrong. Most of the packages (such as evince) are CDBS packages. For anyone who knows anything about CDBS, you know it was never meant to split packages :-/. This *will* be fun :-/.<br /><br />As an added note, OpenOffice.org is broken on PowerPC, double fun, since compiling it will likely take longer than releasing Jaunty will take :-).<br /><br />More notes from the PIE party (Ubuntu bootstrapping howto) ... (published 2008-11-05T23:51:00.000-08:00, updated 2008-11-05T23:58:20.313-08:00)<br /><br />So after getting stuck and putting this work aside, I decided to take a second stab at it after meeting up with another Ubuntu developer in real life, and doing additional research. Using the experimental gcc-4.3 branch of Gentoo Hardened as a base, I'm now making extremely good progress bootstrapping amd64-pie, and the results look promising thus far.<br /><br />For those curious, bootstrapping the archive is a straightforward if time intensive project. Essentially the process requires three individual bootstraps: an initial one that you use to build Debian packages, a chroot from those packages, and a final chroot that is the end result.<br /><br />Right now I'm working on the first part of this bootstrap, which is from a Linux host (without Debian) to generating the initial bootstrap packages. 
It requires compiling each build-dep from source with the proper configuration arguments, then building the packages with dpkg-buildpackage -d, and installing them, until you have built the entire base system.<br /><br />From there, you take the debs, place them in a repo, debootstrap, and then rebuild again, which produces the final result debs. It's straightforward and fascinating work (if a little tedious).<br />Michael<br /><br />Well, I'm a (K)ubuntu member now :-) (published 2008-09-12T19:47:00.000-07:00, updated 2008-09-12T19:48:54.886-07:00)<br /><br />I figure I should break in my first post by saying that I'm now a Kubuntu member, and through that, also an Ubuntu member, and thus can post to Ubuntu Planet now :-).<br /><br />For all of those out there who helped make this possible, thank you. Next stop, MOTU.<br /><br />PIE GCC stage two bootstrapping notes ... (published 2008-09-06T00:31:00.000-07:00, updated 2008-09-06T00:45:35.913-07:00)<br /><br />I figure I haven't explained what I'm doing at this point. I'm currently compiling GCC with a patch to have it both be PIC/PIE and generate PIE binaries, a rather fun task requiring multiple compiler bootstraps, but one that should allow me to properly test the ability to compile the system PIE enabled. I suspect I can convince kees to see if all this bootstrapping isn't necessary and can generate comparable results to my test builds.<br /><br />Roughly speaking, the sequence of events that I'm following goes something like this.<br /><br />1. Build a compiler that generates PIC code by default from a non-PIC system (embryo compiler)<br />2. Use the PIC compiler to compile glibc, gcc/binutils depends (zlib, gmp, mpfr)<br />3. Using the previous compiler, build a compiler that can generate PIE binaries. 
This will be used to build the equivalent of a Gentoo stage1 system. <- We are here<br />4. Build a temporary base system.<br />5. Using the PIE compiler, rebuild the base system with the proper paths (butterfly compiler).<br />6. Build Ubuntu specific tools (dpkg, apt, etc.)<br />7. Build Ubuntu base system with GCC patches, generating debs<br />8. Using those debs, rebuild the base system again<br /><br />A Look At the Specs ... (published 2008-09-04T21:34:00.000-07:00, updated 2008-09-04T21:48:08.339-07:00)<br /><br />(warning: GCC internals ahead. For ye who wishes to stay sane, stay away, stay very far away)<br /><br />Part of the major changes hardy->intrepid was the inclusion of hardening configurations in GCC. This was originally handled via a script called hardening-wrapper, which uses the alternatives system to replace GCC with a wrapper script that passes a variety of options (see the wiki for the full list) and is controllable via environment variables.<br /><br />After intrepid, all of these options (aside from PIE) were moved into GCC specifically via the spec mechanism. For those unaware, GCC (and binutils) is essentially several smaller programs, such as the C preprocessor, cc1, assembler, linker, etc. The specs strings are essentially a rules system that controls the arguments to each of these mini programs. Let's take a more specific look at these strings. 
The gcc specs can be viewed with gcc -dumpspecs.<br /><br />(Ubuntu GCC 4.3.1 Intrepid Alpha; for brevity's sake, here's just a small section)<br /><br /><pre><br />*cpp_unique_options:<br />%{C|CC:%{!E:%eGCC does not support -C or -CC without -E}} %{!Q:-quiet} %{nostdinc*} %{C} %{CC} %{v} %{I*&F*} %{P} %I %{MD:-MD %{!o:%b.d}%{o*:%.d%*}} %{MMD:-MMD %{!o:%b.d}%{o*:%.d%*}} %{M} %{MM} %{MF*} %{MG} %{MP} %{MQ*} %{MT*} %{!E:%{!M:%{!MM:%{!MT:%{!MQ:%{MD|MMD:%{o*:-MQ %*}}}}}}} %{remap} %{g3|ggdb3|gstabs3|gcoff3|gxcoff3|gvms3:-dD} %{H} %C %{D*&U*&A*} %{i*} %Z %i %{fmudflap:-D_MUDFLAP -include mf-runtime.h} %{fmudflapth:-D_MUDFLAP -D_MUDFLAPTH -include mf-runtime.h} %{!D_FORTIFY_SOURCE:%{!D_FORTIFY_SOURCE=*:%{!U_FORTIFY_SOURCE:-D_FORTIFY_SOURCE=2}}} %{E|M|MM:%W{o*}}<br /></pre><br /><br />While this appears to be a load of messy strings, it defines the command line arguments GCC accepts, and what it does with them. The last section for instance was added in Ubuntu to add the FORTIFY_SOURCE defines, as well as include the off-switch for it. Adding the PIE switch would be done under the cc1 section, which is what handles the PIE processing, in a similar mechanism. This way, we can apply PIE to every package, and then manually add -fno-PIE on any package that requires it to be disabled.<br /><br />This is a quick overview of specs, and I hope you learned something by reading it, and understanding how this will be done.<br /><br />More progress ... (published 2008-09-04T15:55:00.000-07:00, updated 2008-09-04T15:57:27.371-07:00)<br /><br />After further research, I attempted to use Linux from Scratch as a base for my attempts to compile the base system. This led me to High Security LFS, which is the base chroot built with PIE, which is what I want. 
I can't find anyone who's done HLFS on amd64, so it will be rather interesting to see how well this works.<br /><br />GCC sucks. (published 2008-09-04T09:21:00.000-07:00, updated 2008-09-04T09:31:09.156-07:00)<br /><br />On my quest to build the archive with PIE, I discovered the first major headache: there is a rather interesting circular dependency in the compiler toolchain.<br /><br />Roughly speaking, libgcc is linked to glibc, which is linked to libgmp, which the compiler is dependent on, making it not possible to directly build the compiler built with PIE (and as an additional fun fact, the three stage bootstrap makes hardening-wrapper non-effective. CFLAGS can be passed to the second and third stage bootstrap so this isn't a huge limitation, but it will require regularly beating gcc's debian/rules2 into passing the flags correctly). I'm now at the point roughly where I can try to build perl from source, then dpkg and aptitude.<br /><br />The -fPIE is a lie. Part 1 (published 2008-09-04T00:06:00.001-07:00, updated 2008-09-04T00:18:50.700-07:00)<br /><br />For those playing along at home, I've been working with Kees Cook (from Canonical), on investigating the possibility of generating Position Independent Executables for the AMD64 architecture, which would greatly help increase security for Ubuntu.<br /><br />Position independent code roughly means that there are no hard coded addresses in the binary, making a return-to-libc attack near impossible when combined with address space randomization, a technique that causes binaries and libraries to be loaded in random locations in memory. 
The upshot is that on 64-bit systems, even if a buffer overflow or other programming bug makes it possible to overwrite the stack, a return-to-libc attack can't be done due to the randomized address space. Stack smashes and buffer overflows are of course properly avoided already in Ubuntu due to the stack protector.<br /><br />Now some people may be wondering why we're not doing this for x86. The reason is that there is a price to be paid for PIE code, and that is that a register must be used to handle the locations and relative jumps in the executable. x86 has very few general purpose registers that could be used for this, and thus has a rather large cost. Architectures such as ia64, amd64, powerpc, and sparc have more than enough general registers to make the change feasible without adversely affecting performance.<br /><br />Currently, I'm working on building a base chroot completely PIE enabled, and then rebootstrapping Ubuntu from scratch, a laborious, but hopefully successful attempt at rebuilding the archive with PIE.
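Tying the specs post above to this one, an added example (written for this page, not Ubuntu's gcc packaging): a POSIX shell script that writes a specs file appending a default -fPIE to the cc1 spec and -pie to the link spec, in the same nested %{!switch:...} style the specs post shows for _FORTIFY_SOURCE, with -fno-PIE/-fno-pie as the off-switch, plus a check that reads the ELF header with od to confirm an executable came out as ET_DYN (the form the loader can place at a random address; an ET_EXEC binary is mapped at its fixed address and its own code gets no randomization). The spec lines, the -fPIC/-shared/-static exclusions, and the sample ELF headers are assumptions and constructions of this example.

```shell
#!/bin/sh
# Added example, not from the original posts or from Ubuntu's gcc packaging.
# The cc1 spec is reached through %1 in cc1_options, so appending to it covers
# cc1 and cc1plus alike; the link spec adds -pie so the result is actually a
# position-independent executable rather than just PIE-compiled objects.
# A leading "+" appends to the existing spec instead of replacing it (GCC
# manual, "Spec Files").  -fno-PIE / -fno-pie on the command line switch both
# off, matching the post; -fPIC/-fpic and -shared are excluded so shared
# libraries keep ordinary PIC code, and -static/-r never get -pie.  Assumed,
# not tested against the 2008 Ubuntu toolchain.
write_pie_specs() {
    cat > "$1" <<'EOF'
*cc1:
+ %{!fno-pie:%{!fno-PIE:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!shared:-fPIE}}}}}}}

*link:
+ %{!fno-pie:%{!fno-PIE:%{!shared:%{!static:%{!r:-pie}}}}}
EOF
}

# Report the ELF object type of a file using only od: "\x7fELF" magic at
# offset 0, EI_DATA at offset 5 (1 = little-endian), e_type at offset 16.
# Prints ET_EXEC (fixed load address), ET_DYN (PIE or shared object) or
# ET_<n> for other types; prints NOT_ELF and returns 1 for anything else.
elf_type() {
    f="$1"
    set -- $(od -An -tu1 -N18 "$f")
    if [ "$#" -lt 18 ] || [ "$1" -ne 127 ] || [ "$2" -ne 69 ] \
       || [ "$3" -ne 76 ] || [ "$4" -ne 70 ]; then
        echo NOT_ELF
        return 1
    fi
    if [ "$6" -eq 1 ]; then
        t=$(( ${17} + ${18} * 256 ))     # little-endian e_type
    else
        t=$(( ${17} * 256 + ${18} ))     # big-endian e_type
    fi
    case "$t" in
        2) echo ET_EXEC ;;
        3) echo ET_DYN ;;
        *) echo "ET_$t" ;;
    esac
}

# Constructed 20-byte ELF64 little-endian x86-64 header with the requested
# e_type, enough for elf_type to inspect; it is not a runnable binary.
make_fake_elf() {   # $1 = path, $2 = exec | dyn
    case "$2" in
        exec) t='\002' ;;
        dyn)  t='\003' ;;
        *)    echo "make_fake_elf: type must be exec or dyn" >&2; return 1 ;;
    esac
    # magic, EI_CLASS=2 (64-bit), EI_DATA=1 (LE), EI_VERSION=1, ABI + pad zeros
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    # e_type (LE), then e_machine 0x3e (x86-64)
    printf "${t}"'\000\076\000' >> "$1"
}

# Stand-alone run: write the specs file and classify both constructed headers.
tmp=$(mktemp -d)
write_pie_specs "$tmp/pie.specs"
make_fake_elf "$tmp/exec.hdr" exec
make_fake_elf "$tmp/dyn.hdr" dyn
echo "exec header: $(elf_type "$tmp/exec.hdr")"
echo "dyn header:  $(elf_type "$tmp/dyn.hdr")"
rm -rf "$tmp"
```

On a host with gcc, gcc -specs=pie.specs -o prog prog.c followed by elf_type prog should report ET_DYN, and adding -fno-PIE should bring back ET_EXEC on a toolchain that does not already default to PIE.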