setuid() time bombs

When the setuid() bug hit vixie-cron I was sure we were going to see a lot more of those exploits in the near future. It seems I was too pessimistic, though; only one or two have been discovered since then, although I think auditors will keep an eye on that from now on. Anyway, I’d like to recommend some (IMHO) good reading:

http://www.csl.sri.com/users/ddean/papers/usenix02.pdf

Update: Next in line is mit-krb5 … more to come, I guess 🙁
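The class of bug behind the vixie-cron issue is a setuid() whose result is never checked, so the process keeps its root privileges when the call fails; below is an added example in C of the checked-and-verified drop that prevents it (not code from this post, from vixie-cron or from the linked paper). The fork-then-drop structure, the function names and the 65534 target id are assumptions of the example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid and verify; 0 on success, -1 on failure. The "time bomb" is a
 * daemon that ignores the result of setuid(): the call fails (e.g. the target
 * user is at its process limit) and the job keeps running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first; only root may (and must) clear them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid before uid: after setuid() an unprivileged process cannot setgid(). */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify: all ids changed, and for a non-root target root must not come back. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid ||
        (uid != 0 && setuid(0) == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Cron-style pattern: fork, drop in the child, exec the job only after a verified
 * drop. Returns 0 only if the child reported a verified drop, -1 otherwise. */
int run_unprivileged(uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) /* child: a real daemon would exec the job here on success */
        _exit(drop_privileges(uid, gid) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Demo (constructed target): as root drop to 65534 ("nobody" on many systems),
 * otherwise "drop" to our own ids, which must still verify cleanly. */
int demo(void)
{
    return geteuid() == 0 ? run_unprivileged((uid_t)65534, (gid_t)65534)
                          : run_unprivileged(getuid(), getgid());
}
int main(void) { return demo() == 0 ? 0 : 1; }
```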

Well, I’ve had it. Enough of the Oblivion hype, that is. You’d probably argue that an old fart like me [he he] shouldn’t be playing games anymore, but I still do, from time to time.

Less often, lately, due to the increasingly fast downfall of the games industry. The best example of that has been Oblivion, which demonstrates what a menace the games industry has become today.

Oblivion is the successor to the rather successful RPG Morrowind. When Morrowind was released it was critically acclaimed as one of (if not the) best RPGs ever, and players all over the world followed that sentiment, despite obvious glaring problems (most of which have never been resolved).

Oblivion set out to redefine the genre again, and, according to games magazines and online media, succeeded. That, unfortunately, only shows how all the stuff works together these days.

First of all, the game itself. The graphics, as you may have heard, are nice. But not *too* nice, actually. The reportedly jaw-dropping moment you step out of the sewers failed to drop my jaw. Only after installing some big texture replacements did I feel my jaw move a little. If you have seen the NPC faces you’ll know how to define “ugly”. Those are, if it was reported correctly, 128×128 textures, and they look like I-won’t-say-what on my 21 inch display running 1600×1200.

Then there’s the game mechanics. The Morrowind system was dumbed down somewhat, which in itself probably wasn’t such a bad idea. But Bethesda managed to retain some *really* useless stuff in there, so maybe they dumbed down the wrong things …

Then there’s the console port. Usually, when I see a PC game with a console version I avoid it like the plague. I should have done that with Oblivion, too. Everything is just GIANT (so as to be of any use on a TV screen), making for example the inventory a bad joke with like 7 entries displayed at once. Another mod was needed (actually, I used two) to make it bearable. And I could rant about the mind-blowing stupidity of “minigames” for about 12,000 more characters. Which I won’t.

What Bethesda didn’t fix is the level(l)ing mechanics. It’s basically still the same stuff Morrowind suffered from; getting multipliers completely distracts from game immersion … there’s another mod to fix it, though I didn’t try it.

The worst thing of all, though, is the new “leveled content” system. It’s the laugh of the century. It basically does nothing but keep your progress in a very small corridor, and completely takes away any good RPG experience, since you really can’t get in over your head, except by messing up your character build (the leveling system is supposed to feel “natural”, but to really benefit from it you have to put a lot of thought into it). So you can basically go anywhere at any point in time and don’t have to fear that you’re not prepared for the challenge. A good thing if you don’t like surprises and need something to lull you to sleep. Oh, I forgot that your special quest rewards are leveled to your character, so anything interesting you do early on leaves you with a kid’s weapon or armor later.

I have to admit that some of the quests are really the best any RPG has ever seen, especially the Thieves’ ones. But, after I played my first (and only) character through all guild quests, the main quest, and virtually all other quests (there may be a handful that I missed) … there’s nothing left to do. My character excelled in everything – without cheating, of course – so what’s left to discover? Nothing. That didn’t happen with Morrowind. But now, my copy of Oblivion is for sale, since I saw it all – and it was quite shallow.

Which brings us back to the beginning – why was this game hyped so much? Probably the result of good PR (and a prior success). To understand that you have to understand how the media works, at least (but not limited to) in the gaming sector. If a magazine (print or online) pisses off a distributor, they won’t get ads and reviewer’s copies (often beta versions). If you don’t get reviewer’s copies, you’re basically out of business, since everybody else writes how great a game is, only you can’t. If you don’t get ads … well, figure that out for yourself .-) So, you can’t afford to piss them off (only the minor players who are still happy to be mentioned at all can) … ’nuff said. Plus, you usually get to review beta versions that don’t tell you about the quality of the finished product. The German version of Oblivion, for example, reportedly suffers from extremely bad text translations. The voiceovers seem to be fine (the German distributor managed that), but the text seems to be a major mess (Bethesda managed that). No German media hinted at that, since they all had English copies to review only. (Luckily, I played the English version .-)

Résumé? The industry is in shambles and there’s little hope. Money-grinding monsters like WoW are going to dominate the future. Let’s see whether there’s hope (from a small developer like Piranha Bytes with Gothic III, for example) …

While we’re at it … security and speed

Since SearchSecurity’s ranking is attracting some attention, I’d like to share my opinion. Though I am part of the security team, I can only present my personal point of view (as always in this blog .-).

You can doubt or disagree with the ranking in any form you like, and there may be some strange points in there. But that, frankly, is not important.

What is important is to ask how well we do compared to how well we could do, and then make changes accordingly.

First of all, note that we will not be able to deal with vulnerabilities the way Ubuntu does, or other companies that pay their employees for doing that stuff. We’re community-based. People spend their free time digging into vulnerabilities, getting new ebuilds ready and testing them.

Second, we have a lot more architectures to care about than other distros. Not all are supported security-wise, but still, it’s a nice list if you want to make an impression.

Third, fixes are often available way ahead of any GLSA. That is not true for every arch, it is not true in every case, and it is not generally true .-) Still, users who update often are quite frequently protected even if no GLSA has been issued yet. The GLSA is only the last step in the whole process.

That being said, it should be clear we are not aiming to be #1 on that list.

But there are things we could do better.

  • Work faster. That’s kinda hideous to say to somebody who is spending his free time on a project, of course. At least it applies evenly to the sec team, herds and arch teams :] The latest vulnerabilities in the Mozilla products were a good example that shows a nice mix of problems:
    • The mozilla herd recently reformed itself and was thus hampered in action.
    • Arch teams can’t always stabilize on time regarding the vulnerability policy.
    • Sec team isn’t always as fast as can be. (In this case the GLSA could have been ready once the last arch went stable, but it wasn’t. I do admit, for example, that I had not commented on the GLSA at that point in time yet, as I should have.)
  • Collect a little love for Security. Security bugs are fascinating to those who discover them, try to exploit them or try to defend against them. For developers interested in the progression of a piece of software, they are a boring nuisance that blocks the way ahead. Still, we might want to remind everybody that there is the Vulnerability Treatment Policy, and that it is agreed to be an important part of Gentoo.
  • Enforce the policy. Another hideous suggestion, I know. But we might want to adhere more strictly to our own rules. We might want to mask apps with vulnerabilities that don’t get fixed in due time. This is of course bad, because it will break things. A lot. And I hate broken things.

All this may, of course, be complete bull from someone who hasn’t been around long enough, at least from a dev’s perspective. And I don’t want all that “in there” like I wrote it. Nevertheless it might get one or two of you to think about it, poke me in the eye and suggest something better. Please!

Just how “difficult” is Gentoo?

I’ll try to make it short this time and share some experience I’ve had with the ‘new user’ side.

Installation

  • I’ve had absolute Linux newbies successfully install Gentoo as their first Linux ever, with *very* little input from my side. (I guess I should just praise the efforts of the documentation team at this stage: You’ve done a nice job!)
  • I’ve also had more experienced users fail on the installation, even multiple times.

Conclusion

  • The Gentoo Handbook will reliably get you up and running if you follow it closely. It’s easy to stray off, though, simply by skipping a line. You’re also very much in the dark if ‘something bad’ happens (grub won’t install, for example) or you’re on non-mainstream hardware. I think the first part can be helped, the second only to a small degree, of course.

Suggestion

  • Maybe a bit of simple formatting could already help, meaning whitespace. If you install Gentoo, chances are that you’re using links to view the documentation, and it’s very easy to get lost there. Really, this is not a joke. I’ve seen it multiple times: People follow the doc, skip a line and end up in a mess.
  • Maybe some more background info (even better maybe to have a background document/wiki to link to, although that only works for online users) could make things clearer, too. Meaning if I don’t know about grub I can get some hints or read what others have written in the gentoo-wiki, for example. That might also help the ‘in the dark’ part a bit. If anybody from docs is interested I’d be willing to contribute.

Maintenance

I run Gentoo on multiple servers and workstations. It is by far the most manageable Linux on the planet. Here are the pros & cons:

Pros

  • I call Gentoo a ‘streaming distro’, since there are no releases (okok, there *are* releases, but you know what I mean .-), resulting in Gentoo being the only distribution that completely fails to make me explode in anger because I need to go through an ‘upgrade’. I have had dangerously high blood pressure with any other distro, SuSE being notoriously ugly in wrecking systems (back in the < v.7 times, at least). Even Ubuntu failed to upgrade from 5 to 6 in a really smooth manner (it worked, but there were quite some quirks left that were difficult to figure out). I can even upgrade the toolchain without fearing for my life. So far Gentoo has prolonged my life quite a bit, since blood pressure that high sure ain’t healthy.
  • Portage is just great. It figures out dependencies and (almost always) does ‘The Right Thing (TM)’. Probably I’m just too stupid to use rpm, but I’ve had a hell of a time with that thing. Need some extra feature? USE it, build it, done. Great, great, great. I don’t even have to figure out obscure package names of dependencies .-)

Cons

  • You really need to keep updated. There’s no real path of *not* updating. No security backports, for example. That is a little dangerous on the servers. If you don’t keep up, you may easily be buried under a lot of changes; especially since you need to keep updated on those changes, too (mailing lists/announces etc.). Chances are, you don’t have all the information at hand if you wait too long before updating. It gets problematic on stuff you might not want to update, say PHP. When PHP6 comes out, it will break a lot of apps, presumably. Now, we still have 4.x in the tree (and 5.x didn’t break as many apps as 6 will do, IMHO), but for how long?
  • That also means Gentoo is still high maintenance. I have little problem with that, but I think some may have. I usually update all boxes frequently (at least once a week), so it’s basically continuous work, but in short periods only. Nevertheless, you need to have some time to put aside for maintenance.
  • Things break. This comes in waves. All can be fine for months, and then you have a week where everything breaks. I have no clue how this happens, but it happens. The bad thing is that with all the configurability you can’t test everything (unless you have completely redundant servers). I have some ‘single’ machines that are backed up by standby hardware and backups, though, that don’t have a test environment assigned. An update that merges fine on 4 test and 4 productive machines may still break on the next box due to a different USE flag, for example.
  • Design changes. Those really hurt. Like Apache. Reminds me of the SuSE times again (every release did everything completely different; it was so unbelievably bad to have to look for all the stuff in different places every time …). Sure, if you make a bad design choice, you’ll have to fix it at some time. It’s probably better for everybody’s sanity than keeping wrong stuff around for ages (see Windows .-). But it hurts.

Suggestion

  • Most if not all b0rkage can be avoided by using portage logging or ELOG. I have wanted this from the beginning, and now it’s been around for some time, it’s great, and everybody should use it. Though none of the new Gentoo users around here knew about it. That’s bad. It needs to go somewhere in bold and big.
  • Given the number of times you need to revdep-rebuild something, ‘gentoolkit’ should IMHO be in the default profiles.
  • Users need to be informed of changes, so something like GLEP 42 would be more than helpful.

Verdict

Gentoo is not a ‘dumb user’ distro, and I guess we all know that, and I guess we’re not really aiming for that, either. Nevertheless, we still fall a small step short of what we can do for the ‘educated user’, which is what I’d call the Gentoo target. If we can push it a little more, we’re on solid ground. I think it’s amazing how mature this project has become already.

Nevertheless, I’d like to remind everybody that we should not ignore users with a low level of expertise. Our forums are known as one of the top resources to get Linux help. Our users are known to be helpful, our devs are known to be skillful. There is no need to ignore the lower end, and, seeing that the 2006 releases contain a graphical installer (didn’t try it, though), it seems we aren’t, either.

So, in my opinion, we should do whatever is possible to help new users (and gain new users, in that regard). I’m about to discuss some ideas with the re-formed PR project and we’ll see how that goes. My two cents are simply: Don’t redline somebody when in doubt, only when you’re sure you have very good reasons .-)

-frilled (hmm, was that ‘short’?)