RC bugs 2010/41

Another week has passed, where is Squeeze? Sadly, I did even less than the week before, but here is the log anyways:

  • #599782 - pyopencl: FTBFS: ImportError: No module named pyopencl the build process imports the just built module to generate the docs but the build-path guessing in debian/rules is broken, after some testing Jakub has posted the right snippet needed. RT has to decide whether maintainer can upload a slightly updated upstream version with the fix, or the on in the archive (with the fix too ;))
  • #598202 - update-manager-gnome: will not start this one is from the last week - neither me nor the submitter can reproduce it any longer, thus closed
  • #599523 - update-manager-gnome: wants to downgrade packages without any notice submitters pinning seems broken, waiting for a reply
That's all. Sorry, I had a busy week.

RC bugs 2010/40

Let's join gregora and zack (and others, too lazy to search for links/names) and fix some RC bugs in Debian! So what happened last week?

  • passenger (#599024): passenger-doc: Package is empty - patch sent on 06.10.2010, lucas has uploaded it on the 07.10.2010 (with my name in Changed-By *g*)
  • cpu (#598173): cpu: FTBFS: Unable to locate package cracklib2-dev - NMU prepared and uploaded to DELAYED/10 on 06.10.2010 (10 because cpu has 2 important bugs I did not fix)
  • update-manager-gnome (#598202): update-manager-gnome: will not start - seems to be an issue with lsb_release, but I cannot reproduce it, asked submitter for more info
  • ktoon (#599303): ktoon: KToon crashes with Signal 11 - cannot reproduce either, asked submitter for more info
What does that mean? Two bugs are (almost) closed, two need more work. And this leads me to a feature I miss from http://udd.debian.org/bugs.cgi: a comment field as http://bts.turmzimmer.net/ has it. Will ping lucas about this later today. Oh, and on a side-note, I joined http://ask.debian.net - let's help our users :)

What to flattr?

The month is coming to an end, and I'd like to recommend you some things on flattr.com :) OpenRheinRuhr - Ein Pott voll Software Die OpenRheinRuhr ist eine Messe mit Kongress rund um das Thema "Freie Software". Die OpenRheinRuhr 2010 findet am 13. und 14. November im Rheinischen Industriemuseum in Oberhausen statt. Freie Software ist aus Firmen, Verwaltungen, Bildungseinrichtungen und Privathaushalten nicht mehr wegzudenken. In der bevölkerungsreichsten Region Europas bietet der OpenRheinRuhr e.V. durch Ausstellungen, Vorträge und Workshops Informationen über Freie Software. Auch Themen jenseits der Technik, wie "Bürgerrechte im Netz" oder die Handhabung von Lizenzen werden behandelt. Vorträge in mehreren Tracks sprechen Menschen mit unterschiedlichem Kenntnisstand an – vom Anfänger bis zum Profi. Entwickler & Projekte bekommen die Gelegenheit zum Erfahrungsaustausch. Weitere Informationen und Anmeldemöglichkeiten unter: http://openrheinruhr.de BitlBee The IRC geek's solution to instant messaging. Tunnels instant messaging traffic (supporting all popular IM protocols and Twitter) to a virtual IRC channel and virtual IRC queries. Can be installed locally, but also available as a public service for people who can't/don't want to install it. KiBi’s blog This blog mainly features Debian-related posts on various topics: X.Org package maintenance (including calls for help, and status updates towards users), Debian GNU/kFreeBSD (GNU userland running on a FreeBSD kernel), and Debian’s Graphical Installer (now based on X.Org). Also some upstream stuff, like the bugzilla replica type for SD (Simple Defects). phpMyAdmin phpMyAdmin is a tool intended to handle the administration of MySQL over the Web. It can create, rename, and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, create dumps of tables and databases, export/import CSV data, and administrate one single database and multiple MySQL servers. Debian Backports Over the last years I did numerous backports for Debian and also run backports.org. Since September 2010 we moved backports.org to backports.debian.org so its an official Descriptions shamelessly stolen from flattr. Some words on these things:

  • OpenRheinRuhr is a nice small FOSS event in my area
  • I'm using BitlBee every day as my main jabber client
  • KiBi just rocks ;)
  • phpMyAdmin is a tool I couldn't live/work without
  • formi runs backports very good :) (yes, I know, he is not the only one)

PokerTH in Debian and Ubuntu

If you do not play PokerTH yet, you might want give it a try :) If you already do, read on :)

PokerTH 0.8

PokerTH 0.8 was released a couple of days ago. The most exciting feature of this new release is the online ranking feature: you can register at poker-heroes.com and login with these credentials in PokerTH, now your games will be logged and you might reach place 1 at the ranking site. However, you won't see 0.8 if you do not have experimental (for Debian) or the pkg-games PPA (for Ubuntu) in your sources.list. As the release is only a few days old, it won't be included in Squeeze or Maverick. Sorry for that. But I plan to provide needed backports as soon they are needed (currently experimental and PPA should be sufficient, tell me if they are not).

PokerTH 0.7.1

As written above, 0.8 won't be shipped in Squeeze and Maverick, but 0.7.1 will be. With the release of 0.8, upstream has moved their server to 0.8. This means that Debian and Ubuntu users won't be able to play internet games on the official server (as long they did not install 0.8). I've set up pokerth.debian.net running 0.7.1 and have just uploaded 0.7.1-2 which uses this server as default one to unstable (sync to Maverick will follow in a couple of hours). However, default means default on new installs. If you have already played PokerTH, you have a ~/.pokerth/config.xml with the upstream server in it and you have to change this if you want to play on my server. Please read /usr/share/doc/pokerth/NEWS.Debian.gz for this:
pokerth (0.7.1-2) unstable; urgency=low

  The server at PokerTH.net now runs the 0.8 version of the software,

  which is incompatible with 0.7.x we ship in Squeeze.

  Because of that a 0.7.x server is running on pokerth.debian.net.

  On new installations this will be the default server used.

  On old ones you have to reconfigure your client yourself.

  Either set "Serverlist Address" under Settings → Internet Game to

  "pokerth.debian.net/serverlist.xml.z" or use the "Manual Server

  Configuration" using "pokerth.debian.net" as the server address.

 -- Evgeni Golov  <evgeni@debian.org> Mon, 27 Sep 2010 14:09:17 +0200
Sorry for that and enjoy nice flops and raises :)

Vier Plakate für ein ORR

Gestern bin ich endlich dazu gekommen, meine OpenRheinRuhr Plakate bei mir in der Uni aufzuhängen. Eigentlich sollten jetzt vier Bilder folgen, wie die Plakate angebracht sind, aber irgendwie meinte mein Milestone nur eins der Bilder tatsächlich speichern zu müssen, wodurch ihr euch die Plakate im Glaskasten beim Haupteingang zu 25.12, vor dem Sekretariat der Betriebssysteme und neben dem Seminarraum der Datenbanken/Rechnernetze jetzt vorstellen müsst. Hier ist nur das neben der Fachschaft Infromatik zu sehen: image Ein herzlicher Dank geht an die Fachschaft Informatik (für den Platz neben der Tür und im Glaskasten), sowie Frau Rennwanz (Betriebssysteme) und Frau Freese (Datenbanken/Rechnernetze). Wir sehen uns in Oberhausen!

How to bypass DNS-based spam-filters using DNS

I've been sitting on this one since more than a month. I've contacted upstream on the 19.08.2010 and the Debian maintainer on the 02.09.2010. No reaction from them till today, and no, my spamfilter does not eat mail ;) Still, I won't tell you the name of the software (but you could easily guess or check...) So let's put the grey hat on and begin ;) Foreword: when I write spam-filter, I mean some DNSBL/SPF/blah filter, not SpamAssassin, crm114 or other content-based filters.

common spam-filters

There are plenty of spam-filters out there which work after the following schema:
for check in checks:

    if check(mail) == BAD:


And the checks often look like this:
def check(mail):

    errors = False

    result = some_magic(mail)

    if not errors: return result

    else: return GOOD
Here some_magic is a function that do the actual checks (DNSBL lookups etc) and which stores possible happened errors in errors. If an error occurred, it's safer to say the mail was good (or at least not bad) than bad.

the problem

This looks like a sane approach on the first sight: iterate over all checks and execute them until a mail is found to be spam (and the corresponding check did not end up in an error (imagine some weird DNS error for DNSBL or SPF checks here)). But then the author realizes that the errors might be "global", like with DNS: when the first check notices that it can't resolve anything (ie. it ran into a DNS timeout three times in a row), the second check (which also utilizes DNS queries) will most probably result in an error too. After this he adds a global counter for DNS errors and skips all the checks that use DNS if this counter is >=3. "Great idea", you say, "saving resources is good". "Bad idea", I say... The reason is simple: DNSError != DNSError. Why? The local resolver might be broken, then every DNS query will end up with an error and DNS-based checks should be really disabled. The first three (out of eg. ten) DNSBLs might be down, but that's not a reason to skip the other seven and the SPF check. Etc... Now let's assume all configured DNSBLs are working properly, so is the local resolver and the checks are:
checks = [check_HELO, check_SPF, check_DNSBL]
How could one attack this filter?

the attack

Set up the following zone
spam.example.com IN NS ns1.example.com

spam.example.com IN NS ns2.example.com

spam.example.com IN NS ns3.example.com

spam2.example.com IN MX mx1.spam.example.com

spam2.example.com IN MX mx2.spam.example.com

spam2.example.com IN MX mx3.spam.example.com

spam2.example.com IN MX mx4.spam.example.com

ns1.example.com IN A

ns2.example.com IN A

ns3.example.com IN A
and greet the to-be-spammed-MTA with EHLO client1.spam.example.com What happens? The spam-filter tries to resolve client1.spam.example.com in check_HELO to check whether the hostname matches the IP-address the connection is coming from, fails three times (there are no reachable DNS servers in and continues with the next two checks, but these are skipped because of previous DNS errors. As no checks could identify the mail as being spam, the mail is delivered to the users mailbox. With some creativity this can also be used in SPF records (via spam2.example.com), sender-domains etc.


If you want to save resources by skipping DNS-based checks after another (DNS-based) check failed - don't! Think whether this is really the same error you are seeing... Additionally this can be used as a sort of DoS against the not said software: according to the logs each of my tries needed between 30 and 36 seconds (!) to complete - imagine some hundred simultaneous requests...

the end

You think I did something wrong with that post? Throw the first stone then, I don't care.

For Facebook's Sake

I must admit, I do not really get the point of the ongoing discussion about having an "official" Facebook page. In my understanding it should be a source of information about Debian for Facebook users, technically a mirror of www.debian.org/News and debian-devel-announce@lists.debian.org. Yes, Facebook is a piece of non-free, data-harvesting sh*t. But there are users, maintainers and developers who use that service (they also use Twitter, Xing, Linkedin, StudiVZ, MeinVZ and so on). Why should we prohibit them to have an official source of information on their platform? If there is someone who wants to run that kind of service: go for it! Or would we prohibit someone to run a mirror of ftp.debian.org on a Windows machine just because the surrounding environment is non-free¹? Most probably, that wouldn't be an official mirror listed on www.debian.org/distrib/ftplist, but it would still contain the official set of packages, signed with the official key of the archive. Btw, is @debian on Twitter "official"? And please, do not compare this situation to SourceForge, GitHub, Google Code etc. It's just not the same! On SourceForge etc one relies on a non-free service as the primary way of distribution (that's not perfectly true for DVCS based services, as here one can push the tree to every service one has access to). On Facebook we'd just have a mirror of the already "freely" available information. ¹) do not forget: almost every machine used for hosting/developing/whatsoever Debian has non-free hardware, firmware etc!

Using plugins.svn.wordpress.org with Git

So I got SVN access to plugins.svn.wordpress.org, but I hate SVN. Let's just use Git instead of SVN, especially when I already have my plugin as Git on github.com :)

git svn clone -s -r283636 https://plugins.svn.wordpress.org/statusnet-widget/

git remote add -f github git://github.com/evgeni/wp-statusnet-widget.git

git merge github/master

git svn dcommit
(note the -r283636 - it's very important, if you ommit it, git svn will fetch 280k revisions which takes ages, if you put it to something AFTER your repo was created, the log will be b0rked*) Done! Now you can work as usual, push to github and commit to svn via dcommit :) PS: Dear WordPress.org Team, you have working SSL, why do you still have http-links in your mails? *: You can find the revision you need by looking at http://plugins.trac.wordpress.org/log/statusnet-widget/ - you need the one when plugin-master created your repo :) Thanks nplus for reminding me about this on XMPP :)

The joy and pain of WordPress

As you may not have noticed, I migrated my site to WordPress some time ago as I did not want to maintain the old piece of crap I wrote myself when I was "young" ;) Today I want to tell you a story of the development of a plugin for WordPress. As the title says, it's much about joy and pain and I think I should start with the pain :) WordPress is written in PHP, so are the plugins for it. And PHP is REAL pain (but there is no decent blogging software for Django or Zope that would fit all my needs). It is especially pain when you work with Python every day. What the heck are those curly braces and dollar signs and "$this->"? That's just not the way Guido indented it ;) Additionally my last contacts with PHP were some time back in 2008 when I hacked on SysCP, which today result in commits like this:

-        if (is_int($new_instance['max_items'])) $instance['max_items'] = $new_instance['max_items'];

+        if (ctype_digit($new_instance['max_items'])) $instance['max_items'] = $new_instance['max_items'];
But I have to admit that the WordPress API is pretty good. Not very well documented (the wiki pages at codex.wordpress.org are sometimes outdated), so you have to read the source and google a bit, but when you found the needed sources, it's pretty straight forward. My plan was to write a simple widget, displaying my Twitter and identi.ca timelines. Yes, both together, not one widget per service. The reason for this is the fact that I mostly post via identi.ca and the messages get synced over to Twitter and only the local replies and retweets/redents differ. The basic WordPress widget would look like this (source: http://codex.wordpress.org/Widget_API#Developing_Widgets_on_2.8.2B):
class My_Widget extends WP_Widget {

    function My_Widget() {

        // widget actual processes


    function form($instance) {

        // outputs the options form on admin


    function update($new_instance, $old_instance) {

        // processes widget options to be saved


    function widget($args, $instance) {

        // outputs the content of the widget



One only has to modify the widget() function and here you go. From some other Twitter plugin I knew that I only had to include rss.php and call fetch_rss(url) for every feed URL to get the timelines as an array via MagPie. But when looking at rss.php, you notice the deprecation message in the header, saying one should use SimplePie now. Some google later I knew that I had to include feed.php and call fetch_feed(url) to get a SimplePie object representing the feed contents. But SimplePie is even cooler: I can call fetch_feed(array(url1, url2)) and get a merged feed, containing both. Now I added a duplicate filter to elliminate the messages posted to both, twitter AND identi.ca and my widget was ready. You can find the result on http://github.com/evgeni/wp-statusnet-widget and soon on http://wordpress.org/extend/plugins/statusnet-widget/ :)

That was FrOSCon 2010

Well, FrOSCon is over and it's time to sum up the event a bit. First of all: it was great! But it was also hot (I heard the air-condition is off during week-ends...) and busy. And still, it was great! :) Why? Mostly because of the people of course! It was esp nice to meet Rhonda in person (almost all other people [except the grml ones] in the Debian-and-Friends corner were the usual suspects who you see at every (big) FOSS/Linux event). I had some nice chats with Enrico (about Geany and Xfce) and Leo (about bley), besides of the usual "when will Squeeze be released?" and "how does X work in Debian?" with random people. When there are a lot of people, a key signing party isn't too far away. Thanks formorer for the orga! You still owe me a sig from FrOSCon 2008 ;) And if someone wonders why he/she got a sign-mail from me even when he/she wasn't at the FrOSCon KSP: I used the fact that I have to sign a lot of keys to sign even more (from the OpenRheinRuhr 2009 KSP and the BSP in Mönchengladbach at the beginning of this year [yes tg, I even signed yours, hope you liked the MIME]). As usual I missed almost every talk I wanted to hear and end up with just one (the one about RegEx), which sadly wasn't good at all. I guess that's all I have to say about FrOSCon. Oh wait, no, there was a questionnaire which included the question whether I'll visit future FrOSCons. Of course! Hope to see ya all at MRMCD, OpenRheinRuhr, 27C3 etc... So Long, and Thanks for All the Frogs!