MP4/AAC Tag Editor for Linux?

Is anyone aware of an MP4/AAC sound file ID tag editor for Linux? There doesn’t appear to be anything in Debian; a Google search doesn’t reveal any obvious candidates.

Announcing Freevite

Steve and I have decided to write and package freevite. Freevite will be a web-based event invitation/RSVP system licensed under the GPL. Before we start, though, I’m soliciting suggestions on the program. As far as I know, there is no free-as-in-speech web-based invitation package, and the world sorely needs one as commercial proprietary competitors brainstorm new ways to build a revenue stream from their product. It shouldn’t be that hard or time consuming to code, and it seems to me that we need a free-software standard product for this.

The program will probably be coded in perl, and give the administrator the choice of a simple file-system based data storage system or MySQL/PostgreSQL for better performance and data integrity. It should be possible for the administrator to plop the perl script down in a cgi-bin directory and set the proper permissions on the data storage directory and have a totally functional system, but also provide options for more secure (e.g., against cross-site scripting vulnerabilities) and sophisticated installations. The program will also be available as a Debian package, and support various ways of doing site-wide and user-specific installations (this will be tricky—Debian doesn’t seem to have a good solution for having packaged perl scripts like blosxom run on a per-user basis).

Administrators can configure the system so that anyone can create an event or only authorized users can create an event. There will be configurable privacy settings—if the user doesn’t want the inviter to know they’ve opened the invitation, they can indicate that, and the inviter will also have the choice of deciding whether to track opened invitations at all. You will be able to respond to an invitation without any registration or authentication process (having received the token for your invitation by email), but eventually there will probably also be a way to create a persistent identity linked with an arbitrary number of email addresses if you desire.

All presentation will be done with mailman-like templates, and the package will ship with some standard, clean, templates. Content will be properly separated into stylesheets and HTML.

Everything will be HTML standards compliant, and should render properly in text-based web browsers like w3m. There will be no required Javascript or any plugins, although there might be some optional Javascript content (my web-based photo gallery software, salonify, works this way).

Please leave suggestions, ideas, or recommendations as comments to this entry or email me. If there already exists a free-as-in-speech product that does all this, please let me know and I’ll stop right now.

Sorry Planet Debian

Apologies to any Planet Debian readers for having just monopolized the front page with several stories; I moved a bunch of old stories to a new blog topic, and apparently Planet Debian thinks they are all now new stories, even though they have their old timestamp. If anyone knows a remedy for this, please let me know. (I guess this entry is further compounding my overpresence!)

Reading Annoying HTML Mail in Mutt

I’ve tried several solutions for reading broken HTML mail in mutt, including my own custom Python hack, addMIMETextToHTMLEmail (this was actually the first Python program I ever wrote). Reasonably nice mail clients will send a plaintext part in addition to the HTML mail for us textophilic email users, but the dominant Microsoft Hotmail and Microsoft Exchange send HTML-only mail with no plaintext part. I wonder if they do this because they expect anybody worth writing to these days is using Microsoft Outlook or Microsoft Hotmail.

I think I’ve recently discovered the best solution, since my addMIMETextToHTMLEmail script doesn’t always work properly and is probably unnecessarily complex:

  • Download and install demoroniser. You may need to tweak it slightly, since it expects perl to be in /bin/perl.
  • Install html2text (Debian package, separate source available from Martin Bayer).
  • Add to ~/.mailcap (this all needs to go on one line):
     text/html; /home/adam/bin/demoroniser.pl -q -w0 '%s' | /usr/bin/html2text -width 90 -style pretty; copiousoutput; description=HTML Text 

    You may prefer a wider output; the person who suggested this to me uses 158.

  • Edit ~/.muttrc and add:
     set implicit_autoview=yes 
  • You should now be able to view HTML-only emails in mutt without having any extra steps.

I’m considering packaging demoroniser for Debian, although it may fall below people’s ‘this script is too small to be its own package’ threshold.

Thanks to Alec Thomas, author of xchg2mail (which I’m also planning on packaging for Debian), for the tip.

Freevite

Freevite is a web- and email-based invitation and RSVP system, licensed under the GPL.

Details will appear here shortly.

Cupsys Fixed

At long last, my bug #184361 is fixed and my one line patch has been accepted! This is a happy day for me. I receive dozens of hits per day related to this bug, which prevents users from cancelling their own print jobs without authentication. I’ve also had to respond to a lot of email over the last couple of years helping people rebuild cups with this patch.

My only regret is that my useful linux page is slightly less useful now that my patch has been accepted.

PHP Perils

Alas, the meanies have finally started to invade bostoncoop.net, my own little web/mail/email list server. I knew it would happen sooner or later, but I just wish attackers would focus on the bad guys.

First, I’m starting to see more and more spam in the various wikis hosted at bostoncoop.net. Apparently, the spammers have developed bots that insert commercial links into common wikis that don’t restrict access. I’ve gone through and manually removed the commercial links (although of course they persist in the wiki history).

I feel like I deeded my back yard as an open nature conservancy in public trust, and people are leaving cigarette butts all over the place.

I’m also experiencing fairly regular attempts to crack into the system by people who scour the web for PHP vulnerabilities. None of them have been successful, and I’ve been learning more and more about what I need to do to better lock down the system, but it’s still sad to have more and more volunteer sysadmin time going to these sorts of “nonproductive” uses.

A word of advice to any server admin newbies out there: if you have any place where people are allowed to upload files on your site, don’t call it “upload.php,” “upload.html,” or anything similar. I expect I could have avoided 99% of the PHP-based cracking attempts just by renaming the upload URL to something nonobvious. (I know this isn’t “real” security, but just about every attack I’ve seen starts with a google search for upload.php or something similar).

Another tip: most Apache/PHP installations run PHP as an Apache module rather than as a CGI script. This means that the standard means for controlling CGI—Options ExecCGI in httpd.conf and .htaccess—are ineffective. If you allow anything with a .php extension to run by default, you are inviting trouble (trust me). You would think it would be well documented and easy to find how to turn off PHP execution except where enabled, but in fact it wasn’t. The best solution I found was to put the following in httpd.conf for your site’s directories:

php_flag engine off

Then any user who needs PHP enabled can enable it on a directory-by-directory basis by putting the following in .htaccess:

php_flag engine on

I tried disabling PHP per-directory with RemoveType .php and RemoveHandler .php in the .htaccess file, but this apparently had no effect.
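
An audit for the setup described above, as an added example that is not part of the original post: with php_flag engine off as the server-wide default, it lists every directory whose .htaccess turns PHP back on and tags the world-writable ones, since those are the typical upload targets. The function names and the WORLD-WRITABLE tag are made up for this example, and it assumes .htaccess overrides of php_flag are permitted (AllowOverride Options or All).

```shell
#!/bin/sh
# Added example: audit helper, not code from the original post.
# Usage: sh php_audit.sh /path/to/docroot   (script name is hypothetical)

# Exit 0 if the last "php_flag engine" directive in FILE is on/1.
# Comment lines are ignored; directive names are case-insensitive.
htaccess_enables_php() {
    awk '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^[ \t]*#/ { next }                # skip commented-out directives
        tolower($1) == "php_flag" && tolower($2) == "engine" {
            v = tolower($3)
            state = (v == "on" || v == "1") # later directives override earlier
        }
        END { exit(state ? 0 : 1) }
    ' "$1"
}

# Print one line per directory under ROOT whose .htaccess enables PHP.
# Directories writable by "other" get a WORLD-WRITABLE suffix.
php_enabled_dirs() {
    find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
        if htaccess_enables_php "$f"; then
            dir=$(dirname "$f")
            # Ninth character of the ls mode string is the other-write bit.
            case $(ls -ld -- "$dir") in
                ????????w*) printf '%s WORLD-WRITABLE\n' "$dir" ;;
                *)          printf '%s\n' "$dir" ;;
            esac
        fi
    done
}

if [ "$#" -gt 0 ]; then
    php_enabled_dirs "$1"
fi
```

Any directory reported with the WORLD-WRITABLE tag deserves a second look before leaving PHP enabled there.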

As GNU/Linux and other free software enters the mainstream, it’s important for all of us to do what we can to maintain proper hygiene. There are plenty of people interested in exposing security failures in the free software world, and we should give them as little fodder as possible. The recent Mozilla shell glitch (affecting only Mozilla on Windows systems) may be only the tip of the iceberg.

Recent Discoveries

To be added to my ongoing useful linux omnibus page:

  • Firefox 0.9 remote newtab syntax
    When I open a link from another application (gnome-terminal or evolution, for example), I would like it to open in a new tab in Firefox, so I had a script which I called newmoz:

    firefox -remote "openURL($1,new-tab)"

    This is my default web browser. With Firefox 0.9, the syntax has changed. You now need:

    firefox -a firefox -remote "openurl($1,new-tab)"

    I believe this has something to do with the confusion of the possibility of several related Mozilla applications running all at once, although I’m not entirely convinced. To make it really snazzy, try:

    firefox -a firefox -remote "openurl($1,new-tab)" || firefox "$1"

    This way, if firefox isn’t already running, it will still work.

  • Email yourself after a long task
    This is a really obvious one, but I only recently thought of it. Due to several recent failed hard drives, I’ve been moving a lot of data around from one drive to another, some through NFS, and some over my cable modem. Moving 200 gigabytes, even within a LAN, takes a long time—even longer if you throttle it so as not to congest the network too much. I would find myself checking back on the process every few hours, even though I knew it probably wasn’t done. So why not append a mail command after a long process? E.g.:

    rsync -Pa / storage.system.somewhere:backup ; echo done | mail adam

    Since I’m always checking email, I’ll find out as soon as it’s done, and waste less time continually checking back on the process, especially when the transfer might take three or four days.

  • ssh timeout error/connection reset by peer with rdiff-backup and D-Link DI-604 router
    Backing up bostoncoop.net over a cable modem takes a long time. If something goes wrong, rdiff-backup has to roll back the previous backup and start over. As best I can tell, rdiff-backup first makes the connection, then starts the roll back, but doesn’t send or receive any data during the roll back. On my system, the roll back can take longer than the timeout period for my DI-604 router—the consequence being that the connection is reset before the backup can start and rdiff-backup fails out.

    There’s an easy fix, which should come in useful to anyone with a router that is too vigilant about timing out ssh connections (for example, if you ssh to get your email and often leave the window alone for an hour at a time). Add the following to your .ssh/config:

    serveraliveinterval 300
    serveralivecountmax 10

    This will ensure that ssh will occasionally send an ACK-type request, every 300 seconds, so that the connection doesn’t die.

  • Fixed font in gnome-terminal
    I’ve wanted to use gnome-terminal for a long time, primarily because of the tabbed terminal feature (many terminals in one window) and because of the URL recognition (open a URL by right clicking on it). I also like being able to paste into the window with the keyboard.

    There was always one problem, though. The font. I know some people like the new fixed-width GNOME fonts, but I don’t. I just wanted plain old fixed, which I use with xterm (10×20). But that font never showed up in the list of available fonts.

    I finally found the solution in /etc/fonts/local.conf—namely, the following lines:

       

    Just uncomment the path, run fc-cache as root, and you should see fixed in the output of fc-list.
    I’m not sure how a naive user would ever figure this out, but then again, maybe a naive user wouldn’t care that much about having fixed font in gnome-terminal. I also don’t understand why we wouldn’t want users to have access to bitmapped fonts by default—why not just set the default font to something the GNOME people like, but have the other choice in there to start?

Okay, now I’ve really got to study for the bar exam.

Qemu

I just recently discovered qemu, and the result is that I’m a happy camper. I’m preparing for the Bar Exam using antiquated software from MicroMash, the “other” bar prep company (cf. Barbri, at about twice the cost). The program is basically a Visual Basic quiz application written originally for Windows 3.1 and updated slightly in the intervening time (the questions, of course, are entirely up to date to current law). It’s not a bad system—it tracks your progress as you go, and feeds you questions in the areas where you need to focus.

Obviously, there is no GNU/Linux version of the program. Less obviously, but perhaps predictably, the program doesn’t run under WINE either. I’ve found that new, highly complex software like Microsoft Office XP works much better under WINE than old, very simple programs like this quiz program. There was also no easy way to extract the questions so that they could be presented by some other Linux-native software.

Enter qemu, a virtual machine emulator included in Debian. With qemu, I can run a full-fledged Windows 98 box (or any other version of Windows that I might own) in a window on the Linux X desktop, and the bar prep program runs fine. Because my laptop is pretty fast, the resulting system is faster than any Windows 98 system I ever had in my Windows days, despite the emulation layer. Network and sound work as well. I had previously tried this on bochs, a similar emulator, but it was painfully slow (I think there are other advantages to bochs).

Plus, no worry about viruses and other forms of Windows pestilence, since the whole system is contained within a single file. Backup or “snapshot”? Just copy the file. Want to take a break? Just pause the whole machine. It’s all quite clever.

qemu is also in various stages of emulating several other common processors, including the PowerPC, so someday you could run Mac OS X Panther (or Jaguar, or whatever they call it), on a GNU/Linux system on a commodity PC… Even, say, an XBox.

It strikes me that these sorts of emulators are crucially important to the eventual world domination of linux. Just as today the only way I can run my old Commodore 64 software is with vice, someday the only way to run the thousands of obscure Windows programs now extant will be with WINE and virtual machines like qemu and bochs.

Evil

I just tried ‘evil’, and to my dismay (but not surprise) my custom built kernel is vulnerable. My system locked before I could even see the results of having pressed ‘return’ after typing the ‘evil’ command.

If you’re in charge of a public Linux system, please get patches immediately—they’ve got one for 2.6.7-rc3 as well as 2.4.25 and 2.4.26.

I wonder if the mainstream press is going to pick up on this and say “Look, Linux is just as insecure as Windows!” It’s basically impossible to get the mass media to understand that even a major exploit like this one pales in comparison to any one of the dozens of trivial Outlook or IE cracks that are circulating.