Pondering: should I ever go back (regularly)?

I used to spend a lot of time at the PC-BSD tech support forums (forums.pcbsd.org). As some should know, it is not one of my ‘favorite’ projects for numerous reasons.

I haven’t been active there in, I guess, nearly a year now. Shall we say, shuffling through like 50 threads a day and being one of the few paying attention got quite old, when I’ve so much else to worry about after work. Ending up as little more than a spam-patrol man wasn’t very interesting either. Although things have been relatively docile since FreeBSD opened their own forum, I hang my hat over at DaemonForums.org – a place that’s worth visiting.

One of the alarming things about forums.pcbsd.org: even while I am inactive, I still have several orders of magnitude more posts than everyone else… Man, I used to check that forum several times a day. At one point, I may have been the last skilled snook left; I hope that has changed….

What I hate about programming

Some months ago, when it reached Kris Moore’s attention (late as usual) that I had brought up security issues with his Firefox3 PBI, he changed it to something almost as bad. A couple of weeks ago, I heard back from Kris that he had [naively] changed the code for making Fx3 the user’s default browser so that it would no longer run as “root”. After a little more conversation he split it off into something better.

Originally it was a part of the script that runs during PBI installation (and worse than the script below); probably tired of my replies, he made an extra wrapper around Firefox3 that asks the user whether they want Firefox3 set as default or not, rather than working the user database at install time. (I refuse to comment on the following script’s predecessors: if you want to know more, read his SVN.) The solution he came up with for that wrapper was to invoke the following code as the user when necessary:

#!/bin/sh
# Helper script to make FF the default browser for a user
##############################################################################

# Get the users homedir
USER="`whoami`"
HOMEDIR="`cat /etc/passwd | grep ^${USER}: | cut -d ":" -f 6`"

if [ -e "${HOMEDIR}/.kde4" ]
then
    KDEDIR=".kde4"
else
    KDEDIR=".kde"
fi

if [ ! -e "${HOMEDIR}/${KDEDIR}/share/config/kdeglobals" ]
then
    echo "ERROR: No kdeglobals file for $USER"
    exit 1
fi

# NOTE: these temp file names are predictable (the PID is the only variable
# part) and "rm then create" in the home directory is not atomic; this is
# the temp-file handling the rest of this post complains about.
TMPKFILE="${HOMEDIR}/.kdeglobals.$$"
TMPKFILE2="${HOMEDIR}/.kdeglobals2.$$"
rm ${TMPKFILE} >/dev/null 2>/dev/null

cat ${HOMEDIR}/${KDEDIR}/share/config/kdeglobals | grep -v '^BrowserApplication' > ${TMPKFILE}

rm ${TMPKFILE2} >/dev/null 2>/dev/null
touch ${TMPKFILE2}
while read -r line
do
    if [ "$line" = "[General]" ]
    then
        echo "$line" >> ${TMPKFILE2}
        if [ "${KDEDIR}" = ".kde4" ]
        then
            # KDE4 spells the key BrowserApplication[$e]; the $e has to reach the
            # file literally, so it is escaped here (unescaped, the shell expands
            # it to nothing and writes "BrowserApplication[]=")
            echo "BrowserApplication[\$e]=!/Programs/bin/firefox3" >> ${TMPKFILE2}
        else
            echo "BrowserApplication=!/Programs/bin/firefox3" >> ${TMPKFILE2}
        fi
    else
        echo "$line" >> ${TMPKFILE2}
    fi
done < ${TMPKFILE}

# all finished, now move it back over kdeglobals
rm ${TMPKFILE}
mv ${TMPKFILE2} ${HOMEDIR}/${KDEDIR}/share/config/kdeglobals

exit 0

which is more secure than the original implementation, and more efficient also. Tonight I sent Kris a casual (read: adapt to need, don’t take as is) suggestion from yours truly:

#!/bin/sh
# Helper script to make FF the default browser for a user
# Should work for KDE3 and KDE4.
##############################################################################

PROG="!/Programs/bin/firefox3"
FILE="./share/config/kdeglobals"
UPDATED=0

for D in "${HOME}/.kde" "${HOME}/.kde4"
do
    # skip profiles that do not exist; a missing ~/.kde must not stop
    # ~/.kde4 from being handled, so this is 'continue', not 'break'
    cd "$D" 2>/dev/null || continue

    if [ ! -e "$FILE" ]
    then
        echo "WARNING: No kdeglobals file in $D, unable to set $PROG as default there" >&2
        continue
    fi

    # Edit in place with ed(1): no temp files of our own to get wrong.
    # '[' and ']' are escaped so ed searches for the literal header, and '|'
    # is the s delimiter because PROG itself contains slashes. If either
    # search fails, ed (reading a script) exits non-zero without writing.
    if ed -s "$FILE" <<EOF
/^\[General\]/
/^BrowserApplication.*=/
s|=.*|=${PROG}|
wq
EOF
    then
        UPDATED=1
    else
        echo "WARNING: could not update $D/$FILE (no [General] section or BrowserApplication key?)" >&2
    fi
done

[ "$UPDATED" -eq 1 ] || exit 1
exit 0

which should work as far as I can test, since I lack a working KDE install (compiling KDE4.2+ is on my todo list). It’s not perfect, but it sure is nicer than what he had a few months back. I included a diff of the two scripts in my last message, which may very well go against my decision to “never” send these people patches. But I really don’t care whether he accepts it or not, because while I believe in being helpful, I also do not like doing people’s jobs for them.

I’m a lazy good-for-nothing creep, but I am lazy of muscle – not lazy of mind. The most productive code I have ever written is the code I was smart enough /not/ to write in the first place.

lol@someproject

I don’t know what is funnier: reporting potential security errors to a project, or looking at the even worse ‘solutions’ they cook up.

Annoyance with half assed work

I will never understand why so many people seem to do so much insecure $h|+ with temporary files…. For the love of Pete’s sister, if the system provides secure alternatives — use them, for crying out !)%(!%)!(%Y)!ing loud. Is it really that hard? It’s not like you have to reimplement the damn wheel everywhere…. And if someone is going to reimplement the damn wheel — make it a better one, not an even worse one shaped like a triangle!!!

Sometimes… people really, really, really annoy me with what they do….

I really hate to tell people how to do their job

I really hate to tell people how to do their job, especially when they are the ones who should be getting paid to do it; but sometimes I can’t help but wonder if some people have ever heard the words race condition or predictability used in the same sentence as exploit or security vulnerability.
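For the record, here is what "use the secure alternatives the system gives you" looks like for this exact job. This is an added example written for this page; it is neither Kris Moore's script nor the suggestion above, and it assumes only POSIX sh, awk(1) and a mktemp(1) that accepts a template (as on FreeBSD). The kdeglobals path and the browser value are chosen by the caller; the helper names find_kdeglobals and set_default_browser are made up here.

```sh
#!/bin/sh
# Added example (not Kris Moore's script and not the blog author's suggestion):
# the same kdeglobals edit done without predictable temp files in $HOME.
# Assumptions: POSIX sh, awk(1), and mktemp(1) with a template argument.

# find_kdeglobals [HOME]
#   Print the kdeglobals path of the first KDE profile that exists,
#   preferring ~/.kde4 over ~/.kde (KDE3). Returns 1 if neither has one.
find_kdeglobals() {
    home="${1:-$HOME}"
    for d in "$home/.kde4" "$home/.kde"; do
        f="$d/share/config/kdeglobals"
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# set_default_browser FILE PROG
#   Set BrowserApplication in the [General] section of FILE to PROG, keeping a
#   KDE4-style BrowserApplication[$e] key if that is what the file uses, and
#   adding the key (and the section) if they are missing.
#   PROG must not contain '&' (awk's sub() would expand it).
set_default_browser() {
    file="$1"
    prog="$2"

    [ -f "$file" ] || { echo "ERROR: $file not found" >&2; return 1; }

    # mktemp(1) creates the file with mode 0600 under an unpredictable name,
    # so nobody can pre-create or symlink it; it is created in the same
    # directory so the final mv(1) is an atomic rename, not a copy.
    dir=$(dirname -- "$file")
    tmp=$(mktemp "$dir/.kdeglobals.XXXXXX") || return 1

    awk -v prog="$prog" '
        /^\[/ {                                  # section header
            # leaving [General] without having seen the key: add it first
            if (ingen && !done) { print "BrowserApplication=" prog; done = 1 }
            ingen = ($0 == "[General]")
            print; next
        }
        ingen && /^BrowserApplication(\[[^=]*\])?=/ {
            sub(/=.*/, "=" prog)                 # keep the key, replace the value
            print; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!ingen) print "[General]"    # no [General] at all: append one
                print "BrowserApplication=" prog
            }
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Rename over the original only after awk succeeded. The result keeps
    # mktemp's 0600 mode, which is fine for a per-user config file.
    mv -f -- "$tmp" "$file"
}

# Stand-alone use:
#   f=$(find_kdeglobals) && set_default_browser "$f" '!/Programs/bin/firefox3'
```

The two points that matter: the temporary file's name is not guessable and it is created (not rm'd and re-created) with restrictive permissions, and the original is replaced by a single rename after the new contents are known to be complete, so a crash half-way leaves the old kdeglobals intact instead of an empty one.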

Getting playful

I’ve been experimenting with extracting PC-BSD PBIs on FreeBSD, mainly because I would like to do a little postmortem analysis on a couple of PBIs, to see if the “officially sanctioned” PBI developers are still following the rules.

The process is actually a lot simpler than I thought it would be; the only problem is doing it in a chroot, lol. Already more than 200MB of files in /tmp/chroot, and I’ve found that PBI must “assume” the presence of a lot of shit, because it will segfault if even simple things like awk or whoami are missing, let alone bigger things 8=); whatever happened to error checking? But anyway, it’s a fairly easy thing to sort out, even with having to take a fair number of libraries and programs into the chroot in order to fool the thing into -extract’ing. So far, I’ve only hit one snag:

/home/0/.PBItmp/.pbistart: ./PBI: not found

which I have not figured out yet.

I think I’ve also found the origin of one of the more stupid elements of the PBC Sh API, and it seems to reflect the PBI subsystem’s source, judging by what I see in PC-BSD’s Subversion >_>. It also reminds me that some people seem to have never heard of a symbolic constant in their entire lives…. which also explains a few other things about the PBI creation process and PC-BSD in general. Since PC-BSD, unlike a *real* BSD system, does not believe in documenting anything, I’ve had to go straight to the (also undocumented) source for answers; it also tempts me to write a detailed review and commentary – but I’ll keep my mouth shut for now. The number of people they will probably buttfuck in the long run is their own concern; I’ve already left. I’m not really interested in sifting through several thousand lines of intermixed Bourne, Bourne Again, and C++ code just to audit a few PBIs; let some other poor schlep, eh, Good Samaritan deal with this schlockware.

If my post doesn’t make it obvious by now, the reason why I was conducting the tests within a chroot environment, rather than sparing myself the trouble -> I wouldn’t let the PC-BSD developers, or most people’s PBIs, touch one of my systems with a ten-thousand-foot cattle prod, and I don’t have time for setting up a jail. That is the kind of feeling I’ve got for the project after using PC-BSD for years; now OpenBSD, FreeBSD, and NetBSD on the other hand, them I trust… and have seen the resulting work to warrant it, lol.

– A strict son of a bitch.

Well, it’s been on my list for a while, but I finally got around to posting it on the PC-BSD forum. Poll: Common problem/questions FAQ for each release branch. It was one of the things on my list of project shortcomings; that reminds me… I need to add more >_>

One reason why I use FreeBSD and OpenBSD on my machines: they do a professional job of things, lol. Maybe it’s the nature of projects like PC-BSD and Ubuntu to pay less attention to things than the systems they’ve ripped. Both FreeBSD and Debian do a much better job than PC-BSD and Ubuntu at many things; hell, even Slackware and Windows do better, lol.

As to the thread I started on forums.pcbsd.org, I also sent out a PM to 20~30 people in the forum’s regular, semi-regular, and past-regular visitor range, asking for their input. With a little luck, between anyone that actually reads their PMs and our current crowd, that’ll help contribute feedback in the thread, to prove I’m not just talking out my ass…

Hmm, I was dreaming about being involved in a proper SAS assault this morning; nothing like that to get ya blood pumping before work, lol. Managed to survive work, cut my other thumb (for korn sake!), got off work late and missed a tea appointment :, got dragged out grocery shopping *again*, and I think my mother’s finally finished spending all forms of savings, lol; she also owes me money >_>.

I’m like the only one in my family that knows how to save money, lol. Not looking forward to the rest of the week that much, but I’ll be off much of next week; I am really not looking forward to Christmas, lol.

On a lighter note, I’ve been promoted from Moderator to an Administrator on forums.pcbsd.org along with jnixon. Kris Moore and James (jnixon) have been improving the spam protection, much to the relief of forum regulars; and there is now the big red button I’ve been longing for in dealing with spammers! With luck, jnixon will keep some activity on forum matters, so I won’t be the only active admin, which probably wouldn’t be much nicer a task than being the only active moderator was, lol. Admin on the forum is a bit of a closer association than I want with the PC-BSD project…. but I also don’t want to see the forums go to pot, so I ain’t arguing. I personally prefer newsgroups (USENET) for such matters, but most PC-BSD users seem to hit the forums when they need help. Hmm, that reminds me, I need a new news reader, lol.

Hmm… maybe this means we can finally get a proper (sticky) F.A.Q. and Common Issues thread going when new releases come out; although me ad-libbing it myself wasn’t my idea of how to fix the problem, lol.

PC-BSD, 3 years of PBI corruption continues!

Username: mrhbit

Hi@

This is available in FreeBSD ports.

Here are some screenshots.

http://www.ultimatestunts.nl/index.php?page=1&lang=en

regards Soeren

Username: mrhbit

Or a package for PC-BSD 7.x ?

Username: Gon

Have done it. Gimme a week and I will approve it into pbidir.com

_________________
Gonzalo Martínez-Sanjuan Sánchez
PC-BSD Core Team Member

Problems with this:

  1. Getting a PBI approved is supposed to involve community testing, and review by those in charge of our PBIs’ safety (e.g. Gonzalo and a few others on the team page), who should also be impartial auditors – it’s called common sense.
  2. This would make Gonzalo a repeat offender in bypassing the normal approval procedures for his own PBIs, if he does what he says he will do.
  3. If he does as his record and choice of words suggest, this is a conflict of interest, which I deem unethical.
  4. This is not the first time someone involved in the PC-BSD project has “bent” the PBIDir rules, or endorsed doing so… when they are supposed to be enforcing them, for everyone including themselves!
  5. In the past a number of PBIs that have “skipped approval” have resulted in stinging users or violating the rules of the day (ref: Kris (RealPlayer, Java, BSD4Win), Charles (Firefox, Thunderbird), Gonzalo (Gnome, …)), or just had half-assed [lack of] testing that didn’t catch obvious problems (ref: the 2nd Amarok PBI, Gnome 2). Considering the state of documentation (how many general users know how to extract a PBI w/o installing it, or how to reach the scripts before they are run), users will not see the code executed when they install a PBI (and most wouldn’t understand it, or the implications), which IMHO is a major security risk — unaudited PBIs.

Is it any wonder that I never send patches to these people… I wouldn’t want my name associated with PC-BSD in any such capacity, period and end of quote. I remember I once compiled a list of the PC-BSD project’s deficiencies and took it up with one of the team members…. That was quite a while ago now, but no actual changes seem to have occurred, beyond referencing revisions in the changelog for 7.0.1.

I think, if Gonzalo doesn’t go by the book, maybe I will just happen to go public with them this time — and expand the list!

I’ve had about enough of watching this chicken-shit project. I may have mellowed with my increasing age, but not that far just yet.