MirOS News


Heartbleed vs. Startcom / StartSSL

09.04.2014 by tg@
Tags: bug debian news rant security work

First of all, good news, MirBSD is not vulnerable to The Heartbleed Bug due to my deliberate choice to stick to an older OpenSSL version. My inquiry (in various places) as to what precisely could leak when a vulnerable client connected to a nōn-vulnerable server has yet to be answered, though we can assume private key material is safe.

Now the bad news: while the CA I use¹ and a CA I don’t use offer free rekeying (in general), a CA I also use occasionally² refuses to do that. The ugly: they will not even revoke the certificates, so any attacker who gained your key, for example when you have been using a certificate of theirs on a Debian system, will be able to use it (e.g. to MITM your visitors’ traffic) unless you shell out lots of unreasonable money per certificate. (Someone wrote they got the fee waived, but others don’t, nor do I.) (There’s also a great Twitter discussion-thingy about this involving Zugschlus, but I won’t link Twitter because they are not accessible to Lynx users like me and other Planet Debian authors.)

① I’ve been using GoDaddy privately for a while, paid for a wildcard certificate for *.mirbsd.org, and later also at work. I’ve stopped using it privately due to current lack of money.

② Occasionally, for nōn-wildcard gratis SSL certificates for HTTP servers. Startcom’s StartSSL certificates are unusable for real SSL as used in SMTP STARTTLS anyway, so usage isn’t much.

Now I’ve got a dilemma here. I’ve created a CA myself, to use with MirBSD infrastructure and things like that – X.509 certificates for my hosts (especially so I can use them for SMTP) and possibly personal friends (whose PGP key I’ve signed with maximum trust after the usual verification) but am using a StartSSL certificate for www.mirbsd.org as my GoDaddy wildcard certificate expires in a week or so (due to the aforementioned monetary issues), and I’d rather not pay for a limited certificate only supporting a single vhost. There is absolutely no issue with that certificate and key (only ever generated and used on MirBSD, only using it in Apache mod_ssl). Then, there’s this soon-to-be tax-exempt non-profit society of public utility I’m working with, whose server runs Debian, and which is affected, but has been using a StartSSL certificate for a while. Neither the society nor I can afford to pay for revocation, and we do not see any possible justification for this especially in the face of CVE-2014-0160. I expect a rekey keeping the current validity end date, and would accept a revocation even if I were unable to get a new certificate, since even were we to get a certificate for the society’s domain from someplace else, an attacker could still MITM us with the previous one from Startcom.

The problem here is: I’d really love to see (all of!) Startcom dropped from the global list of trustworthy CAs, but then I’d not know from where to get a cert for MirBSD; Globalsign is not an option because I will not limit SSL compatibility to a level needed to pass their “quality” test… possibly GoDaddy, ISTR they offer a free year to Open Source projects… no idea about one for the society… but it would solve the problem of not getting the certificates revoked. For everyone.

I am giving Startcom time until Friday after $dayjob (for me); after that, I’ll be kicking them off MirBSD’s CA bundle and will be lobbying for Debian and Mozilla to do the same.

Any other ideas of how to deal with that? I’d probably pay 5 € for a usable certificate accepted by people (including old systems, such as MSIE 5.0 on Win2k and the likes) without questioning… most of the time, I only serve public content anyway and just use SSL to make the NSA’s job more difficult (and even when not I’m not dealing with any payment information, just the occasional login protected area).

By the way, is there any way to access the information that is behind a current-day link to groups.google.com with Lynx or Pine? I can’t help but praise GMane for their NNTP interface.

ObFunfact: just when I was finished writing this wlog entry, I got a new eMail “Special offer just for you.” from GoDaddy. Sadly, no offer for a 5 € SSL certificate, just the usual 20-35% off coupon code.

Server and service moves

04.04.2014 by tg@
Tags: snapshot

I’m currently moving servers and services, and have just installed MirBSD natively on the new www-to-be, fish (part of FreeWRT’s legacy). This means that some services will be temporarily unavailable in the days (*cough*) to come. Also, we will temporarily be restricted to Legacy IP availability, losing IP connectivity until I manage to set up a tunnel at the new location. Sorry for doing this “at the last minute” but it’s an involved process. On the other hand, I did already get a new SSL certificate for www.mirbsd.org (from Startcom), and began operating a MirBSD CA (for the fourth time) for all our other X.509 needs (mostly, server-to-server SSL connections including auth’d SMTP relaying).

In true “rolling release” fashion, there is a new MirBSD snapshot for the i386 architecture available in the usual netinstall location. I removed all MirPorts binary packages for previous snapshots, since there were quite some changes (libc major bump, C++ removal, etc.) in base in the meantime. (Expect some fallout. I just realised I cancelled the Manitu server (for monetary reasons), which is blazingly fast, before I was able to finish doing a usable G++ 4.4 port…)

FreeWRT Archive

30.03.2014 by tg@
Tags: archaeology freewrt news pcli snapshot

As previously announced, the FreeWRT Project has been archived. You can access the content at the FreeWRT Archive Site on the MirWebseite.

ObRant: DST (Sommerzeit) sucks!

Thanks to Robert Scheck, jupp – the Editor which sucks less (a WordStar™-compatible Unix editor with lots of features, including a hex editor) is currently on its way to Fedora and EPEL (RHEL/CentOS 5 and 6).

Depending on your distribution, you will have it available within one to two weeks, I’m being told.

This adds another distribution to the list; jupp has been available in Debian and its derivatives (some of which may not be named) for some time (due to user request), and the webpage contains Win32 binaries (made with Cygwin, an oldish version to be compatible with Win9x).

jupp is especially useful as a programmers’ editor, but also used in teaching school-aged kids the joys of IT; Natureshadow has prepared a cheat sheet, which we will internationalise and localise, then link from the jupp homepage – so stay tuned! (I guess we’ll also need a concise list of jupp features, in lieu of advertising.)

mksh-current version "R48 2013/11/17" (only this version, no others) suffers from a now-known regression which can make your MirBSD system unbootable. Please immediately either revert to an earlier version (such as a stable release) or update to "R48 2013/11/29" from AnonCVS.

This reverts the fix for “x="X 1 2"; showargs ${x#X}”, which nevertheless is a genuine bug. Contributions fixing it without introducing any such regressions welcome…

Rolling is the new buzzword

18.09.2013 by tg@
Tags: snapshot

The MirOS Project is proud to announce that the NetInstall area contains a fresh snapshot of MirBSD-current for the i386 and sparc architectures. In due time, a hand-crafted Live ISO image, with some packages configured and grml-mir added, will be published here, so watch this space ;-)

As someone in IRC already mentioned, MirBSD is currently published on a “rolling release” schedule (although we’ll eventually release MirBSD #11… some day). The snapshots are intended mainly for people to use when installing, or trying out MirBSD, but also as an upgrade aid (so recompiling afterwards (to be even more up to date) is very easy) and a baseline for binary packages (although there have been few (though MuPDF is a recent noteworthy addition) MirPorts packages lately, and I somehow doubt bsiegert@ wants me to gift one of my SPARCstation boxen to him for building pkgsrc® quarterlies).


18.07.2013 by tg@

Michael Langguth and Scalaris AG asked me to publish the mksh/Win32 Beta 14 source and binary archive, and it is with joy I’m doing this.

Checksums and Hashes

  • RMD160 (ports/mksh-w32-beta14.zip) = 0dc8ef6e95592bd132f701ca77c4e0a3afe46f24
  • TIGER (ports/mksh-w32-beta14.zip) = 966e548f9e9c1d5b137ae3ec48e60db4a57c9a0ed15720fb
  • 1181543005 517402 /MirOS/dist/mir/mksh/ports/mksh-w32-beta14.zip
  • MD5 (ports/mksh-w32-beta14.zip) = b57367b0710bf76a972b493562e2b6b5

Just a few words on it (more in the README.1st file included): this is a port of The MirBSD Korn Shell R39 to the native WinAPI; it’s not quite got the full Unix feel (especially as it targets the Weihenstephan unxutils instead of a full Interix or Cygwin environment) but doesn’t need a full POSIX emulation layer either. It’s intended to replace MKS ksh and the MKS Toolkit. Source for the compatibility library is also included under The MirOS Licence; we aim at publishing it as OSI Certified Open Source Software like mksh itself. (There is a situation with dlmalloc/nedmalloc being resolved, and the icon is derived from the BSD dæmon which is a protected unregistered trademark, but we’re not Mozilla and allow distro packages to keep using it ☺) Rebasing it on a newer mksh(1) followed by (partial) integration into the main source code is a goal.

Have fun trying it out and hacking on it. It’s currently built with -DMKSH_NOPROSPECTOFWORK (so coprocesses and a few other minor things won’t work), but a SIGCHLD emulation is being worked on – but if you want to help out, I’m sure it’s welcome, just come on IRC or post on the mailing list, and I’ll forward things to Michael as needed. Reports on testing with other toolchain and OS versions are also welcome.

mksh R45 released

26.04.2013 by tg@

The MirBSD Korn Shell R45 has been released today, and R44 has been named the new stable/bugfix-only series. (That’s version 45.1, not 0.45, dear Homebrew/MacOSX packagers.)

Packagers rejoice: the -DMKSH_GCC55009 dance is no longer needed, and even the run-time check for integer division is gone. Why? Because I realised one cannot use signed integers in C, at all, and rewrote the mksh(1) arithmetics code to use unsigned integers only. Special thanks to the people from musl libc and, to some lesser amount, Natureshadow for providing me with ideas what algorithms to replace some functionality with (signed shell arithmetic is, of course, still usable, it is just emulated using unsigned C integers now).
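The unsigned-only arithmetic described above, as an added example (not mksh’s own code, which differs in structure and naming): a small two’s-complement signed arithmetic layer that carries every value in a uint32_t, so that no operation, including the classic INT32_MIN / -1 case and shifts of negative values, ever touches C undefined behaviour. It assumes 32-bit shell integers; all function names (to_u, to_s, div_u, sar_u and so on) are this example’s own.

```c
/* Added example: 32-bit signed shell arithmetic emulated with unsigned C
 * integers only. Unsigned +, -, * and shifts are fully defined (modulo 2^32),
 * which is exactly the two's-complement wrap-around a shell presents. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SIGNBIT UINT32_C(0x80000000)

/* int -> unsigned conversion is defined by the standard (modulo 2^32).
 * unsigned -> int is only defined when the value fits, so the negative half
 * is reconstructed by hand as u - 2^32 without ever overflowing. */
static uint32_t to_u(int32_t s) { return (uint32_t)s; }
static int32_t to_s(uint32_t u) {
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return -(int32_t)(UINT32_MAX - u) - 1;
}

/* Negation and magnitude are total on the unsigned carrier: |INT32_MIN| is
 * 2^31, which fits in uint32_t even though it does not fit in int32_t. */
static bool is_neg(uint32_t a) { return (a & SIGNBIT) != 0; }
static uint32_t neg_u(uint32_t a) { return 0u - a; }
static uint32_t abs_u(uint32_t a) { return is_neg(a) ? neg_u(a) : a; }

/* +, -, * simply wrap; no overflow check is needed because none is UB. */
static uint32_t add_u(uint32_t a, uint32_t b) { return a + b; }
static uint32_t sub_u(uint32_t a, uint32_t b) { return a - b; }
static uint32_t mul_u(uint32_t a, uint32_t b) { return a * b; }

/* Truncating division on magnitudes, sign re-applied afterwards: the
 * quotient is negative iff exactly one operand is, the remainder takes the
 * dividend's sign (C semantics). INT32_MIN / -1 therefore wraps to INT32_MIN
 * instead of trapping; division by zero is reported through *ok. */
static uint32_t div_u(uint32_t a, uint32_t b, bool *ok) {
    if (b == 0) { *ok = false; return 0; }
    *ok = true;
    uint32_t q = abs_u(a) / abs_u(b);
    return (is_neg(a) != is_neg(b)) ? neg_u(q) : q;
}
static uint32_t mod_u(uint32_t a, uint32_t b, bool *ok) {
    if (b == 0) { *ok = false; return 0; }
    *ok = true;
    uint32_t r = abs_u(a) % abs_u(b);
    return is_neg(a) ? neg_u(r) : r;
}

/* Shift counts are masked to 0..31 so they are never >= the width. The
 * arithmetic right shift of a negative value is ~(~a >> n): it shifts in
 * one-bits without ever right-shifting a negative C value. */
static uint32_t shl_u(uint32_t a, uint32_t n) { return a << (n & 31); }
static uint32_t sar_u(uint32_t a, uint32_t n) {
    n &= 31;
    return is_neg(a) ? ~(~a >> n) : a >> n;
}

/* Signed "<" on the carrier: flipping the sign bit maps signed order onto
 * unsigned order, so a plain unsigned compare gives the signed answer. */
static bool lt_u(uint32_t a, uint32_t b) { return (a ^ SIGNBIT) < (b ^ SIGNBIT); }

int main(void) {
    bool ok;
    printf("INT32_MAX + 1     = %d\n", to_s(add_u(to_u(INT32_MAX), 1u)));
    printf("INT32_MIN / -1    = %d\n", to_s(div_u(to_u(INT32_MIN), to_u(-1), &ok)));
    printf("-7 / 2, -7 %% 2    = %d, %d\n",
           to_s(div_u(to_u(-7), to_u(2), &ok)), to_s(mod_u(to_u(-7), to_u(2), &ok)));
    printf("-8 >> 1           = %d\n", to_s(sar_u(to_u(-8), 1)));
    printf("1 << 31           = %d\n", to_s(shl_u(1u, 31)));
    printf("-1 < 0            = %s\n", lt_u(to_u(-1), 0u) ? "true" : "false");
    div_u(1u, 0u, &ok);
    printf("1 / 0 defined     = %s\n", ok ? "yes" : "no");
    return 0;
}
```

The design point is that every partial or undefined signed operation in C (overflow, INT32_MIN / -1, INT32_MIN % -1, shifting a negative value) has a total unsigned counterpart, so the only runtime check left is the one a shell must make anyway: division by zero. Compilers are entitled to assume signed overflow never happens and optimise accordingly, which is why a run-time test on signed integers cannot reliably detect it after the fact; doing the work in unsigned integers removes the assumption instead of trying to test for it.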

The following entertainment…

	tg@blau:~ $ echo foo >/bar\ baz
	/bin/mksh: can't create /bar baz: Permission denied
	1|tg@blau:~ $ doch
	tg@blau:~ $ cat /bar\ baz

… was provided by Tonnerre Lombard; like Swedish, German has got a number of words that cannot be expressed in English so I feel not up to the task of explaining this to people who don’t know the German word “doch”, just rest assured it calls the last input line (be careful, this is literally a line, so don’t use backslash-newline sequences) using sudo(8).

I uploaded a full bulk build of binary packages for MirBSD/i386 corresponding to the pkgsrc-2013Q1 release. About 7,000 binary packages are available in this build, including the pkgin package manager that makes installing binary packages as easy as apt.

See the pkgsrc page for instructions on how to install pkgsrc for MirBSD. Build logs are available on S3.

mksh R42b and R41c released

15.02.2013 by tg@
Tags: mksh

The MirBSD Korn Shell must-have bugfix releases R42b (for the current formal release series) and R41c (for the last bugfix-only stable series) have been issued. Debian testing/unstable users get the fixes through their package management, versioned 40.9.20120630-7 targeting wheezy (hopefully). Debian experimental users will receive a 42b-1 upload, closer to what other distro packages provide, soonish, targeting jessie.

Since we lack anything better (that, unless Freshmeat, is actually usable), by request of our packagers, new mksh(1) releases will be announced on our miros-mksh@ mailing list starting now.

There is one week left to submit your talk proposals for the BSD devroom at FOSDEM 2013. We still have quite a few slots open, so do not be shy! See the original announcement below:

FOSDEM 2013 will take place on February 2-3, 2013, in Brussels, Belgium. Just like in previous years, there will be both a BSD booth and a developer's room (on Sunday).

The topics of the devroom include all BSD operating systems. Every talk is welcome, from internal hacker discussion to real-world examples and presentations about new and shiny features. The talks will be 45 minutes including discussion. Feel free to ask if you want to have a longer or shorter slot.

If you want to do a talk, please submit your proposal to

bsiegert at google.com

and include the following information:

  • Your name
  • The title of your talk (please be descriptive, as titles will be listed with ~400 from other projects)
  • A short abstract of one to two paragraphs
  • A short biography introducing yourself
  • Links to related websites/blogs etc.

The deadline for submissions is December 17, 2012. The talk committee, consisting of Daniel Seuffert, Marius Nünnerich and Benny Siegert, will consider the proposals. If yours has been accepted, you will be informed by e-mail within one week of the submission deadline.

mksh R41 released

30.11.2012 by tg@
Tags: mksh

The MirBSD Korn Shell R41 has finally been released. This is a major “everything” version with important fixes as well as new features and behavioural changes. Sorry for the delay.
