Slashback: Aptitude, Consolation, Security
apt-get install common.sense
According to this message from Pixel in the apt-rpm mailing list, Linux-Mandrake is the second RPM-based distro to use APT, after Conectiva's own distro. So, despite the existence of non-free similar products recently covered in /., APT is gaining acceptance to be the unified package manager front-end for Linux.
Can your parents install Debian?
Now there's some smidgeon of Justice for ya
Foggy Tristan writes "According to a Wired news story, Uzi Nissan has won a battle, but not the war, against Nissan in a domain name dispute over nissan.com. For now, however, Uzi Nissan must display a prominent banner on his site that tells people he has nothing to do with the car company and where people can find Nissan."
You knew this was going to happen ...
RobM9999 writes: "The BugTraq mailing list over at SecurityFocus is reporting what appears to be the first vulnerability in the NSA's Security-Enhanced Linux that was originally written about here. The original post to the BugTraq mailing list is here." What would have been more surprising is if no security bugs were found when a project like this has its source opened to the world. Best to get that laundry clean, eh?
Could be they're just serious gamers
tech81 writes "Here's an article on MSNBC that has an update to this story previously posted on Slashdot concerning Iraq possibly buying and stockpiling PS2's for military purposes. Looks like they weren't able to get any PS2's, so they grabbed the originals. . ."
So that's why the bidding on eBay went so high, eh?
Read 'em and weep
The next part of our continuing reprint of Jon Katz' Hellmouth series is up.
Both of the other replies are wrong (Advanced Packaging Technology and Another Package Tool).
But both got it half right.
According to 'man apt', it's "Advanced Package Tool".
"We registered nissancomputer.com and offered it to him for free," Schindler said. "But he has no interest in being Nissan Computer -- his real name -- because he wants to exploit the substantial confusion.... If Uzi Nissan was using nissancomputer.com, there would not be a lawsuit."
Ok, so Nissan Motor Co Ltd wants Nissan.Com, when it hasn't registered NissanMotorCoLtd.com and NissanMotor.com and NissanMotors.com isn't good enough? I think Uzi's got a good case.
HIV Crosses Species Barrier... into Muppets
Er, no. We just sold him arms when he was fighting Iran in the late Eighties. He seized power quite well on his own, and the Soviets provided him with arms and military advisors for his first fifteen years or so.
There's no "we" in team, only "me"
Slapped with a talking Boogie Bass, actually.
People would assume from that article that Saddam could take a Gameboy, put the right cartridge in it and fly to the moon.
He could if he was playing Lunar Lander on his Gameboy!!
cpeterso
no. i was thinking more along the lines of
...
...
...
#tar -zxf foo.tar.gz
#cd foo
#./configure
#make
#make install
#echo Precompiled binaries are for the weak.
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
"It is seldom that liberty of any kind is lost all at once." -David Hume
I'm no military expert, but it seems to me that hardware optimized for converting data into 3D images (console games) is NOT the best hardware to use for converting 3D images into models of the real world (optical recognition/computer vision systems mentioned above). What good is rapid pixel fill rates, texel rates, polygon rates etc. when you're not trying to generate pictures, but rather decompose pictures into atomic components, which is pretty much the reverse process. So either a) I'm an idiot. b) The "military experts" are idiots, or c) Jim Miklaszewski and the MSNBC editorial staff are idiots. Which is it?
"Freedom means freedom for everybody" -- Dick Cheney
Define for me please what a rogue nation is exactly. One that does not abide by U.S. desires? Technically, all nations are "rogue" in that they are all sovereign...rogue implies that there is some international government dictating their actions. (The U.N. doesn't count, because it rules by consent: you don't /have/ to be a member).
Iraq, lest you forget, invaded another sovereign nation with every intention of keeping it. Overwhelming force from a large coalition of nations forced them to abandon Kuwait. Not content to have their parade rained on, the Iraqis systematically set fire to many of the oil fields in Kuwait. These require explosives to quench -- not a simple task.
But then, you also forget that Iraq didn't always used to be the "bad guys". Prior to the whole Kuwait thing, we had actually told (our close ally) Saddam Hussein that we (the U.S.) would look the other way when Iraq moved to retake the disputed territory that Kuwait held at the time. We told them to go ahead and take it. This was taken, however, by Saddam Hussein to mean we wouldn't care if he took /all/ of Kuwait...which was a mistake. If Hussein had bothered to notice that Bush's ranking in the opinion polls in the U.S. had been slipping, he might have foreseen that his actions provided a convenient excuse for Bush to try to make himself look good...
The only reason Hussein was ever vilified was because the Bush family was getting antsy about their chances for re-election.
We won't even go into the Bush family's ties with the Texas (vs. Iraqi) oil industry...
Since Saddam was, unfortunately, not removed from power during the war, it is not unreasonable to assume he might be a little bitter. Imposing an embargo helps contain him and his ability to threaten other nations. No it isn't perfect, but it is certainly better than letting him freely buy any military hardware he needs.
He wasn't removed from power because of treaties the U.S. is party to that prevent us from directly interfering with another /sovereign/ nation's government.
Iraq has shown the capacity to use weapons of mass destruction (nuclear / biological / chemical), just ask some of their own people. Additionally, it has shown it has, and is willing to use missiles to attack other nations (Scuds on Israel during the Gulf War).
Hiroshima. Nagasaki. Don't forget the U.S. is the only nation to have ever used atomics on another nation. Don't see any embargoes being put on us...because we won. These embargoes have nothing to do with Hussein or what he's done: they are not punishment; they are politics. Cheap Oil. Texas versus OPEC. We are trying to force Iraq's oil prices down, at the expense of the civilian population.
enough rambling. I await your response. =)
have fun
dongoodman
as a user, i think i may have found a solution to the whole apt-get vs. rpm argument that has been boiling over for ever so long. this package management system could possibly change the world:
*.tar.gz
FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network
"It is seldom that liberty of any kind is lost all at once." -David Hume
of course not. But they could give it a good go. Unfortunately they would be stuck on a command line because when the question comes up "What are the vrefresh and vsync rates for your monitor?" they would have no clue. Am I the only one who doesn't immediately scramble for the monitor manual on the first day that I buy a new monitor and write these numbers above the screen? WTF is with that?
How we know is more important than what we know.
Iraq, lest you forget, invaded another sovereign nation with every intention of keeping it. Overwhelming force from a large coalition of nations forced them to abandon Kuwait. Not content to have their parade rained on, the Iraqis systematically set fire to many of the oil fields in Kuwait. These require explosives to quench -- not a simple task.
Iraq has shown the capacity to use weapons of mass destruction (nuclear / biological / chemical), just ask some of their own people. Additionally, it has shown it has, and is willing to use missiles to attack other nations (Scuds on Israel during the Gulf War).
Since Saddam was, unfortunately, not removed from power during the war, it is not unreasonable to assume he might be a little bitter. Imposing an embargo helps contain him and his ability to threaten other nations. No it isn't perfect, but it is certainly better than letting him freely buy any military hardware he needs.
One of the biggest complaints I hear is that the Iraqi people are starving -- the oil for food program doesn't work. On closer examination you'll find that Iraq is rarely selling up to its capacity under this program because Saddam refuses to rebuild / upgrade / maintain his oil refineries. He would rather redirect this money to his elite forces. So don't you dare accuse Americans of "starving poor Iraqis". Their own government got them into this situation and keeps them in it.
Don't get me wrong - in no way am I condoning the actions of loose cannons like Oliver North or other corrupt individuals who were in power positions in the U.S. Criminals should be punished. But you are trying to make an embargo sound criminal, when in fact it IS the punishment. Don't confuse the two.
That SELINUX bug is already fixed ... go to http://www.nsa.gov/selinux, go to download page, and there's new stuff...
Off the mailing list:
Date: Tue, 2 Jan 2001 17:28:48 -0500 (EST)
From: pal@epoch.ncsc.mil (Pete Loscocco)
To: selinux@tycho.ncsc.mil
Subject: Updated release
Sender: owner-selinux@tycho.nsa.gov
An updated release of Security-enhanced Linux that corrects some of the minor problems in the original release has been posted on the NSA web site (www.nsa.gov/selinux).
Changes include:
- moving the numbers of the new system calls to avoid conflicts
- fixing the buffer overflow problem discovered in the find_default_type function in libsecure
- removed extra ';' in policy grammar
- minor adjustments in kernel/flask/Makefile
...
"Buffers can be overflowed, and by overwriting critical data stored in the target process's address space, we can modify its execution flow. This is old news. This article is not much about how to exploit buffer overflows, nor does it explain the vulnerability itself. It just demonstrates it is possible to exploit such a vulnerability even under the worst conditions, like when the target buffer can only be overflowed by one byte."
-- first four sentences of The Frame Pointer Overwrite, Phrack 55
So let's see.. to make an exploit all we need to do is get root and modify that /etc/security file...
You don't need to write the file. In theory, if you can read that byte, you know the incorrect address at which code will be executed. When the program that you're exploiting takes input from you, give it input that puts the code you want executed in the location in the buffer that will be jumped to.
So, no, it's not trivially exploitable. But, no, it's probably not something to be summarily ignored.
Mandrake is very up to date, as said above, but another thing that should be noted is that apt-rpm has the ability to only install packages that are signed. this should cut down in the bad quality issue substantially.
-- Who is the bigger fool? The fool or the fool who follows him? --
Mandrake is up-to-date in Cooker. Would they release Cooker? Will Cooker eventually be on CD as Mandrake 8 or somesuch? That's the question.
The entire point of 'apt' is two things:
1) Easy installation of package x.
2) Easy upgrade of package x to the latest version.
In order for the easy installation of package x, it has to be available in a place where 'apt' can find it. You mentioned that you'll only be able to download packages that are signed? Does that mean Mandrake will devote 3-4 developers, full time, to package all the various 10000+ utilities/applications/etc that are available for Linux? That's where my doubts lie. Debian's package maintainers do have the time and efforts - there are hundreds of them, all working on their own little packages. So, sure, if you can only download signed packages the quality can have some guarantee, but that's only if the package you want is available from a certified source (like your distribution maker's computers). But as soon as they don't have something packaged, all that guarantee goes out the window. If it was there in the first place.
As far as easy upgrades, it doesn't matter that Mandrake has Cooker. Ever tried to get a Cooker RPM to work on a regularly installed Mandrake 7.1 distribution? Never went well for me. So not only do they have to have it packaged, but it has to be packaged for all the various versions of their distributions.
A lot of work.
Dave
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
Just a bit of background:
Four/five years ago I installed Linux on a *huge* 730MB hard drive (yeah, nifty, eh? ;). Well, that's a lie. I got to the "fdisk" part of the install, and promptly lost 230M that I never got back :)
A year or two ago, I installed Caldera 1.3. Then I installed Caldera 2.2. Then I installed RedHat version 5.2, then Mandrake 6.2, then Red Hat 6.2, and now Debian. In each case, I had the distribution installed for a minimum of a month or two.
So, while I'm no guru, I have used a reasonable number of Linux distributions(and I'm not counting the dozens of "mini-distributions" that I've tried out and tweaked[plug: ramf, available at ftp://ftp.ibiblio.org/pub/linux/system/recovery , is my current favorite]).
Anyways, you can add all the automation to package management you want, but it all comes down to the package maintainers. Generally, when you're using Debian packages made by Debian maintainers, a certain quality can be expected. Packages will be dependent on what they need - and they will suggest packages that allow for full functionality. You can be reasonably sure that you'll get a man page for most commands, even if it's a simple "please refer to online documentation available at: http://www.foobar.com/foo/bar.html".
So, while I'm glad that other distributions are adopting 'apt', and the ability to automatically install packages and automatically update ones available, it will all come down to maintainer commitment. Commitment to quality, commitment of time. Red Hat, Mandrake, and friends usually don't update packages after a distribution has released. Sure, if there's a security bug found, they'll release an update, but that's pretty much it. I was never able to go to Red Hat's site and download the latest set of GNOME packages for my Red Hat 6.2 install.
However, when you run the Debian 'testing' or 'unstable' distributions (neither are as bad as their names suggest), when a new app is released, it'll generally be packaged and available through regular Debian mirrors within a few weeks. The Debian 'stable' distribution is targeted at a different audience, and is updated much less frequently.
Ok, so, enough of this. My point is that unless these distribution makers are willing to invest considerable time and money in keeping their packages up-to-date and well done, then 'apt' is probably just overkill.
Dave
Barclay family motto:
Aut agere aut mori.
(Either action or death.)
apt-get install common.sense
Well, I'm still waiting for
apt-get install athlon-1GHz
Hmmm... doesn't seem to work - Must be a bug. I'll see what I can do... look out for my patch (any day now...)
As a friend of mine pointed out, the funniest thing about the U.S. government wanting to put export control on PS2s, is that the machine is Japanese.
I found the article to be poorly worded. The author, I assume, intended to express that the PS2 is more powerful than many home computers, not the Playstation.
Also, telling people that a Gameboy has more computing ability than all of what sent the Astronauts to the moon is a bad example. It is apples and oranges.
People would assume from that article that Saddam could take a Gameboy, put the right cartridge in it and fly to the moon.
-I just work here... how am I supposed to know?
Hussein does not suffer due to lack of food, medicine, or a real economy. In fact, embargoes like this only serve to make the dictator stronger. It's very easy to point a finger of blame at the US for all of Iraq's problems. Creating an embargo weakens the public and allows the dictator to vilify the developed nations (read USA), further securing his base of power.
If free-trade is supposed to lead to the democratization of the whole world, then what's wrong with Iraq?
Jeremy McNaughton
------ Live simply so that others may simply live.
See the "..for smart people" banners Wired runs here? Look elsewhere guys.