So I think this might be a good move. rsec is essentially a complete tool, but if we can swap in msec’s plugin functionality for the reports and make it so that is can be a standalone component separate from msec (be it that msec drops the reporting capabilities and adopts a refreshed rsec as a dependency, or whether msec permits building just the reporting capabilities separate from the msec stuff), then I’m definitely game. What might be interesting, however, is to see how msec and rsec can be merged with sectool in some way. To be honest, I’d never heard of sectool until Eugeni mentioned it… it’s a Fedora project so it might have a lot of Red Hat/Fedora-specific stuff in there, but if it is or could be more generalized to do what msec does as well as what rsec does, then maybe there’s a place for one tool to take the place of three tools and have a broader usage base and become a better tool.

The opportunity here to build a better tool out of two, or maybe even three, tools is quite interesting and one of the things I love about open source. Merging msec and rsec should be quite easy I think. Merging with sectool might be more difficult, but I see a lot of crossover in what msec and sectool both do already — there really is no reason to have a Mandriva-specific tool and a Fedora-specific tool that do the same thing. I suspect sectool might be good at creating decent reports which may even obsolete the need for rsec. Taking a closer look at sectool will help me determine if that is the case (and then it remains to be seen if there is a sectool build for EPEL or if it can be done since I’m currently using rsec on some Red Hat Enterprise Linux 5 and CentOS 5 systems).

Either way, I smell some possibilities here.

As the title indicates, never a dull moment. You get spoiled with new stuff, then have to go back and re-setup old stuff. Part of this switch for Oden is that the build system goes with him, but of course it’s cheaper to just get him new equipment than to send my aging stuff. No problem there, and probably better. Except that my host was 2008.1, his is 2009.0 due to some problems with 2008.1 he was having. Then all kinds of crap started going sideways.

Fortunately, I managed to get it all sorted out. Unfortunately, it came in really close as Mandriva only gave me a week to get Oden up to speed. I leave him in Gustavo’s capable hands because, well, I had my hands full getting the new machine up to speed, nevermind Oden himself. Oh well. Another week would have been great, but we weren’t given it. I’m sure he’ll be able to get his head wrapped around it all. =) If nothing else, it all seems to be working.

So my last week at Mandriva was exciting, frustrating as hell trying to get chroots of Corporate Server 3 installed on a 2009.0 host, and mind-numbingly slow with massive rsyncs that will end up taking about 5 days to complete (still not done).

Unfortunately, I will probably have zero time to do much of anything with Mandriva after this and, quite honestly, I don’t know if there is any desire on my part to, or any desire on my new employer’s part either. I should probably be spending any “leisure” time farting around with Fedora or RHEL at this point.

So good luck all my many friends, past and present, at Mandriva and in the Mandriva community! Strange and (hopefully!) wonderful things lie in store for me, I think. I’m excited and nervous, but up for the change and challenge moving to Red Hat will give me.

Farewell!

http://blog.mandriva.com/2009/01/23/goodbye-vincent-welcome-back-oden/

I am leaving Mandriva after almost 9 years. And I quote:

After nearly 9 years, Vincent Danen will be leaving Mandriva at the end of this month. Again we would like to thank him for his commitment and endeavour whilst at Mandriva. We wish him every success in his future activities. As he said himself, he was also largely “a pain in the developers’ collective backsides with his push for better security in the Mandriva products” and added that we may have forgiven him “because his heart was in the right place” .

This departure will not leave empty chair, as security is something essential for distribution. We would like to thank oden Eriksson who will be in charge of security team. Welcome back Oden!

Not much more to say than that. I am, actually, extremely happy with how this worked out (Oden coming back). I think it’s fantastic that my leaving makes way for Oden to come back. The only thing I’d like to add is that I’m leaving on my own terms… I have *not* been laid off (again). So this one actually is a good thing (well, maybe not so good for Mandriva, but…). Anyways, to make a long story short… I’ll still be doing security work, and open source stuff, but with a different company. I’ll be wearing a different hat, so to speak. I’ll leave it to the enlightened to figure out what that means. =)

Looking at bugfix updates, we’ve seen a steady increase since I’ve kept track (going back to 1999, although I think in 1999 it was only a half-year of doing updates).

• 1999: 13
• 2000: 24
• 2001: 25
• 2002: 27
• 2003: 44
• 2004: 64
• 2005: 65
• 2006: 67
• 2007: 144
• 2008: 214 (to-date)

For security updates, it’s not quite as drastic, at least not in the last few years (but compared to 1999… wow):

• 1999: 18
• 2000: 108
• 2001: 120
• 2002: 102
• 2003: 143
• 2004: 176
• 2005: 249
• 2006: 251
• 2007: 262
• 2008: 263 (to-date)

I have nothing really to say other than I like numbers and my last “statistical analysis” met with so much success (hi Adam!) =)

Anyways, I find it fascinating and it really indicates why I’ve spent so little time on development in the last few years. When the number of advisories were half what they currently are, or less, I was much more active in cooker, writing documentation, etc. Now, it’s hard enough just keeping up with the security updates and you guys are determined to keep me busy with these bugfix updates!

Of course, to put things into perspective, some of this has likely been off-loaded to the Club forums. I have no idea how many posts are there and how they change from year to year. It also looks like 2005->2006 was extremely significant, but my memory is hazy and I don’t remember what happened there (well, I’m too lazy to try and figure out what happened there… something negative anyways).

EDIT: Well, a few comments have put this more into perspective, especially for the cooker list. Anne reminded me that all the bugzilla mails used to go to cooker@ and they don’t anymore (having the bugs@ list). That accounts for the massive drop in “activity” on the cooker list. And it seems like forums are becoming so much more popular that the mailing lists are dying as a result (not necessarily a bad thing, but at the same time… maybe shut down the “support” lists and go for a straight-forum model?) Anyways, I’ll leave the numbers up as food for thought, but it’s not such a “sad metric” as I first said. My bad. =)

For cooker, the main development list:

• cooker-2008: 14288
• cooker-2007: 40088
• cooker-2006: 52681
• cooker-2005: 52225
• cooker-2004: 51977
• cooker-2003: 51180

For the expert list, which is a community-driven support list:

• expert-2008: 2274
• expert-2007: 5667
• expert-2006: 5798
• expert-2005: 16090
• expert-2004: 22190
• expert-2003: 22085

And for the newbie list:

• newbie-2008: 1460
• newbie-2007: 2342
• newbie-2006: 4860
• newbie-2005: 13687
• newbie-2004: 2823
• newbie-2003: 35134

Something else to chew on.

The second book, which I haven’t quite finished yet, but which absolutely blew me away, is “Do you matter? How great design will make people love your company” (ISBN: 978-0-13-714244-6). This book is freaking amazing.

Speaking in the context of Mandriva, this is a book every developer, manager, and CEO needs to read. It’s no revelation that we’re in a bit of a tough spot and I think (although I don’t know for sure) that the CEO is seeking to reinvent Mandriva in some way to make us profitable. Nothing wrong with the idea, but the execution may be up for debate. I have no doubt that he can do it (his track record shows he’s done it before), but the dynamics are different with this kind of company compared to a traditional company. Which makes the ideas and things brought up in “Do you matter?” especially relevant.

The basic premise is that “design” is the be-all and end-all, and the ultimate indicator of good design is customer experience and, more importantly, customer *emotion*. So much so that the first goal and focus, above all else, should be the customer experience/emotion. It’s no surprise to anyone that without customers, no company can survive. But without happy and satisfied customers, no company can *thrive*.

To use one of the authors examples, look at Microsoft vs Apple. In Microsoft’s case, there is extremely poor design… in all aspects of the company (we’re not just talking software here, but the whole “culture” — everything that brings the customer an experience, whether it’s good or bad). The basic consensus of people when they think of Microsoft is like that of the utility company — they don’t really like them, but they need them. Contrast that to Apple where most people love the products, be it the iPod, iPhone, hardware, OS… whatever. Apple takes the design-driven company all the way. From presentations at WWDC, to the box you get your iPod in, to the ease-of-use and look-n-feel of Mac OS X, the customer experience is the first thing in their minds. And this is why they can charge a premium on their stuff, and people will willingly pay it. For the *experience* the end user gets and the emotions it creates (think warm fuzzies).

You can contrast this to anything. If you had a rotten experience at one hotel, do you go back? Or do you try something that is more expensive and find a great experience there? In the future, do you save a few bucks for a crappy experience, or spend a few more for a great experience? What about the store you buy groceries from? Where you buy coffee? Sure, for some people price rules, but for many people it’s all about the experience. If you buy a car, and it’s a really great price and turns out to be utter crap, do you buy another car from this company? Or do you spend more to buy a better car, with a better experience? And what is your perception of the first company? That they sell crappy cars, have poor customer service, and you’re damn well going to tell everyone you know to avoid them like the plague.

So… bottom line is the customer experience and the emotions that experience generates.

I’ll probably blog more about this and break it up into a few pieces, but let me leave you with a few questions asked in the book “Do you matter?”

• Who are you?
• What do you do?
• Do your customers care if you live or die?

These are potent questions.

Who are you? An open source company? How about something deeper than that. An open source company that provides a Linux distribution? Still pretty vague. Who are you *really*? An open source Linux company that aims to bring the best possible Linux-based desktop experience? That sounds pretty good… but is that who we actually *are*?

What do you do? Provide a Linux distribution. Not deep enough. Think about it. What do we *do*? What is the actual end *goal*?

Do your customers care if you live or die? This is the real question. With the many blog posts, articles, forum threads, and so forth I have to say that yes, our customers/users care. Would their lives diminish somewhat if we weren’t around? I’d like to think that yes, it would. But would it *really*? There’s always Ubuntu. Always Fedora. I hear OpenSUSE is pretty decent. What distinguishes *us* from *them* to the point that there would be the equivalent of an online “riot” if Mandriva all of a sudden disappeared?

I don’t have the answers to these questions. I do know that we used to have pretty clear goals and really strove to meet them. And we also had a massive community then too. Extremely active mailing lists, you name it… Mandrake was *the* distro. And somehow, somewhere, we lost our way. Maybe we lost our focus on the customer experience. I don’t know. I do know that it can be turned around… it’s not too late. I think one solution is to become a design-driven company and put the user experience first and foremost, above everything else. And then design our technology, methodology, philosophy, business practices, etc. around it. It wouldn’t be easy, but it could work.

For anyone running a company, or starting a company, or even anyone involved in any kind of organization or community, I *highly* recommend reading “Do you matter?”. It provides insight into things I never before thought of and answers the one nagging question I’ve had for years: Why is Ubuntu so popular when it’s technologically inferior? I don’t mean to start a flamewar or anything here, but the tools Mandriva has blow away anything Ubuntu has. I’ve tried it, and didn’t like it (possibly because I’m jaded by too much Mandriva exposure, who knows). But that doesn’t change the fact that Ubuntu has had such wild success that to many people Linux == Ubuntu.

Makes you wonder… there are a number of tissue-creating companies out there… Scotties, Kleenex, the no-name brands you find at the grocery store. Yet what is a tissue commonly called, without even thinking? Kleenex.

I’ll leave that for you to chew on.

Anyways, I’ve setup both a private rsync repository to get stuff from and an IP-restricted anonymous FTP. Both instances didn’t work “out of the box” with urpmi. For one, with rsync it wasn’t possible to use the password transparently. That can be fixed with the $RSYNC_PASSWORD environment variable but it’s fugly. With curl, I’m behind a firewall and so is the remote system, and when it dropped into PASSV mode, it was using the remote’s internal 192.* IP address rather than it’s external IP, which was causing curl to do a whole lot of nothing.

The rsync fix consisted of writing the rsync password for the user into /root/.rsyncpw (only root calls urpmi anyways), then putting at the top of /etc/urpmi/urpmi.cfg this:


{
rsync-options: --password-file /root/.rsyncpw
}


Thanks, Pixel, for that. Which led me to figuring out the curl issue. At first I set “ftp-skip-pasv-ip” into ~/.curlrc and then realized (when it didn’t work) that urpmi calls curl with “-q” which basically tells curl to completely ignore any config files. Aaarg! So back to /etc/urpmi/urpmi.cfg to set:


{
curl-options: --ftp-skip-passv-ip
}


And now everything works peachy (if you need both, like me, then you’d have both options defined, one per line, in between the initial “{ … }” of the file. A comment in there indicating that’s for custom configuration would be nice. =)

Anyways, this may help a few people out there… googling for this led me nowhere.

Instead of integrating with bugzilla, we’ve used the mediawiki framework. The reasons for this many. The biggest reason is to make the “Testzilla” as accessible as possible to as many people as possible. It is also to lower the bar to usability… anyone can look at information on the wiki, but dealing with Testzilla can be trickier (perhaps). Also, Testzilla itself hasn’t been updated in many years, which means a lot of hacking to make it work. Other solutions were either too complicated (Testopia) or didn’t integrate with anything else we currently had (using mediawiki allows us to re-use our authentication from my.mandriva.com).

Anyways, the basic idea is to have a page per package (urpmi, eclipse, evolution, whatever) and on this page will be testcases — descriptions of ways to test programs in that package. Where possible, automated or semi-automated testcases should be written and these get committed to subversion and referenced from the wiki page (the downside here is we need a mechanism to get testcases from people without commit access in, but the upside is it is faster, provides versioning, and won’t bog down the wiki with (hopefully!) numerous testcases).

I’ve already implemented the main page, which can be found at wiki.mandriva.com/en/Testing, and from there you can get to the various testcases (there’s only one on there right now). There is a cookie-cutter template to be used to start new testcases pages, and there are some new macros that make integrating with subversion and bugzilla a little easier/nicer.

All in all, I think this has the potential to do really good things for Mandriva, and probably other distributions as well. With the ability for anyone to create testcase pages, testcases, send an email with an automated testcase attached to our new testcases_@_mandrivalinux_dot_org “exploder” to get committed to subversion, it should be extremely easy and straightforward for people to get involved.

This is something that quite a few people on the cooker list expressed an interest in, so I’m hoping this will nicely take off and become yet another useful resource for the Mandriva community.

The upgrade went quite smooth (due to the preparation and, most importantly, notes taken from the testing almost two months ago), so everything should be up and running in good order. If there are issues, feel free to comment to me directly or file a bug report. I think, however, that users will find the new version of Bugzilla contains some welcome features and I also took the opportunity to change the layout somewhat to make it adhere more to web standards (such as making font resizing easier, etc.). I also condensed the layout somewhat by using the default Bugzilla templates and re-working them from scratch.

I hope everyone likes it. There will probably be more tweaks coming and rc2 is supposed to be coming out fairly soon from what I’ve heard, so there will still be changes forthcoming, although I hope they are more minor than what changed tonight. I’m also hoping this will improve performance somewhat as Bugzilla 3.2 is using InnoDB rather than MyISAM storage types, which from my understanding should also help improve performance.

Anyways, this release was different in many ways. For one, I actually got my fingers into the pot in quite a “low level” way, which has never happened before (largely because it was never permitted in the past). I guess it’s probably due to the leaving of some people and perhaps a little more persistence on my part. I’d also like to think that earlier this year, for the first time in the 8 years of working for Mandriva, I actually met my co-workers in France face-to-face. Strangely enough, that made an amazingly huge impact on how we relate and work together. I guess for everyone we now know there are “real people” on the other side of that email message or IRC comment. I must admit, that face-to-face has really helped and I actually regret not having gone over there before.

Anyways, the development stuff I was involved in this time was some extra pam work (getting the tcb suite integrated which includes pam_tcb (to replace pam_unix) and the extras that come with it to offer a more secure authentication system (although we did find out that poorly designed screensavers meant we had to reduce some of the security benefits of using pam_tcb in order to accommodate their bad design)). Also, I was the one that incorporated the “know how” from Annvix to get blowfish support into glibc (which inadvertently broke the sha512c support in glibc.. we’ll get that fixed eventually). So now, Mandriva Linux 2009 uses tcb and blowfish passwords by default (although tcb is using the shadow scheme by default, not the tcb scheme). This is really important since the next version of Corporate Server will be presumably based on 2009, which means it will get tcb support and also means that Corporate Server 5 will be similar to Annvix in some of it’s hardening features).

I won’t deny it was trying and time-consuming… =) Juggling security updates, tcb integration/testing/debugging, and bugzilla maintenance has definitely taken it’s toll. I think the end result is really great though. I have two systems left to upgrade to 2009 before they’re all using it and have had very few problems (some minor issues with the EeePC that eventually got worked through was about it).

So congrats to everyone involved with the 2009 development! From what I can see so far, this is a really good release. Of course, now that it’s released, I’ll have a busy 2 weeks ahead of me doing all the bugfix updates, but it’s all good. There’s really only two times of the year that I get super busy in a 3 week stretch, and that’s the week prior and the two weeks after a release. This week has gone much smoother than past releases (despite the nasty cold I obtained from the Opeth concert last week!), so I’m hoping that the next two weeks are just as smooth (busy I expect, smooth would be an added bonus).

To get your very own copy of the shiny new release, head to the downloads page or the torrent list. To get the details of what’s all new in the release, check out the 2009.0 Release Tour. Enjoy!