March 2010 - YaST Development - openSUSE Mailing Lists

[yast-devel] Re: [studio-devel] ephemeral keying for apache2
by Thomas Biege 31 Mar '10

31 Mar '10

Hello Peter, Am Mittwoch 31 März 2010 16:45:47 schrieb Peter Bowen: > On Wed, 2010-03-31 at 14:08 +0200, Thomas Biege wrote: > > Am Mittwoch 31 März 2010 13:21:56 schrieb Peter Bowen: > > > On Wed, 2010-03-31 at 10:51 +0200, Thomas Biege wrote: > > > > during the secure development workshop last week in Prague > > > > the question came up how to configure ephemeral keying using > > > > apache2/mod_ssl. > > > > > > Thomas, > > > > > > Unfortunately I was not in Prague, so I don't have the background on > > > this. Can you please explain a little about what ephemeral keying is > > > and why one wants it? > > > > > > Thanks, > > > Peter > > > > It influences the ssl handshake and creates something that is called > > 'perfect forward secrecy' (PFS). > > The perfect forward secrecy means that an adversary can capture the > > encrypted traffic and when she gains access to your private key is not > > able do decrypt the already sent data as well as data from future > > transmissions. (But she can of course spoof the identity of the SSL- > > enabled server with the key.) > > So we have the following right now for Studio: > > SSLCipherSuite ALL:!ADH:!EXP:!LOW:!MEDIUM:+HIGH:+SSLv2 > > After a little poking, it looks like: > > SSLCipherSuite kEDH:@STRENGTH:ALL:!ADH:!EXP:!LOW:!MEDIUM:!MD5:!3DES: > +SSLv2 > > is what we want. It will put the DH key exchange algorithms first > (OpenSSL docs note "non-ephemeral DH modes are currently unimplemented", > so this mean ephemeral keying), sorted by strength, then all the other > ciphers. We exclude export-grade (40 bit), low, and medium ciphers as > well as those using MD5 hashing and those using 3DES bulk cipher. > > Admittedly this effectively disables SSLv2 (as most v2 implementations > only offer MD5), but anything that only supports SSLv2 is likely full of > security holes at this point. From a security perspective this looks good! What was the reason behind disabling 3DES? BTW, you are right having SSLv2 in the CipherSuite doesn't make sense if we disallow MD5, LOW, MEDIUM and 3DES. Additionally SSLv2 is insecure and obsolete since more than 11 years now. Bye Thomas -- Thomas Biege <thomas(a)suse.de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. -- Marie von Ebner-Eschenbach -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] Re: [studio-devel] ephemeral keying for apache2
by Thomas Biege 31 Mar '10

31 Mar '10

Am Mittwoch 31 März 2010 13:21:56 schrieb Peter Bowen: > On Wed, 2010-03-31 at 10:51 +0200, Thomas Biege wrote: > > during the secure development workshop last week in Prague > > the question came up how to configure ephemeral keying using > > apache2/mod_ssl. > > Thomas, > > Unfortunately I was not in Prague, so I don't have the background on > this. Can you please explain a little about what ephemeral keying is > and why one wants it? > > Thanks, > Peter It influences the ssl handshake and creates something that is called 'perfect forward secrecy' (PFS). The perfect forward secrecy means that an adversary can capture the encrypted traffic and when she gains access to your private key is not able do decrypt the already sent data as well as data from future transmissions. (But she can of course spoof the identity of the SSL- enabled server with the key.) This sounds a bit weired but it works simply by generating an ephemeral key for encryption (using Diffie-Hellman key exchange (kex)) and verifying the authenticity of the keys by using the RSA/DSA key in the certificate. Because the ephemeral key is only used once per session and it is never transmitted over the wire (DH kex) the sessions confidentiality is assured even if the key used for signing (RSA/DSA) is known. In the case of DSA SSL certificates it is also mandatory to support ephemeral keying because DSA can only be used for signing and not for encryption. HTH Thomas -- Thomas Biege <thomas(a)suse.de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. -- Marie von Ebner-Eschenbach -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] WebYaST status call - 2010-03-31
by Jiri Srain 31 Mar '10

31 Mar '10

jsrain, tgoettlicher, mzugec, jdsn, mschmidkunz, vgorobets, schubi, jsuchome, jreidinger, mvidner, kkaempf jsrain: non-WY stuff tgoettlicher: tested + reported bugs mzugec: fixed some issues, testing latest build, to fix more bugs jdsn: fixed certificate creation mschmidkunz: web-yast bugs vgorobets: testing latest build, jquery validator WIP, testing schubi: documented plugin report mechanism, will be bugfixing jsuchome: non-WY jreidinger: testing with MSIE, XML serialization, will be fixing mvidner: base product link WIP, new snapshot to be ready shortly kkaempf: tested daily build with Chrome, layout fixes, to continue REMINDER: don't commit to master except bugfixes explicitly asked for -- Regards, Jiri Srain YaST Team Leader --------------------------------------------------------------------- SUSE LINUX, s.r.o. e-mail: jsrain(a)suse.cz Lihovarska 1060/12 tel: +420 284 084 659 190 00 Praha 9 fax: +420 284 084 001 Czech Republic http://www.suse.cz -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] Webyast Test report 30.3. daily build for IE8
by Josef Reidinger 30 Mar '10

30 Mar '10

Hi, this test I try IE8 to look for possible problems. test result: verify fix of old bugs: verified that filtering by status works in IE8 - bnc#579464 new bugs: layout of radio buttons and checkboxes is broken, also accordion never "end" - bnc#592275 there is no graph in status due to some problem in jqplot - bnc#592276 (otherwise status looks working) system buttons is almost out of screen - bnc#592278 I don't test whole plugins, but I plan do it ( run virtual win7 takes huge amount of ram, so it is quite slowly). Josef -- Josef Reidinger YaST team maintainer of perl-Bootloader, YaST2-Repair, parts of webyast -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] Webyast: Bind model to form
by Josef Reidinger 30 Mar '10

30 Mar '10

Hi, during study our views and controller in webclient I found that we almost never use helpers which bind model to form. You can read it here - http://guides.rubyonrails.org/form_helpers.html#binding-a-form-to-an-object Then you can benefit from matching names and you can in controller simple use <model>.load params[:model] which set matching attributes. It also produces cleaner views. And last but not least is that it pressure to have data handling functionality in model ;) -- Josef Reidinger YaST team maintainer of perl-Bootloader, YaST2-Repair, parts of webyast -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] webyast and DRY code
by Josef Reidinger 30 Mar '10

30 Mar '10

Hi, I am interested how DRY is our code. So I use flay tool to analyze all our sources for webclient. You can find filtered (as some report is unrelevant or in generated part) report with my suggestion how to fix it at the end of email. My general impression is that our code doesn't contain much duplications which is good. Except some minor problems I see two major things which could be improved. The first one is sharing test_helper and add there some helpers which is quite often repeated in tests. Does anybody know how to share test_helper in easy way (so no hardcoded path from __FILE) ? The second one is that we have quite lot of data manipulation (like serializing to string, collecting things from arrays or filtering) in controllers. I think this manipulation should have descriptive methods in models and controller just call simple method. e.g. in status checking if something is changed and if so, then save it. I think it could be created method conditional_save, which inside check if something is changed and if so then call save, otherwise just return true. Another good example from status controller is method evaluate values, where many lines could be moved to model. Moving functionality to model has two main advantages. The first one is that if another developer want use some your functionality it use model, so everything which is not in model is just copied instead of sharing in model. The second one is that functionality in model is much easier to properly test then action in controller. some minor problems found in flay output: 4) Similar code found in :defn (mass = 306) ./plugins/mail/test/functional/mail_controller_test.rb:10 ./plugins/time/test/unit/systemtime_test.rb:7 ./plugins/time/test/unit/ntp_test.rb:7 ./plugins/software/test/unit/repositories_test.rb:8 ./plugins/software/test/functional/repositories_controller_test.rb:8 ./plugins/eulas/test/unit/eulas_test.rb:7 ./plugins/eulas/test/functional/eulas_controller_test.rb:9 ./plugins/roles/test/unit/role_test.rb:7 ./plugins/roles/test/functional/roles_controller_test.rb:8 ./plugins/users/test/unit/groups_test.rb:8 ./plugins/users/test/unit/users_test.rb:8 ./plugins/users/test/functional/groups_controller_test.rb:9 ./plugins/users/test/functional/users_controller_test.rb:9 ./plugins/firewall/test/unit/firewall_test.rb:7 ./plugins/network/test/unit/interface_test.rb:8 ./plugins/network/test/functional/network_controller_test.rb:8 ./plugins/status/test/functional/status_controller_test.rb:11 ./plugins/services/test/functional/services_controller_test.rb:10 same method to load xml fixture to mock rest-service. If we found solution for sharing test_helper then we should add this method to generic test_helper. 5) IDENTICAL code found in :resbody (mass*3 = 297) ./plugins/software/app/controllers/repositories_controller.rb:57 ./plugins/software/app/controllers/repositories_controller.rb:72 ./plugins/software/app/controllers/repositories_controller.rb:100 Handling ResourceNotFound exception and same output. Could be moved to one method which define action if this happen like rescue ActiveResource::NotFound report_not_found return end 7) IDENTICAL code found in :if (mass*3 = 216) ./plugins/software/app/controllers/repositories_controller.rb:42 ./plugins/software/app/controllers/repositories_controller.rb:61 ./plugins/software/app/controllers/repositories_controller.rb:88 same if before each action which expect id. I think it should be moved to method like check_params and then you can simple use check_params || return in these methods.. 8) IDENTICAL code found in :call (mass*3 = 216) ./plugins/time/test/functional/time_controller_test.rb:62 ./plugins/time/test/functional/time_controller_test.rb:78 ./plugins/time/test/functional/time_controller_test.rb:108 same checking of xml request in test. Should be refactored to method which found and return simple hash. 10) IDENTICAL code found in :iter (mass*3 = 198) ./plugins/users/app/controllers/users_controller.rb:59 ./plugins/users/app/controllers/users_controller.rb:104 ./plugins/users/app/controllers/users_controller.rb:146 same manipulation with groups string. Should be moved to separate method. 20) Similar code found in :defn (mass = 136) ./plugins/system/app/controllers/system_controller.rb:12 ./plugins/system/app/controllers/system_controller.rb:32 Reboot and restart actions looks very similar 28) Similar code found in :iter (mass = 114) ./webclient/test/dummy-host/host.rb:182 ./webclient/test/dummy-host/host.rb:224 ./webclient/test/dummy-host/host.rb:240 ./webclient/test/dummy-host/host.rb:249 ./webclient/test/dummy-host/host.rb:263 ./webclient/test/dummy-host/host.rb:389 mocking host in sinatra. Does we need this file. 30) IDENTICAL code found in :and (mass*2 = 104) ./plugins/status/app/controllers/status_controller.rb:139 ./plugins/status/app/controllers/status_controller.rb:224 same condition. I think that you can benefit from ClientException which has methods to detect type of error. 37) Similar code found in :iter (mass = 84) ./plugins/status/app/controllers/status_controller.rb:57 ./plugins/status/app/controllers/status_controller.rb:63 same block and almost same methods. I think it is possible to refactor it to more readable code. Especially move to separate method with proper name "magic" code which multiply and divide by numbers and then convert it) 50) Similar code found in :if (mass = 72) ./plugins/mail/app/controllers/mail_controller.rb:50 ./plugins/administrator/app/controllers/administrator_controller.rb:62 similar as above, I suggest to use ClientException which has method which helps to easier check type of backend exception. 51) IDENTICAL code found in :return (mass*2 = 72) ./plugins/registration/app/controllers/registration_controller.rb:91 ./plugins/registration/app/controllers/registration_controller.rb:99 Could be moved to some flash constructor for registration. It easier possible future improvements 53) IDENTICAL code found in :attrasgn (mass*2 = 68) ./plugins/users/app/controllers/groups_controller.rb:155 ./plugins/users/app/controllers/groups_controller.rb:198 same loop for set members of group. I think that you can add method to model, which takes string representation of groups and parse it inside. 54) Similar code found in :iter (mass = 68) ./plugins/users/app/controllers/users_controller.rb:32 ./plugins/users/app/controllers/users_controller.rb:67 ./plugins/samba_server/app/controllers/samba_server_controller.rb:33 ./plugins/samba_server/app/controllers/samba_server_controller.rb:74 These two plugins provide also xml output for webclient. I think it is confusing if only one of published module provide this behavior and I recommend remove it unless we decide that we need it for more plugins. 69) Similar code found in :block (mass = 46) ./plugins/users/app/controllers/users_controller.rb:167 ./plugins/users/app/controllers/users_controller.rb:210 same as above for generate xml. I think we should provide same behavior for all plugins. 73) Similar code found in :not (mass = 42) ./plugins/mail/app/controllers/mail_controller.rb:65 ./plugins/administrator/app/controllers/administrator_controller.rb:72 I think that test should be moved to administrator model to share functionality. 83) Similar code found in :if (mass = 34) ./webclient/lib/client_exception.rb:26 ./webclient/lib/client_exception.rb:27 same one line test. It could be rewrite to avoid unnecessary test. -- Josef Reidinger YaST team maintainer of perl-Bootloader, YaST2-Repair, parts of webyast -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] WebYaST status call - 2010-03-30
by Jiri Srain 30 Mar '10

30 Mar '10

jsrain, tgoettlicher, mzugec, mvidner, mkudlvasr, jsuchome, kkaempf, lslezak, jreidinger, schubi, vgorobets, jdsn, mschimidkunz jsrain: testing, non-WY stuff tgoettlicher: non-WY, going to test next build mzugec & mkudlvasr: finished groups management, going to test + legacy mvidner: non-WY stuff, will work on product files + L3 status jsuchome: fixing mainly UI bugs kkaempf: non-WY stuff lslezak: redesigned repositories module according to Martin's mock-up, just submitted, testing requested jreidinger: fixed build in hudson, looking into new bugs schubi: checked in service plugin report mechanism, updated translations vgorobets: testing builds jdsn: fixed registration testcases, added email validation for registration mschmidkunz: non-WY, will work on WY bugs next build ETA: tomorrow, today's build is ready today: fix bugs which pop-up -- Regards, Jiri Srain YaST Team Leader --------------------------------------------------------------------- SUSE LINUX, s.r.o. e-mail: jsrain(a)suse.cz Lihovarska 1060/12 tel: +420 284 084 659 190 00 Praha 9 fax: +420 284 084 001 Czech Republic http://www.suse.cz -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] WebYaST status call - 2010-03-29
by Jiri Srain 29 Mar '10

29 Mar '10

jsrain, tgoettlicher, mzugec, mvidner, vgorobets, mschmidkunz, schubi, kkaempf, jdsn, mkudlvasr, jsuchome (listen-only) jsrain: testing tgoettlicher: non-WY mzugec: groups almost ready for master + build (1 test missing) mvidner: fixing product set-up for registration vgorobets: common JavaScript stuff for all plug-ins mschmidkunz: testing, working on main navigation buttons, fixing bugs schubi: status module kkaempf: just back, sorting stuff out jdsn: bugfixing mkudlvasr: groups configuration with Michal, ETA today jsuchome: finished service dependencies UI REMINDER: deadline for package submission today 5PM Please, test latest build and report bugs -- Regards, Jiri Srain YaST Team Leader --------------------------------------------------------------------- SUSE LINUX, s.r.o. e-mail: jsrain(a)suse.cz Lihovarska 1060/12 tel: +420 284 084 659 190 00 Praha 9 fax: +420 284 084 001 Czech Republic http://www.suse.cz -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0

[yast-devel] yast2-installation and lxde installation
by Andrea Florio 28 Mar '10

28 Mar '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi folks, As LXDE maintainer i would like to ask you to apply that patch to improve lxde user experience Best Regards Andrea - -- - ------------------------------------------ Andrea Florio QSI International School of Brindisi Sys Admin CISCO CCNA Certified openSUSE-Education Administrator openSUSE Official Member (anubisg1) Email: andrea(a)opensuse.org Packman Packaging Team Email: andrea(a)links2linux.de Web: http://packman.links2linux.org/ Cell: +39-328-7365667 - ------------------------------------------ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkuvbDIACgkQyCZT87TFPug8lACgxMRbPvN/b9fi11f55kGue8Qf /DwAn179P+4P1EJ2c+poCYVo21Ih6e2B =cbAb -----END PGP SIGNATURE-----

1 0

[yast-devel] Webyast in hudson resurrected
by Josef Reidinger 26 Mar '10

26 Mar '10

Hi, I found where is problem that cause problems of hudson during webyast tasks. So now I enable again building. So fresh doc is again generated and also test is executed. Please look what cause fail of test and try to fix it ASAP, so we have green hudson which should help us watching test suite condition. JFYI problem is that our top level Rakefile run for each directory in plugins rake <task> but if directory doesn't contain Rakefile (like if it contain only garbage after plugin rename) rake search for rakefile in upper directory so it cause endless loop. Josef -- Josef Reidinger YaST team maintainer of perl-Bootloader, YaST2-Repair, parts of webyast -- To unsubscribe, e-mail: yast-devel+unsubscribe(a)opensuse.org For additional commands, e-mail: yast-devel+help(a)opensuse.org

1 0