Profile

Cover photo
George Dunlap
Lives in England
173 followers|15,799 views
AboutPostsPhotosYouTubeReviews

Stream

George Dunlap

Shared publicly  - 
 
"Despite the inherently functional character of all computer code, the Copyright Act makes clear that such code can be copyrightable. Nothing about the declaring code at issue here materially distinguishes it from other computer code, and petitioner has identified no genuine conflict of authority concerning Section 102(b)’s applicability to circumstances like these." -- the US DoJ simultaneously demonstrates the knowledge and ignorance about computer programming
1
Add a comment...

George Dunlap

Shared publicly  - 
 
"I do not want to be offensive.
I want to be helpful.
I believe this question needs to be asked."
[Haskell-cafe] how to make this work recursive ? Richard A. O'Keefe ok at cs.otago.ac.nz. Sun Mar 1 23:49:46 UTC 2015. Previous message: [Haskell-cafe] how to make this work recursive ? Next message: [Haskell-cafe] how to make this work recursive ? Messages sorted by: [ date ] [ thread ] ...
1
Add a comment...

George Dunlap

Shared publicly  - 
 
 
CVE-2015-3456 ("Venom") and Xen: why are you vulnerable?
#xen   #xenproject   #venom

Let me spend a few words on CVE-2015-3456, also known as "Venom". Poor choice of a false acronym, if you ask me. 

The vulnerability is caused by a bug in the QEMU floppy drive emulator.

This is exactly the sort of bugs that we are trying to prevent in Xen Project, by limiting, when not avoiding entirely, device emulation. This is why Xen on ARM does not do any emulation at all. This is also why Xen on x86 still provides the ability to boot good old PV guests, which do not come with a large, exploitable, emulated environment.

If you are using Xen on ARM, you are OK. If you are using Xen on x86 with just PV guests or PVH guests (the new, faster, flavour of PV guests), you are also OK. If you are using HVM guests (builder="hvm" in the VM config file), you are affected.

As you probably know, Xen HVM guests rely on QEMU for emulation. Nonetheless we still try to limit the surface of attack, by disabling as many device emulators as possible by default.

For example we disable the floppy drive emulator.

Yes, you have heard correctly: the Xen toolstack disables a bunch of QEMU devices, including the floppy drive emulator, to avoid security vulnerabilities like "Venom".

So is Xen really vulnerable? Unfortunately yes, because of another QEMU bug: QEMU does not actually disable floppy drives, even when you ask nicely.

Sigh. Oh well, at least we tried. :-/
1 comment on original post
1
Add a comment...

George Dunlap

Discussion  - 
 
Running into an issue at the "Installing recovery [something]" step.

I've got a Samsung Galaxy S2 (Intl) (GT-I9100) running Android 2.3.6, and a MacBook Air running the latest version of OSX.  Downloaded and installed the Android app, and the Mac beta installer.

Installer detected the device correctly and downloaded all the relevant images, then said something about installing a recovery image.  Phone to rebooted, and the screen has the Android logo and says "Downloading... Do not turn off target!!"  But at this point, the installer after waiting for a bit says, "We couldn't talk to your device."

I don't have another computer, and I don't have antivirus.  Clicking "try again" doesn't seem to help.

(Powering down the phone returns it to normal -- phew!)

I've tried this a couple different times now, and it has the same effect.

One thing I thought might be confounding things is that I do have the Android development kit installed, which has its own version of adb; and, the first time I tried this I had forgotten that I had Eclipse running in the other window.  But I get the same exact effect even after rebooting the whole system.

After getting to this state, there does seem to be an adb server running; but it seems to be the cm one, not the SDK one.  I killed the running one and ran "adb devices -l", and it didn't come up with anything; so it may indeed be that something is weird with the "downloading" mode that it doesn't talk to adb for some reason. 

Any ideas?  Would having the old version of Android (2.3.6) matter?

Thanks!
1
Ray Walters's profile photoSergey Brusentsov's profile photoGeorge Dunlap's profile photo
4 comments
 
Great -- I'll give that a try.  Thanks all!
Add a comment...

George Dunlap

Shared publicly  - 
 
So simplifying a lot:  Ubuntu takes a radically community-oriented distro and puts some company-written "patches" on it.  CentOS SIGs take a completely company-written distro and puts some community "patches" on it.
1
Add a comment...

George Dunlap

Shared publicly  - 
 
I just discovered what must be absolutely the most idiotic thing I've ever seen in my 20 years of programming.

Take the following text snippet from an RPM spec file:

# Xen is available only on i386 x86_64 ia64
%ifnarch %{ix86} x86_64 ia64
    %define with_xen 0
    %define with_libxl 0
%endif

Obviously, the first line is a comment, right?  So say you wanted to disable this bit of code, but keep it there just in case you wanted to use it later.  You might do something like this:

# # Xen is available only on i386 x86_64 ia64
# %ifnarch %{ix86} x86_64 ia64
#     %define with_xen 0
#     %define with_libxl 0
# %endif

Unfortunately, what you just did had no effect -- BECAUSE RPMBUILD PARSES THINGS INSIDE OF COMMENTS.   O_o
1
Paul Wright's profile photoGeorge Dunlap's profile photoPatrick D. Garvey's profile photo
5 comments
 
Just wanted you to examine your process for better practices.

By the time I retired, I had realized my job wasn't just doing my job, but also considering whether I was using my tools for maximum effect and changing my work flow to optimize efficiency without adversely affecting quality. That includes using tools like version control so I didn't leave a lot of confusing clutter for the next person who worked on it. That person, of course, could be me after I had forgotten the rationale for the code it had become. Structured documentation displayed side-by-side with the source might be more efficacious. Never got it to work, though. We were always too rushed. It takes time to save time, but the culture was hard to change. "Get the program working. We need it now!"

Certainly syntax that isn't respected doesn't help either. Looks like a bug report for upstream is warranted.
Add a comment...

George Dunlap

Shared publicly  - 
 
Xen Security update XSA-108 fix now available to all CentOS-6 Xen4CentOS users : http://lists.centos.org/pipermail/centos-announce/2014-October/020664.html … - CentOS5 and CentOS7 not impacted
[CentOS-announce] CESA-2014:X013 Important xen Xen4CentOS Security Update. Johnny Hughes johnny at centos.org. Wed Oct 1 12:08:23 UTC 2014. Previous message: [CentOS-announce] CESA-2014:X012 Moderate libvirt Xen4CentOS Security Update; Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] ...
1
Add a comment...
Have him in circles
173 people
Hannah Rone's profile photo
Rob Dobson's profile photo
Zhigang Wang's profile photo
Thiago Martins's profile photo
Oleg Gusak's profile photo
Charles Hardy's profile photo
Diego Ongaro's profile photo
Gordon Stretch's profile photo
Linus van Geuns's profile photo

George Dunlap

Shared publicly  - 
 
Spend all morning catching up on mail from xen-devel; finish just before lunch at 1pm.  By 3:30, 125 new unread messages. 
1
Add a comment...

George Dunlap

Shared publicly  - 
 
gpg is really easy to use if you do things the one exact way the author thinks you should do it.  For instance, if you want to sign someone's key and then publish your signatures directly to the keyservers, three simple commands; easy peasy.

If you want to sign someone's key and then just send them the signature, for them to do with what they want -- time to write a complicated script that involves creating a fake gpg root and importing and exporting things half a dozen times.  Even that's a bit redundant, because it includes all his own subkeys and self-signatures.  If you want a really minimal signature, you have to start manually splitting the file into bits and re-assembling it...
2
arsen stasic's profile photoGeorge Dunlap's profile photo
2 comments
 
Well there shouldn't have to be a script. :-)  But as it turns out, I had tried caff (the Debian keysigning party thing) some time before and it just failed with a mysterious error.  After going back and trying it again recently, I think I understand why it didn't work -- gpg2  has a bug where the code that spawns the agent doesn't pass on alternate home directories properly.  So if your master key is anywhere other than in your home directory, and you have a passphrase on it (which of course you should), then it will fail.
Add a comment...

George Dunlap

Shared publicly  - 
 
Oh what a tangled web we weave, when first we try to boot a modern x86 SMP system...
2
Add a comment...

George Dunlap

Shared publicly  - 
 
'So to reiterate: LLVM was created because of GCC's deliberately non-modular, non-reusable architecture, and not because GCC was GPLed. ...I think the lesson we can all draw is that architectural decisions made for political strategy reasons are of limited utility. Eventually, code designed for technical superiority will become more popular than code with features missing for "strategic reasons".' 
2
Add a comment...

George Dunlap

Shared publicly  - 
 
I'm not in the Debian community myself; but doesn't the fact at 31% of people voted for option 1 over option 4 mean that "procedures for decision making and conflict resolution" are not "working adequately"?

If you've got 10 people on your team, and you've chosen a restaurant for a team meal, and 3 people have expressed dissatisfaction with the restaurant, it's just not OK for the other 7 to say, "Nobody has any problems with the restaurant, so why are we even talking about this".

If we've got 10 people and 3 vegetarians, it's simply not OK for the other 7 to say "What's the problem with the steak house? They serve salad."

If anything, the fact that 133 of the 470 people chose 1 over 2 should make the other 337 consider that 1 is probably a measure they should adopt out of consideration for the fairly significant minority.
1
Add a comment...
People
Have him in circles
173 people
Hannah Rone's profile photo
Rob Dobson's profile photo
Zhigang Wang's profile photo
Thiago Martins's profile photo
Oleg Gusak's profile photo
Charles Hardy's profile photo
Diego Ongaro's profile photo
Gordon Stretch's profile photo
Linus van Geuns's profile photo
Links
Other profiles
Contributor to
Places
Map of the places this user has livedMap of the places this user has livedMap of the places this user has lived
Currently
England
Basic Information
Gender
Male
Really good food - interesting unusual local foods, good local beers. Large portions - plan on taking some home.
Public - a year ago
reviewed a year ago
1 review
Map
Map
Map