Nordic Free Software Award nominee 2009

I’m proud and happy to mention that I’ve been nominated for the “Nordic Free Software Award” 2009. I’ve been nominated before, in 2007 and 2008, but it still feels very good.

Dear Daniel Stenberg

The Nordic Free Software Award jury is delighted to inform you that you have been nominated for the 2009 Nordic Free Software Award. The Nordic Free Software Award is given out every year at FSCONS to honor an individual or team who have made a significant contribution to Free Software.

Congratulations and warm wishes on behalf of the Nordic Free Software Award jury

The list of nominees is now published and contains a fair bunch of giants in our field against which I am just an ant in comparison. The list of nominees:

  • Qt development team
  • Simon Josefsson
  • Daniel Stenberg
  • Henrik Nordström
  • Björn Stenberg
  • Andreas Nilsson
  • Varnish
  • Ask Björn Hansen
  • Knut Yrvin
  • Jari “Rakshasa” Sundell

curl and libcurl 7.19.7

Time again for a happy release event. Can you believe this is in fact the 113th release?

Run over to the curl download page to get it!

This time, we bring happiness with the best curl and libcurl release ever and it features four changes and a range of bug fixes. The changes to note this time include:

And a collection of bugs fixed since the previous release involves these issues:

  • The windows makefiles work again
  • libcurl-NSS acknowledges verifyhost
  • SIGSEGV when pipelined pipe unexpectedly breaks
  • data corruption issue with re-connected transfers
  • use after free if we’re completed but easy_conn not NULL (pipelined)
  • missing strdup() return code check
  • CURLOPT_PROXY_TRANSFER_MODE could pass along wrong syntax
  • configure --with-gnutls=PATH fixed
  • ftp response reader bug on failed control connections
  • improved NSS error message on failed host name verifications
  • ftp NOBODY on re-used connection hang
  • configure uses pkg-config for cross-compiles as well
  • improved NSS detection in configure
  • cookie expiry date at 1970-jan-1 00:00:00
  • libcurl-OpenSSL failed to verify some certs with Subject Alternative Name
  • libcurl-OpenSSL can load CRL files with more than one certificate inside
  • received cookies without explicit path got saved wrong if the URL had a query part
  • don’t shrink SO_SNDBUF on windows for those who have it set large already
  • connect next bug
  • invalid file name characters handling on Windows
  • double close() on the primary socket with libcurl-NSS
  • GSS negotiate infinite loop on bad credentials
  • memory leak in SCP/SFTP connections
  • use pkg-config to find out libssh2 installation details in configure
  • unparsable cookie expire dates make cookies get treated as session cookies
  • POST with Digest authentication and “Transfer-Encoding: chunked”
  • SCP connection re-use with wrong auth
  • CURLINFO_CONTENT_LENGTH_DOWNLOAD for 0 bytes transfers
  • CURLINFO_SIZE_DOWNLOAD for ldap transfers (-w size_download)

Rockbox on iPod Nano 4th gen

Michael “TheSeven” Sparmann is one of the primary magicians behind the recent linux4nano efforts and he has done a lot of the Rockbox port for the iPod Nano 2nd generation.

Some 10 hours or so ago he posted this neat picture:

Ipod Nano 4th generation

… showing off custom code running on an iPod Nano 4th generation. If you want to keep track of his/their work on recent iPods, follow @linux4nano on twitter. I do!

While this is not yet Rockbox on the device, this is at least proof that it can be done, and it could indeed be seen as the first tiny step towards a full port! Good job Michael!

First month on my own

Yeah, it’s already been a month since I took off and started working for Haxx full time. Starting a company (even though the company already existed in the legal sense) certainly involves a lot of paperwork and talking to banks, insurance companies and getting arrangements with partners etc. A lot of that of course being just an initial phase, but some of it will be a more integrated part of my day now when I don’t have a well-oiled team of admins hired that deal with such matters.

I’m happy to say that I have had a whole slew of good talks with existing and potentially new customers, and I’m already cooperating with a few companies in very constructive ways – so that I can help others succeed with their undertakings. Several things that happened during this month involved open source (although I’m not able to talk about them in public), and I feel really good when my work and my beliefs can go hand in hand!

This said, I’m always ready for more and new missions. If you’re in need, you know where I am!

Spammers now subscribe

For several years I’ve been setting the mailing lists I admin to only accept posts from subscribers, in order to avoid having to deal with very large amounts of spam posts.

While that is slightly awkward to users of the list, the huge benefit for me as admin has been the deciding factor.

Recently however, I’ve noticed how this way of preventing spam on the mailing lists has started to fail more and more frequently.

Now, I see a rapid growth in spam from users who actually subscribe first and then post their spam to the list. Of course, sometimes spammers happen to just fake the from address from a member of a list – like when a spammer fakes my address and sends spam to a list I am subscribed to, but it’s quite obvious that we also see the actual original spammer join lists and send spam as well.

It makes me sad, since I figure the next step I then need to take on the mailing lists I admin is to either spam check the incoming mails with a tool like spamassassin (and risk false positives, or not trapping all spam) and/or start setting new members as moderated so that I have to acknowledge their first post to the list in order to make sure they’re not spammers.

Or is there any other good idea of what I can do that I haven’t thought of?

null-prefix domino

At the end of July 2009, Scott Cantor contacted us in the curl project and pointed out a security flaw in libcurl (in code that was using OpenSSL to verify server certificates). Having read his explanation I recalled that I had witnessed the discussion on the NSS list about this problem just a few days earlier (which resulted in their August 1st security advisory). The problem is basically that the name fields in a certificate are ASN.1 strings with an explicit length, so a name can contain an embedded zero byte in the middle, while most source code that checks the name assumes plain C-style strings that end at the first zero. A checker that compares only up to that zero will accept a certificate issued for one name as valid for a completely different host. This turns out to be exploitable, and is explained in great detail in this document (PDF).
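To make the mismatch concrete, here is an added example (my illustration for this post, not libcurl’s code and not taken from the linked PDF). The parsed name is modelled as a pointer plus an explicit length, the way an ASN.1 string arrives from the parser, and the host names and the forged common name are constructed sample data. The first check is the pre-fix pattern of handing the parser’s buffer to a C string function; the second refuses any name whose explicit length disagrees with what a C string function would see, which is the shape of the fix that went into libcurl, NSS and GnuTLS.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Model of an X.509 name component as it arrives from the ASN.1 parser:
 * a pointer plus an explicit length. DER strings carry their length out of
 * band, so the bytes themselves may legally contain 0x00.
 */
typedef struct {
    const unsigned char *data;
    size_t len;
} asn1_string;

/* Constructed sample: a CN that a CA would issue to whoever controls
 * attacker.example, but with "www.bank.example\0." glued in front.
 * Hypothetical names, not from any real certificate. */
static const unsigned char EVIL_CN_BYTES[] = "www.bank.example\0.attacker.example";
const asn1_string EVIL_CN = { EVIL_CN_BYTES, sizeof(EVIL_CN_BYTES) - 1 };

/* Constructed sample: an honest CN for the same host. */
static const unsigned char GOOD_CN_BYTES[] = "www.bank.example";
const asn1_string GOOD_CN = { GOOD_CN_BYTES, sizeof(GOOD_CN_BYTES) - 1 };

/*
 * The pre-fix pattern: hand the parser's buffer to a C string function.
 * strcasecmp() stops at the first NUL, so it sees only "www.bank.example"
 * and the attacker's certificate validates for the bank's host name.
 */
bool match_cn_vulnerable(const asn1_string *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/*
 * The fixed pattern: refuse any name whose explicit length disagrees with
 * the C-string view of the same bytes, then compare using that length.
 */
bool match_cn_fixed(const asn1_string *cn, const char *host)
{
    size_t hostlen = strlen(host);

    /* An embedded NUL means the parsed name and the C-string view differ:
     * treat the certificate as malformed rather than guess which is meant. */
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;
    if (cn->len != hostlen)
        return false;
    return strncasecmp((const char *)cn->data, host, hostlen) == 0;
}

int main(void)
{
    const char *host = "www.bank.example";

    printf("vulnerable check, forged CN: %s\n",
           match_cn_vulnerable(&EVIL_CN, host) ? "ACCEPTED" : "rejected");
    printf("fixed check, forged CN:      %s\n",
           match_cn_fixed(&EVIL_CN, host) ? "ACCEPTED" : "rejected");
    printf("fixed check, honest CN:      %s\n",
           match_cn_fixed(&GOOD_CN, host) ? "accepted" : "REJECTED");
    return 0;
}
```

The same length check has to be applied to every name that is compared: the subject CN, each Subject Alternative Name entry and, if wildcards are supported, the part after the wildcard, since the PDF’s examples put the embedded zero right after a `*` as well.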

I started to work on a patch, and in the mean time I talked to Simon Josefsson of the GnuTLS team to see if GnuTLS was fine or not, only to get him confirm that GnuTLS did indeed have the same problem.

So I contacted vendor-sec, and then on the morning of August 5 I thought I’d just make a quick check how the other HTTPS client implementations do their cert checks.

Wget: vulnerable

neon: vulnerable

serf: vulnerable

So, Internet Explorer and Firefox were vulnerable. NSS and GnuTLS were too. (OpenSSL wasn’t, but then it doesn’t provide this verifying feature by itself.) (lib)curl, wget, neon and serf were all vulnerable. If that isn’t a large share of the existing HTTPS clients then what is? I also think that this shows that it would be good for all of us if OpenSSL had this functionality, as even if it had been vulnerable we could’ve fixed a busload of different applications by repairing a single library. Now we instead need to hunt down all apps that use OpenSSL and that verify certificate names.

Quite clearly we (as implementers) have all had the same silly assumptions, and quite likely we’ve influenced each other into writing this sloppy code. SSL and certificates are over and over again getting hit by this kind of painful flaws and setbacks. Darn, getting things right really is very very hard…

(Disclaimer: I immediately notified the neon and serf projects but to my knowledge they have not yet released any fixed versions.)

Mini 2440 Lyre

On ebay there’s a fancy S3C2440-based board named mini 2440 with a 3.5″ touch LCD attached, on sale for 85 USD. 64MB RAM, 400MHz CPU, NAND flash and more. Lots of stuff for the money.

mini2440

The guys in the lyre project seem to have adopted this as yet another hardware platform to attempt to run Rockbox on. After their Atmel AT91SAM target was ditched, they went the ARMopendous route, and now this board seems to have entered the picture. This third hardware platform is called the Lyre prototype 2.

You should note that this Mini 2440 board has no batteries or anything and thus is not really meant to be a portable device in this shape.

“Bob” seems to have initial Rockbox code running on this device, and well-established Rockbox hackers JdGordon and domonoky have both ordered their own kits so the future looks bright.

Open Android Alliance

In the past: cyanogenmod made one of the most popular 3rd party Android ROMs for HTC devices. Personally I haven’t yet tried it on my Magic, but friends tell me it’s the ROM to use.

On September 24th 2009, Google set their legal team on the ROM creator, asking him to stop distributing the parts of Android that aren’t open source but in fact are good old traditional closed source apps – made by Google. Cyanogen himself (Steve Kondik) responded something in the spirit that since the ROM only runs on hardware that already runs the apps, users already have a license to use them. Google responded, saying they protect the Google Phone Experience.

This C&D act triggered a huge reaction in the Android communities as people suddenly became aware of the fact that A) parts of the Android core OS aren’t at all open (source) and B) Google is not the cuddly Teddy Bear we all want it to be.

In the xda-developers.com front, where a lot of the custom ROMs are being discussed and users of them hang out, they created the Open Android Alliance with the intent of creating a completely open source Android.

At another end, and independently of the xda-developers it seems, lots of participants in the google group android-platform pretty much decided the same thing, but they rather started out discussing exactly what would need to be done, what code there is and so on.

Currently, both camps have been made aware of each other and there have been expressed intents of joining into a single effort. I don’t think such subtleties matter much, but we just might see the beginning of a more open, more free Android project getting started here. I’ll certainly be interested in seeing where this is going…

Updated: they now have their own domain. Link in article updated.

My Nordic Free Software Awards 2009 nominees

Hey, it’s really about time to nominate your favourite Free Software persons and projects from the nordic region for the 2009 awards before the time runs out.

This year, I decided to nominate the following “nordic” heroes:

Simon Josefsson

For his excellent work in GnuTLS, libssh2 and a bunch of other projects.

Henrik Nordström

For his work in the Squid project, and his efforts within IETF and its HTTP related struggles and more.

Björn Stenberg

As the primary founder of the Rockbox project. He started something special back in 2001 that now is a huge, thriving and successful Free Software project.

As you might spot, I favor “doers”. I don’t believe in the concept of “nordic projects” when it comes to free or open software – the entire concept of open and free should mean that projects cross borders and regions.

In fact, it feels so out of the ordinary to think about open source people in a geographical context I find it hard to come up with a lot of names. It would be cool if ohloh had some ways to list people and projects based on where people live.

Then again, if a person from a nordic country moves somewhere else, is he or she still a nordic person? Does it depend on where the person lived during the actual act? Is Linus Torvalds a nordic person since he was born, lived many years and started his big project in Finland?

(yeah I already blogged about this subject but hey, it can’t hurt can it?)
