Archive for June, 2006

security and unusability

June 27, 2006

I’ve previously plugged [Security and Usability by O'Reilly](http://www.oreilly.com/catalog/securityusability/), a great book that anybody working in the security field should read.

Unfortunately it seems that the Fedora Core developers have not. Their latest release ships with a default SELinux policy that denies execmod (the writable-to-executable transition a library with text relocations needs while it is being loaded), and we’ll probably have to work around this in autopackage. This configuration is questionable for three reasons:

* The error message printed might as well be a random number. The only people who will understand _cannot restore segment prot after reloc: permission denied_ are SELinux or glibc developers. It’s useless to anybody who isn’t fluent in ELF.
* The people who see it are the people least likely to know what it means.
* The computer knows what’s wrong, and knows how to fix it, but won’t. Pretty much every usability textbook ever written advises against this.

The result is identical to last time – [masses of end users posting for help on the internet](http://www.google.co.uk/search?q=%22fedora+core+5%22+%22segment+prot%22). The predictable results are:

* People are told to switch SELinux off
* The upstream developers usually don’t understand what the issue is, how to fix it, or why they should care
* People don’t feel in control of their computer, and so the feeling of technology being dark and scary is propagated

For those who are wondering, this message is generated by the dynamic linker when it needs to apply _text relocations_ to the loaded process image. To do this it first makes a region of code read/write (no exec), patches it, and shortly afterwards changes it back to read/exec. That second mprotect is the step SELinux denies: a mapping that has been writable is not allowed to become executable again, so the linker gives up and startup fails. Text relocations are generated naturally by the toolchain in response to certain code constructs (typically non-PIC code in a shared library), usually without the developers even knowing what they are. [Mike Frysinger’s guide](http://www.gentoo.org/proj/en/hardened/pic-fix-guide.xml) explains how to find and remove them. Alternatively, in the install scripts, mark the libraries that contain text relocs with the appropriate security context (the Fedora policy type for this is textrel_shlib_t), which allows the transition for those files only rather than for the whole system.
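The install-script workaround just described, as an added example that is not autopackage’s own code and not from the original post: it reads `readelf -d` output to find libraries that actually need text relocations and labels only those with textrel_shlib_t, leaving everything else under the default policy. The type name textrel_shlib_t is Fedora’s real policy type; the library paths and the sample readelf output are constructed for the example, and `readelf` and `chcon` are assumed to be on PATH.

```python
"""Label only the shared libraries that carry text relocations (added example,
not part of autopackage or the original post).

Assumptions: textrel_shlib_t is the Fedora SELinux type for such libraries
(it is); `readelf` and `chcon` are available; paths below are hypothetical.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, List

# readelf -d reports text relocations in one of two ways, depending on how the
# linker recorded them: a dedicated (TEXTREL) entry, or the TEXTREL bit in the
# (FLAGS) entry. Either one means the loader will need execmod for this file.
_TEXTREL_RE = re.compile(r"\(TEXTREL\)|\(FLAGS\)\s+.*\bTEXTREL\b")

# Constructed sample output in readelf's format (not captured from a real file).
SAMPLE_TEXTREL_OUTPUT = (
    "Dynamic section at offset 0x1000 contains 3 entries:\n"
    "  Tag        Type                         Name/Value\n"
    " 0x0000000000000016 (TEXTREL)            0x0\n"
    " 0x000000000000001e (FLAGS)              TEXTREL\n"
)
SAMPLE_CLEAN_OUTPUT = (
    "Dynamic section at offset 0x1000 contains 2 entries:\n"
    " 0x000000000000001e (FLAGS)              BIND_NOW\n"
    " 0x000000000000000e (SONAME)             Library soname: [libbar.so.1]\n"
)


def has_textrel(readelf_dynamic_output: str) -> bool:
    """True if the `readelf -d` text shows the library needs text relocations."""
    return any(_TEXTREL_RE.search(line)
               for line in readelf_dynamic_output.splitlines())


def readelf_dynamic(path: str) -> str:
    """Run `readelf -d` on a file. Missing or non-ELF files yield empty output,
    which classifies as clean (nothing to relabel)."""
    proc = subprocess.run(["readelf", "-d", path],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def plan_labels(paths: Iterable[str],
                read: Callable[[str], str] = readelf_dynamic) -> Dict[str, str]:
    """Classify each library as 'textrel' (needs textrel_shlib_t) or 'clean'.
    `read` is injectable so the classification can run without readelf."""
    return {p: ("textrel" if has_textrel(read(p)) else "clean") for p in paths}


def label_textrel_libs(paths: Iterable[str],
                       read: Callable[[str], str] = readelf_dynamic,
                       dry_run: bool = False) -> List[str]:
    """Apply textrel_shlib_t only where needed; return the paths that got it.
    Libraries without text relocations keep the default context, so execmod
    stays denied for them."""
    labelled = []
    for path, kind in plan_labels(paths, read).items():
        if kind != "textrel":
            continue
        if not dry_run:
            subprocess.run(["chcon", "-t", "textrel_shlib_t", path], check=True)
        labelled.append(path)
    return labelled


if __name__ == "__main__":
    # Offline demonstration against the constructed samples (hypothetical paths).
    fake_fs = {"/opt/app/lib/libfoo.so": SAMPLE_TEXTREL_OUTPUT,
               "/opt/app/lib/libbar.so": SAMPLE_CLEAN_OUTPUT}
    print(plan_labels(fake_fs, read=fake_fs.__getitem__))
    print(label_textrel_libs(fake_fs, read=fake_fs.__getitem__, dry_run=True))
```

Run it over the libraries an installer is about to place, before the first program tries to load them. Labelling per file is the narrow fix the policy intends; disabling SELinux, which is what the forum threads above tell people to do, removes the protection for every process on the machine to cure one library.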

The Fedora developers enabled this setting before but quickly disabled it again after it turned out that lots of software in the distribution was broken by it. Since then they’ve modified the software they ship and enabled it again, screwing over anybody who isn’t part of the “in club” in the process. It’s a shame, but not surprising, that the great work the desktop developers have done can be so easily unravelled by other parts of the project. It’s come to this thanks to the “if you’re not in the distro you don’t exist” mentality that pervades distro development, along with the SELinux developers’ unsettling habit of reclassifying anything they disagree with as broken or buggy.

A better solution would have been to invert the logic: mark the libraries known to have no text relocs as not needing execmod, so that the transition is denied only for programs where denying it is known to be safe. The error message should also have been changed to output an English explanation of what’s wrong along with a URL where developers can find out more (though hopefully the first change would mean nobody ever saw the error).

The O’Reilly book (a collection of short essays on usable security) [can be read online for free](http://safari.oreilly.com/JVXSL.asp?x=1&mode=section&sortKey=rank&sortOrder=desc&view=section&xmlid=0596008279&k=20&g=&srchText=security+and+usability&code=&h=0&m=&l=1&j=list&catid=&s=1&b=1&f=1&t=1&c=1&u=1&r=&o=1&n=1&d=1&p=1&a=0&page=0).

lugradio live

June 19, 2006

I’m doing a main stage talk at [this year’s LugRadio Live](http://www.lugradio.org/live/2006/index.php/Schedule) on “Packaging and autopackage”.

This talk isn’t written yet, but it’ll probably quickly cover the technology (i.e. a demo of it in action) and then go on to talk about the philosophies behind it. The interesting thing about autopackage isn’t the technology, it’s the distributed vs centralised debate. That debate is key to everything, and is worth spending some time on.

Towards the end I’ll probably touch on a few other Big Picture things that I’ve been pondering lately. Specifically how a distro might go about getting Firefox levels of market share.

If anybody has suggestions for what should go into it, let me know in the comments below.

bits and pieces – part iv

June 17, 2006

* [Akismet](http://www.akismet/) is an automated blog spam filter for WordPress and other blog engines. It’s astonishingly effective and is what lets me continue to keep comments available. If you run a blog that gets spam, then you need this software. The only downside is the need to register with wordpress.com for an API key, which is a bit of a pain. If I know you personally, email me and I’ll give you my API key.

* If you ever wondered what is involved in making an app work on Wine, some time ago Lionel and I wrote some debugging tutorials. Firstly there’s the [quickstart](http://winehq.org/site/developer-cheatsheet), then [debugging Reason 3](http://wiki.winehq.com/Debugging_Reason_3), [a file open dialog box issue](http://wiki.winehq.com/Debugging_the_PE_Explorer_file_open_dialog), and some [game debugging](http://wiki.winehq.com/Debugging_’Wild_Metal_Country’).

* Confused about Unicode? We all were once. Fortunately Joel Spolsky has written an article explaining everything (it’s old, but worth linking to again for those who haven’t seen it). [The Absolute Minimum Every Software Developer Absolutely, Positively Must Know About Unicode and Character Sets (No Excuses!)](http://www.joelonsoftware.com/articles/Unicode.html) is a 5 minute intro to the world of Unicode, ANSI, character encodings, code pages, and all that stuff that programmers are sort of expected to know but are never taught in school.

* [Steam Brigade](http://steambrigade.com/) is a jolly 2D strategy game set in a world of steam powered warfare. It’s not really that serious – think Lemmings – and has the player flying around in an airship picking up and dropping infantry with a big magnet :) This *almost* works on Wine, all except slightly messed-up mouse input which unfortunately renders the game unplayable. Sigh.

peak oil – part i

June 9, 2006

We recently had a most excellent talk from Naresh G. Giangrande on Peak Oil and its implications. The slides are in PPT format but are a good introduction to the topic, covering all the important points in a competent and concise manner. Get them here.

gpgpu sorting

June 5, 2006

[Using a GPU to efficiently sort lists of numbers](http://scholar.google.com/scholar?hl=en&lr=&safe=off&q=cache:QmTTT0bmgpgJ:www.cs.usask.ca/faculty/callele/gpusort/SortingOnAGPU.pdf+gpu+sort) is an interesting paper you may want to read sometime.

Parallel algorithms promise an exponential reduction in running time: in the general case you’d get O((log n)^k) (polylog time) instead of the O(n log n) a sequential comparison sort needs. I’ve never tried it, but I suspect the reality is somewhat different. For one, O notation can be very misleading, as it hides constant factors as being “irrelevant”. This is fine if you’re an academic but rather less fine if you’re an engineer. In this case the cost of uploading data to a GPU is so high that I suspect for many normal datasets it would offset any savings.

Another problem is that academics model parallel algorithms around a “PRAM”, a theoretical parallel computer that does not exist. PRAMs offer an unlimited number of processors, so it’s not uncommon to find parallel algorithms requiring a polynomial number of processors (e.g. to sort a list of 1000 numbers you’d need 1000 squared = 1,000,000 processors). Obviously this is impractical, so to implement them you must “fold down” the algorithm to the number of processors you have available, then simulate PRAM semantics on top. A GPU offers perhaps 6 shader units, and although these are aggressively SIMD themselves I doubt you’d get more than 32 real instruction streams running in parallel even on high end hardware. The cost of providing PRAM semantics (like concurrent write conflict resolution) is another big question mark.
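The “fold down” step described above, as an added example that is neither from the original post nor from the linked paper: a bitonic sorting network, a standard parallel sorting network, run under a simulated processor budget. Each round of the network consists of independent comparators, so a PRAM with n/2 processors finishes a round in one step and the whole sort in log n (log n + 1)/2 rounds; with only p processors each round costs ceil((n/2)/p) steps, which is what the folding does to the headline polylog bound. The processor counts and input lists are hypothetical.

```python
"""Bitonic sorting network folded onto p processors (added example, not from
the original post or the linked paper). Inputs and processor counts below are
hypothetical; n must be a power of two, as bitonic networks require."""
from typing import List, Tuple

Comparator = Tuple[int, int, bool]  # (i, j, ascending) with i < j


def bitonic_schedule(n: int) -> List[List[Comparator]]:
    """All comparators of the network for n = 2^k inputs, grouped by round.
    Comparators within one round touch disjoint pairs, so they can all run
    at once: this is the PRAM view, one processor per comparator."""
    if n <= 0 or n & (n - 1):
        raise ValueError("bitonic networks need a power-of-two input size")
    rounds: List[List[Comparator]] = []
    size = 2
    while size <= n:                      # merge stages: 2, 4, 8, ... n
        stride = size // 2
        while stride >= 1:                # butterfly passes inside a stage
            comps = []
            for i in range(n):
                j = i ^ stride
                if j > i:
                    ascending = (i & size) == 0
                    comps.append((i, j, ascending))
            rounds.append(comps)
            stride //= 2
        size *= 2
    return rounds


def simulate(data: List[int], processors: int) -> Tuple[List[int], int, int]:
    """Run the network with `processors` comparators executing per step.
    Returns (sorted list, number of rounds, simulated time steps).
    With processors >= n/2 the time equals the round count, the PRAM bound;
    with fewer, each round is folded into ceil(n/2 / p) steps."""
    if processors < 1:
        raise ValueError("need at least one processor")
    a = list(data)
    rounds = bitonic_schedule(len(a))
    steps = 0
    for comps in rounds:
        for i, j, ascending in comps:
            # swap when the pair is out of order for the requested direction
            if (a[i] > a[j]) == ascending:
                a[i], a[j] = a[j], a[i]
        steps += -(-len(comps) // processors)  # ceiling division
    return a, len(rounds), steps


def fold_table(n: int, processor_counts: List[int]) -> List[Tuple[int, int]]:
    """(p, steps) for sorting n items with p processors; shows how quickly
    the polylog bound turns back into something linear as p shrinks."""
    data = list(range(n, 0, -1))          # worst-ish constructed input
    return [(p, simulate(data, p)[2]) for p in processor_counts]


if __name__ == "__main__":
    result, rounds, steps = simulate([5, 3, 8, 1, 9, 2, 7, 4], processors=4)
    print(result, "rounds:", rounds, "steps:", steps)
    for p, t in fold_table(1024, [512, 32, 6, 1]):
        print(f"n=1024 p={p:4d} steps={t}")
```

For n = 1024 the network has 55 rounds; with 512 processors that is 55 steps, with the 32 instruction streams the post guesses at it is 880, and on one processor 28,160 comparisons, which is already several times the roughly 10,000 a sequential O(n log n) sort would do on the same input before any upload cost is counted.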

Even so, as new bus technologies wipe out the bottleneck between CPU and GPU parallel algorithms could well become more important. Effects physics simulation has already been shown on high end video cards, and nVidia have a bunch of cool demos showing things like fluid dynamics simulations as well.

Won’t make autopackage any faster of course ;)

alpha blended windows in python

June 5, 2006

Thanks to Henry Gomersall, there is now a python version of the GTK+ alpha demo. The comments and flow have all been maintained, but it works against PyGTK 2.9+ (not released yet). Thanks Henry!