codeblog code is freedom — patching my itch

9/14/2010

my part in the ecosystem

I was asked to write about what I do at Canonical and what I do in the Free Software community at large. There is obviously a great deal of overlap, but I’ll start with the things I’m involved with when I’m wearing my “Ubuntu” hat.

My primary job at Canonical is keeping Ubuntu secure. This means that I, along with the rest of the Ubuntu Security Team, coordinate with other Free Software distributions and upstream projects to publish fixes together so that everyone in the community has the smallest possible window of vulnerability, no matter if they’re running Ubuntu, Debian, RedHat/Fedora, SUSE/openSUSE, Gentoo, etc. Between vendor-sec, oss-security, and the steady stream of new CVEs, there is plenty going on.

In addition to updates, the Security Team works on pro-active security protections. I work on userspace security hardening via patches to gcc and the kernel, and via build-wrapper script packages. Much of this work has been related trying to coordinate these changes with Debian, and to clean up unfinished pieces that were left unsolved by RedHat, who had originally developed many of the hardening features. Things like proper /proc/$pid/maps permissions, real AT_RANDOM implementation, upstreaming executable stack fixing patches, upstreaming kernel NX-emu, etc. Most of the kernel work I’ve done has gotten upstream, but lately some of the more aggressive protections have been hitting frustrating upstream roadblocks.

Besides the hardening work, I also improve and support the AppArmor Mandatory Access Control system, as well as write and improve confinement profiles for processes on Ubuntu. This work ends up improving everyone’s experience with AppArmor, especially now that it has gotten accepted upstream in the Linux kernel.

I audit code from time to time, both “on the clock” with Canonical and in my free time. I’m no Tavis Ormandy, but I try. ;) I’ve found various security issues in Xorg, Koffice, smb4k, libgd2, Inkscape, curl+GnuTLS, hplip, wpa_supplicant, Flickr Drupal module, poppler/xpdf, LimeSurvey, tunapie, and the Linux kernel.

With my Canonical hat off, I do all kinds of random things around the Free Software ecosystem. I’m a sysadmin for kernel.org. In Debian, I maintain a few packages, continue to try to push for security hardening, and contribute to the CVE triage efforts of the Debian Security Team.

I’ve written or maintain several weird projects, including MythTVFS for browsing MythTV recordings, GOPchop for doing non-encoding editing of MPEG2-PS streams, Perl’s Device::SerialPort module, and the TAP paging server Sendpage.

For a selection of things I’ve contributed to other project, I’ve implemented TPM RNG access in rng-tools, made contributions to Inkscape‘s build and print systems, implemented CryptProtect for Wine, wrote a PayPal IPN agent in PHP that actually checks SSL certificates unlike every other implementation I could find, added additional protocol-specific STARTTLS negotiations to OpenSSL, implemented the initial DVD navigation support in MPlayer, updated serial port logic in Scantool for communicating with vehicle CAN interfaces, tried to add support for new types of timeouts in Snort and Ettercap, fixed bugs in mutt, and added HPUX audio support to the Apple ][ emulator XGS.

As you can see, I like making weird/ancient protocols, unfriendly file formats, and security features more accessible to people using Free Software. I’ve done this through patches, convincing people to take those patches, auditing code, testing fixes and features, and doing packaging work.

When I go to conferences, I attend UDS, DefCon, OSCon, and LinuxCon. I’ve presented in the past at OSCon on various topics including security, testing, and video formats, and presented at the Linux Security Summit (miniconf before LinuxCon this year) on the need to upstream various out-of-tree security features available to the Linux kernel.

I love our ecosystem, and I love being part of it. :)

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

2/3/2007

OpenID and goofy Claims

Filed under: Blogging,Inkscape,Ubuntu,Web — kees @ 8:33 am

I’ve been having fun fighting religious battles and confusing people with in-jokes at jyte.com. Other good claims:

Or just see what’s been claimed about linux in general. Yay for silly social networking sites! :)

© 2007, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

10/7/2006

art-creation pyramid scheme

Filed under: Blogging,Inkscape — kees @ 12:35 pm

Gib started a meme I think sounds like fun. If you’re one of the first 5 people who comment on this post, I’ll create an original piece of art for you, but only if you promise to offer the same deal in your own blog. (And I urge you to release it under a Creative Commons Share-Alike license while you’re at it.)

I’ll likely be using inkscape to get it done, since I need an excuse to play more with the tile cloner and tessellation filters.

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

7/30/2006

jabber to IRC bridge

Filed under: Inkscape,Networking — kees @ 11:16 am

I wrote a Jabber to IRC bridge a while back. It’s currently being used to bridge communication between the #inkscape freenode channel and the inkscape Jabber conference room. I’ve finally gotten around to cleaning up (read: getting configurable variable out of the script into a .conf file) and publishing it.

It’s a bit fragile since the POE/Jabber code seems to explode once in a while, and it doesn’t like losing connections with the Jabber server, but it works most of the time. Several people had asked me for copies of it, so there it is. Please don’t laugh at it/me too hard. Just send me lots of patches. :)

© 2006, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

7/22/2005

open clip art is everywhere

Filed under: Inkscape — kees @ 8:36 am

Although I’m only a user of the Open Clip Art Library, I’m close to the people involved in it since many of them are also involved in Inkscape. As a result, I’m always on the look-out for new places where OCAL is mentioned or OCAL art is used. Today while innocently reading Groklaw‘s response to Dvorak’s misunderstanding of the Creative Commons licenses, I saw OCAL mentioned as the first in a list of examples of useful CC-tagged sites. Very cool. :)

(This post, I think, has my highest ratio of links to words yet.)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

2/9/2005

Inkscape released

Filed under: Inkscape — kees @ 1:01 pm

Ah, it’s so satisfying to get a release out the door. Inkscape version 0.41 has finally been released. This time around, I was made a “Freeze Warden”, which means I have some input in the release process. (Are all the critical bugs fixed? Are the translations updated? Are the builds correct?)

Another task I kind of gave myself was packaging the Win32 binaries. That’s pretty cool, and I’m quite impressed with the NSIS package that does the bundling. I didn’t write the bundling scripts Inkscape uses, but I got to play with the NSIS compiler itself. It’s very slick, and I recommend it for anyone doing Windows installs. (And I should note that hundreds of other software packages are already using NSIS.)

One thing that Bryce Harrington has helped keep in my head during the Inkscape hard freeze was that any given release isn’t supposed to be Bug Free(tm). It’s just supposed to be a release. This is very hard for me to keep in my head, so hearing a few times during Freeze is a good thing. Bugs in the release that we know about are just “Known Problems”. They’re in the tracker, and we’ll get to them some day, but not today. It greatly relaxes me to think about it that way. The pressure to produce is relaxed, letting me actually enjoy the release process instead of worrying needlessly about all the people that will hate us because it crashes when they click like this.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/18/2005

It just Works

Filed under: Inkscape — kees @ 8:03 am

There is nothing quite as satisfying as refactoring a whole mess of code, fixing up the syntax errors and warnings, running the code, and having it Just Work. (In fact, it’s even better if there aren’t any syntax errors to fix.)

This is probably Why I code. I get such satisfaction out of having code do its little dance for me. It’s like training a dog, only I don’t need treats. Why it’s satisfying, I’m still not clear on, but it just is.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

1/2/2005

Inkscape icons

Filed under: Inkscape — kees @ 11:35 am

Today, I ended up tracking down all the unused XPM files in Inkscape. Kind cool to get everything down to just SVG files. I don’t think we’ll be able to ditch the XPMs for the mouse cursor replacements, though. Oh well.

Oops, I found another bug related to the svg: prefix addition. Just proves my metadata code is fragile. I hardened it a little more, so that should fix it for a while. :)

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

Powered by WordPress