Annvix Development Blog

Charting Annvix Development

Category: Development


Installer Updates

26 November, 2007 (00:28) | Development | By: Vincent Danen

Been a while since there have been any posts here. My apologies, but most of the development work has been sporadic and what has been done has been less than exciting. Well, there are a few moderately exciting things. One is the new kernel (2.6.22.12), which is exciting in the fact that it took a lot of time to get things updated to handle it (especially the installer, which consumed most of my day today). Anyways, I’m thinking this week a 2.1-CURRENT beta ISO may hit the mirrors so people can get a taste of what’s new in the installer.

Ok ok… I’ll spoil the surprise. Support for the 2.6.22.12 kernel is what’s new. Beyond that, there isn’t a whole lot. I’ve elected to remain with the old-style IDE drivers rather than the new (and less than perfect, or so I’m told) PATA drivers. That, of course, doesn’t prevent you from playing with it on your own — it just means the installer won’t set it up for you. Beyond that, nothing really has changed in the installer other than removing any references to RSBAC (since we no longer provide it) and installing AppArmor by default.

So when will 2.1-RELEASE (or, more likely, 3.0-RELEASE) be available? Can’t really tell. If I could get 2-3 weeks of solid work time on it, I’d say by the end of the year. As it stands, and since that likely won’t happen, I’d be wagering sometime late January or February — again depending on how much time I can find to work on it. This week I do plan to set up a live machine running 2.1-CURRENT and start messing around with the services and whatnot to start poking for bugs, and I’d like to get some AppArmor profiles definitely written and set up per default for the next release.

Anyways, it’s been a few months since there was a post here and before someone starts thinking Annvix is dead, I figured I should (somehow) indicate that it’s still alive. Like a snail we move forward… just slowly.

New devel and library policy implementation complete

16 September, 2007 (21:13) | Development | By: Vincent Danen

It’s taken a few months, but the library provides and development file naming policy has been fully implemented this afternoon. The details can be seen on the Spec Files page of the wiki. At any rate, this was a fairly big job and it turned out quite well, which should make it easier to manage the naming and building of packages now; at the very least keep them consistent. At the same time, some obligatory version upgrades were completed (of which I’m now beginning to recompile dependent packages).

As well, as of today, urpmi has officially been removed from Annvix. It wasn’t recommended for 2.0-RELEASE, and is no longer available in 2.1-CURRENT. As a result, apt-get is your friend. After a year or so of using apt, I’ve concluded that it’s much faster and behaves better than urpmi did. To be fair, I’ve not used urpmi on Annvix since implementing apt, and I know it’s received a lot of developer attention and improvement on the Mandriva side, but I much prefer apt (and its C base) to urpmi (and its Perl base), even compared to yum and the others (Python-based).

I’m quite a bit behind schedule for putting 2.1-RELEASE out; the initial idea was to have the 2.1 version be a bugfix build on 2.0, but a lot of changes have crept in and there’s more to come (updated kernel is one of the biggies). A lot has changed here, so I’m definitely considering renaming 2.1-CURRENT to 3.0-RELEASE when release time comes, as this is definitely not a .1 release.

Running Bastille on Annvix

20 August, 2007 (22:50) | Development | By: Vincent Danen

Just for kicks, I downloaded Bastille 3.0.9 and tossed it on a VMware install of Annvix that’s a pretty basic un-tweaked default install (not too much extra installed). I had to muck with Bastille a bit since it doesn’t recognize Annvix, so I made it think it was a Mandriva 2006.0 install (Bastille doesn’t look to be overly updated in terms of keeping up with the distros).

Out of the box it gave Annvix a 7.11 score (out of 10), although some of it is a little bogus. A full assessment report can be seen on the Bastille site so you can see what it’s checking for.

Some of the bogus module responses included the “Are clear-text r-protocols that use IP-based authentication disabled?” (Bastille said no, but the r-protocols aren’t available on Annvix so it should have been a yes); “Are root logins on tty’s 1-6 prohibited” (Bastille said no, which is sorta accurate… root logins are only available on tty1, not any others); there was one question about xinetd and another about inetd that were both no’s, but since Annvix uses neither, they should have been yes instead. The combined score modifier there would have been an additional +3.00 at least, although I’d give it a +3.17 since 1/6 ttys allow root.

Not quite sure where that would have put the overall score since these contribute a 1.00 score, but there are some 50+ items, so I assume it must be some kind of division although I wouldn’t want to put an arbitrary number on it.

Of course, a few things are quite simple and account for personal taste and wouldn’t be something I’d foster on someone by default, such as server-wide disabling of following symlinks, disabling SSI, and CGI scripts (all in apache). There’s an item about more restrictive permissions on administration utilities, but it doesn’t indicate all of the items, and I’m assuming it is only checking whether they’re mode 700 instead of something like 750 and owned root:admin or similar. Also, it mentions the default umask being minimal… well, I tried that, and it somewhat borked a whole lot of services, so that was quickly reverted.

It did point out that perhaps we should password-protect single-user mode. That may be an item to add to the installer at some point. It also notes “Authorized Use” messages being displayed at login… not something I would add by default. It also noted that process accounting wasn’t activated, and I just realized that Annvix is missing psacct, so I should probably add that.

All in all, the assessment came out pretty good. A few little things that need to be dealt with I guess, but nothing critical or urgent. It’s a shame I don’t have a copy of Mandriva 2006 to see how it scored out of the box as a comparison.

The Economics of Open Source Donations

4 August, 2007 (13:59) | Development | By: Vincent Danen

Found an interesting article entitled The Economics of Open Source Donations. Very interesting read, especially for any non-commercial OSS project (like Annvix). I think most people don’t understand the actual cost of writing/hosting/developing/whatever an OSS project, and this brings it to bear a little bit, about why donating to OSS projects is good and helps the projects out, and also makes you understand a little bit of what it costs to the author(s)… which is often more than just “spare time”.

It’s an interesting read, regardless.

ZFS

10 July, 2007 (01:17) | Development | By: Ying-Hung Chen

I have been watching ZFS (the new filesystem from Sun) for probably 6 months now.

http://en.wikipedia.org/wiki/ZFS

and it looks like it is a filesystem of the future for sure. Some of the features, like ‘self-healing’ and ‘raid-X’, just blew my mind (actually I was so tempted to gather old parts and try it).

Well then, reality hits! Due to license problems (no, I am not going to put any type of information here), ZFS won’t be able to be ported to Linux natively (at least not for a while). But there is a userland port available: http://zfs-on-fuse.blogspot.com/

But then, it seems like FreeBSD has already ported ZFS:

http://wiki.freebsd.org/ZFSQuickStartGuide

I guess whatever I said a while ago about Linux having superior filesystems (back in the Annvix on BSD comments) needs a reality check again =)

Does anyone have any experience with ZFS?

A number of changes on the horizon

25 June, 2007 (15:39) | Development | By: Vincent Danen

Today the use of SSP is the default for everything. The RPM %optflags macro now calls -fstack-protector --param=ssp-buffer-size=4, so everything will contain it. Packages that cannot use SSP for one reason or another can add “%define _ssp_cflags %nil” at the beginning of the spec file.
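A way to audit the result of that %optflags change, as an added example that is not part of Annvix’s build scripts: compile a constructed C program with the same SSP flags and confirm the binary actually imports the canary-check symbol, then repeat with the protector explicitly disabled. The sample program, the file names and the -fno-stack-protector “opted out” build are assumptions made here.

```shell
#!/bin/sh
# Added example (not Annvix's own tooling): build a constructed C program with the
# SSP flags Annvix puts in %optflags and confirm the binary references
# __stack_chk_fail, the routine the compiler calls on a smashed canary. Run over a
# package's installed binaries, the same check spots a package that opted out via
# "%define _ssp_cflags %nil" or a build that dropped %optflags entirely.
SSP_CFLAGS="-fstack-protector --param=ssp-buffer-size=4"

# Constructed sample: a 64-byte local buffer (>= ssp-buffer-size), so main()
# gets a canary whenever -fstack-protector is in effect.
write_sample() {
cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    strncpy(buf, argc > 1 ? argv[1] : "annvix", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    printf("%s\n", buf);
    return 0;
}
EOF
}

# has_ssp BINARY: succeeds when the binary imports __stack_chk_fail. The symbol
# stays in .dynstr even after stripping, and grep -a scans the file as text, so
# no nm/readelf is needed.
has_ssp() {
    grep -a -q __stack_chk_fail "$1"
}

# build_and_check "CFLAGS": prints "ssp" or "no-ssp" for a sample built with the
# given flags, "no-cc" when no C compiler is installed, "build-failed" otherwise.
build_and_check() {
    command -v cc >/dev/null 2>&1 || { echo no-cc; return 0; }
    tmp=$(mktemp -d) || return 1
    write_sample "$tmp/sample.c"
    # $1 is intentionally unquoted so the flags word-split like CFLAGS would
    if ! cc $1 -o "$tmp/sample" "$tmp/sample.c" 2>/dev/null; then
        rm -rf "$tmp"; echo build-failed; return 1
    fi
    if has_ssp "$tmp/sample"; then echo ssp; else echo no-ssp; fi
    rm -rf "$tmp"
}

# Assumption: the "opted out" build passes -fno-stack-protector explicitly. A
# toolchain that enables SSP by default would still protect a package whose spec
# merely empties _ssp_cflags, so audit with the distro's real build toolchain.
build_and_check "$SSP_CFLAGS"             # ssp
build_and_check "-fno-stack-protector"    # no-ssp
```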

Glibc 2.5 works and seems to work well.

For a while, we’ve stored documentation from RPM packages in their own foo-doc package, which is available in its own repository. Those packages are getting a further refinement now in that documentation will be stored in /usr/share/doc/foo rather than /usr/share/doc/foo-1.0 (the version is being dropped).

There is discussion of possibly moving from the 2.6.16 kernel to 2.6.22 (although this still needs to be fully determined).

Work has begun to integrate AppArmor profiles into the packages that need them, and to automatically reload profiles as they are updated, if AppArmor is running. This will take some time to fully accomplish, and for anyone interested in helping generate profiles, the help would be welcome.

I think, with all of this, we might be jumping from 2.0-RELEASE to 3.0-RELEASE after all. It’s shaping up to be quite a big change. =) It’s also shaping up to be a welcome change. With SSP enabled by default, we’re (finally) back to where we were at with 1.0-RELEASE. And with AppArmor now being installed and enabled by default, and with default profiles in place, Annvix should come very hardened out-of-the-box.

As an aside, some of this is happening on the Mandriva side, so Annvix<->Mandriva integration is paying off. Hopefully some more stuff from Annvix will make its way into Mandriva (I’m thinking Openwall’s TCB suite and pam_passwdqc). Already the work done in integrating AppArmor in Annvix has paved the way a bit for Mandriva’s adoption, which is fantastic to see.