Category: Linux

Adobe 居然決定加碼投入資源更新 Linux 上 NPAPI 版的 Flash (也就是舊版 API)

在「Beta News – Flash Player NPAPI for Linux」這邊看到 Adobe 要投入資源處理 LinuxNPAPI 版的 Flash Player...

先前 Linux 下是 NPAPI 與 PPAPI 兩個版本都有 Flash Player,但是 NPAPI 維持在 11.2,只做安全性更新:

Linux users have access to both NPAPI and PPAPI versions of Flash Player. However, for the last four years, the NPAPI version has been held at 11.2 and regularly updated with only security fixes while the PPAPI version (used in Chrome and Chromium based browsers), is in line with the standard Windows and Mac releases.

然後決定加碼讓兩邊同步:

Today we are updating the beta channel with Linux NPAPI Flash Player by moving it forward and in sync with the modern release branch (currently version 23). We have done this significant change to improve security and provide additional mitigation to the Linux community.

Flash Player 你趕快退場啊啊啊...

用 Docker 跑 Skype 講電話

Update:中文的部份是有問題的。之前以為是跑 Docker 版本時,實際上跑到很久前裝的 skype... 移除後發現 voice 沒問題,但沒有中文字型...

因為 Skype 裡面不知道跑了什麼東西,所以想要用 Docker 包起來放在 container 裡面跑,但之前測起來不穩定,而且中文字型的問題一直沒解決,所以就先一直丟著。

而剛剛測了一下 sameersbn/docker-skype 這邊的版本,發現之前遇到沒辦法看中文的問題也解決了。

安裝的方法非常簡單,先拉下來,然後執行他:

$ docker pull sameersbn/skype:latest
$ docker run -it --rm --volume /usr/local/bin:/target sameersbn/skype:latest install

這樣就會產生 /usr/local/bin/skype,直接跑他就好了,登入後再拿自家電話撥號,測了一下沒什麼問題。另外中文輸入法也是吃 host 的,所以也很順,弄得頗不錯的...

PGP 短 ID 的安全問題

PGP 短 ID 的安全問題出來了,不見棺材不掉淚啊:「Fake Linus Torvalds' Key Found in the Wild, No More Short-IDs.」。

重點在這段,已經有人發出攻擊了:

Search Result of 0x00411886: https://pgp.mit.edu/pks/lookup?search=0x00411886&op=index
Fake Linus Torvalds: 0F6A 1465 32D8 69AE E438  F74B 6211 AA3B [0041 1886]
Real Linus Torvalds: ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 [0041 1886]

Search Result of 0x6092693E: https://pgp.mit.edu/pks/lookup?search=0x6092693E&op=index
Fake Greg Kroah-Hartman: 497C 48CE 16B9 26E9 3F49  6301 2736 5DEA [6092 693E]
Real Greg Kroah-Hartman: 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 [6092 693E]

另外作者給了還蠻重要的觀念:

DO NOT TRUST ANYTHING SHORTER THAN THE FINGERPRINTS.

Debian 提供 Tor Hidden Service 更新 Apt

DebianTor Project 都宣佈了這個消息,兩邊的稿子都一樣:「Debian and Tor Services available as Onion Services」、「Debian and Tor Services available as Onion Services」。

站台列表在 https://onion.debian.org/ 這邊可以看到,當你有安裝 apt-transport-tor 時,可以透過 Tor 更新:

deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main

Tor Hidden Service 本身就有一定的安全強度,而透過 APT 抓 Debian 套件的安全性還有 GnuPG 驗證把關,這樣看起來頗不賴...

讓 Tor 的流量變大也是讓 Tor 的隱私性變得更好的一種方法 (因為目前看到新的攻擊都是靠分析 traffic pattern,所以流量變大有機會讓雜訊變多一些)。

不知道 Ubuntu 有沒有機會也上一份...

GitHub 對抗 TCP SYN Flood 的方式:synsanity

GitHub 提出了自己對抗 TCP SYN Floord 的方式:「SYN Flood Mitigation with synsanity」。

synsanity 是一個 netfilter (iptables) 用的 target,利用現有的理論阻擋 TCP SYN Flood 這種 DDoS:

synsanity is a netfilter (iptables) target for high performance lockless SYN cookies for SYN flood mitigation, as used in production at GitHub.

前人的作法 (SYNPROXY) 以 module 形式運作,需要過濾每一個封包,而這在 GitHub 這種規模上會導致效能不足並且 kernel panic:

This is quite an intrusive way of solving the problem since it touches every packet during the entire connection, but it does successfully mitigate SYN floods. Unfortunately we found that in practise under our load and with the amount of malformed packets we receive, it quickly broke down and caused a kernel panic.

GitHub 所開發的 synsanity 則是透過 netfilter (iptables) 的 target,只處理 initial packets,在撰寫的時候考慮多 CPU 的 lock 問題:

BitKeeper 的 Open Source 行為

LWN 上看到這個消息:「BitKeeper's open source release」,BitKeeper 網站上也已經看到 open source 的消息了。

從 2005 年跟 Linux 分家後,走了十年走到這條路... 在「This is to answer this question and all the "too late" comments.」這邊看到是這樣做出來的決定,看起來沒救了:

Git/Github has all the market share. Trying to compete with that just proved to be too hard. So rather than wait until we were about to turn out the lights, we decided to open source it while we still had money in the bank and see what happens. We've got about 2 years of money and we're trying to build up some additional stuff that we can charge for. We're also open to being doing work for pay to add whatever it is that some company wants to BK, that's more or less what we've been doing for the last 18 years.

Will it work? No idea. We have a couple of years to find out. If nothing pans out, open sourcing it seemed like a better answer than selling it off.

Ubuntu 桌機的 Split DNS

Split DNS 指的是某個 DNS domain 使用另外一組 DNS servers,常用在 Partial Route 的 VPN 上,讓內部網域的 DNS domain 正確的被解出來。一般商業的 VPN Software 都會處理掉這塊,不過有時候還是希望可以自己設定...

Ubuntu 桌機上的 Split DNS 可以透過 Dnsmasq 做到,在我的機器上因為透過 ps awx | grep dnsmasq 可以看到 --conf-dir=/etc/NetworkManager/dnsmasq.d,表示設定的目錄在 /etc/NetworkManager/dnsmasq.d 下,所以我把檔案 mysplit 放到 /etc/NetworkManager/dnsmasq.d 下:

#
server=/mysplit.com/10.1.2.3

然後在 dnsmasq 的 manpage 裡面有提到,SIGUSR{1,2} 是拿來分析用的,而 SIGHUP 不是拿來給你重新讀設定檔用的 XDDD

SIGHUP does NOT re-read the configuration file.

所以就砍掉他,隨便對 NetworkManager 做個動作,就會重新把 dnsmasq 帶起來了,或者重開機也可以... 再跑 dig 查的時候就可以查到資訊了。

Docker 在 Mac 與 Windows 上使用 xhyve 與 Hyper-V

DockerMac OS XWindows 上開始支援其他的 VM Host 了:「Docker for Mac and Windows Beta: the simplest way to use Docker on your laptop」。

之前在 Mac OS X 與 Windows 上必須使用 VirtualBox 跑一個 Linux Host 起來,而現在可以用 xhyveHyper-V,另外剛剛發現 Linux 的部份也換到 Alpine Linux 上了 (不知道是不是這次才換的):

Faster and more reliable: no more VirtualBox! The Docker engine is running in an Alpine Linux distribution on top of an xhyve Virtual Machine on Mac OS X or on a Hyper-V VM on Windows, and that VM is managed by the Docker application. You don’t need docker-machine to run Docker for Mac and Windows.

Microsoft SQL Server 出 Linux 版...

微軟的 Microsoft SQL Server 將會推出 Linux 版:「Announcing SQL Server on Linux」。

看到 Ubuntu 這個關鍵字:

“We are delighted to be working with Microsoft as it brings SQL Server to Linux,” said Mark Shuttleworth, founder of Canonical. “Customers are already taking advantage of Azure Data Lake services on Ubuntu, and now developers will be able to build modern applications that utilize SQL Server’s enterprise capabilities.”

目前是 private preview,申請後測試:

The private preview of SQL Server on Linux is available starting today and we look forward to working with the community, our customers and our partners to bring it to market.

Software Freedom Conservancy 對 Ubuntu 認定 ZFS 相容性的反對意見

在「Ubuntu 搞定 ZFS 授權問題,將直接納入系統中使用」這邊提到了 Canonical 的律師們認為搞定 ZFS 的授權問題。

Software Freedom Conservancy 則是提出反對意見:「GPL Violations Related to Combining ZFS and Linux」。

主要是討論 GPLv2CDDLv1 的感染性相容問題。

我是覺得 Ubuntu 的說法比較合理,但這種事情沒上法院前誰都不知道... (而且第一仗的結果會特別重要)