KDE

Over the last few weeks we've been hit by web robots trying to traverse our bugs database, with different sophistication and query rate. I'm not sure what the point of that action is - since we're not serving any harvestable email address to anonymous visitors. Most likely this is a for the only reason of a pure DDoS attack - with increasing success. Therefore I've enabled more drastic counter-measures by filtering requests which match certain HTTP request header patterns.

Unfortunately this wasn't enough, so today I tried another (unintrusive) counter-measure: bugs.kde.org now requires SSL. I hope that the usual traversing bots do not support SSL. Thats just a guess of course, I might be wrong. We'll see. It's the last step (in my imagination) before requiring a login for viewing bug reports, which would be quite inconvenient to our users. If you have any better idea how to get rid of those robots, please post a comment.

This has been made possible by GoDaddy who kindly signed our SSL certificate for free. Finally no self-signed invalid certificates on KDE.org anymore!

Over the last few days I've spent some time developing DirkLinux, and I choose my birthday to name it v0.1. So you wonder, where is the download link?
To be honest, there is none. I've got a micro computer a few weeks ago. Its much smaller than an average edition of Stroustrups C++ book, and it is entirely free of cpu fans or hard disks, floppy disks or other medias. Nothing rotates, no mechanics, no noise. Originally it ran some commercial embedded operating system. It took me two hours to bootstrap it for the first time with a KNOPPIX CD booted over PXE, because there didn't seem to be a way to make it boot over anything else, mostly because the BIOS doesn't support USB sticks and there are no IDE or floppy connectors available. Normally, it boots over a builtin 16MB DiskOnChip flash chip.

After inspecting the hardware in detail and some early experiments with standard embedded distributions (mostly based on dietlibc, uClibc and busybox-stuff), I decided that I can go on faster by building it on my own. Additionally I want binary compatibility with standard glibc based distributions. Thats because I don't want to spend my time fixing portability and compatibility bugs in sources and compile everything on my own. DirkLinux v0.1 is currently a scripted assembly of binaries from debian (because they have all the applications I want as binary packages), where trivial stuff like /bin/false is stolen from a distribution compiled against dietlibc. After two days of hacking, I had a bare minimum 2.6 kernel and a bare minimum environment that runs cron, ssh, syslog, logrotate, dhcp, dns, NAT, QoS Shaping, PPPoe, bash, vi and NFS, it booted and ran entirely in RAM in a read-only compressed SquashFS image. And all that in 5MB. I was happy. Setting up PAM, terminfo, timezones and stripping it down to a bare minimum was an interesting adventure. Figuring out how to make a DiskOnChip bootable was another step, though that hasn't changed the last 5 years (did that years ago already).

After a week of uptime and fixing small bits here and there I decided to go nuts. I installed Squid, a web server, an AD Blocker, ClamAV, Postfix, Asterisk for my VoIP phones, Snort and Perl. Amazingly, the 16MB image still had free space, and it boots in less than 15s. The only items on TODO are a USB stick based UnionFS overlay so that I can modify everything without a reboot cycle. I finally decided to tell a few friends about it.
What was their first question?

"So.. does it run KDE?"

Damn.

Ugh. Lots and lots of German Nazi SPAM hitting our mail server right now. We're trying to filter them via the following rules:

header __SOBER_P_MSGID Message-ID =~ /<[0-9a-f\.]{15,22}\@/
header __SOBER_P_CTYPE Content-Type =~ /text\/plain.*charset=\"us-ascii\"/
header __SOBER_P_PRIO X-Priority =~ /^3 /
header __SOBER_P_IMP Importance =~ /^Normal/

meta SOBER_P_SPAM (__SOBER_P_MSGID && __SOBER_P_CTYPE && __SOBER_P_PRIO && __SOBER_P_IMP )
score SOBER_P_SPAM 18.0
describe SOBER_P_SPAM Rassistische Mail Sober-P

Let me know if you find any mail that still slips through.

Just a few words.. checkouts on our core KDE servers are crawling because the main svn.kde.org server is hammered by probably hundreds of developers checking out their sources. I've been waiting for 6 hours now for one single checkout to finish and its not even 30% finished yet. I'm trying to finish fixing the scripts as fast as possible, but there are so many open ends right now that we will probably take another day until the updating of web pages works fine again. Thanks for your patience.

Last night I continued to prepare the KDE CVS conversion to [http://subversion.tigris.org Subversion]. http://websvn.kde.org/ is now up and running and awaiting your testing!

David complained today about not being able to recieve mail from Laurent. I'm not sure why, but I bet one cent that the error is not on kde.org's mail setup. As it turned out after some debugging, I lost the bet. ClamAV decided that the attachment of the mail is encrypted, though it was not, and due to our configuration we block mails with encrypted zip archives as attachment. Investigation showed that this was again the very same bug in ClamAV I fixed over a year ago reintroduced in the CVS snapshot we use, which made it detect any zip archive containing a file with options to detect it as encrypted. How much use is a virus scanner that doesn't even have an automatic regression test for such lame things? So I went on and patched our installation and wrote a very angry mail with patch to the ClamAV developers. It seems the patch was included. Ok, at least something.