October 31, 2014

Dice - A light weight build service

Last week was Hackweek at SUSE and for 2 days I hacked on Marcus' project "Dice - A light weight build service".

It was fun and Marcus' code was very easy to understand, very well structured and came with comprehensive tests.

Dice is a simple build service for KIWI images using virtual instances controlled by vagrant or a directly contacted build machine. It can be used to fire up build jobs on e.g. public cloud instances.

What that means is that you can do:

> dice build myimage

and that will either:

1- start a virtual machine on your workstation/laptop and build your image IN that virtual machine

2- connect to a virtual machine in the cloud (e.g. Google Cloud) and build your image IN that cloud virtual machine


And why all the trouble? The reasons:

1- setting up an environment for building images on your laptop/workstation can sometimes be painful

2- running multiple builds on your laptop/workstation degrades your host's performance. Builds take time, so you are normally doing something else meanwhile, and running the build in the cloud frees your local resources for that other work

3- security: building an image implies running custom scripts. If you wrote those scripts yourself, fine; if not, better not to run them on your laptop/workstation

4- availability: having a build service in the cloud makes it available to others, who then don't have to invest time in setting it up

During those 2 days, I just implemented the ssh command as:

> dice ssh myimage

which will open an ssh connection to the build node, either the virtual machine on your laptop/workstation or the one in the cloud, so that you can easily debug when a build fails.


II Security on the Network Congress

Last October 16th I attended the "II Security on the Network Congress" organized by Universitat Oberta de Catalunya (UOC) and Universitat Rovira i Virgili (URV).

It was held very close to where I live now and I was invited to give a talk there, which I happily did.

I explained the timeline of CVE-2014-0081 (see my previous post on it).

There were about 300 people registered and it was a very interesting event with very interesting talks on security.

I was also very happy to meet a friend from my home town.

Overall, it was fun and worth it.

Thanks to the organizers!

security issues on ruby gems


February 20, 2014

CVE-2014-0081 timeline

Two days ago, a new vulnerability in Rails was made public. Since I am subscribed to different mailing lists and use different security services, I got the information multiple times, and I thought it could be interesting to draw a timeline of those alerts, to see which tools/services were faster and how the information flows:


12.Feb.2014 - 02:36 CET - Rafael Mendonça França commits the fix (private)[1]

14.Feb.2014 - 21:41 CET - Red Hat creates a bugzilla entry (private)[2]

18.Feb.2014 - 17:06 CET - SUSE creates a bugzilla entry (private)[3]

18.Feb.2014 - 20:00 CET - Rafael Mendonça França merges the fix to master[4]
                        - version 4.1.0.beta2 is released[5]
                        - version 4.0.3 is released[5]
                        - version 3.2.17 is released[5]

18.Feb.2014 - 20:03 CET - Aaron Patterson sends email to rubyonrails-security@googlegroups.com, oss-security@lists.openwall.com and secalert@redhat.com[6][7]

18.Feb.2014 - 20:10 CET - redruby.io service sends me an email[8]

18.Feb.2014 - 20:12 CET - Aaron Patterson sends email to ruby-security-ann@googlegroups.com[9]

18.Feb.2014 - 20:17 CET - Rafael França publishes the announcement on weblog.rubyonrails.org[10]

18.Feb.2014 - 20:33 CET - hakiri.io service sends me an email[11]

18.Feb.2014 - 20:36 CET - holepicker adds the security alert to its database[12]

18.Feb.2014 - 21:06 CET - Hacker News publishes it[13]

18.Feb.2014 - 21:38 CET - Red Hat lifts the embargo[2]

19.Feb.2014 - 03:30 CET - added to OSVDB[14]

19.Feb.2014 - 09:03 CET - SUSE lifts the embargo[3]

19.Feb.2014 - 11:49 CET - gemnasium.com sends me an email[15]

20.Feb.2014 - 15:24 CET - Ruby Weekly publishes the news (Ruby Weekly is released every Thursday)[16]
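Once the alert arrives, the practical question is whether your own app is on a fixed release. The following is an added example (not part of the original post) that reads a Gemfile.lock and compares the locked rails version against the fixed releases listed in the timeline (3.2.17, 4.0.3, 4.1.0.beta2); the lockfile content is constructed for the example, and checking only the "rails" gem is an assumption.

```ruby
require "rubygems"

# Fixed Rails releases named in the timeline, keyed by release series.
# Checking only the "rails" gem is an assumption made for this example.
FIXED_RAILS = {
  "3.2" => Gem::Version.new("3.2.17"),
  "4.0" => Gem::Version.new("4.0.3"),
  "4.1" => Gem::Version.new("4.1.0.beta2"),
}.freeze

# Constructed Gemfile.lock excerpt: an app still on the unfixed 4.0.2.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.0.2)
      rails (4.0.2)
        actionpack (= 4.0.2)
      railties (4.0.2)

  DEPENDENCIES
    rails (= 4.0.2)
LOCK

# Returns the locked version of gem_name, or nil if it is not in the specs.
# Top-level spec lines are indented exactly four spaces: "    rails (4.0.2)".
# Dependency lines (six spaces) and DEPENDENCIES entries (two) do not match.
def locked_version(lockfile, gem_name)
  lockfile.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# :patched, :vulnerable, or :unknown when rails is absent or on a series
# the timeline does not cover. Gem::Version orders prereleases correctly,
# so 4.1.0.beta1 < 4.1.0.beta2 < 4.1.0.
def rails_status(lockfile)
  version = locked_version(lockfile, "rails")
  return :unknown if version.nil?
  fixed = FIXED_RAILS[version.segments[0, 2].join(".")]
  return :unknown if fixed.nil?
  version >= fixed ? :patched : :vulnerable
end

puts "rails in sample lockfile: #{rails_status(SAMPLE_LOCK)}"  # vulnerable
```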



[1] https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1065520
[3] https://bugzilla.novell.com/show_bug.cgi?id=864433
[4] https://github.com/rails/rails/commit/1879c259b870938c42d5d52f63123bfa0b8c81c8
[5] http://rubygems.org/gems/rails/versions
[6] https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4
[7] http://www.openwall.com/lists/oss-security/2014/02/18/8
[8] https://www.redruby.io
[9] https://groups.google.com/forum/#!topic/ruby-security-ann/1PWnwW4jRkY
[10] http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
[11] https://haikiri.io
[12] https://github.com/jsuder/holepicker/commits/master/lib/holepicker/data/data.json
[13] https://www.facebook.com/hnbot
[14] http://osvdb.org/103439
[15] https://gemnasium.com
[16] http://rubyweekly.com



The free software business model in Berga on March 27


On March 27 at 18:00 I will give a presentation at the loficina coworking space (loficina.cat) on how to do business with free software. Come along :) !