2009-02-03 19:30:27

1/3 IPv6 traffic!

Checking the netstat counters on our router today, it seems that almost a third of our traffic is now IPv6:

3105502 packets received (IPv4)
2070329 packets received (IPv6)

Posted by Tonnerre Lombard | Permanent link | File under: network

2008-11-30 00:34:45

MySQL 5.1: few new features, but many new bugs

As Monty, who is apparently working at MySQL, wrote yesterday in his blog, there appears to be a rahter large number of quite devastating bugs left in MySQL 5.1 at the time of its release, many of which would have been declared release critical by open source projects.

In Oops, we did it again, Monty names a number of these bugs and outlines variety of bad management decisions which have lead to the current situation, and which apparently have lead to similar situations in the past.

To me, it does not really come as a surprise. As you may or may not know, I have been following the MySQL company, community and products for years, and haven't seen too many different types of releases so far. In any case, I strongly support the suggestion of Monty and also strictly recommend staying with MySQL 5.0 for now &mash; or to migrate to PostgreSQL, if possible.

Posted by Tonnerre Lombard | Permanent link | File under: broken, programming

2008-11-29 22:31:25

Trust based PGP key signing

As a visitor here at rgb2r is now moving to another planet a far-away country, the discussion came up again how to do PGP key signing properly. Originally, the requestor asked for passport based signing as done on most of the so-called PGP key signing parties. However, for the following reasons I will not sign passports and don't want passport based signatures.

Party signing

In the normal PGP key signing party based approach, all that is required to obtain a signature is a passport or identity card. The signer verifies that the signee looks like the person on the picture and then signs the key. For this, the signer does not have to know or trust the signee. The signer then submits the key to a key server and the signee can download it from there.

This method allows one to accumulate a lot of signatures over a short time, and to extend the network of signatures very quickly. However, it contains various flaws:

  • There is no trust relation between the signer and the signee, so the only thing that is attested by the signature is, that the signee has certain similarities with the documents he/she presented.
  • However, especially in multinational keysigning parties, these documents can rather easily be forged so that an untrained eye cannot detect the forgery.
  • There may be valid reasons not to want to show one's ID. For example if one's in possession of a diplomatic passport, one might not want to show it to everybody because it might be met with suspicion, or it might compromise the position of the owner of the passport to have everyone be aware of the status.
  • In some cases, people may have valid reasons not to disclose their real names, especially if they're working in IT security, if they are political activists or live in a totalitarian regime. But even under normal circumstances, it should be accepted if a person does not want to disclose his/her real name.
    Some people are not even known under their real name at all, and thus a signature on their real name would be rather pointless.
  • The associated addresses need not automatically belong to the signee.

There are probably many more problems this model is arising by its lack of trust dependencies or its focus on the passport as the sole base of trust, but these are the most apparent which came to mind.

Trust signatures

The so-called trust signature scheme follows an entirely different dogma. In this scheme, people knowing each other know enough will sign each other's key in order to testify that they are willing to testify that the signee is known as the person he/she claims to be. This of course implies a much greater level of familiarity between the signer and the signee.

Note that in this scheme, it is perfectly valid for the signer to sign a key belonging to a pseudonym — if that's what the signee is known as. That may sound suspicious to a person who's used to attesting passports, but in the end it is much more logical because in the end, the signer attests only what he knows about the other person, without relying on a paper he cannot verify.

Also, some more unrelated improvements come to play. In order to verify UIDs, the signer creates signatures for each individual UID and sends these individually to the mail address in the UID, in an encrypted mail. Then, the signer deletes the signature from the local keychain again. This sounds tedious, but there are good scripts to take care of that, such as, for example, caff from the pgp-tools package.

In this scheme, it is assured that the owner of the UIDs is at least aware of the signature that took place, and can decide whether or not to upload the signatures. On the other hand, a pseudonymous signer can participate without any loss of the trust relationship.

Posted by Tonnerre Lombard | Permanent link | File under: security, chaos

2008-11-26 12:31:18

MySQL build system command line wildness

Only seconds ago, the MySQL build system produced a ton of compiler command lines like this one:

gcc -shared -Wl,--whole-archive ndbapi/.libs/libndbapi.a common/transporter/.libs/libtransporter.a common/debugger/.libs/libtrace.a common/debugger/signaldata/.libs/libsignaldataprint.a mgmapi/.libs/libmgmapi.a common/mgmcommon/.libs/libmgmsrvcommon.a common/logger/.libs/liblogger.a common/portlib/.libs/libportlib.a common/util/.libs/libgeneral.a -Wl,--no-whole-archive -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lpthread -lcrypt -lnsl -lm -lpthread -Wl,-soname -Wl,libndbclient.so.0 -o .libs/libndbclient.so.0.0.0

It seems that it really desperately wants to link against libpthread.

Posted by Tonnerre Lombard | Permanent link | File under: broken, programming

2008-11-25 18:34:20

Your daily pot of MySQL insanity: Threading

I really know I shouldn't look into MySQL source code, but since there are customers who really entrust their data to this piece of software, I sometimes have to.

The task today: Updating PHP on Etch to version 5.2.6. Sounds easy, right? Wrong. Because after you put up with disabling all the new security extension which prevent the worst PHP scripts you've ever seen from running, and after fiddling half a day with weird compile time detection scripts which don't work in a uniform way, i.e. discover different environments under different circumstances, thus leaving you with a PHP which is in a constant debate with itself where its extension directory really is, …

…you finally come to the point where you have a working PHP package which waits infinitely on a futex on exit. A command as simple as php -v hangs indefinitely.

Following the code path further up, there is main(), php_module_shutdown(), zend_shutdown() (Why this stack order?!), zend_hash_graceful_reverse_destroy(), zend_hash_apply_deleter(), module_destructor(), zm_shutdown_mysql() (Argh, there's our other worst offender), mysql_server_end(), my_end(), my_thread_global_end(), pthread_cond_destroy(), …

Digging through the code a bit, and digging through the glibc code some more, it becomes clear that this is indeed one of the good old pthread_exit() NPTL bugs from older glibc days. For once, it seems that Debian has also shipped beta software to the world. At least it wasn't some important system component, only the libc.

Looking around some more, I stumbled over the PHP bug #42625. It is not very helpful, though, it only proclaims:

 Problem will solve itself when you rename /lib/tls to

Thanks for the suggestion, dear PHP people, but I have to get some work done first. Of course the above workaround does its job, but it is simply not what you would like to see in your server environment. And I don't mean the name.

So I dug out a different patch for mysql which adds code to detect whether or not the glibc NPTL is in use. In fact, it gets the check entirely wrong by checking if the OS is Linux, while the bug is certain to appear on other operating systems running glibc as well. In that precise moment, though, I couldn't have cared less.

Digging through the related header files, some more horrid things turned up which made it perfectly clear that I should not have gone there. One comment was rather odd:

/*Irena: compiler does not like this: */
/*#define my_pthread_getprio(pthread_t thread_id) pthread_dummy(0) */

Yeah, Irena, I can imagine perfeclty well why the compiler didn't like that. After all, typed arguments aren't really supported in preprocessor macros. It can be hacked in using tricks, but they will always be tricks. However, now that you found out that the compiler doesn't like it, why commit it?

Only a number of lines further, there is some code to handle a nonexistent errno:

#ifndef ESRCH
/* Define it to something */
#define ESRCH 1

Maybe it is not the best idea after all to define ESRCH to EPERM.

Then finally I am at the code I want to modify, but there is some oddity as well (there's always one more oddity). The added thread types for the header file are not flags or anything, they just enumerate types of libraries. However, no enum is used. That's ok, but the numbering is slightly odd:

#define THD_LIB_OTHER 1
#define THD_LIB_NPTL 2
#define THD_LIB_LT 4

Why bitwise numbering if it is not a flag? Or can a threading library be LT and OTHER at a time?

Of course, that's all not dangerous, but it gives a very odd impression …

Posted by Tonnerre Lombard | Permanent link | File under: broken, programming