Saturday, January 28, 2012

Sigul Key Server Setup - Part 1

Ok, am going through the process of setting up a sigul key signing server. Am using the following two resources for the initial setup. Given how important this piece of the puzzle is, care and caution needs to be taken here.

Sigul setup instructions form Open Source @ Seneca Centre for Development of Open Technology

Fedora Project pages on how to use Sigul

Sigul uses a CA to generate SSL certs for the server, bridge, and clients to authenticate and encrypt communications. The server itself provides GPG keys for signing packages. In this case, I am going to setup a separate CA for sigul with respect to the CA we use for koji. The reasoning here is that koji's CA is used often, to create end user certs for access into koji. That means it's exposed often to an admin, either directly via the cli or indirectly via a webapp or other utility, when user certs are created.

The sigul CA should be kept fairly isolated in my opinion, since it's only used to add new server, bridge, and client instances. These additions should be fairly rare. Exposing the sigul CA often, as when a new end user cert is being created, opens up opportunities to create new certs that could be used to get rogue sigul clients the ability to get unauthorized rpms signed with our keys.

The bridge setup is pretty much spot on from the Seneca Sigul Setup link above. One thing you may have to do is change the sigul user's default shell in order to create the db as the sigul user using the defaults from the Fedora install of the packages.

usermod -s /bin/bash sigul
Next for the server setup. First problem I need to resolve is that the server we're using for the sigul is an EL5 system. Python's sqlalchemy module that ships with EL5 is 0.3.11. There is an updated version in EPEL that also has a slightly different name - python-sqlalchemy0.5-0.5.8. Not sure if this is what's causing this error, I suspect so:

# sigul_server_create_db
Traceback (most recent call last):
  File "/usr/share/sigul/", line 21, in ?
    import server_common
  File "/usr/share/sigul/", line 107, in ?
    sa.Column('name', sa.Text, nullable=False,
AttributeError: 'module' object has no attribute 'Text'
I've installed the EPEL python-sqlalchemy and just doing that did not solve the issue. I also cannot un-install the python-sqlalchemy provided with the OS. I am pretty sure that the issue here is that version of sqlalchemy on the OS is missing the functionality that we need for sigul tools.

To be continued...

Thursday, January 19, 2012

Traveling and food

Sometimes traveling sucks... then you find something that just makes it worthwhile.

I travel for work. A lot. About 9 months out of the year I am on the road. Finding decent places to eat is a challenge in many if the lesser known destinations that us road warriors end up in.

And then, every once in a while, you find something that makes you forget the 70-80 hour week you just endured.

This is one of those.


Friday, January 13, 2012

Changing the interval for desktop display dimming on gnome-shell

Ok, after dealing with the Fedora 16 gnome-shell timer of 10 seconds for changing the screen brightness, herlo (Clint Savage) helped me (read solved) the timeout issue.

We figured out that that we change the timeout by using the following command line to update the dimmer time.

Set it to X secs:

gsettings set org.gnome.settings-daemon.plugins.power idle-dim-time

Verify or get the current timeout:

gsettings get org.gnome.settings-daemon.plugins.power idle-dim-time

Enjoy and thanks to herlo!

- Ivan

FUDCon NA Blacksburg, VA 2012

Attending my first FUDCon and am having a great time so far.

I was able to setup my company as a sponsor for the conference, Endosys is sponsoring the lunch for FUDCon on Sunday. Thanks to everyone for coming to the CON, participating in Fedora and making it possible for Endosys to exist. Your work is amazing and we really appreciate it!


- Ivan

Wednesday, January 4, 2012

Goose Project Goals for 2012

Ok, so most folks come up with a list of New Years goals for themselves. Being as I am a geek at heart, I have put together a list of goals for my participation in the Goose Linux Project.

Here they are:

- Improve documentation via maintenance or creation of a few wiki pages/docs.

- Automate the build of the build environment, Koji. Either by basing off of Ascendos' fantastic work or from scratch.

- Examine the authentication schema for the build env, perhaps FreeIPA.

- Koji patch/plugins for 2012, submit at least 5.

In addition to that, the team has come up with a rather ambitious list of overall goals for the project for this year as well. Here are some of them (reminder to self - start goose wiki page with these listed there):

- Project Goal GoOSe 6.0 Alpha release imminent (Jan 15, 2012).

- Project Goal Coordinate better cooperation with other el rebuild projects.

- Project Goal Start targeting release of GoOSe 6.1, 6.2, 6.x closer to our declared 60 days after upstream.

- Project Goal Automate contributor management. Spin up from joining to contributing much faster.

- Project Goal Improve upstream process by contributing patches and improving build tools.

And those are just a few of the more ambitious goals for the project. The list will evolve as time goes on, so keep an eye out and join us on #gooseproject on IRC when you have time to contribute or just want to learn more.

- Ivan

Monday, January 2, 2012

Laptop BIOS modding

Really, H/w manufacturers? You now make it difficult for me to buy my own upgrade components for MY laptop?

Fortunately, there are folks out there who figured out how to work around this awful practice. It turns out, that BIOS firmware is just software after all. And modifying that software is possible. (It did require I installed an OS I haven't run or supported in over 12 years... alas, what's one to do? I know, figure it out or write the tools necessary for doing this.)

So here's how I was able to use a wifi nic in laptop that isn't *approved* by the company that doesn't *OWN* my laptop.

Finally figured this out.

1. Download the bios mod: w520 bios mod

2. Download official bios

3. Flash official bios

4. Edit environment.dll with hex editor (the one in the flash tools dir), per this page: environment.dll

5. Create flash.bat per this page: flash.bat

6. Run flash.bat as admin.

7. Profit!

Took almost a week to find these nuggets and figure out the process.

Pretty unhappy that h/w manufacturers would cripple my hardware - whitelisted hw stiffles innovation and is completely anti-competitive. Not to mention downright rude and invasive.