Documentation resources for Mandriva Linux and Free Software

Posts tagged mandriva

Ghost from the past : MSEC GUI mockup

I know that I tend to procrastinate a lot, but this time… it took me nearly 1 year ! Last year I decided to draw a mockup of a possible new UI for msec. Why ?

Current MSEC issues

Present MSEC GUI UI in Mandriva 2010


Presently I do think that msec has several issues. IMHO most of these issues are due to the fact that the target of this tool is not clearly defined. Here is, IMHO, the current list of issues :

  1. The UI is too technical and requires too much reading
  2. While the UI is technically informative, most users, even some of the skilled ones, won’t be able to tell if something is wrong or not
  3. The security parameter tab directly presents some low-level settings, and even worse, with a two-level tab layout. When you end up with tabs inside tabs … it means that something is wrong in your UI
  4. MSEC will show the raw security check logs : this requires high technical skills to understand, and with so much information, you may not know if something is wrong or not. On top of that the list of world writable files is displayed, and this could be very big : users’ home directories should be filtered out except $HOME/public_html if mod_userdir is installed.
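The filtering rule from item 4, as an added example (not msec code): entries under a user's home directory are dropped from the world-writable report unless they sit in that user's public_html and mod_userdir is installed. The function names and the sample paths are assumptions constructed for illustration.

```python
import posixpath


def _inside(path, directory):
    """True if path is the directory itself or lies beneath it.

    Comparing against directory + "/" keeps /home/alice2 from being
    treated as part of /home/alice.
    """
    return path == directory or path.startswith(directory + "/")


def filter_world_writable(paths, home_dirs, userdir_installed,
                          userdir="public_html"):
    """Return the world-writable entries that should still be shown.

    paths             -- entries reported by the world-writable check
    home_dirs         -- home directories of the users (hypothetical input)
    userdir_installed -- True when mod_userdir is installed
    """
    # Normalise first, so "/home/bob/../../etc/..." is not taken for a home path.
    # A home of "/" (used by some system accounts) is skipped: it would hide
    # every entry of the report. Symlinks are not resolved here.
    homes = [h for h in (posixpath.normpath(d) for d in home_dirs) if h != "/"]
    shown = []
    for raw in paths:
        path = posixpath.normpath(raw)
        home = next((h for h in homes if _inside(path, h)), None)
        if home is None:
            shown.append(raw)          # outside every home: always reported
        elif userdir_installed and _inside(path, posixpath.join(home, userdir)):
            shown.append(raw)          # web-served part of a home: reported
    return shown


# Constructed sample report and home list.
SAMPLE_HOMES = ["/home/alice", "/home/bob/", "/"]
SAMPLE_REPORT = [
    "/tmp/scratch",
    "/home/alice/notes.txt",
    "/home/alice/public_html/upload/form.php",
    "/home/alice/public_html_old/index.html",
    "/home/alice2/data",
    "/home/bob/../../etc/cron.d/job",
    "/srv/ftp/incoming",
]

if __name__ == "__main__":
    for entry in filter_world_writable(SAMPLE_REPORT, SAMPLE_HOMES, True):
        print(entry)
```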

 

New MSEC application UI proposal

So I decided to define the audience that will use the application, and what they expect to see. So let’s define the application goal and target:

  1. The application will be seen by the end user, who may not necessarily be technically skilled
  2. As a reference I will use the Microsoft Windows Security Center
  3. The application will be used to notify the user about the global security state of his computer, and only to perform some basic configuration settings
  4. More advanced/complete configuration settings should be handled by the CLI or another UI
  5. The UI should give the user clear visual hints as to whether something is wrong or not

 

The mockup


MSEC UI mockup from July 2010

The mockup was done using OpenOffice.org Draw. The UI is in French but I will explain everything.

The status bar

We are going to begin … from the bottom with the status bar. The status bar will quickly give two pieces of information: whether MSEC is enabled and the current security level.

The main panel

Now we are going to detail each element in the main panel. All elements are built on the same layout :

  1. Status icon: it shows whether the component is enabled, and also whether some issues were detected. The status icon has 5 states :
    • Green: Component enabled and no errors/issues detected
    • Orange: Component enabled but some errors/issues were detected
    • Yellow: Component enabled but there are some warnings ( not critical issues or some advised features are disabled )
    • Red: Component is disabled but it is strongly recommended to activate the component
    • Grey: Component is disabled and not required
  2. Component icon: the icon makes it easy to identify the component. Most of the time the icon will be the one used by the application that configures the component. This way the user will quickly recognize it when looking for it in MCC or KDE system settings ( if the component is integrated and displayed there )
  3. Component name or description: shows the component name or description. Some additional information may possibly be displayed
  4. Fold/Unfold icon: the icon shows more about the component, notably the basic actions that can be applied to it. Most of the time these actions will allow enabling/disabling the component and consulting the logs concerning the component. To show the logs for a component, we’d better use a standard icon to avoid putting unnecessary text.

Now let’s have a look at the details for each component.

Firewall settings

This component shows whether the firewall is enabled and whether there are issues.

  • status icon : red and green are straightforward. Orange will be used if port scans or attacks have been detected and no action has been taken by the user or a possible system policy ( block or allow/whitelist ). It means that mandi-ifw will have to communicate about its status. Yellow will be used when the firewall is enabled but some features are not enabled : all ports are opened, port scan detection feature not enabled, Interactive Firewall not enabled
  • component name/description: quick summary for the firewall, may show the number of firewall rules
  • component actions: enable/disable firewall, enable/disable Interactive firewall, enable/disable port scan detection, number of detected attacks, number of rules, show firewall logs

Security Updates

This component will deal with security updates.

  • status icon : green = automatic security updates enabled and system up to date, yellow = automatic security updates enabled but system not up to date, orange = no automatic security updates and last security updates are more than 1 or 2 weeks old, red = no automatic security updates and no security updates for 1 month, or updates disabled ( no security updates media defined ). No grey state, as for me security updates should always be enabled
  • component actions : enable/disable automatic security updates, enable/disable security updates ( update media are defined and enabled/disabled in urpmi.cfg ), number of pending security updates, last security update check/installation, show security updates log

System integrity

This component checks the system integrity and its global safety by relying on the MSEC security checks.

  • status icons: green = security checks enabled and no issues detected, yellow = security checks enabled but some warnings from some security checks ( CHECK_WRITABLE, CHECK_SUID_ROOT, CHECK_USER_FILES, CHECK_PERMS, CHECK_RPM_INTEGRITY ). Orange = security checks enabled but some critical issues have been detected ( CHECK_PASSWD and CHECK_SHADOW, CHECK_CHKROOTKIT, CHECK_SUID_MD5 ), red = security checks disabled and possibly some critical issues have been detected from last manual check ( CHECK_PASSWD and CHECK_SHADOW, CHECK_CHKROOTKIT, CHECK_SUID_MD5 ), grey = security checks disabled
  • component actions: enable/disable periodic checks, security check frequencies, enable security checks when on battery, enable/disable email notifications, enable/disable user notifications

MSEC security policy

This component allows configuring some basic MSEC security policies. The mockup lacks some of the actions that should be available in this part; they are detailed below.

  • status icons : green = msec enabled, no issues. Yellow = msec enabled but not at boot, grey = msec is disabled.
  • component actions: enable/disable msec, enable/disable msec at startup/boot, show msec logs, msec security level

Contrary to what can be seen in the mockup, I decided to replace periodic checks with system integrity, as for me this is more meaningful.

Conclusion

That was my proposal for the MSEC GUI. I guess that with the new trend in Mandriva, the tool should be written using Qt Quick/QML.

Last but not least, the user notification issue should be taken care of too. Indeed, presently the desktop notification will just notify that a security check has been done, however the user doesn’t know if something is wrong or not. I guess that instead we should have notifications when one of the components is in red or orange state.
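The System integrity status rules and the notification rule above, as an added example (not msec code). The function names, the shape of the findings input and the sample values are assumptions; a disabled component is taken to be red only when the last manual check left a critical finding, grey otherwise, and unknown check names are treated as warnings.

```python
# Check names as listed in the System integrity section.
WARNING_CHECKS = {"CHECK_WRITABLE", "CHECK_SUID_ROOT", "CHECK_USER_FILES",
                  "CHECK_PERMS", "CHECK_RPM_INTEGRITY"}
CRITICAL_CHECKS = {"CHECK_PASSWD", "CHECK_SHADOW", "CHECK_CHKROOTKIT",
                   "CHECK_SUID_MD5"}


def integrity_status(checks_enabled, findings):
    """Return (colour, checks that caused it) for the System integrity row.

    checks_enabled -- True when the periodic security checks are enabled
    findings       -- {check name: number of issues} from the last run,
                      periodic or manual (hypothetical input format)
    """
    flagged = {name for name, count in findings.items() if count > 0}
    critical = sorted(flagged & CRITICAL_CHECKS)
    # Assumption: a check name not listed on the page counts as a warning
    # instead of being silently dropped.
    warnings = sorted(flagged - CRITICAL_CHECKS)

    if not checks_enabled:
        # Disabled: red only if the last manual check found something critical.
        return ("red", critical) if critical else ("grey", [])
    if critical:
        return ("orange", critical)    # critical findings outrank warnings
    if warnings:
        return ("yellow", warnings)
    return ("green", [])


def components_to_notify(states):
    """Names of components whose colour warrants a desktop notification."""
    return sorted(name for name, colour in states.items()
                  if colour in ("red", "orange"))


# Constructed sample: one run with a warning and a critical finding.
SAMPLE_FINDINGS = {"CHECK_WRITABLE": 12, "CHECK_SHADOW": 1, "CHECK_PERMS": 0}

if __name__ == "__main__":
    colour, causes = integrity_status(True, SAMPLE_FINDINGS)
    panel = {"Firewall": "green", "Security updates": "yellow",
             "System integrity": colour}
    print(colour, causes, components_to_notify(panel))
```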

So finally, after nearly 1 year, I decided to talk about this mockup : I do hope this will give some interesting ideas to some Mandriva devs or contributors 🙂


Upgrading from Mandriva 2010.1 to Mandriva 2011 TP/Cooker

With the migration of Mandriva from rpm 4.6 to rpm 5.x, upgrading from a previous Mandriva release is not straightforward. So here are some tips to have a smooth upgrade :

  1. Install the perl-URPM 3.37 package available in main/testing repository ( 32 bits link, 64 bits link )
  2. remove all your current media : urpmi.removemedia -a
  3. add cooker media : urpmi.addmedia --distrib --mirrorlist 'http://api.mandriva.com/mirrors/basic.cooker.$ARCH.list'
  4. upgrade your Mandriva installation : urpmi --auto-update

If you have issues and an error message like Unable to open /usr/lib/rpm/rpmrc for reading, then it means that perl-URPM has not been updated and the rpm database conversion is not complete. Indeed, part of the conversion of the rpm database is handled by perl-URPM, so if the new version is not installed, your database ends up not being completely converted. To fix this, you will have to download the latest perl-URPM version from the cooker repository, extract its content with rpm2cpio, and then initiate the conversion :

  1. download the perl-URPM 4 and urpmi packages from the cooker main/release repository into /tmp/rpm5
  2. as root, go to the previous directory : cd /tmp/rpm5
  3. extract perl-URPM content with rpm2cpio in the current /tmp/rpm5 directory : rpm2cpio perl-URPM-4*.rpm | cpio -idmv
  4. extract urpmi package content with rpm2cpio in the current /tmp/rpm5 directory : rpm2cpio urpmi*.rpm | cpio -idmv
  5. in /tmp/rpm5, initiate the rpm database conversion : perl -I. -Murpm -e 'URPM::DB::convert("/", "btree", 1, 1)'
  6. now install the urpmi and perl-URPM packages : rpm -Uvh *.rpm
  7. You can now finish upgrading your system : urpmi --auto-update

Normally your system should be updated to the latest cooker release. Happy testing !!! 🙂

Some Mandriva 2010 Spring Reviews

Here are some Mandriva 2010 Spring reviews I found on the web thanks to http://www.tuxmachines.org/ :

Importing a SVN repository from one server to another one

As I’m now using Netbeans, I had issues with key based authentication for CVS projects in Netbeans. That’s why I decided to import my CVS project to SVN. At some point, as the SVN repository was on my own personal computer, I decided to move it to a public server I had, but only allow SSH access to it. So here is the procedure to move a SVN repository to another SVN server, and only allow svn+ssh access ( no webdav, no network svnserve access ) under Mandriva.

  1. On your old SVN server, dump the entire SVN repository : svnadmin dump /path/to/your/repository > /tmp/repository.svn_dump
  2. Now copy the dump file somewhere on the new SVN server. You may want to use scp if your SSH key based authentication is working correctly. For example : scp /tmp/repository.svn_dump user@new-svn-server:/tmp
  3. Once done, you may want to delete the dump file on the old server and possibly also delete the old SVN repo
  4. On your new server, install the SVN server package and its associated tools : urpmi subversion-server subversion-tools
  5. Check that svnserve is not started at boot by xinetd. For this, check the /etc/xinetd.d/svnserve configuration file and make sure that you have disable = yes, as follows :
    # default: off
    # description: svnserve is the server part of Subversion.
    service svnserve
    {
    disable             = yes
    port                = 3690
    socket_type         = stream
    protocol            = tcp
    wait                = no
    user                = svn
    server              = /usr/bin/svnserve
    server_args         = -i -r /var/lib/svn/repositories
    }
  6. Now create the repository tree on the new server : svnadmin create /var/lib/svn/repositories/
  7. Import the dumped repository file into the new SVN repository : svnadmin load /var/lib/svn/repositories/ < /tmp/repository.svn_dump
  8. If the import is successful, you should now ensure that the users connecting with SSH will have write access to the repository. For this, add the users to the svn group : usermod -G svn -a user
  9. Now add a default ACL for the group to the repository giving read, write and execute ( rwX ) rights to all members of the svn group : setfacl -R -m d:g:svn:rwX /var/lib/svn/repositories/
  10. Check that from a remote computer you can list the content of the repository : svn list svn+ssh://user@new-svn-server/var/lib/svn/repositories
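A check for step 5, as an added example (not part of the original post): it parses an xinetd service file and lists every service that xinetd would still start, so the svn+ssh-only setup can be verified after a package update. The function names and the second, constructed sample are assumptions; a defaults section is not interpreted.

```python
import re


def parse_xinetd_services(text):
    """Parse 'service NAME { attr = value ... }' blocks into a dict."""
    services, name, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if attrs is None:                 # outside a { ... } block
            m = re.match(r"service\s+(\S+)\s*(\{)?$", line)
            if m:
                name = m.group(1)
                if m.group(2):            # brace on the same line
                    attrs = {}
            elif line == "{" and name:
                attrs = {}
        elif line == "}":
            services[name] = attrs
            name, attrs = None, None
        else:
            m = re.match(r"(\w+)\s*[-+]?=\s*(.*)$", line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
    return services


def enabled_services(services):
    """Services xinetd would start: 'disable' missing or not 'yes'."""
    return sorted(name for name, attrs in services.items()
                  if attrs.get("disable", "no").lower() != "yes")


# The service block from step 5 of the post.
POST_CONFIG = """\
# default: off
# description: svnserve is the server part of Subversion.
service svnserve
{
disable             = yes
port                = 3690
socket_type         = stream
protocol            = tcp
wait                = no
user                = svn
server              = /usr/bin/svnserve
server_args         = -i -r /var/lib/svn/repositories
}
"""

# Constructed variant: same service with the disable line missing.
EXPOSED_CONFIG = POST_CONFIG.replace("disable             = yes\n", "")

if __name__ == "__main__":
    print(enabled_services(parse_xinetd_services(POST_CONFIG)))     # nothing to start
    print(enabled_services(parse_xinetd_services(EXPOSED_CONFIG)))  # svnserve exposed
```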

Happy coding with Subversion 🙂

Resources :

Fixing computer freeze when using Intel chipset with dual view

Today I wanted to configure 2 laptops running Mandriva 2010 to do presentations during a meeting, so I wanted to use clone output. Unfortunately, doing so results in an instant system freeze. Even worse, if the projector is plugged in before powering on the laptop, the kernel will crash at boot ! Both laptops were using Intel chipsets ( Dell Latitude E6500, Asus A6VA ). The only solution is to disable KMS support. For this you need to generate an initrd without the i915 module ( use --builtin=i915 ), and then possibly add to modprobe.conf : options i915 modeset=0. Once done, reboot the computer. While you will not have KMS support, at least you will have dual output in clone mode with no fear of freezing the kernel …

Mandriva: Nine Priorities for Mandriva Incoming CEO

As everybody^wnobody knows, Hervé YAHI is no longer the CEO of Mandriva. So I decided to rip off an article from The VAR Guy to issue an open letter to the Mandriva management. So here are 9 priorities for the new Mandriva staff :

  1. A New Community: Sure, Mandriva has a strong open source community. And ??? should work to strengthen that community, especially when seeing the clashes between Mandriva and its community. Still, the new staff needs to strengthen a different type of community : a Mandriva business ecosystem that includes hardware and software partners, service providers, channel partners and OEMs (original equipment manufacturers).
  2. Strengthen the Server Story: To date, Mandriva is known mostly as a desktop and mobile operating system, with relatively strong market share in the netbook market. But Mandriva recently launched its Mandriva Enterprise Server 5 and Pulse 2. Meanwhile, ???? offers some support of MES — as do upstarts like ??? and ???.
    But Mandriva needs more server partners… And whenever a noteworthy customer embraces Mandriva Enterprise Server, Mandriva needs to get the word out.
  3. Show CloudCluster/Grid Success or Mobile success: Mandriva has been working closely with grid partners like INRIA and BSC. XtreemOS 2 has been available since November. As XtreemOS seems to be a very good Grid solution, maybe CERN could use XtreemOS instead of Scientific Linux ! Let us see if a research lab is using some Mandriva products … But Mandriva needs to show some tangible examples of Grid/Mobile success. Who’s running MES/XtreemOS/InstantOn/Pulse and how are the deployments performing? Many people will be listening for answers.
  4. Recruit Application Providers: (…) Mandriva Enterprise Server needs more ISV (independent software vendor) support. Has Mandriva Software Partner Manager ???? been working on the ISV effort ? But real progress will require folks like Oracle, IBM/Lotus, Bull, HP, NEC, and other traditional application providers to fully embrace Mandriva.
  5. Strengthen OEM Relationships: To Mandriva’s credit, ????. HP, Lenovo and other major PC makers haven’t shown much interest in Mandriva. Can a new staff change that? Hmmm…
  6. Compete and Cooperate with Google, Intel: When Google started talking about Chrome OS in greater detail, Mandriva revealed InstantOn. Sweet. At the same time, Mandriva is working on Moblin v2. Impressive. Somehow, Mandriva must both compete and cooperate as Google, Intel and other technology giants size up their own Linux strategies.
  7. Disclose Customer Wins: Which businesses are running Mandriva and which organizations are paying Mandriva/Edge-IT for support? Mandriva needs to brag more about customer victories as they happen.
  8. Related Services: Mandriva is building a range of services and dedicated products to generate more revenue : InstantOn, Pulse 2, Mini, and Edutice. But Mandriva has to stay aggressive with Mini/Pulse 2/InstantOn/Edutice communications and messaging.
  9. Mandriva Partner Program: Is Mandriva working with training centers — such as CESI and SUPINFO — to get more IT managers and resellers up to speed on Mandriva ? We want to hear from solutions providers that are building profitable Mandriva business practices…

No doubt, new staff will have a lot of work. Although it’s difficult to track Mandriva’s financial performance, buzz about Mandriva — particularly on desktop — is slowly growing.

The original article, which concerns the new Ubuntu CEO, is available on The VAR Guy website : Ubuntu: Nine Priorities for Canonical’s Incoming CEO

The point on some Mandriva community projects

There are many community-based Mandriva derivatives, but few of them are known. So here is a ( not comprehensive ) list of some Mandriva based derivatives or projects :

  • One 64 community : 64-bit edition of the Mandriva One LiveCD. A KDE edition and a GNOME one are available for download.
  • LXDE LiveCD : The German community is releasing a Mandriva based LXDE LiveCD. It can also be used from a USB stick.
  • One XFCE 2010 Live : XFCELive is a XFCE Mandriva-based LiveCD created and maintained by the Mandriva community
  • Skiper’s Xfce 2010 : A fork of the XFCELive Mandriva project. This fork aims at integrating more testing features and offering extra customizations with the idea of improving the visual appearance of the environment.
  • MUD Netbook-Edition : a Mandriva based Netbook tailored edition. This edition from the Mandriva German community, based on the Mandriva One GNOME edition, features the Ubuntu Netbook UI. This edition can be used as a LiveCD or dumped on a USB key.
  • MUD (MandrivaUser.De) : As you can see, the Mandriva German community ( MUD ) is providing many projects based on the Mandriva distribution. They are also providing backported packages for older releases. To add their repositories, you can use SmartUrpmi.
  • Mandriva Community Moblin : A Mandriva-based Moblin edition aiming at improving Moblin integration in Mandriva. Some non-official sources are saying that a future official Moblin LiveCD may be released by Mandriva. As usual, everything is secret in Mandriva offices : so we will see. Please consult the Changelog to know the pending issues or fixed bugs and enhancements.
  • MIB (Mandriva Italian Backports) : This project from the Mandriva community provides backported packages for new and older Mandriva releases. Some packages, not even available in Mandriva official repositories, are also available. They do provide some repositories for those willing to install their RPMS.
  • MIB Live KDE 2010.0 : The MIB community is also providing a 64-bit version of the Mandriva One KDE : it’s a LiveDVD with packages from Mandriva, PLF and MIB.
  • Mandrivausers Romanian Backports : Another project from the Mandriva Romanian community which provides backports and packages for older Mandriva releases.

As you can see, there are many community projects around Mandriva products. Don’t hesitate to test them, review them, and speak about them. It would have been interesting to have a page listing all of these projects on the Mandriva wiki. A community section or category would have been interesting and useful 🙂

Experimental Mandriva Moblin LiveCD

Thomas Lottmann is providing experimental Mandriva-based Moblin LiveCD images. These images are provided in order to help test the Mandriva Moblin implementation.

The announcement was made on the Cooker ML. Please note this is a Mandriva community initiative. A tracker bug is available on Mandriva bugzilla for those willing to track and report bugs during their testing.

Here are some links :

Happy testing !

Lucky owner of the EasyNote TR 85

Since the beginning of the week, I’m the lucky owner of the Packard Bell EasyNote TR-85 laptop. This laptop was designed by the famous designers Pininfarina. It has the following specs :

  • Intel Core 2 Duo T6500
  • 4GB of RAM
  • GeForce G105M with 512MB dedicated video memory + 1GB of system memory
  • 15.6″ 16:9 HD LED LCD with a native resolution of 1366×768
  • 500GB SATA HD
  • 5 in 1 card reader
  • DVD-Super Multi DL drive
  • 1.3M webcam
  • Windows Vista

I’ve done the minimal setup for Windows Vista and applied the most urgent updates. I haven’t yet installed new applications like Firefox, but at least I created the restoration DVDs. I allocated 200GB for Linux, and kept about 300GB for Vista in NTFS format. I installed Mandriva 2009.1, but as the vesa driver was used, I upgraded to Mandriva 2010.0 RC1. Not everything is working correctly under Linux, however.

I’m very happy with this acquisition : the design is top, I like the silver keyboard a lot, the screen is beautiful. My only complaint is the fact that Linux will not support it efficiently. I will do my best to get my notebook correctly supported by the next Mandriva 2010.0 release.

Packard Bell EasyNote TR-85 Packard Bell EasyNote TR-85 closed

KDE 4.3 final entering in Cooker

Yesterday, KDE 4.3 final packages began to appear on Cooker mirrors. KDE 4.3 will provide many bugfixes and new features. On top of that, some kde*-experimental packages are available : they contain some additions to the kde packages.
