Damien Miller's weblog
Thu, 27 Jul 2006
We are expecting a baby any hour now (literally), so at last I have an excuse for not updating this thing. I have been a little (sarcasm) busy preparing and moving out of our home ahead of a renovation. Moving out required that I relocate my ADSL connection, and I also took the opportunity to move all of the infrastructure services (email lists, OpenSSH bug tracker, rsync and CVS servers, etc.) from my home server onto a co-located server at Hostcentral. So far this has been very reliable, but I worry about backups now that I no longer have regular physical access to my system.
The scant free time that I have had has been spent trying to figure out how to build CPython modules (notably py-radix, py-editdist and the log reader module in flowd) on Windows XP (gag) with Microsoft's gratis Visual Studio Express compilers to no avail. I have also been trying to navigate the maze of Python Web Application Frameworks (Django, Pylons, TurboGears, etc., ad nauseam). This too has been a failure, largely because of the "improved" Python setuptools packaging format that all these projects seem to have adopted crashing into my bloody-minded need to build OpenBSD ports/packages of software I install on my systems. Python setuptools distribute modules as "eggs" ostensibly to make things easier for the user (à la CPAN), but they make life quite a bit more difficult for packagers. If I had a weekend to bash at it I could probably knock it over, but that is fantasy. Why am I looking at Python WAFs? I'd like to keep my skills sharp by developing a good cooking recipe site for my wife and some of our friends.
I have updated my OpenBSD TODO list. A few things have been done by others while I have been slacking. Darren Tucker has been busy improving OpenSSH over the last month or so (well, more busy than ever). He has implemented a simple but powerful policy system for sshd_config (search for the Match option). With this, it is possible to do things like:
    # Don't trust this guy - only let him use sftp
    Match user djm
        AllowTcpForwarding no
        X11Forwarding no
        ForceCommand /usr/libexec/sftp-server -l INFO
What has been implemented so far is pretty basic, but is already useful. It will be better once matching on CIDR address ranges and control of pre-authentication options (in particular authentication types) are added.
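A check that the sftp-only pattern above is applied completely, as an added example that is not from the original post or from OpenSSH: it flags Match blocks that force sftp-server but leave forwarding enabled, since ForceCommand does not itself switch forwarding off. The global line, the "guest" block, the function names and the rule that each block is judged on its own (block value, then global value, then the OpenSSH default) are assumptions of this example.

```python
# Constructed sample: only the "Match user djm" block comes from the post.
SAMPLE = """\
X11Forwarding yes
Match user djm
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand /usr/libexec/sftp-server -l INFO

Match user guest
    ForceCommand /usr/libexec/sftp-server
"""

DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no"}  # OpenSSH defaults

def parse(text):
    """Split sshd_config text into (global settings, [(criteria, settings)])."""
    glob, blocks = {}, []
    target = glob
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            target = {}  # following keywords belong to this block
            blocks.append((value, target))
        else:
            target.setdefault(key, value)  # keep the first value seen
    return glob, blocks

def audit_sftp_only(text):
    """List (criteria, keyword, effective value) where an sftp-only block still permits forwarding."""
    glob, blocks = parse(text)
    findings = []
    for criteria, settings in blocks:
        cmd = settings.get("forcecommand", "").split()
        if not cmd or cmd[0].rsplit("/", 1)[-1] not in ("sftp-server", "internal-sftp"):
            continue  # not an sftp-only block
        for key, default in DEFAULTS.items():
            # Assumption: block value, else global value, else default.
            effective = settings.get(key, glob.get(key, default)).lower()
            if effective != "no":
                findings.append((criteria, key, effective))
    return findings

if __name__ == "__main__":
    for criteria, key, value in audit_sftp_only(SAMPLE):
        print(f"Match {criteria}: {key} is effectively '{value}'")
```

On the constructed sample the djm block passes, while the guest block is reported twice: once for the default AllowTcpForwarding and once for the X11Forwarding value it inherits from the global section.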
I just found, and greatly enjoyed, Charles Stross' A Colder War (full text online) - a very fun bit of science fiction, where the singularity meets the Dark Alliance and H. P. Lovecraft.
The situation in Lebanon saddens me greatly. Hezbollah's indiscriminate firing of rockets at civilians is wrong and obviously counterproductive. Gandhi showed them the weapons that they should be using against powerful opponents, and demonstrated that they work. On the other hand, Israel's response is immoral and even more ill-considered. Targeting civilian infrastructure (power stations, ports and airports) is pure state terrorism and a brutal demonstration of military force against a defenceless target. This sort of collective punishment of a nation that was taking tentative steps towards becoming an effective democracy and peacefully disarming Hezbollah will just embitter a generation and guarantee an ongoing supply of recruits to Israel-hating terrorist organisations. If you think that I am being unduly harsh on Israel, consider that Hezbollah is a terrorist organisation and so they cannot be expected to behave with any decency, *unlike* a democracy with a functioning constitution with working courts, UN membership, etc. One cannot justify brutality by saying "my brutal enemy struck first".
posted at: 06:41 | path: /life