The blog of a Network Analyst who plays around with many things open source when he is not feeding his MMORPG addiction.
  • Public Rant: “RPM Hell”

    Posted on July 31st, 2008 Bruce No comments

    The following is a public service announcement in rant format on a topic that I’ve reached my limit on:

    If you believe “RPM Hell” already exists and say things like “Apt is better than RPM” you just announced to the world that you do not know what you are talking about. YOU ARE WRONG.

    “RPM Hell” is a reference to the difficulty of taking a package file from one distribution family and trying to use it on the other. Newsflash: That was always a retarded idea. If the package wasn’t made for your distribution don’t freaking do it.

    I don’t care what wizbang distribution you are using, it’s always a bad idea. If it isn’t in the repository for your distribution and the software’s upstream provider doesn’t like your distribution enough to have a package for you, then sorry, you’ve just discovered the one way the Linux development model sucks. Whine at the people maintaining your distribution or pick a new one. The package management system we’ve all come to love was clearly designed with only server admins and developers in mind. And there is clearly no financial interest in making a desktop friendly system or someone would have paid to have it done already. Sorry, thems the breaks.

    The Debian world has the same problem as its advocates claim “RPM” (what? tar.gz gets a pass?) has if you try to mix packages between distributions and versions. The only “Hell” that exists is when people do a Google search and randomly grab a package from some random FTP site and give it a try. DON’T DO THAT. Apt will murder kittens and refuse to do anything for you ever again if you don’t uninstall the crap so don’t do it. Older versions of Yum will sulk at you and swear at you with a python traceback.

    Why? You have taken a dependency management system and violated it. You’ve corrupted it. The relationships are no longer sane. There is a sad reality in why Windows and Mac apps carry so many libraries with them. This crap is hard and no one has figured out how to make it friendly to Joe Sixpack without compromising security by design with every app carrying around a complete library set which may never get updated or patched.

    As a “workaround” any desktop distribution worth using has a massive repository enabled by default. And for those “questionable” things where you may or may not be violating federal law everyone “knows” of the ONE *cough*unofficial*cough* repository that you need. If you want a newer version of something from an upstream provider and they don’t have a dpkg or rpm file for your distribution version and you don’t want to compile it, sorry, you’ll have to do without.

    If this is too hard for you, then sorry, Linux desktop is a failure for your use case. I feel for you, seriously. May I suggest an appliance or device if you really want an open source desktop? I hear EEEPCs have a decent out of the box experience if you want to buy something with Linux preinstalled. If you want an actual laptop maybe Dell installs media crap out of the box for Ubuntu. I would certainly hope they do.

    And as for the other statement, saying “Apt is better than RPM” is like saying “Fedex is better than a cardboard box”. Hello? Yum? Ever hear of it? It’s been around for years. Seriously, it’s god damn ignorant to make that statement. Please educate yourself if you’ve ever said this.

    This public service announcement has been brought to you by the “Coalition for Schooling Ubuntu Fanatics That Spew This Crap In Response To Genuine Technical Complaints About Ubuntu’s Shitty Kernel Maintenance.” Hmm. Perhaps I should shorten that up a bit.

    Time for me to go back to figuring out why on Hardy I can’t use two mac80211 stack using wireless drivers at the same time without hundreds of lines of crap in dmesg and nothing happening.

    (Update: OK, I forgot to include the profanity.)

  • The Future of IPv4

    Posted on July 30th, 2008 Bruce 1 comment

    Required reading for anyone who deals with networks: “The Future Without IPv6” and “IPv6 and NAT… Again!”.

    If we have any hope of getting out of the NAT trap, how does IPv4 become painful enough to compel the transition? Will hitting NAT scalability issues be enough? Or will the attractiveness of forcing end-users to be consumers and not producers by making servers and p2p impossible through multiple layers of NAT mean IPv4/NAT will be attractive to upstream providers involved with media organizations? (Hello, Time Warner!)

  • Updated Security Analysis of Red Hat Enterprise 5

    Posted on May 29th, 2008 Bruce No comments

    Mark Cox from Red Hat has published an analysis of the security updates released for RHEL 5.0 through 5.2:

    The blog posts cover the effects of various exploit mitigation technologies. Sadly it seems the same software keeps having security holes over and over again. It would be a good idea not to use a web browser from an important server (No duh!). It also seems like Samba and Kerberos related daemons have some major issues and should be locked down with a MAC system like SELinux and removed from any system where they are not specifically needed.

  • Backing Up Bloglines Subscriptions

    Posted on May 19th, 2008 Bruce No comments

    Bloglines, an online RSS feed reader, offers an easy way to export your RSS feed subscriptions in OPML format. The following extremely trivial Python script will spit out the OPML file to stdout:

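    #!/usr/bin/env python3
    import mechanize

    # mechanize drives the login form the way a browser would
    b = mechanize.Browser()

    # Request the export page; the script expects a login form in response
    b.open("https://www.bloglines.com/export")

    # Fill in and submit the form named "login" (substitute your own credentials)
    b.select_form(name="login")
    b["email"] = "email@address"
    b["password"] = "password"
    b.submit()

    # The response to the login is the OPML export; write it to stdout
    # (decoded as UTF-8, which is an assumption about the export's encoding)
    print(b.response().read().decode("utf-8"))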
    

    Hopefully this will save someone else a few minutes of their time…

  • Wireless Drivers Suck

    Posted on May 15th, 2008 Bruce 1 comment

    Those of us who plan and maintain wireless networks are well aware of the problems presented by how limited you are with 802.11b/g in the 2.4 GHz band. One way that many network administrators attempt to work around this is to leverage 802.11a which is in the much more wide open and spacious 5 GHz bands. A common way to configure the wireless network is to have dual radio access points that support both 802.11b/g and 802.11a and have both radios broadcast the same SSID for the convenience of your end-users.

    I’m beginning to give up on the idea of using the same wireless SSID for both 802.11a and 802.11b/g radios. On all three platforms that I care about getting the wireless driver to prefer 802.11a over 802.11b/g is a waste of time. The vast majority of drivers for all three platforms seem to blindly check the SNR (Signal to Noise Ratio) of all visible APs advertising the desired SSID and ignore which band they are on. Because signals in 2.4 GHz attenuate less than 5 GHz signals this means 802.11b/g radios will always have the highest SNR and thus will always be preferred with a simple SNR check. This means the band you really want your users to use more is used the least.

    On Windows you can manually configure some drivers to prefer 802.11a for the same SSID shared between 802.11a and 802.11b/g radios but it’s specific to the driver and many drivers do not even offer the option. And some drivers that do offer the option sometimes choose to ignore it for reasons unknown. (I’m looking at you Intel.) On Mac none of this is exposed in the UI and I’ve yet to even get Google to cough up a command line way of influencing what band and channel to pick.

    On Linux it depends on if you choose to use NetworkManager and let the wireless driver select the channel itself. Depending on the driver quality you have the ability to specify the channel manually. To do this requires you to set it each time you wish to use wireless and this prevents roaming in many cases. It also turns what should be a two click and wait operation into something involving multiple manual commands and watching dmesg. It’s simply not a viable option for anyone except the network administrator himself.

    So I’ve given up on that front and I’ve decided the best thing to do is to just offer an SSID that is only served from 802.11a radios. Within most of our buildings 802.11a signal should be sufficient for roaming so while it’s not a great solution it’s a usable one at least. So now we have the usual SSID that is advertised from all of our 802.11b/g and 802.11a AP radios and in addition to that we have an SSID labeled with “(802.11a)” that’s only advertised from 802.11a radios. The Aruba gear we use makes it pretty trivial to have both SSIDs dump clients onto the same VLANs with the same AAA profiles so all it takes is about 5 lines of configuration to have no outside visible differences between the SSIDs.

    I really wish there was a more auto-magical way to get clients to prefer 802.11a but I’ve yet to find a viable way to do it. So for now the SSID kludge will have to do.
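
    The SNR-only selection described in this post, next to a band-aware alternative, as an added example that is not part of the original post and not any driver's actual algorithm. It assumes a free-space path loss model, equal transmit power and noise floor on both radios, a constructed SSID "campus", and a hypothetical 20 dB usability threshold.

```python
import math

TX_POWER_DBM = 17.0       # assumed AP transmit power, same on both radios
NOISE_FLOOR_DBM = -95.0   # assumed noise floor, same on both bands
MIN_USABLE_SNR_DB = 20.0  # hypothetical "good enough" threshold for 5 GHz


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB (distance in metres, frequency in MHz)."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def snr_db(distance_m, freq_mhz):
    """SNR a client would see from one radio under the assumptions above."""
    return TX_POWER_DBM - fspl_db(distance_m, freq_mhz) - NOISE_FLOOR_DBM


def scan(distance_m):
    """Constructed scan result: one dual-radio AP, same SSID on both bands."""
    radios = [("802.11b/g", 2437), ("802.11a", 5180)]
    return [{"ssid": "campus", "phy": phy, "freq_mhz": freq,
             "snr_db": snr_db(distance_m, freq)} for phy, freq in radios]


def pick_snr_only(bss_list):
    """Behaviour the post describes: highest SNR wins, band is ignored."""
    return max(bss_list, key=lambda bss: bss["snr_db"])


def pick_prefer_5ghz(bss_list, min_snr_db=MIN_USABLE_SNR_DB):
    """Band-aware policy: use 5 GHz whenever it clears the threshold,
    otherwise fall back to the plain highest-SNR choice."""
    usable_5ghz = [bss for bss in bss_list
                   if bss["freq_mhz"] >= 5000 and bss["snr_db"] >= min_snr_db]
    return pick_snr_only(usable_5ghz or bss_list)


if __name__ == "__main__":
    for distance in (5, 20, 80, 200):
        seen = scan(distance)
        gap = seen[0]["snr_db"] - seen[1]["snr_db"]
        print("%4d m  SNR-only: %-9s  band-aware: %-9s  2.4 GHz lead: %.2f dB"
              % (distance, pick_snr_only(seen)["phy"],
                 pick_prefer_5ghz(seen)["phy"], gap))
```

    Under these assumptions the 2.4 GHz radio leads by the same margin at every distance, so a plain SNR comparison never selects 802.11a from a dual-radio AP.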

  • SELinux Presentation

    Posted on May 12th, 2008 Bruce No comments

    A certain someone poked me enough times over the last 11 months that I finally decided to get around to uploading the slides of a presentation I gave back in June of 2007 to the MHVLUG. The topic was basic SELinux concepts.

  • Zenoss and Python: One Line Of Evil

    Posted on May 12th, 2008 Bruce 1 comment

    The following lines of code when used within Zenoss’s zendmd environment will take a list of IP addresses from a text file and spit out a list of those IP addresses that do not yet have a corresponding object in Zenoss.

    import string
    
    print [devip for devip in map(string.strip, open("iplist.txt", "r").readlines())
        if not [True for device in dmd.Devices.getSubDevices() if device.manageIp == devip]]

    This is useful for those cases where you are sure Zenoss discovery missed a few network switches due to a network administrator screwup and find that it’s too time consuming to find the handful among hundreds the manual way.

    As for the code quality I beg forgiveness from the Pythonic gods for thinking a list comprehension within a list comprehension with a map thrown in was a good idea. But then again I’m sure there are some Ruby fanatics out there that think that looks like Hello World. ;)

    Update on May 13th: A kind poster pointed out the presence of find() in zendmd and thus dmd.Devices.findDevice(). That means one can just do this instead:

    import string
    
    print [devip for devip in map(string.strip, open("iplist.txt", "r").readlines())
        if not dmd.Devices.findDevice(devip)]
    

    Not only is it shorter, it’s also an order of magnitude faster, which shouldn’t be too surprising considering the evil in the original version. Thanks Erik!

  • Sun And Communities

    Posted on February 24th, 2008 Bruce No comments

    If you had the misunderstanding that Sun’s idea of an open source community had anything to do with what the rest of the world called a community I’d strongly urge you to read this OpenSolaris mailing list thread.

    I think the attitude from some Sun.com posters along with the CDDL + GPL + Proprietary kernel drivers mess should make it painfully obvious what the Sun “community” model is: Make all the decisions internally, throw some code over the wall once in a while, and market the beta releases as “Community Releases”. And if some suckers from the outside world happen to fix a couple bugs for us all the better.

  • And They Wonder Why…

    Posted on February 12th, 2008 Bruce No comments

    And the right-wing blogs wonder why they have so little influence in Republican politics:

    Erick Erickson, editor of the popular conservative megablog RedState, conceded that progressives currently enjoy an advantage over conservatives online—though he attributed it to an asymmetry in free time, since conservatives “have families because we don’t abort our kids, and we have jobs because we believe in capitalism.” Erickson offered three means of reversing the trend.

    Ummm yeah… Good luck with that. (Psstt… You are not supposed to say the crazy stuff in public.)

    (Source: Ars Technica: GOP digerati call on party to emulate Dems by embracing ‘Net)

  • Hillary Clinton: Thanks For Nothing

    Posted on February 12th, 2008 Bruce No comments

    On the FISA Amendment blocking Telco Immunity:

    Clinton (D-NY), Not Voting
    Obama (D-IL), Yea

    She was apparently “too busy” campaigning to vote while Obama made a point to be around and make a stand on something.

    Congratulations Hillary. I didn’t think it would be possible for me to vote Republican this presidential cycle but if you end up being the Democratic candidate I have both a vote and cash for McCain’s campaign.