Posts for August 2010

2010-08-12: WebAuth 3.7.2

This release fixes an embarassing bug in option parsing in wa_keyring introduced in 3.7.0 that caused the utility to become basically unusable. It also fixes the option parsing so that negative values (for gc for example) don't require -- to disambiguate from options, at least on platforms that support + in the getopt() string.

Also fixed is an uninitialized variable in wa_keyring that caused wa_keyring to randomly default to verbose mode, portability to old MIT Kerberos and Heimdal libraries without krb5_get_init_creds_opt_free, and build problems with the Perl module on platforms where shared libraries need to be linked with explicitly.

This release also returns a user rejected error from the WebKDC if the account is disabled or expired in Kerberos, rather than a generic Kerberos error, which will allow WebLogin to return a better error message.

You can get the latest version from the official WebAuth distribution page or from my unofficial distribution page.

2010-08-13: git-pbuilder 1.13

This supporting script for using cowbuilder with git-buildpackage came up at DebConf, which also meant more attention on the bug requesting that it be included in git-buildpackage. I've therefore done a few new releases over the last few days including additional features that the example script in git-buildpackage supported that my version of the script hadn't.

Changes since 1.10 include adding support for update, create, and login options, which call cowbuilder with the corresponding flag instead of doing a build, and support for taking the distribution on which to act from the name of the script in case anyone wants to create symlinks to the script as supported by the git-buildpackage example script. I also switched the license to an MIT license instead of the same terms as Perl (which didn't make much sense, since it's not written in Perl).

You can get the latest version of the script from my scripts page, and will also be included in the git-buildpackage package directly down the road.

Thank you very much to Guido G√ľnther for his discussion, willingness to include the script, and bug fixes.

2010-08-16: Policy and time management

After reading Do It Tomorrow, I was inspired to try some of the techniques that Mark Forster proposes. I commented in the review about the closed list system, which I'm still mostly using with some success. But I also started playing with the initiative slot. In his system, the initiative slot is first thing in the morning each (eligible) morning, which is used for a special project that you want to make forward progress on.

There are several criteria for choosing a task for the initiative slot. One of the strongest is dealing with a backlog. Since I'd been feeling guilty about the backlog of Debian Policy work that had built up, that seemed like a good choice. I picked up Debian Policy backlog clearing as my initiative starting at the beginning of June after the AFS and Kerberos Best Practices Workshop, with a goal of getting the open bug count below 100.

This has been very instructive, both from a time management perspective and from a Debian Policy perspective. Here are a few things that I learned on the Policy side:

Things I learned on the time management side:

I stopped using the initiative slot while travelling and haven't gotten back into the hang of regular time management since I've gotten back. I haven't yet decided whether to leave Policy work in the initiative slot for right now but change the goal, or whether to swap it out for something else. I'd like to keep momentum, but I'd also like to start using that slot for other things. Still pondering.

2010-08-25: C TAP Harness 1.5

This is a relatively minor release with a couple of bug fixes to bring this package in sync with other work.

The ok_program function in the shell TAP library now only removes bits from error messages after the second colon instead of the first. This feature allows easier testing of programs whose error messages include the system error, but the previous version was cutting off too much since the program name followed by a colon generally starts error messages.

I've also now added several new GCC warning options and runtests.c will now compile without warnings with -Wswitch-enum.

You can get the latest version from the C TAP Harness distribution page.

2010-08-25: rra-c-util 2.6

This release rolls up various fixes from different projects. It adds Kerberos portability code for old MIT Kerberos and Heimdal releases without krb5_get_init_creds_opt_free, adds apr-config --includes to the Apache module build flags for Red Hat Enterprise Linux, and fixes probes for UNIX domain sockets on OpenBSD.

Also in this release is a new test function for listing the contents of a keytab and fixes to the test principal determination in the Kerberos and remctl test libraries.

Finally, the last few releases didn't properly update the contents of the distribution to include all the new M4 macro files in the release tarball. This has now been fixed.

You can get the latest version from the rra-c-util distribution page.

2010-08-25: wallet 0.12

I was hoping that this release would be the long-awaited 1.0 release, but I want to ensure that the server has database upgrade handling before I declare a 1.0 release. I ran out of time to finish that, so this is another beta release, although it's in production at Stanford.

The main change in this release is the addition of the wallet-rekey client program, which takes a keytab and retrieves new keys for every principal listed in that keytab that's in the local realm. The new keys are then merged back into the keytab. This is designed to make it easier to do periodic rekeying of service keytabs.

Thanks to Ian Durkacz, this version includes a new ACL type, krb5-regex, which is similar to krb5 but takes a Perl regular expression matching the authenticated principal instead of a simple string match.

There are two new reports in this version: objects unused, which returns all objects that have never been downloaded; and acls duplicate, which returns all sets of ACLs that have exactly the same entries. The wallet-report backend also now supports a help command which provides a summary of commands.

You can get the latest release from the wallet distribution page. I've uploaded new Debian packages to my personal Debian repository, although they're nearly ready to make it into Debian.

2010-08-26: krb5-sync 2.1

Sam Hartman ported the kadmin patch included in this package to MIT Kerberos 1.8.3, so that seemed like a good excuse for a new release. The patch is not yet heavily tested.

Also in this version are a few bug fixes from the previous release around use with Heimdal. Heimdal 1.3.2 will return an error about a missing service location plugin instead of the last error from Active Directory when changing passwords, which caused the plugin to fail the password change if Active Directory wasn't available. This release now correctly queues the change (and does so for any password change error, to work around problems like this).

Finally, there are some fixes for routine error suppression in krb5-sync-backend with the -s flag, and the Active Directory status manipulation code no longer uses deprecated OpenLDAP library functions.

You can get the latest version from the krb5-sync distribution page.

Last modified and spun 2017-02-20