X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/c45d612103d5da571a8e742a3754bade838b1df2..d4be2f19fd87f7f2dde0380094ecabcb25e76a8b:/blog/archive/2011/01/01.rss
diff --git a/blog/archive/2011/01/01.rss b/blog/archive/2011/01/01.rss
index d3506f0778..dc639269e9 100644
--- a/blog/archive/2011/01/01.rss
+++ b/blog/archive/2011/01/01.rss
@@ -1130,5 +1130,238 @@ Det er eit godt produkt, brukt av mange og godt likt.»</p>
+
+ Which module is loaded for a given PCI and USB device?
+ http://people.skolelinux.org/pere/blog/Which_module_is_loaded_for_a_given_PCI_and_USB_device_.html
+ http://people.skolelinux.org/pere/blog/Which_module_is_loaded_for_a_given_PCI_and_USB_device_.html
+ Sun, 23 Jan 2011 00:20:00 +0100
+
+<p>In the
+<a href="http://packages.qa.debian.org/discover-data">discover-data</a>
+package in Debian, there is a script to report useful information
+about the running hardware for use when people report missing
+information. One part of this script that I find very useful when
+debugging hardware problems, is the part mapping loaded kernel module
+to the PCI device it claims. It allow me to quickly see if the kernel
+module I expect is driving the hardware I am struggling with. To see
+the output, make sure discover-data is installed and run
+<tt>/usr/share/bug/discover-data 3>&1</tt>. The relevant output on
+one of my machines like this:</p>
+
+<pre>
+loaded modules:
+10de:03eb i2c_nforce2
+10de:03f1 ohci_hcd
+10de:03f2 ehci_hcd
+10de:03f0 snd_hda_intel
+10de:03ec pata_amd
+10de:03f6 sata_nv
+1022:1103 k8temp
+109e:036e bttv
+109e:0878 snd_bt87x
+11ab:4364 sky2
+</pre>
+
+<p>The code in question look like this, slightly modified for
+readability and to drop the output to file descriptor 3:</p>
+
+<pre>
+if [ -d /sys/bus/pci/devices/ ] ; then
+ echo loaded pci modules:
+ (
+ cd /sys/bus/pci/devices/
+ for address in * ; do
+ if [ -d "$address/driver/module" ] ; then
+ module=`cd $address/driver/module ; pwd -P | xargs basename`
+ if grep -q "^$module " /proc/modules ; then
+ address=$(echo $address |sed s/0000://)
+ id=`lspci -n -s $address | tail -n 1 | awk '{print $3}'`
+ echo "$id $module"
+ fi
+ fi
+ done
+ )
+ echo
+fi
+</pre>
+
+<p>Similar code could be used to extract USB device module
+mappings:</p>
+
+<pre>
+if [ -d /sys/bus/usb/devices/ ] ; then
+ echo loaded usb modules:
+ (
+ cd /sys/bus/usb/devices/
+ for address in * ; do
+ if [ -d "$address/driver/module" ] ; then
+ module=`cd $address/driver/module ; pwd -P | xargs basename`
+ if grep -q "^$module " /proc/modules ; then
+ address=$(echo $address |sed s/0000://)
+ id=$(lsusb -s $address | tail -n 1 | awk '{print $6}')
+ if [ "$id" ] ; then
+ echo "$id $module"
+ fi
+ fi
+ fi
+ done
+ )
+ echo
+fi
+</pre>
+
+<p>This might perhaps be something to include in other tools as
+well.</p>
+
+
+
+
+ Skolelinux-intervju: Morten Amundsen
+ http://people.skolelinux.org/pere/blog/Skolelinux_intervju__Morten_Amundsen.html
+ http://people.skolelinux.org/pere/blog/Skolelinux_intervju__Morten_Amundsen.html
+ Sun, 23 Jan 2011 12:00:00 +0100
+
+<p>Denne gangen er det Tromsøkontoret til Friprog-senteret, og nyvalgt
+styremedlem i <a href="http://www.friprogramvareiskolen.no/">foreningen
+FRISK</a> jeg har fått i tale i min intervjuserie med
+<a href="http://www.skolelinux.org/">Skolelinux</a>-folk.</p>
+
+<p><strong>Hvem er du, og hva driver du med til daglig?</strong></p>
+
+<p>Jeg heter Morten Amundsen og jobber i
+<a href="http://www.friprog.no/">Friprog.no</a>, men er for tiden leid
+ut til <a href="http://www.bredbandsfylket.no/">Bredbåndsfylket
+Troms</a> der jeg jobber med ett prosjekt som heter
+"<a href="http://www.bredbandsfylket.no/skolefjoela.157417.no.html">Skolefjøla</a>"
+Vi ser på en åpen løsning som integrerer eksisterende lukkete
+løsninger sammen med fri programvare. Målet er å gi elever og lærere
+en plattform som de kan tilpasse utfra behov.</p>
+
+<p><strong>Hvordan kom du i kontakt med Skolelinux-prosjektet?</strong></p>
+
+<p>Skolelinux har jeg møtt ved flere anledninger opp gjennom åra, både gjennom
+entusiastiske skolelinuxbrukere og skeptiske "forståsegpåere" :-)</p>
+
+<p>Jeg husker en leverandør av et stort OS for noen år siden mente at
+Skolelinux var kun for hackere og nerder og at ingen seriøse skoler
+kunne ta dette i bruk. Heldigvis er kunnskapen større nå og
+skikkelige "IT-folk" søker alltid å utvide sin kunnskap.
+
+<p><strong>Hva er fordelene med Skolelinux slik du ser det?</strong></p>
+
+<p>Ja det er mange fordeler. Uavhengighet, stabilitet, åpenhet, standarder
+osv. Tror det er viktig at man ikke begrenser mulighetene på den plattformen
+elevene skal jobbe.</p>
+
+<p><strong>Hva er ulempene med Skolelinux slik du ser det?</strong></p>
+
+<p>Det største hinderet er det vi opplever på andre områder rundt
+fri programvare, nemlig kunnskap. For mange er det trygt å velge det vi
+alltid har valgt. Fordi leverandørene rundt oss sitter på den kunnskapen og
+de vi støtter oss på har den samme. Hvis vi klarer å riste løs litt og
+glemme gamle kriger mellom operativsystemer og leverandører, men sette ned
+hva som er viktig og velge ut fra det, så hadde man kanskje kommet ut med
+litt andre resultat. Jeg tror IT-folk er konservative og velger tradisjonelt
+og det er synd.</p>
+
+<p><strong>Hvilken fri programvare bruker du til daglig?</strong></p>
+
+<p>Jeg bruker Ubuntu, Android, Jolicloud, Open Office, Zimbra, Picasa
+og Firefox samt en bråte med tjenester som er webbasert. Det eneste
+som er betalingslisens for er OSX. Ser at jeg jobber mer og mer i
+skyen og setter pris på alt jeg slipper egen klient til. Derfor er
+jeg veldig sjarmert av små kjappe operativsystemer som krever minimalt
+av maskinvaren.</p>
+
+<p><strong>Hvilken strategi tror du er den rette å bruke for å få
+skoler til å ta i bruk fri programvare?</strong></p>
+
+<p>Tror en blanding av krav og informasjon er veien å gå. Krav om
+sikkerhet, oppetid og åpne standarder. Informasjon om muligheter og
+alternativer. Her har leverandører, IT-avdelinger og pedagoger en vei
+Ã¥ gÃ¥ sammen. Det er til slutt LÃRING det dreier seg om, og da mÃ¥ man
+få mest mulig læring for pengene man har.</p>
+
+
+
+
+ Using NVD and CPE to track CVEs in locally maintained software
+ http://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html
+ http://people.skolelinux.org/pere/blog/Using_NVD_and_CPE_to_track_CVEs_in_locally_maintained_software.html
+ Fri, 28 Jan 2011 15:40:00 +0100
+
+<p>The last few days I have looked at ways to track open security
+issues here at my work with the University of Oslo. My idea is that
+it should be possible to use the information about security issues
+available on the Internet, and check our locally
+maintained/distributed software against this information. It should
+allow us to verify that no known security issues are forgotten. The
+CVE database listing vulnerabilities seem like a great central point,
+and by using the package lists from Debian mapped to CVEs provided by
+the testing security team, I believed it should be possible to figure
+out which security holes were present in our free software
+collection.</p>
+
+<p>After reading up on the topic, it became obvious that the first
+building block is to be able to name software packages in a unique and
+consistent way across data sources. I considered several ways to do
+this, for example coming up with my own naming scheme like using URLs
+to project home pages or URLs to the Freshmeat entries, or using some
+existing naming scheme. And it seem like I am not the first one to
+come across this problem, as MITRE already proposed and implemented a
+solution. Enter the <a href="http://cpe.mitre.org/index.html">Common
+Platform Enumeration</a> dictionary, a vocabulary for referring to
+software, hardware and other platform components. The CPE ids are
+mapped to CVEs in the <a href="http://web.nvd.nist.gov/">National
+Vulnerability Database</a>, allowing me to look up know security
+issues for any CPE name. With this in place, all I need to do is to
+locate the CPE id for the software packages we use at the university.
+This is fairly trivial (I google for 'cve cpe $package' and check the
+NVD entry if a CVE for the package exist).</p>
+
+<p>To give you an example. The GNU gzip source package have the CPE
+name cpe:/a:gnu:gzip. If the old version 1.3.3 was the package to
+check out, one could look up
+<a href="http://web.nvd.nist.gov/view/vuln/search?cpe=cpe%3A%2Fa%3Agnu%3Agzip:1.3.3">cpe:/a:gnu:gzip:1.3.3
+in NVD</a> and get a list of 6 security holes with public CVE entries.
+The most recent one is
+<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0001">CVE-2010-0001</a>,
+and at the bottom of the NVD page for this vulnerability the complete
+list of affected versions is provided.</p>
+
+<p>The NVD database of CVEs is also available as a XML dump, allowing
+for offline processing of issues. Using this dump, I've written a
+small script taking a list of CPEs as input and list all CVEs
+affecting the packages represented by these CPEs. One give it CPEs
+with version numbers as specified above and get a list of open
+security issues out.</p>
+
+<p>Of course for this approach to be useful, the quality of the NVD
+information need to be high. For that to happen, I believe as many as
+possible need to use and contribute to the NVD database. I notice
+RHEL is providing
+<a href="https://www.redhat.com/security/data/metrics/rhsamapcpe.txt">a
+map from CVE to CPE</a>, indicating that they are using the CPE
+information. I'm not aware of Debian and Ubuntu doing the same.</p>
+
+<p>To get an idea about the quality for free software, I spent some
+time making it possible to compare the CVE database from Debian with
+the CVE database in NVD. The result look fairly good, but there are
+some inconsistencies in NVD (same software package having several
+CPEs), and some inaccuracies (NVD not mentioning buggy packages that
+Debian believe are affected by a CVE). Hope to find time to improve
+the quality of NVD, but that require being able to get in touch with
+someone maintaining it. So far my three emails with questions and
+corrections have not seen any reply, but I hope contact can be
+established soon.</p>
+
+<p>An interesting application for CPEs is cross platform package
+mapping. It would be useful to know which packages in for example
+RHEL, OpenSuSe and Mandriva are missing from Debian and Ubuntu, and
+this would be trivial if all linux distributions provided CPE entries
+for their packages.</p>
+
+
+