Oh, Marmalaade! - Technical (http://stef.thewalter.net/; 2021-02-10T18:35:00+00:00)
Your Service is not Open Source (2021-02-10T18:35:00+00:00; Stef Walter; tag:stef.thewalter.net,2021-02-10:/open-source-services.html/)
<p>Open sourcing the code to your SaaS is insufficient. For a service to be truly Open Source, we need to effectively enable users to contribute to the running SaaS itself.</p>
How to join Active Directory domains with a One Time Password (2014-05-06T14:23:00+00:00; Stef Walter; tag:stef.thewalter.net,2014-05-06:/how-to-join-active-directory-domains.html/)
<p><a href="http://www.freedesktop.org/software/realmd/docs/">realmd</a> and <a href="http://www.freedesktop.org/software/realmd/adcli/adcli.html">adcli</a> allow you to join a domain with a one time password. </p>
<p>That is: a domain administrator can prepare a one time password, and
that one time password can later be used (usually by someone else) to
join a specific computer to the domain. </p>
<p><a href="http://www.freeipa.org/page/Main_Page">FreeIPA</a> supports this natively …</p>
More secure with less “security” (2013-08-16T16:23:00+00:00; Stef Walter; tag:stef.thewalter.net,2013-08-16:/more-secure-with-less-security.html/)
git-coverage: Useful code coverage (2012-12-18T10:55:00+00:00; Stef Walter; tag:stef.thewalter.net,2012-12-18:/git-coverage-useful-code-coverage.html/)
<p>I’ve sorta dabbled in using code coverage off and on, but it never
really grabbed me as super useful and fit well within my workflow. </p>
<p>When hacking on open source I want to try out patches, run tests against
them, whether automatic unit tests or manually diddling things during …</p>
How to create an Active Directory domain to test against (2012-08-03T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2012-08-03:/how-to-create-active-directory-domain.html/)
<p>Many interested people want to help test the Active Directory work and
bug fixes we’ve been doing. But sadly there are no public Active Directory
servers that I know of. So here’s how to set up a virtual machine with
your own Active Directory. It’s not that hard …</p>
Kerberos and Active Directory Logins (2012-06-15T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2012-06-15:/kerberos-and-active-directory-logins.html/)
<p>Ray and I and some others have been working on making it easy to use
Kerberos single sign on with <span class="caps">GNOME</span> 3.6. The feature itself isn’t super
revolutionary. You sign in with your realm login (eg: your Active
Directory user name and password) and then you can go …</p>
VMWare Player on Fedora 16 (2011-10-28T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-10-28:/vmware-player-on-fedora-16.html/)
<p>I have some VMWare <span class="caps">VM</span>’s I’ve been using here and there. I probably
should convert them to Virtual Box, but I’ve had a rough time getting
that working as well. </p>
<p>So … every time you upgrade the kernel, VMWare barfs because kernel
headers have changed. Usually I look …</p>
Redesigning the Seahorse Experience (2011-10-17T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-10-17:/redesigning-seahorse-experience.html/)
<p>As part of the work on getting smart cards into Seahorse, there’s some
design work that needs to be done to make the new functionality usable.
In particular, the overarching design goal is that Seahorse isn’t a tool
we expect users to “learn”. Actions should follow mostly from …</p>
Importing certificates and keys (2011-10-05T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-10-05:/importing-certificates-and-keys.html/)
<p>I’ve been working on an importer for keys and certificates that can work
with <span class="caps">PKCS</span>#11 key storage, such as smart cards, <span class="caps">NSS</span> or gnome-keyring. </p>
<p>Here’s a demo of it in action. If you want to try this out yourself,
you’ll need: </p>
<ul>
<li>latest gcr library from <a href="http://git.gnome.org/browse/gnome-keyring/">gnome-keyring …</a></li></ul>
Introspecting Certificates (2011-09-29T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-09-29:/introspecting-certificates.html/)
<p>Today I merged in a contribution from Evan Nemerson for GObject
introspection support into the Gcr and Gck libraries. I ended up
tweaking thousands of lines of comments and code,
<a href="https://bugzilla.gnome.org/show_bug.cgi?id=660436">filed</a> <a href="https://bugzilla.gnome.org/show_bug.cgi?id=581525">some</a> <a href="https://bugzilla.gnome.org/show_bug.cgi?id=660352">bugs</a> and so forth. </p>
<p>But the end result is you use <span class="caps">PKCS</span>#11 and stuff like the <a href="http://developer.gnome.org/gcr/unstable/gcr-GcrCertificateWidget.html">Gcr …</a></p>
Smart card icons (2011-09-23T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-09-23:/smart-card-icons.html/)
<p>I’ve been working on smart card integration into Seahorse, and as part
of that <a href="https://bugzilla.gnome.org/show_bug.cgi?id=659951">we need icons for smart cards</a>. I had fun putting together
something today: </p>
<p><img alt="Smart card icons" src="images/gcr-smart-card.png"></p>
<p>Obviously not perfect, but I’m happy with the result. The tools and info
in gnome-icon-theme are really nice. </p>
<p>At some point …</p>
Ditching Certificate Authorities with Convergence (2011-09-06T19:49:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-09-06:/listened-to-moxies-talk-about-trust.html/)
<p>Listened to <a href="http://thoughtcrime.org/about.html">Moxie’s</a> <a href="http://www.youtube.com/watch?v=Z7Wl2FW2TcA">talk about Trust Agility and ‘Convergence’</a>.
Sounds like a viable candidate for ditching the Certificate Authority
mess, or at least part of a solution. Go <a href="http://www.youtube.com/watch?v=Z7Wl2FW2TcA">watch the video</a> if you haven’t already. </p>
<p>I was thinking about how we could implement support for
<a href="http://convergence.io/">Convergence</a> in <span class="caps">GNOME …</span></p>
Viewer for Certificate and Key files (2011-09-01T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-09-01:/viewer-for-certificate-and-key-files.html/)
<p>So a lot of the work I do doesn’t have any user interface. The best user
interface is no user interface, well one that isn’t needed. But recently
I’ve been working on some tools to view the plethora of certificate and key
formats out there. So I couldn …</p>
How to build telepathy-qt4 with alternate prefix (2011-08-11T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-08-11:/how-to-build-telepathy-qt4-with.html/)
<p>Just figured out how to build telepathy-qt4 in an alternate prefix and
also look for dependencies in that prefix as well. Since I don’t use
cmake much these days, figured I’d post this so I could go and look back
at it later. Depends on <a href="https://bugs.freedesktop.org/show_bug.cgi?id=40008">this fix</a>. </p>
<div class="highlight"><pre><span></span><code><span class="nv">PKG_CONFIG_PATH …</span></code></pre></div>
The security devroom at FOSDEM (2011-02-13T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2011-02-13:/security-devroom-at-fosdem.html/)
<p>Went to <span class="caps">FOSDEM</span> last weekend. It was a cool and crazy conference: packed
rooms, great talks, good friends, much beer. I enjoyed finally meeting
the <a href="http://www.collabora.co.uk/">Collabora</a> guys I’m now working with. </p>
<p>I hung out in the absolutely packed security devroom the first day,
superbly <a href="http://www.opensc-project.org/opensc/wiki/FOSDEM2011">organized by Martin Paljak from …</a></p>
Implemented trust assertions and certificate chains (2010-12-11T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-12-11:/implemented-trust-assertions-and.html/)
<p>Trust assertions are bits of trust information used by applications to
make trust decisions about certificates. For example, trust assertions
can represent certificate authority anchors, pinned certificate
exceptions, or revocation lists. Trust assertions do not represent the
trust decision itself, but they’re used in a trust decision. </p>
<p>By using …</p>
These aren’t the benchmarks you’re looking for (2010-10-19T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-10-19:/this-arent-benchmarks-youre-looking-for.html/)
<p>I was evaluating use of <a href="http://library.gnome.org/devel/gobject/unstable/">GObject</a> for small plentiful
short-lived objects in <a href="http://stef.thewalter.net/2010/10/introducing-libgck-pkcs11-gobject.html">libgck</a>. I wanted to see how their performance
compared to custom reference counted structures. Turns out it’s not as
bad as I imagined. </p>
<p>The speed difference on my system, with a <a href="http://thewalter.net/stef/misc/test-gobject-speed.c">simple test program</a>, ended
up being …</p>
Goals of the Keyring and Seahorse Projects (2010-10-17T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-10-17:/goals-of-keyring-and-seahorse-projects.html/)
<p><span class="Apple-style-span" style="font-family: inherit;">In an
effort to get better organized, I’ve put together <a href="http://live.gnome.org/GnomeKeyring/Goals">a page listing the
goals</a> of the <a href="http://live.gnome.org/GnomeKeyring">gnome-keyring</a> and <a href="http://projects.gnome.org/seahorse/">seahorse</a> projects. </span>It’s
all broken down into tasks, plans, and what’s already done. </p>
<p>The basic gist of it is to make crypto and security a usable experience
on …</p>
About Trust Assertions (2010-10-13T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-10-13:/about-trust-assertions.html/)
<p>I’ve been working on some specifications for storage of ‘trust’. This is a
sufficiently vague and abstract concept to require a hoity toity name:
<em>Trust Assertions</em> </p>
<p>Trust assertions are used to assign an explicit level of trust to a
public key or certificate. I’ll just refer to certificates below …</p>
Certificate and Key Widgets (2010-10-08T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-10-08:/certificate-and-key-widgets.html/)
<p>The new certificate and key view widgets are now merged into
gnome-keyring master. They live in <a href="http://git.gnome.org/browse/gnome-keyring/tree/gcr">libgcr</a>: a library for crypto <span class="caps">UI</span>
widgets and crypto helpers. </p>
<p>The goal of the widgets is to have a simple mode, where only the
information needed for a user to uniquely identify a certificate …</p>
Introducing libgck: A PKCS#11 GObject wrapper (2010-10-04T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-10-04:/introducing-libgck-pkcs11-gobject.html/)
<p>In gnome-keyring we use <a href="http://www.rsa.com/rsalabs/node.asp?id=2133"><span class="caps">PKCS</span>#11</a> for the storage of keys and
certificates. <span class="caps">PKCS</span>#11 is a standard, sort of a plugin <span class="caps">API</span> that allows
drivers or software to provide key storage and crypto algorithms to an
application.<br>
libgck is a GObject wrapper of <span class="caps">PKCS</span>#11. Still pretty low level but …</p>
My Talk: Usable Crypto on GNOME (2010-07-30T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-07-30:/my-talk-usable-crypto-on-gnome.html/)
<p>I gave a talk on Wednesday about using a common certificate and key
store across the desktop and using common widgets for crypto bits. </p>
<p>Sadly the talk was at the same time as a big release team
announcement/talk. Notwithstanding more people came than I expected. </p>
<p>The <a href="http://memberwebs.com/stef/misc/guadec-usable-crypto.pdf">slides are here …</a></p>
Talk at GUADEC on Integration of Certificate and Key Storage (2010-05-14T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-05-14:/talk-at-guadec-on-integration-on.html/)
<p>I’ll be attending <span class="caps">GUADEC</span> for the first time. Not only that but I’ll be
giving a talk. I’m a bit nervous, but excited!</p>
<p>The talk is about integrating various
applications using keys and certificates to use a common key storage.</p>
<p>Currently each application puts their
certificates and …</p>
Part of Postgresql 9.0… (2010-05-07T00:00:00+00:00; Stef Walter; tag:stef.thewalter.net,2010-05-07:/part-of-postgresql-90.html/)
<p>I’ve contributed to another open source project, Postgresql. My first
contribution <a href="http://developer.postgresql.org/pgdocs/postgres/release-9-0.html">made it into version 9.0</a>. </p>
<p>I worked on the <code>samenet</code> and <code>samehost</code> host
based access control feature, which lets you grant database access to
hosts on the physical subnets that the postgresql server is attached to.</p>
<p>Previously …</p>