Archive for October, 2008

Switching your kids to Linux

Based on some of the feedback on my previous postings, there seems to be some interest in this topic. I’m sure that this is more like Perl than Python (there is more than one way to do it), but this is how I managed it….
Step 0: Decide you’re going to switch them. There will be push back because it’s not what all their friends have. Make your decision and stick with it. If you aren’t going to stick with it, stop here.
Step 1: Get them using FOSS on Windows. In my case it was Firefox, Thunderbird, and Open Office. They still use these apps on Linux today. You need to find out what they are doing on the computer (you should know this anyway, but I digress …) and figure out how you are going to support it on Linux.
Step 2: Gap analysis – There may be some things that just aren’t happening. In our case my nemesis was iTunes and the particular iPod that Child #2 owned. At the time, it just wasn’t happening. If they need to dual boot, let them dual boot and don’t get very excited about it.
Step 3: Migrate their data and tell them the have to use Linux. In our house the response was very ho hum. You’ll either get resistance (see step 0) or acceptance. Here we got mostly acceptance because the applications they use every day mostly didn’t change and I helped them figure out how to use the applications that did change (AIM to Kopete took a little training).
Step 4: Relax. One thing I’ve told the kids is that because they are using Linux, I’m less worried about looking at exactly where they are surfing or what they are downloading because the operating system they are using is more secure. Teenagers see this as a feature.
Today the kids still dual boot for iTunes (now that we have Wine 1.0, that’s doable, i just haven’t gotten to it yet).
System configuration notes:
By default, Ubuntu inherits from Debian world readable Home directories. You’ll want to change this if you have multiple children so they have some privacy from each other.
Change Open Office to use the MS Office file formats. This may be FOSS heresy, but the first time you don’t get a call from your kid at school with a file on their memory stick in ODF and they can’t turn in their homework, you’ll be happy you made this change.
Policy considerations:
We treat the kids computer much like I would an employees. We’ve made it clear to them that it’s our computer that we let them use and they should have no expectation of privacy. That doesn’t mean that I sift through their Home directories on a daily basis, but I definitely reserve the right to go look and they know that.
The house rule is that they must have parental permission to boot into Windows. This is partly for security reasons (don’t run Windows if you don’t have to) and partly to make sure they don’t kill off their sibling’s homework project in an open session when they reboot.
P.S. They all seem to like KDE4 in Intrepid. If you haven’t tried KDE4, you really ought to give it a shot even if you’re a true Gnome fan. I suspect you may be pleasantly surprised.
Update: I guess someone liked this enough to translate it into Polish (they did ask and I said it was OK).

Kubuntu Intrepid – Teenager Ready

After the final freeze on Sunday I started looking at pre-release testing. I decided it was time for the kids to experience KDE4. This mostly affects the teenagers (we have two). Our five year old is happy if I open Kate for her and she can practice typing (she also loves Mr. Potato Head).
They’ve been using Linux as their primary operating system for about 3 years now. They like it OK, but get frustrated with the ocassional incompatibilites with the things their friends (all on Windows) do. The younger of the two has borrowed my Kubuntu laptop and taken it to school to give presentations using OOO.
The upgrade itself is an interesting story having to do with some hardware specific regressions that will end up in the Intrepid release notes (yeah for testing).
The cool part was last night when one of them (who is not very technically minded at all) turned to me and said, “Dad, guess what? I figured out widgets. They are SO cool!”. It’s the first time I recall her excited about something she could do on the computer. Dad thinks that is “SO cool”.
KDE4 – Making computers fun again.

Done

Unless some crisis in Universe/Multiverse erupts that is more unlikely than my imagination can, um, imagine, Universe/Multiverse is done for Intrepid. As of this writing, the MOTU Release Team bug list is empty (please don’t add more, there’s nothing we can do except point the bug at MOTU SRU and you can do that yourself). Thank you to everyone who worked hard on making Universe wonderful for Intrepid.
Each release seems to go a bit better. For Hardy we had some late library transitions that kept us busy up until final freeze (and even post release). This time we got it all done well in advance. We’ve come a long way since Feisty were MOTU were uploading all the way to final freeze with no coordination and we had some packages that were built on i386 and not on amd64.
It looks like we did a really good job of picking up RC bug fixes from Debian. Much better than I’ve seen in any previous release. Thanks to ajmitch for providing the RC bug tracker, to wgrant for significantly improving it’s usability, and for everyone who worked on getting these fixes into Ubuntu (even if you only did it to bump your rank in Ubuntu Top Uploaders (you know who you are).
Thanks again everyone. Time to get busy looking at intrepid-updates until Jaunty opens.

Easy SMTP Filter and Policy Server Intregration with Postfix

As I mentioned yesterday, the Intrepid postfix package has a couple of new scripts to make it easier to integrate SMTP filters and policy servers. They are easy to use, but not very flexible. My goal was to provide something that would pretty well just work for common use cases and at least give you a basis for other uses. Patches welcome.
The bad news is that due to a packaging bug, the man pages for the scripts are not in the Intrepid package. Each filter will give a help output if run with no arguments, however.
postfix-filter-add is meant to assist in integrating content filters such as amavisd-new with Postfix. It is specifically tuned for amavisd-new, so if using it for something else, be sure to check your /etc/postfix/master.cf afterwards and make sure it gave you a suitable result. After installing amavisd-new, you just run the script and then reload postfix. For example, if you want to call your smtpd service for amavisd-new ‘amavislistener’ and you want Postfix to listen at 127.0.0.1:10025 for return traffic from amavisd-new, you run:
sudo postfix-add-filter amavislistener 10025
All the needed master.cf entries will be added.
For policy server integration you have to provide the name of the policy server service you want to use, what user the policy server should run under, and the argument to use to spawn the policy server. Using my postfix-policyd-spf-python as an example package, it would look something like:
sudo postfix-policy-add policyd-spf policyd-spf /usr/bin/policyd-spf
Once again, the needed master.cf entries are added.
The changes needed for main.cf can either be done manually via your favorite editor or via postconf. For the SMTP filter example above, that could be:
sudo postconf -e “content_filter=amavislistener:[127.0.0.1]:10026”
Policy server main.cf entries need to be integrated into your smtpd_*_restrictions. In the case of an SPF policy server as above, doing it in smtpd_recipient_restrictions so it’s done after recipient validation is recommend. You would add a check_policy_service unix:private/policyd-spf in the appropriate place, for example:
smtpd_recipient_restrictions =
reject_authenticated_sender_login_mismatch
check_policy_service unix:private/policyd-spf
permit_sasl_authenticated
permit_mynetworks

reject
It’s not all just clickety-click just yet, but I hope this makes it easier. One capability these scripts do provide is the ability to fully script (in conjunction with postconf) filter and poilcy-server integration. I can imagine that might be of some assistance in large scale deployments (I could envision using these in a FAI installation script).

New on the mail server stack

One of the premises of Ubuntu is to pick one particular tool to do a particular job and focus on making that tool do the job well. For mail servers we’ve been gradually fleshing out a complete, solid stack to do the job. The long standing lineup is:
MTA (Mail Transfer Agent – the mail server): Postfix
MDA (Mail Delivery Agent – puts mail in the mailbox) Dovecot
In Hardy we added amavisd-new to Main to be a ‘hub’ for spam and virus filtering.
Now in Intrepid, clamav and spamassassin have been promoted to Main and so will have official security support. Ubuntu community developers (mostly me) have been supporting those packages well since Feisty was released, so the technical impact of official support isn’t likely to be great, but I imagine Canonical security support will bring piece of mind to some.
I think we have a pretty complete selection here. Dovecot is also recommended for SASL authentication.
What we lack is an easy way to get all these pieces easily integrated. I made some progress with adding some scripts to the postfix package to make it easier to integrate SMTP filters like amavisd-new and policy servers with your postfix setup (I’ll probably do a separate posting on those later). I had planned to use them to deliver an easy fully integrated Postfix, Amavisd-new, Clamav, Spamassassin experience. Unfortunately the Postfix pieces didn’t land until just before Feature Freeze, so that’s as far as we got for Intrepid. I’ll pick that up for Jaunty and we’ll see how far I can get it for 9.04.
In yesterday’s post on clamav, I should have probably mentioned that the Ubuntu clamav package grew an apparmor profile (thanks jdstrand) for Intrepid, so there’s that security bonus too.

Clamav Plans in Ubuntu

Clamav in Intrepid is currently the 0.94.1 release candidate and unless something upstream changes, that’s what we will release Intrepid with. 0.94.1 final is scheduled for November 3.
So if you are running Intrepid and are interested in Clamav, this would be a good time to notice any problems you are having. File bugs in Launchpad and I’ll push them upstream. The goal is to get fixes into 0.94.1 and then I convince the Ubuntu SRU team to let 0.94.1 into intrepid-updates.
Once we get to a final version in Intrepid, then I’ll start looking at backporting to Hardy. I don’t expect to backport to Dapper/Gutsy any more, but will still try to work on security patches for those releases. If anyone else is interested in backporting to Dapper/Gutsy, I’ll be glad to give advice.
We are now using a common Git repository for Clamav packaging with Debian. See the pkg-clamav project on Alioth for details. This should help with keeping Debian and Ubuntu closely aligned. So far just Intrepid is there. but as we touch the other releases, I’ll add them.

Kubuntu 8.10 – WAY better than I was expecting

I was lucky enough to get to attend the last Ubuntu Developer Summit (UDS) in Prague and work on planning this release. At the time I argued that KDE4 was unlikely to be mature enough to really be useful for most users until at least 9.04 and we ought to deliver parallel KDE3/KDE4 desktops for Intrepid. Riddell convinced me that we just didn’t have the resources for it and so the only thing we could do is push as hard and fast as possible for the best KDE4 desktop we could assemble in the time we had.
Now that the Release Candidate is upon us and I’ve been using it in my daily work for some time now, I’m prepared to say that Riddell had the right plan. Kubuntu Intrepid has come together very well and is, in my experience totally usable for almost everything. It has a few rough spots and there are some small things from KDE3 that I still miss, but this is really ready for almost everyone to use.
This didn’t happen by accident. It took a lot of hard work (to which I contributed in a small way*, but that’s it). The community of Kubuntu developers really matured in this release and rose to the challenge. Looking on #kubuntu-devel I see a lot of people who have contributions they can justifiably be proud of what Kubuntu is about to deliver. It couldn’t have been done without our Dear Leader, Jonathan Riddell, but equally he couldn’t have done it without the amazing community developer group.
That said, if you need something totally stable, you might want to stay with Hardy. It is slightly crashier than KDE 3.5 in Hardy, but only slightly. I don’t know of any major functions we don’t support. The team did a very good job of sorting out where it was prudent to stay with KDE3 versions and where they could push on to KDE4.
My motto for Kubuntu 8.10 was going to be “The Intrepid Ibex searches for the tiger through the jungle of KDE4. Some days you eat the tiger. Other days the tiger eats you. Which will it be? Upgrade and find out!” Looking at it now, I think that’s too harsh, but it will pay to do some work with a Live CD before you upgrade just to make sure what you need is there and working.
* I think my major Kubuntu contributions have been: bitching about missing stuff until someone fixed it, mangling the KDE3 kdegraphics package to produce a working kdvi after a user made a good case for why it was still needed, my now usual banging on Guidance so it doesn’t crash so much, and staying up all night re-uploading all of KDE 4.1.1 because someone had made a small mistake with the kde4libs tarball.