Wow! It took me long enough to get back to this. I started to write this on May 19th and just got it finished. I’ll blame being involved in too much :)
Day 4 - started later, 10:00 - much easier to get to. As it’s a long weekend and a Saturday, the traffic was light getting down here and there was parking on the street instead of the parking structure.
I had mentioned new toys in the previous day’s entry, but never got around to actually describing them. I picked up a new video camera to capture the sessions. My old one is a digital8 and works well. This one is a Hard Drive based camera and the difference is amazing. It took about 25 minutes to transfer all of the previous days sessions to my computer. Normally with a camera it is a real time event over firewire. I still have to do that for the tutorial sessions I filmed, and I’m not looking forward to it. There is a slight downside. The camera stores in MPEG2 with an ACC encoded Dolby 5.1 track. None of my software edits it directly (The sound gets lost), but MPEGstreamclip can open it and trim where I need it. It can also demux the audio and video and convert it to a known audio format. As far as I can tell, it doesn’t recode the video, so the quality isn’t affected.
Session 1 - The FreeBSD Security Officer Function
This was an overview of the functions of the security team for the FreeBSD project, including how it’s organized, who is responsible for what, process flow and tasks. It’s a little dry, but shows a practical example of the security function. Probably a very good read for someone who wants to get into this type of work. You need to know what it’s about and the types of functions. Slides are available from:
Session 2 - OpenCVS and OpenRCS - this comes from the OpenBSD folks.
We started off with a review of CVS and RCS, features of both and a overview of the successor - subversion.
OpenRCS - a start towards OpenCVS. It uses RCS files, uses the same commands and formats and has the advantage of simple and direct replacement. It picks up from the GNU unmaintained version and it is actively maintained by the OpenCVS team. OpenCVS is an alternative to the shortcomings of CVS and RCS - Secure, reads CVS repository, BSD license and the GNU CVS is unmaintained. In practice, CVS worked for years, all the basic commands are already there, the pain of migration is avoided, and it uses the RCS file format.
Features of subversion that make it worthwhile include rename, atomic commits and change sets. It also has the CVS people working on it. It is much more complex - HTTP, WEBDAV, complicated backend, “kitchen sink” approach and supposedly hard to secure the codebase - which I don’t personally see, as it seems to be fairly easy in my opinion. Lots of discussion on the features of subversion and the new feature sets.
Subversion also uses the berkeley DB format - binary file, old format, known issues with the file format and we are now storing our revisions in a “unproven” format. FSFS was designed to solve some of the Berkeley DB issues - each revision is one file - it is still a new format
Historically, CVS uses RCS files - easy recovery, use RCS or even vi to edit files if functionality is unavailable. The data is always available. It is also extensible. The essentials are available - commit, checkout, diff, log, update. OpenCVS is not inherently complex - complexity != security. It is a simple proven protocol which is extensible and it is easy to protect the repository.
OpenCVS is a work in progress, - includes some of the new features from subversion - atomic commits (almost ready). There are still issues - speed issues are yet to be addressed, although currently being worked on.
One item that may explain why the OpenCVS folk are reviving a stalled/unmaintained project is licensing. Subversion is available under a modified Apache 2 license, while OpenCVS will be available under the standard BSD license. This makes sense, as the project is being driven by the OpenBSD people.
Some alternates mentioned are mercurial, trac, git, …
The following is from the project webpage:
OpenCVS is a FREE implementation of the Concurrent Versions System, the most popular open source revision control software. It can be used as both client and server for repositories and provides granular access control over data stored in the repository. It aims to be as compatible as possible with other CVS implementations, except when particular features reduce the overall security of the system.
The OpenCVS project was started after discussions regarding the latest GNU CVS vulnerabilities that came out. Although CVS is widely used, its development has been mostly stagnant in the last years and many security issues have popped up, both in the implementation and in the mechanisms.
OpenCVS is developed by the OpenBSD Project. The software is freely usable and re-usable by everyone under a BSD license.
Slides are available from: The BSDCan Website.
Session 3 - OLPC (wanted to see the FreeNAS session too)
While this was not a BSD topic, it is a topic of interest and could have some long term affect on the way we approach learning. This talk was very interesting and if you have never seen the unit, you will be amazed with it. Very impressive! There will be a similar session made to OCLUG at the meeting earlier this week.
The project site is laptop.org and has information on the project, goals, technology, clients, volunteers and the community. I’ll be producing a podcast from the video I took and that will be made available “soon”. I have a lot of video to go through, so in the interests of actually getting it completed, I’ll be making it considerably less polished than I would like.
Session 4 - Another toss-up - PC-BSD and Failover and Load Balancing with pfSense
I decided on PC-BSD just because I wanted to go to an overview session. It was a fast and fun session. It’s a pretty simple install - installed quickly under parallels on my macbook and just worked. This is a good thing as I’m not up to speed on the BSD systems yet. There was a peanut gallery comment that they are not a real BSD, just a fork.
Session 5 - UTORvpn: A Cross-Platform OpenSource SSL VPN Implementation
This is a University of Toronto based implementation of OpenVPN.
This talk was centered around providing the graduate students, staff and professors VPN access to certain resources. While their actual implementation is not available for download, the guts were dissected and the system itself has merit.
One of the more interesting portions was for the windows users (yes, they are out there). Using the nullsoft installer and some setup scripts, customized windows installers can be created on a unix box that have x509 certificates as part of the implementation. You have the choice of certificates or pre-shared keys to implement OpenVPN.
There was mention that the packaging and scripts will be packaged and made available for inclusion in similar deployments for those who want to implement this as a solution. The actual project is heavily tailored to UofTs environment, so it is unlikely that is would be of value as the complete system.
The talk slides are located at: The BSDCan Website.