Re: [Firebird-devel] FB4 - Linux snapshots
2018. 12. 03. 11:06 keltezéssel, Alex Peshkoff via Firebird-devel írta: On 12/3/18 12:17 PM, Gabor Boros wrote: Hi All, The current Windows snapshots of 4.0 are 4.0.0.1324 but the Linux just 4.0.0.1258. Please fix/update it. Build fails due to too old (4.8) ICU. IMO it's also time to decide what toolchain (gcc + glibc) we should use to build FB4 and prepare appropriate environment for beta builds. gcc 4.7.2 we use to build FB3 is definitely too old. Beta 1 released. Linux snapshots are still outdated. Will be fixed? Gabor Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Start transaction from base transaction
Hi! As part of READ COMMITTED READ CONSISTENCY, it was added context variables (under RDB$GET_CONTEXT's SYSTEM namespace) GLOBAL_CN and SNAPSHOT_CN. GLOBAL_CN: Most current value of global Commit Number counter SNAPSHOT_CN: Value of Commit Number of currently database snapshot: either transaction level (for SNAPSHOT or CONSISTENCY transaction), or request level (for READ COMMITTED READ CONSISTENCY transaction). NULL, if snapshot is not exist. It was also added function RDB$GET_TRANSACTION_CN( ): Returns commit number of given transaction. I may be wrong but as RDB$GET_TRANSACTION_CN does not get the SNAPSHOT_CN of active transactions, but only commit number of committed transactions, these set of (user exposed) feature is now currently only for curiosity or debug purposes, but not for monitoring. If SNAPSHOT_CN is exposed outside own transaction/attachment (say in MON$ or with another function as RDB$GET_TRANSACTION_CN that gets the SNAPSHOT_CN from another transaction) that feature may also be used for monitoring. I think that must be considered. Despite that, with this thread feature SNAPSHOT_CN gains a function, i.e., to start more than one transaction (could be in different attachments) seeing the same initial data. It's agreed that we also need a transaction info code to get the same thing currently returned by SNAPSHOT_CN of SNAPSHOT transactions. So all this functionality is very related, so they names must match accordingly. Vlad is proposing the new info code to be named fb_info_tra_snapshot_number. I have no problem with it, provided that SNAPSHOT_CN is also renamed (with he seems to be open), but for what? SNAPSHOT_NUMBER too? (I have no problem with that) So if we consistently call that number a "SNAPSHOT NUMBER" the path to name the new TPB and SET TRANSACTION subclause becomes easy. Which then I would go to isc_tpb_at_snapshot_number and SET TRANSACTION SNAPSHOT [ AT NUMBER ]. Adriano Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
On 25/02/2019 15:12, Alex Peshkoff via Firebird-devel wrote: page 125 in relnotes 3.0.3 (and I believe not far from it in other versions): Bear in mind in my case I was provided with 3.0.2 via SUSE and even finding the release notes was an exercise. I'm fairly sure that this said specifically DO NOT do something if you are only going to use legacy connections ... yep ... The same red box appears on the 3.0.4 version! 3.0.4 copy I am looking at now only refers to adding the default SYSDBA user and in my case this did exist but the 'Legacy Authentication' section I THINK has a change? UserManager = Legacy_UserManager I think had the ", Srp" in the earlier version and it's that which I was adding back first ... leaving it out THEN AuthServer = Legacy_Auth, Srp is not causing a problem! Now back to trying to find out why streaming video is broken :( -- Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - https://lsces.co.uk EnquirySolve - https://enquirysolve.com/ Model Engineers Digital Workshop - https://medw.co.uk Rainbow Digital Media - https://rainbowdigitalmedia.co.uk Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
On 2/25/19 5:51 PM, Lester Caine wrote: On 25/02/2019 14:05, Alex Peshkoff via Firebird-devel wrote: Then lets change this question to why the security database in the distribution isn't initialized for SRP (ie having the PLG$SRP table, maybe other things needed). Would it be possible to initialize it as part of the distribution **without** having a user present? That at least would avoid the "Look at the compatibility chapter" error. It will be very useful for a user which started to change configuration file not understanding it to read an instruction instead of continuing in random order. Once again - if one includes SRP in configuration security DB should contain at least one SRP user, if there are no users why include it at all? If I am reading this correctly then I was correct last month when I simply ended up stripping all but the Legacy options from the config file? Rather than following the 'compatibility chapter' which I don't think makes any mention about creating a srp user ... page 125 in relnotes 3.0.3 (and I believe not far from it in other versions): Initializing the Security Database By default, Firebird 3 is configured for the new authentication model which uses SRP to work with user pass- words and generate unique session identifiers for traffic encryption. The security database (security3.fdb) has no predefined users. This is intentional. However, when using the standard installers for Windows, Linux and MacOSX, the SYSDBA user is created during the final step of the installation, with a password that is either random or defined via a user input routine. In a situation where the SYSDBA initialization step either fails, or is missing from an OS-specific install process, such as a Windows .zip kit install or a dedicated POSIX platform port, it may be necessary to initialize the security database manually for use with the SRP plugins. You will need to create the user SYSDBA and set up the password for it using SQL CREATE USER command syntax in embedded mode as your first step to getting access to databases and utilities. and so on... Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
On 2/25/19 5:51 PM, Lester Caine wrote: On 25/02/2019 14:05, Alex Peshkoff via Firebird-devel wrote: Then lets change this question to why the security database in the distribution isn't initialized for SRP (ie having the PLG$SRP table, maybe other things needed). Would it be possible to initialize it as part of the distribution **without** having a user present? That at least would avoid the "Look at the compatibility chapter" error. It will be very useful for a user which started to change configuration file not understanding it to read an instruction instead of continuing in random order. Once again - if one includes SRP in configuration security DB should contain at least one SRP user, if there are no users why include it at all? If I am reading this correctly then I was correct last month when I simply ended up stripping all but the Legacy options from the config file? Rather than following the 'compatibility chapter' which I don't think makes any mention about creating a srp user ... it's about manually creating a legacy SYSDBA/xxx which in the case of the SUSE install already existed. It WAS only when I removed the srp ( and windows ) entries that I could get in. I've a stack of 6 servers out in the workshop each with their own copy of firebird but also using versions on other machines in the stack as backups. The 3050 port is not enabled outside the network and apart from using Flamerobin for manual tweaks, everything else is accessed via PHP, so DO I need to worry about SRP on this setup? Lester, as I've already said: if you are sure that nothing untrusted can reach your port 3050 - what a difference what authentication plugin is used? The only small one - legacy is slightly faster. Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
On 25/02/2019 14:05, Alex Peshkoff via Firebird-devel wrote: Then lets change this question to why the security database in the distribution isn't initialized for SRP (ie having the PLG$SRP table, maybe other things needed). Would it be possible to initialize it as part of the distribution **without** having a user present? That at least would avoid the "Look at the compatibility chapter" error. It will be very useful for a user which started to change configuration file not understanding it to read an instruction instead of continuing in random order. Once again - if one includes SRP in configuration security DB should contain at least one SRP user, if there are no users why include it at all? If I am reading this correctly then I was correct last month when I simply ended up stripping all but the Legacy options from the config file? Rather than following the 'compatibility chapter' which I don't think makes any mention about creating a srp user ... it's about manually creating a legacy SYSDBA/xxx which in the case of the SUSE install already existed. It WAS only when I removed the srp ( and windows ) entries that I could get in. I've a stack of 6 servers out in the workshop each with their own copy of firebird but also using versions on other machines in the stack as backups. The 3050 port is not enabled outside the network and apart from using Flamerobin for manual tweaks, everything else is accessed via PHP, so DO I need to worry about SRP on this setup? -- Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - https://lsces.co.uk EnquirySolve - https://enquirysolve.com/ Model Engineers Digital Workshop - https://medw.co.uk Rainbow Digital Media - https://rainbowdigitalmedia.co.uk Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
On 2/25/19 4:45 PM, Mark Rotteveel wrote: On 25-2-2019 13:51, Alex Peshkoff via Firebird-devel wrote: On 2/24/19 10:52 AM, Mark Rotteveel wrote: The security database inside the distribution is already initialized with a Legacy_Auth SYSDBA only. I'm not sure why the same can't be done for SRP (or at least: isn't done for SRP). First half of an answer is very simple - in order to avoid network server running with SYSDBA/masterkey login in default configuration. Looking at this discussion I once again notice that this protection is rather efficient :) Then lets change this question to why the security database in the distribution isn't initialized for SRP (ie having the PLG$SRP table, maybe other things needed). Would it be possible to initialize it as part of the distribution **without** having a user present? That at least would avoid the "Look at the compatibility chapter" error. It will be very useful for a user which started to change configuration file not understanding it to read an instruction instead of continuing in random order. Once again - if one includes SRP in configuration security DB should contain at least one SRP user, if there are no users why include it at all? And given the default security database does contain a legacy auth with SYSDBA/masterke it is insecure anyway for people who'll enable Legacy_Auth. If anyone himself changed configuration to include legacy plugin he definitely gets insecure configuration. Certainly I talk about default configuration which was already mentioned explicitly. Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
25.02.2019 15:51, Alex Peshkoff via Firebird-devel wrote: The security database inside the distribution is already initialized with a Legacy_Auth SYSDBA only. I'm not sure why the same can't be done for SRP (or at least: isn't done for SRP). First half of an answer is very simple - in order to avoid network server running with SYSDBA/masterkey login in default configuration. There's also a different approach to this, used by some other databases. In our case it would look like this: RemoteBindAddress = 127.0.0.1 Dmitry Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
[Firebird-devel] [FB-Tracker] Created: (CORE-6012) Possible server/utilities hang because of infinity loop in AbstractString::vprintf
Possible server/utilities hang because of infinity loop in
AbstractString::vprintf
--
Key: CORE-6012
URL: http://tracker.firebirdsql.org/browse/CORE-6012
Project: Firebird Core
Issue Type: Bug
Components: Engine
Affects Versions: 4.0 Beta 1, 3.0.4, 3.0.3, 4.0 Alpha 1, 3.0.2, 3.0.1,
3.0.0, 4.0 Initial, 3.0.5, 4.0 Beta 2, 3.0.6
Reporter: Artyom Smirnov
The problem is because only result of vsnprintf checked, but not cause of this
result (e.g. errno).
One of case with this issue I've got and reproduced is hanging gsec on CentOS 6
which have bug in glibc (https://sourceware.org/bugzilla/show_bug.cgi?id=6530)
For example simple reproduction for FB 3.x/4.x: shutdown server, create system
audit file with service auditing and add it to firebird.conf:
services
{
enabled = true
log_filename = /tmp/log
log_services = true
log_service_query = false
}
Run gsec with locale which is not POSIX or C:
LANG=en_US.utf8 bin/gsec -user SYSDBA -password masterkey -add test -pw test
vprintf will get string like "-user SYSDBA -ADD \377TEST\377 -PW \377test\377"
and will hang on it, because vsnprintf result always be -1 and errno always be
84.
All versions affected by infinity loop hang, because this part of code is same,
but this particular case of course will hang only on 3.x/4.x.
What about:
1. Checking errno in vprintf and at least throw exception instead hang?
2. Cleanup service terminal symbols in TracePluginImpl::log_event_service_start
before passing it to vprintf?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://tracker.firebirdsql.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
On 2/24/19 10:52 AM, Mark Rotteveel wrote: On 23-2-2019 20:56, Lester Caine wrote: On 23/02/2019 19:21, Paul Reeves wrote: It is linked to the fact that rpm installs don't allow interaction at install time, so the security database is not initialised. IIRC, rpm install 2.5 used to initialize security database using random password for sysdba. Was it changed in 3.0? I only know the suse packages. The security db was left unitialised. The fresh install using the packages currently supported by SUSE Leap 15.0 defaults to 'masterke', Shame on them... and as always the first thing I do is change that via flamerobin. The security database inside the distribution is already initialized with a Legacy_Auth SYSDBA only. I'm not sure why the same can't be done for SRP (or at least: isn't done for SRP). First half of an answer is very simple - in order to avoid network server running with SYSDBA/masterkey login in default configuration. Looking at this discussion I once again notice that this protection is rather efficient :) And that has been done in this case. My problem with the 'Compatibility chapter' on the previous install was that I was unable to access the database until I REMOVED Srp from the config file. I have no worries about the legacy system being 'less secure' simply because the only application accessing it is PHP on a local network link and I don't need any more than that so why should I have to do any more than getting a single user working? The problem is essentially http://tracker.firebirdsql.org/browse/CORE-5485 which Alex doesn't consider to be a bug. If you create a single Srp user, this will go away. And you have to create a user (or users) anyway for your application(s), so why not just use Srp for that? To be precise - if some application does not use firebird's access rights control (it's using same login for all attaches) and you are quite sure in reliability of infrastructure protecting server running firebird from undesired access I see no reason to use srp. Legacy plugin is faster - needs less CPU to establish connection. But in this case what's a need to add more plugins to configuration file? Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] [FB-Tracker] Created: (CORE-6011) Enabling legacy authentication in Windows installer leads to less secur config than possible
On 2/23/19 7:54 PM, Dimitry Sibiryakov wrote: 23.02.2019 17:51, Paul Reeves wrote: It is linked to the fact that rpm installs don't allow interaction at install time, so the security database is not initialised. IIRC, rpm install 2.5 used to initialize security database using random password for sysdba. Was it changed in 3.0? Supporting of RPM in _our_ (i.e. SF) binaries became unreal. That's first of all because no matter of the fact that all them have .rpm extensions and even same internal format _content_ of RPMs for different distro should be a bit different, and this difference does not get smaller from year to year. We used to fix (but "hack" is more precise word here) that using post-install script which in turn caused fatal problems when trying to upgrade firebird using our .rpm. That's why support of rpm's was dropped in FB3. Certainly various distro provide binaries in rpm form but we (project) do not publish rpm's any more. I.e. any question regarding ability to initialize security database using random password should better be asked not here. On my mind that should be possible. Moreover, it's done in a case of using '-silent' switch in install.sh from .tar.gz binary package and when doing 'make silent_install' when building from sources. Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Stable distributions ...
On 25/02/2019 11:14, Mark Rotteveel wrote: You need to explicitly enable hggit to allow TortoiseHg to work with git (and similar for subversion), see https://mcmblog.azurewebsites.net/using-tortoisehg-with-git/ Maybe you need to enable it again? I've been installing hggit for many years ... CURRENTLY the combination of versions of Mercurial, thg and hggit are not matched in Leap15.0 as it's been dropped and I'm wasting time trying to untangle the mess as ALL of my own patches in the website code are managed via that setup :( I may even resort to dropping thg onto a windows machine just to get something working for now but all I've been doing for the last week is trying to get a stable development platform again ... however just had another report of a problem on a client website so need to fix that ... sites that have run for years without any problems. -- Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - https://lsces.co.uk EnquirySolve - https://enquirysolve.com/ Model Engineers Digital Workshop - https://medw.co.uk Rainbow Digital Media - https://rainbowdigitalmedia.co.uk Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Stable distributions ...
On 25-2-2019 12:00, Lester Caine wrote: on the whole it's now stable - except I can't get access to github via TortoiseHG which has been my stable access route for MANY years and all my local code tracking is on Mercurial in parallel with Git or SVN as required for the third party libraries. I have at least got FlameRobin working despite problems with the problems between versions of graphics libraries and it seems that is part of the problem with TortoiseHG. You need to explicitly enable hggit to allow TortoiseHg to work with git (and similar for subversion), see https://mcmblog.azurewebsites.net/using-tortoisehg-with-git/ Maybe you need to enable it again? Mark -- Mark Rotteveel Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Stable distributions ...
On 25/02/2019 08:00, Lester Caine wrote: > > > Keeping PHP working with Firebird is a major headache anyway and the > interface does need some attention from someone more capable on the C > side than me but simply working through the Firebird side what is the > SAFE way to update the installation on SUSE Leap 15 and get it all > updated and even if I do will it fix the problem. I know I can roll > back to FB2.5 and I do now have queries that avoid the new bits in FB3 > but with FB4 now appearing there is a further minefield on the horizon > with timezone management hand grenades on the side! So just where DO I > start trying to get back to a stable platform? > You'd first start on support list or buying some support contract, as seems you cannot even well describe the problem. Adriano Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
Re: [Firebird-devel] Setting time zone bind through DPB?
On 2/23/19 2:39 PM, Mark Rotteveel wrote: On 18-2-2019 12:59, Alex Peshkoff via Firebird-devel wrote: On 2/18/19 2:21 PM, Adriano dos Santos Fernandes wrote: On 16/02/2019 12:57, Mark Rotteveel wrote: BTW: similar arguments could be made for the SET DECFLOAT options, but I don't have a need there. The similar SET DECFLOAT wasn't it, so TIME ZONE didn't had too. That backward compatibility bindings were designed in order to make new features work somehow with old, having no idea about them, software. Such software hardly has a good way to place unknown to it items to DPB. New one should better use default bindings cause they provide best (from functionality POV) access to new features. So why overcomplicate server where it's not needed ? That ignores the reality of drivers that are aware of the existence of a feature but haven't yet come around to implementing it (or don't want to implement it). For example, I only want to support time zones in Java 8 (and higher) and not in Java 7 to avoid having to implement it twice because the Java 8 implementation will use the java.time (JSR-310) API as required by JDBC, and this doesn't exist in Java 7. I could also add something like that in Jaybird 3.x, etc (that could apply for both DECFLOAT and WITH TIME ZONE types). And as I mentioned earlier, I'm also concerned about the effects of ALTER SESSION RESET. To me you suggestion looks reasonable - but I'm not sure is not it too late to add new features to FB4 after beta1. Let's see what others think about it. Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
[Firebird-devel] Stable distributions ...
Currently I have several systems running FB2.5 or earlier along with stable versions of Nginx ( replacing Apache ) and PHP5.x Some are even still running on XP because of hardware that later versions of windows will not support, although it seems the key there is only to run 32bit versions of W10 to gain access to the parallel port. These have been running perfectly stably for years but obviously there are requests from sites to 'upgrade'. Those sites that are now running W10-32bit have now all been configured to reboot over night as a few days of running invariably gets niggles where XP gave in some cases YEARS without a reboot! Some machines have 20 years worth of data back to Interbase days. Currently I've got one of the servers running PHP7.2.5 with FB3.0.4 except it's reporting LI-V6.3.2.32703 Firebird 3.0 in PHP and checking back with yast I'm seeing 3.0.2 for libfbclient2. The problem is I'm getting occasional reports of errors which I HAVE now pined down to the sites running on FB3 while the sites using FB2.5 from another server seem fine. I am presuming that libfbclient2 is accessing both version servers ... but need to work out why the client has not updated. The switch of web stack came about in something of a rush after a disk failure and the server was switched from SUSE13.1 which is no longer accessible repo wise to Leap 15.0 which is the latest SUSE STABLE distribution! So the versions used are as provided and updated by that version. I had the problem initially trying to get access to the FB3.0.2 server, but since everything IS backed up it was simple to just switch to a working FB2.5 server short term ... although that has been some time ago now :( I've been slowly working through getting the development machine upgraded to Leap15.0 which is more problematic than the servers which are running text only and just a web stack. But I now have all four screens working with Gnome (having kicked KDE into the long grass) and on the whole it's now stable - except I can't get access to github via TortoiseHG which has been my stable access route for MANY years and all my local code tracking is on Mercurial in parallel with Git or SVN as required for the third party libraries. I have at least got FlameRobin working despite problems with the problems between versions of graphics libraries and it seems that is part of the problem with TortoiseHG. *SO* I'm a little wary of changing elements which are not directly supported by Leap15.0 such as to FB3.0.4 or later versions of PHP and Nginx along with the development platform based on Eclipse. However the development server IS showing instability and is giving me quite regular crashes due to PHP failing to access the database with a message that Username and password are not set, but a second load works fine! Keeping PHP working with Firebird is a major headache anyway and the interface does need some attention from someone more capable on the C side than me but simply working through the Firebird side what is the SAFE way to update the installation on SUSE Leap 15 and get it all updated and even if I do will it fix the problem. I know I can roll back to FB2.5 and I do now have queries that avoid the new bits in FB3 but with FB4 now appearing there is a further minefield on the horizon with timezone management hand grenades on the side! So just where DO I start trying to get back to a stable platform? -- Lester Caine - G8HFL - Contact - https://lsces.co.uk/wiki/?page=contact L.S.Caine Electronic Services - https://lsces.co.uk EnquirySolve - https://enquirysolve.com/ Model Engineers Digital Workshop - https://medw.co.uk Rainbow Digital Media - https://rainbowdigitalmedia.co.uk Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
