[maemo-developers] Re: Unresolved issues (Week 42)
Koen Kooi wrote:
> Tommi Komulainen wrote:
> Here is a list of issues raised on this list I think have not been concluded so far, in no particular order. The easiest way to get off the list is to provide answers, but you can also try convincing me other ways.
> I've said it on IRC before, but will say it again where (hopefully) more nokians will see it: I really appreciate these summaries!
> Let's work on giving the community enough information to help themselves and the developers more time and opportunity to give us a helping hand in more difficult situations.

Seconded. It's good to see these summaries.

Sebastian
___
maemo-developers mailing list
maemo-developers@maemo.org
https://maemo.org/mailman/listinfo/maemo-developers
Re: [maemo-developers] use DT_GNU_HASH
> yes, PyGTK slowness came mostly from resolving about 3k symbols. :-)
> PyGTK also uses a lot of time creating python objects during startup. But this will surely help, and GTK itself also exports many symbols.
> Rafael, is your 50% related to _gtk.so import?

It is a test that just dlopens the same libraries as openoffice.

Rafael
Re: [maemo-developers] Flash player 9
Hello,

> Maybe Flash has a use in interactive product demos before we have more capable W3C SVG

Maybe this is a bit of a specialist field but there is also a need in GIS for some interactive 3D web applications (Katrina and the Asian Tsunami brought this home pretty hard). This is however a bit of a mine field at the moment regarding standards.

There is X3D[1] from the Web3D Consortium, and the standards which build on it: GeoVRML[2] for specifying large, outdoor scenes, and H-Anim[3] for humanoid animation. X3D is the re-working of VRML in XML, and while VRML has a bad rep for being inconsistently implemented, it still presents one of the lower barriers to entry of the 3D standards. By using XML for 3D you also get access to the standard XML DOM for manipulations and animation (which can be good or bad, depending on your feelings about the DOM).

More powerful scripting can be done with Python, which has python-visual (on Debian and derivatives)

[EMAIL PROTECTED]:$apt-get install python-visual

which is a 3D graphics module for Python. If you need to do 3D beyond what VPython provides, but you don't care about the XML aspect of SVG, there are quite a number of tools for 3D which have Python bindings. The grand-daddy of them all is PyOpenGL[4], which gives you complete access to the native OpenGL API (an absolute beast, but it does the job). The PyOpenGL project also has a subproject, OpenGLContext[5], which is a learning environment for OpenGL, much more accessible than raw OpenGL (closer to VPython), and has a tool for importing VRML documents.

Other 3D Libraries with Python bindings include VTK[6], CrystalSpace[7], Blender[8], and on the commercial front the Poser[9] character animation program (version 5) is scriptable with Python.

There is also the H3D API, a GPL (open source) licensed software development platform for multi-sensory applications. H3D API uses X3D and OpenGL and is the only X3D engine which supports Python scripting as far as I know. [10].

[1] Extensible 3D Graphics http://www.web3d.org/x3d.html
[2] Geographical Data in VRML http://www.geovrml.org/
[3] Specification for a standard humanoid http://www.h-anim.org/Specifications/H-Anim1.1/
[4] The Python OpenGL Binding http://pyopengl.sourceforge.net/
[5] A Learning Environment for PyOpenGL and Python 2.2.x http://pyopengl.sourceforge.net/context/index.html
[6] The Visualization Toolkit http://www.vtk.org/
[7] CrystalSpace game development kit http://crystal.sourceforge.net/drupal/
[8] Blender 3D http://www.blender3d.com/
[9] Poser 5 Character Animation Solution http://www.curiouslabs.com/
[10] http://www.h3d.org/

[]'s
--
Ian Lawrence
http://ianlawrence.info
Centre for Bioinformatics
INSTITUTO NACIONAL DE PESQUISAS DA AMAZÔNIA-INPA
RUA ANDRÉ ARAÚJO N º .2936 , BAIRRO DO ALEIXO
MANAUS-AMAZONAS-BRAZIL
Research Program in Biodiversity
http://ppbio.inpa.gov.br
PHONE: 055-92-3643-3358
CEP. 69011 -970
| Please do not send me documents in a closed
| format.(*.doc,*.xls,*.ppt)
| Use the open alternatives. (*.pdf,*.html,*.txt)
http://www.gnu.org/philosophy/no-word-attachments.html

return [type for type in types if type not in types_to_exclude]
If you can see the beauty, then Python got you
[maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
Hi,

this is embarrassing: there is a buffer overflow in the Application Manager that is triggered when dealing with package icons that are larger than 2048 bytes after base64 decoding.

The overflow happens when there is a repository in /etc/apt/sources.list that contains such an icon in one of its packages, or when you have installed a .deb file with such an icon.

The bug is present in all versions of osso-application-manager less than 4.36, except 4.22.1. Version 4.36 will appear in Sardine soonish, and 4.22.1 will be in the next maintenance release of IT 2006.

The overflow does usually not result in a crash, tho. The icon will usually be treated as corrupted and the default icon will be shown.

If you maintain a repository, it would be good to check the packages in it for icons that are too large. Also, it would be a good idea to reject packages whose icons are too large. You can use the attached script as a starting point. I will check the repositories listed on maemo.org.

Limiting icons to 2k seems reasonable to me; almost all of them are smaller than that. So while this is an unfortunate situation, I don't think disallowing icons larger than 2k for packages that are meant for IT 2006 will be that bad.

Sorry for the bad news, but please spread them.

#! /bin/sh

# Usage: check-icon-overflow DEB
#
# Checks whether the maemo icon in DEB triggers the buffer overflow in
# the Application Manager.

set -e

# Exactly one argument is required: the path to the .deb file.
if [ $# != 1 ]; then
  echo "usage: check-icon-overflow DEB" >&2
  exit 2
fi

# Size in bytes of the icon after base64 decoding.
size=$(dpkg-deb -f "$1" Maemo-Icon-26 | base64-decode | wc -c)

if [ $size -gt 2048 ]; then
  echo "Icon in $1 is larger than 2048 bytes."
  echo "Some versions of the Application Manager might crash"
  echo "when trying to handle it."
  exit 1
fi

echo "(Icon of $(basename "$1") is $size bytes.)"
exit 0
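The repository-wide check the advisory asks maintainers to do, as an added example that is not part of the original post or of the Application Manager: it goes beyond the per-.deb script by scanning a whole Packages index. It assumes the index carries the Maemo-Icon-26 field with ordinary control-file folding; the function names and the script name are hypothetical, and the sample stanzas are constructed.

```shell
#!/bin/sh
# Added example: scan an APT Packages index for Maemo-Icon-26 fields that
# decode to more than the 2048 bytes named in the advisory.

ICON_LIMIT=2048   # bytes after base64 decoding, per the advisory

# icon_sizes INDEX
# Prints "<package> <decoded-bytes>" for each stanza with a Maemo-Icon-26 field.
# The size is derived from the count of base64 alphabet characters, so folding
# whitespace and "=" padding are not counted.
icon_sizes() {
    awk '
    function emit() {
        if (have_icon) {
            gsub("[^A-Za-z0-9+/]", "", b64)
            printf "%s %d\n", (pkg == "" ? "(unknown)" : pkg), int(length(b64) * 3 / 4)
        }
        pkg = ""; b64 = ""; have_icon = 0; in_icon = 0
    }
    /^[ \t]*$/ { emit(); next }                      # blank line ends a stanza
    /^[ \t]/   { if (in_icon) b64 = b64 $0; next }   # folded continuation line
    {
        in_icon = 0
        colon = index($0, ":")
        if (colon == 0) next
        name  = tolower(substr($0, 1, colon - 1))
        value = substr($0, colon + 1)
        if (name == "package") { gsub(/[ \t]/, "", value); pkg = value }
        else if (name == "maemo-icon-26") { have_icon = 1; in_icon = 1; b64 = value }
    }
    END { emit() }
    ' "$1"
}

# oversize_icons INDEX [LIMIT]
# Keeps only the packages whose icon is strictly larger than LIMIT bytes.
oversize_icons() {
    icon_sizes "$1" | awk -v limit="${2:-$ICON_LIMIT}" '$2 + 0 > limit + 0'
}

# check_index INDEX [LIMIT]
# Repository gate: returns 1 and names the offenders if any icon is too large.
check_index() {
    limit=${2:-$ICON_LIMIT}
    bad=$(oversize_icons "$1" "$limit")
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" | while read -r pkg size; do
        echo "REJECT $pkg: icon is $size bytes, limit is $limit"
    done
    return 1
}

# sample_stanza NAME NCHARS
# Constructed test data: a stanza whose icon is NCHARS base64 characters,
# folded at 72 characters per line like a real control field.
sample_stanza() {
    printf 'Package: %s\nVersion: 1.0\nMaemo-Icon-26:\n' "$1"
    awk -v n="$2" 'BEGIN {
        for (i = 0; i < n; i++) {
            if (i % 72 == 0) printf "%s ", (i ? "\n" : "")
            printf "A"
        }
        printf "\n"
    }'
    printf 'Description: constructed test package\n\n'
}

# Usage (hypothetical script name): sh check-repo-icons.sh /path/to/Packages
if [ "$#" -ge 1 ]; then
    check_index "$1" || exit 1
fi
```

An icon of exactly 2048 bytes passes, matching the advisory's "larger than 2048 bytes" wording.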
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, Marius Vollmer [EMAIL PROTECTED] wrote:
> this is embarrassing: there is a buffer overflow in the Application Manager that is triggered when dealing with package icons that are larger than 2048 bytes after base64 decoding.

Oops. Thanks for the disclosure.

> The bug is present in all versions of osso-application-manager less than 4.36, except 4.22.1. Version 4.36 will appear in Sardine soonish, and 4.22.1 will be in the next maintenance release of IT 2006.
[snip]

This now brings the question of an end-user roadmap back to the fore with a vengeance. To put it bluntly, how long is Nokia going to leave end users vulnerable to possible attacks? When *is* the next maintenance release of IT 2006?

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
Hello,

> This now brings the question of an end-user roadmap back to the fore with a vengeance. To put it bluntly, how long is Nokia going to leave end users vulnerable to possible attacks? When *is* the next maintenance release of IT 2006?

maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...

[]'s
--
Ian Lawrence
http://ianlawrence.info
Centre for Bioinformatics
INSTITUTO NACIONAL DE PESQUISAS DA AMAZÔNIA-INPA
RUA ANDRÉ ARAÚJO N º .2936 , BAIRRO DO ALEIXO
MANAUS-AMAZONAS-BRAZIL
Research Program in Biodiversity
http://ppbio.inpa.gov.br
PHONE: 055-92-3643-3358
CEP. 69011 -970
| Please do not send me documents in a closed
| format.(*.doc,*.xls,*.ppt)
| Use the open alternatives. (*.pdf,*.html,*.txt)
http://www.gnu.org/philosophy/no-word-attachments.html

return [type for type in types if type not in types_to_exclude]
If you can see the beauty, then Python got you
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, David Weinehall [EMAIL PROTECTED] wrote:
[snip]
> You know, IMO (not official Nokia policy) this isn't exactly a high risk security issue. To exploit, you need to install a package from an external, non-trusted source. Once you start installing non-trusted 3rd party applications, you're dead anyway.

That's not what Marius said:

> The overflow happens when there is a repository in /etc/apt/sources.list that contains such an icon in one of its packages, or when you have installed a .deb file with such an icon.

As such, it only requires someone to add a repository containing MyEvilPackage (and then presumably look at the AM in such a way as to display that package's icon).

> That said: we're a Debian based distribution, hence we follow the Debian release policy. We release when it's ready.

As I said in reply to Ian, at the moment it's not even clear that another release *is* planned: as far as we know, the next release could be planned for 2008 on the Nokia 880, with a cutdown version available for 770 die-hards for the bargain basement price of 999EUR.

Some clarity would, therefore, be very much appreciated.

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 16:30 +0100, ext Andrew Flegg wrote:
> On 10/25/06, David Weinehall [EMAIL PROTECTED] wrote:
> [snip]
>> You know, IMO (not official Nokia policy) this isn't exactly a high risk security issue. To exploit, you need to install a package from an external, non-trusted source. Once you start installing non-trusted 3rd party applications, you're dead anyway.
>
> That's not what Marius said:
>
>> The overflow happens when there is a repository in /etc/apt/sources.list that contains such an icon in one of its packages, or when you have installed a .deb file with such an icon.
>
> As such, it only requires someone to add a repository containing MyEvilPackage (and then presumably look at the AM in such a way as to display that package's icon).

Well, it still is a low-level risk, since you have to add an untrusted repository to your repository-list.

Regards: David
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
David Weinehall wrote:
> On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
>> On 10/25/06, Ian [EMAIL PROTECTED] wrote:
>>> maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
>>
>> That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
>
> If the fact that marius.volmer @ *** nokia.com *** wrote:
>
>> and 4.22.1 will be in the next maintenance release of IT 2006.
>
> doesn't indicate that another official release is planned from your point of view, you live in a very twisted world indeed.

No, we are just used to people from nokia saying 'a' and doing 'b'. Remember the clock framework discussion?

And smartass replies from an @nokia.com address aren't creating a lot of community goodwill either.
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, David Weinehall [EMAIL PROTECTED] wrote:
> On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
>> On 10/25/06, Ian [EMAIL PROTECTED] wrote:
>>> maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
>>
>> That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
>
> If the fact that marius.volmer @ *** nokia.com *** wrote:
>
>> and 4.22.1 will be in the next maintenance release of IT 2006.
>
> doesn't indicate that another official release is planned from your point of view,

Apart from the fact there's lots of semantic wriggle room in next maintenance release of IT 2006, until today all we knew of what *Nokia* were planning to do was:

* Sardine.
* Herring (through a mention of Carlos on #maemo)
* IT 2007 mentioned in Bugzilla
* A hint, through hearsay, about improved HWR from a trade show.
* A reference to updated OS on Nokia's pages about the GPS stuff.

If Nokia's plans now solely consist of yearly releases (with no word as to whether or not they cost money), the community'll probably want to start thinking about forking whatever's present so that we're not dependent on occasional, drip-fed releases from Nokia.

If Nokia's plans include maintenance releases for IT 2006, is it really that unreasonable to ask when they'll be?

> you live in a very twisted world indeed.

Perhaps, but I don't think that's relevant ;-)

Nokia can't have it both ways: they're either open and sharing and can claim to release when it's ready (where ready is also defined by the community); or they're closed, proprietary and have paying customers (and potential customers) dependent on a roadmap.

Either way, some professionalism would be nice.

Cheers,

Andrew

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
ext David Weinehall [EMAIL PROTECTED] writes:
> On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
>> On 10/25/06, Ian [EMAIL PROTECTED] wrote:
>>> maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
>>
>> That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
>
> If the fact that marius.volmer @ *** nokia.com *** wrote:
>
>> and 4.22.1 will be in the next maintenance release of IT 2006.
>
> doesn't indicate that another official release is planned from your point of view, you live in a very twisted world indeed.

Well, plans change. You never know. I really should have said will be in the next maintenance release of IT 2006, if there is one.

This poor hacker here at least hopes that there will be one.
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-10-25 at 17:44 +0200, ext Koen Kooi wrote:
> David Weinehall wrote:
>> On Wed, 2006-10-25 at 16:24 +0100, ext Andrew Flegg wrote:
>>> On 10/25/06, Ian [EMAIL PROTECTED] wrote:
>>>> maybe it's more helpful to ask if there is anything we (the community) can do to help get it out of the door?? ...
>>>
>>> That presupposes there *is* another official release planned. Until we know that, how can we offer to help?
>>
>> If the fact that marius.volmer @ *** nokia.com *** wrote:
>>
>>> and 4.22.1 will be in the next maintenance release of IT 2006.
>>
>> doesn't indicate that another official release is planned from your point of view, you live in a very twisted world indeed.
>
> No, we are just used to people from nokia saying 'a' and doing 'b'. Remember the clock framework discussion?

Uhm, no, but I do remember a discussion about an alarm framework, and it's still worked on. Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment.

(Oh, actually, there is a clock framework too, but that's part of the kernel and has been accepted upstream to the best of my knowledge...)

> And smartass replies from an @nokia.com address aren't creating a lot of community goodwill either.

Well, smartass replies from @dominion.kabel.utwente.nl don't do much good either.

Regards: David
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-25-10 at 18:57 +0300, David Weinehall wrote:
> Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment.

This has got to be the saddest statement of our society, the fact that the legal department has to check on it. A simple alarm function, for the love of god that sucks.

Yup we want to release a new clock but we have to check with the Lawyers first. Oh yeah we realize the clock has been around for hundreds of years but..

Ban Software Patents is the only response I can think of.
[maemo-developers] Re: maemo-developers Digest, Vol 18, Issue 34
i have to buy a hub of kraun 4 ports usb, now i would to connect a keyboard and a mouse to use better the nokia 770

as keyboard i founded a comat (small keyboard)

as mouse i think to use a logitech, but this is not the real problem, after to have connect the usb cable to the nokia and then to the hub, i would to know to take 5 volts from nokia to use the keyboard and the mouse.

can any help me ?

awaiting a reply, best faithfully ,

paolo del bene
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, 2006-25-10 at 19:54 +0300, David Weinehall wrote:
> On Wed, 2006-10-25 at 09:39 -0700, ext George Farris wrote:
>> On Wed, 2006-25-10 at 18:57 +0300, David Weinehall wrote:
>>> Most of the quirks have been twisted out now; it's almost functional, and our legal department is checking it at the moment.
>>
>> This has got to be the saddest statement of our society, the fact that the legal department has to check on it. A simple alarm function, for the love of god that sucks.
>>
>> Yup we want to release a new clock but we have to check with the Lawyers first. Oh yeah we realize the clock has been around for hundreds of years but..
>
> It's quite a lot more than that. It's not only an alarm function, but an entire event management framework.

Yes I realize it is far more than an alarm function and in no way meant to say that what you are creating is trivial, just that it's all been done before.

Cheers
Re: [maemo-developers] Re: maemo-developers Digest, Vol 18, Issue 34
I followed these directions, more or less, and built a working cable.. I used a self powered usb hub, so I didn't do anything with the powersupply stuff.

http://thoughtfix.blogspot.com/2006/01/usb-power-injector-2.html

Any usb keyboard should work, but mouse support seems to be another story. Just hooking up a usb mouse doesn't appear to work. I believe this is because the X server is tweaked out to work with the touch screen and compatibility with a mouse (like showing a cursor to report its position) wasn't considered important.

Cheers
-bob

paolo delbene wrote:
> i have to buy a hub of kraun 4 ports usb, now i would to connect a keyboard and a mouse to use better the nokia 770
>
> as keyboard i founded a comat (small keyboard)
>
> as mouse i think to use a logitech, but this is not the real problem, after to have connect the usb cable to the nokia and then to the hub, i would to know to take 5 volts from nokia to use the keyboard and the mouse.
>
> can any help me ?
>
> awaiting a reply, best faithfully ,
>
> paolo del bene
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, Oct 25, 2006 at 04:49:09PM +0100, Andrew Flegg wrote:
> If Nokia's plans now solely consist of yearly releases (with no word as to whether or not they cost money), the community'll probably want to start thinking about forking whatever's present so that we're not dependent on occasional, drip-fed releases from Nokia.

I'm not sure where you got this idea of yearly releases. Nokia 770 with its software was released in November 2005. A major software upgrade for it was released in June 2006. That accounts for 8 months at most...

> Either way, some professionalism would be nice.

It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...

--
Misha
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
Hello,

>> Either way, some professionalism would be nice.
>
> It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...

From http://en.wikipedia.org/wiki/Professional

A professional provides a service in exchange for payment in accordance with established protocols for licensing, ethics, procedures, standards of service and training/certification.

so it seems professionalism is the act of doing the above. Since Nokia guys are presumably getting paid we just need to establish what are the 'established protocols' and we are laughing ;)

[]'s
Ian
--
.''`. : :' : `. `'` `-
Proud to be a MetaRecicleiro
http://blogs.metareciclagem.org/manaus
http://ianlawrence.info
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On Wed, Oct 25, 2006 at 03:43:34PM -0500, Ian wrote:
>>> Either way, some professionalism would be nice.
>>
>> It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...
>
> From http://en.wikipedia.org/wiki/Professional
>
> A professional provides a service in exchange for payment in accordance with established protocols for licensing, ethics, procedures, standards of service and training/certification.
>
> so it seems professionalism is the act of doing the above. Since Nokia guys are presumably getting paid we just need to establish what are the 'established protocols' and we are laughing ;)

Hmmm... Wikipedia's an interesting idea. :) Protocol leads to interesting opportunities... :D

That's gonna be interesting. :)

--
Misha
Re: [maemo-developers] IMPORTANT: vulnerability in Application Manager, please check your repositories
On 10/25/06, Mikhail Sobolev [EMAIL PROTECTED] wrote:
> On Wed, Oct 25, 2006 at 04:49:09PM +0100, Andrew Flegg wrote:
>> If Nokia's plans now solely consist of yearly releases (with no word as to whether or not they cost money), the community'll probably want to start thinking about forking whatever's present so that we're not dependent on occasional, drip-fed releases from Nokia.
>
> I'm not sure where you got this idea of yearly releases. Nokia 770 with its software was released in November 2005. A major software upgrade for it was released in June 2006. That accounts for 8 months at most...

Sorry, it was an exaggeration to make the point: without some concrete information from Nokia, we've no idea.

(From a technical PoV, IT 2005 and IT 2006 have been completely different, though: lots of minor releases to fix bugs in the former; nothing like that with the latter - but there's Sardine instead)

And despite David's flippant comment to read what Marius said as gospel - because it came from @nokia.com - Marius' later clarification that this was *not* to be taken as a promise underlines my question.

>> Either way, some professionalism would be nice.
>
> It's certainly a matter of definition :) Please do define it and we'll see if it's possible to follow your definition...

Although I take your point, TBH, I've got better and more productive things to do with my time than define English words and idioms. If Nokia want to employ consultants on CRM and Assertiveness without Aggression[1] that's their prerogative.

However, Clue #1: professionalism is not referring to customers through an official channel as living in twisted little worlds.

Cheers,

Andrew

[1] http://www.creativeedgeuk.com/assertion.asp

--
Andrew Flegg -- mailto:[EMAIL PROTECTED] | http://www.bleb.org/