Bugzilla 4.2 will be end of life in November 2015, so if you are thinking of upgrading, then you might want to take a look at Bugzilla 5.0 ( released in July )

You can follow the ‘Installation and Maintenance Guide’ at bugzilla.readthedocs.org or use a configuration template.

If Ansible is your thing, then the repository at bitbucket.org/wrightsolutions/ansible16bugzilla5 can be used to configure an Ubuntu server ( dedicated or cloud )

In ~/hosts.list for Ansible give your server a name such as ‘myubuntu’
and then clone the repository using:

hg clone ssh://hg@bitbucket.org/wrightsolutions/ansible16bugzilla5

From within the local cloned copy you should be able to see site.yml and then run the following:

ansible-playbook site.yml -i ~/hosts.list -u root -l myubuntu

A video demonstration of the automation is available as follows:

python -m unittest discover

…should work fine when you have set everything up with a bit of forethought

If you see response ‘Ran 0 tests’ then try

touch tests/__init__.py

If you fail to create an empty __init__.py in your tests folder, then Python (rightly) will not recognise it [ as a module ]

Rerun your discover command and if missing __init__.py was holding you up, then you should now be further along.

Along the way you have just learned a little about project structure, and Python requirements generally for modularised code.

netstat grepping

grepping listening ports

Here (above) is an example of grepping the full list of ports shown as LISTEN

My example concentrates on port 80 (apache) or alternatives. Amend to fit your requirements.
Source at Bitbucket below:

One criticism of Windows was folks being encouraged (by websites) to download custom .exe file to Desktop and double click.

In response to this, a wave a security products and some access control changes, put a stop to that.

Some users missed the convenience.

Could this ever happen on Linux / Unix?

Yes!

Here is an extract from the install instructions for a Google publicised project:

curl -L get.yeoman.io | bash

Seems the nix community is in too great a hurry to put convenience before security.

I point out some of the reasons why not in the next section.

Internet pipe to Bash – why not?

To suggest such an install procedure, is to ignore many of the security lessons from the past decade.

Possible risks 1: Fat fingered redirect

By advising the user invoke curl with -L flag, the developer is encouraging users to trust any locally coded redirection.

The reason curl advises of redirection is to allow the end user to verify any redirection themselves rather than trusting what redirection is entered at the remote site.

What would happen if a bogus redirect was inserted by mistake, or by a malicious insider? If it only happened for an hour would the company think it important enough to inform the developer population?

Possible risks 2: Shifting sands

Exactly how do you personally know that the code that was there yesterday is the same code as today?

Does it come in a package with checksums and a well understood inbuilt verification of checksum feature?

Can you manually download a verification checksum from a different mirror server, than the actual code download?

Possible risks 3: Compromised server

Compromised servers are always a risk for any internet hosted software.

Hosting code through acceptance in a distribution like Debian or Red Hat, allows a small company to leverage the infrastructure provided.

It also elevates untrusted software somewhat, due to the integration build process, qa review, and hosting infrastructure which such distributions provide.

Bitbucket, Gitorious, Google code and Github offer some minor improvement from self hosting a project yourself.

Then there is Pypi, CPAN, and other convenience collections, which whilst not offering massive assurance, at least mitigate the next problem described.

Possible risks 4: Dns hijack / redirection

Dns cache poisoning is all too common unfortunately.

Whilst this project is getting some backing from Google, it would be unwise to assume that it (and any mirrors?) employ DNSSEC to mitigate Cache poisoning. If they did employ DNSSEC effectively, would that be on the original http endpoint or the redirected http endpoint?

Commentary and other examples:

In fairness to the developers, there are some additional install notes, and in particular there is some hints for Debian / Ubuntu folks that include this line:

sudo npm install -g yeoman

However, those install instructions also suggest at the start, that you should still do an initial pipe bash, in case you had a previous install present.

Doing that initial pipe bash, then switching to more traditional package management techniques, does not mitigate any of the risks described earlier.

It may be that developers are being encouraged to do this sort of hacky curl stuff by seeing this entry from the npm site:

curl https://npmjs.org/install.sh | sh

The observant amongst you will notice that there is no -L flag here, so strike off one of those risks listed earlier.

What comes after the pipe symbol ( | )? Does that make any difference from the other example?

That answer is left as an exercise for the reader.

Further examples (added after article first written):

Chkrootkit and other tools that scan for rootkits sometimes report a python related ‘.path’ file as suspect.

Example:

/usr/lib/pymodules/python2.6/.path

The script/binary responsible for creating that file is /usr/sbin/update-python-modules

from the Debian & Ubuntu package python-support

code extract from /usr/sbin/update-python-modules

There is no harm in understanding how to adapt chkrootkit or alternatives to ignore a list of locally recognised false positives, however some might consider this ‘false positive’ a bug.

The past 5 years has seen much upheaval in roles and responsibilities within Information Technology.

Business leaders felt that IT was too partitioned (and thus expensive)

The result has been a narrowing of knowledge in individual areas, with a focus now on breadth.

IT - Narrowing and Connecting

Narrowing and Connecting

Phrases such as “The developer is king” reflect this shift.

As with all power shifts, there are upsides and downsides.

Cloud computing was fuelled in part by this shift – that is an upside.

Organisations now have to introduce control processes and checks on developers, some of which it could be argued, are a direct replacement for the partitions between people, in the previous model.

Example: Source code and deployment.

If one person acting alone has full responsibility for source code and deployment, where does that leave the company when the Developer leaves?

Ah, you might argue, but the Developer is a responsible type and pushes to central company controlled repositories and deployment templates.

My question here is “How responsible?”

Surely ‘responsible’ is a sliding scale – some Developers will be more so, some less so.

I was deliberate in using the phrase ‘central company controlled’ when talking about repositories and deployment templates.

Are you a head of IT or company Director? – if so do you know….

  • How granular the access control is on source repositories?
  • How granular the access control is on deployment templates?
  • How many people are sharing the main ‘Owner’ account?
  • The credentials for the ‘Owner’ account?

For the final two points, an argument and counter argument:

But the Head of IT and Directors do not need to access source control, in fact best not have them in there in case they do some damage

Without access to source control, which non-developer have you tasked to act as code keeper on your/company behalf?

This post is providing background for a series of articles – more to follow.

Image

For this particular project the setup.py contained the following line:

      install_requires=['bottle','python-memcached>=1.45'],

Note: if you use ‘memcache’ or ‘memcached’ instead of what is written, you will probably get a message like:

Couldn’t find index page for ‘memcache’ (maybe misspelled?)

remote: Reading http://pypi.python.org/simple/
remote: No local packages or download links found for memcache>=1.45
remote: Best match: None

Follow

Get every new post delivered to your Inbox.