
Secure boot – but what about secure distribution!

In open source, security on August 17, 2012 by oli4444

Chain of trust

There has been a lot of talk about secure boot recently, mostly because of the Windows 8 certification requirements. Secure boot makes it harder (but not impossible) for malware such as rootkits to start at boot time and then control the operating system. It creates a chain of trust from the hardware to the bootloader to the operating system, so criminals cannot break that chain.

However, if we want to protect open source software against criminals there is a different chain of trust that we need to protect: the chain from upstream developers to the end-user. There are quite a few bits and pieces in place already, but some essential parts are missing. In August 2009, for example, the web server of the SquirrelMail webmail project was hacked, and two plugins were compromised with malware. Luckily the hack was discovered very quickly, so little harm was done, but it could have been much worse.

Most open source projects use a version control system for their source code that involves some form of cryptographic authentication. Some are very basic, like a login over SSH to a Subversion or CVS server; others require every patch to be signed with a PGP key. Most distributions use some form of signing to protect the integrity of their packages. But the step from upstream development to the distribution is often not secured at all. Many upstream developers offer an MD5 or SHA1 sum of the downloads, but hey, once the criminals hack your web server, they can change both the checksum and the tarball with the source code!

So what should we do?

If all upstream developers signed their releases with PGP, and distributions checked that each source tarball is correctly signed with a trusted key, it would be much harder for criminals to interfere with this step. The level of trust could be very minimal (just check that the source tarball is signed with the same key as the previous time we downloaded the package) or very high (require a web of trust in which keys are only signed after an official government-issued ID has been checked, as Debian requires), depending on the importance of the package.

Bluefish source tarballs have been PGP signed for a while already. Now it’s time for the distributions to automatically check these signatures when building a package.
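The minimal level of trust described above ("signed with the same key as the previous time") can be automated in a package build. The following is an added example, not code from Bluefish or any distribution: it reads GnuPG's machine-readable `--status-fd` output and accepts a release only if the signer's primary-key fingerprint equals one the packager stored earlier. The fingerprints, the status text and the function names are constructed for illustration.

```python
import subprocess

# Status keywords from `gpg --status-fd` that mean: do not trust this file.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed fingerprints and status output (not a real key or gpg run).
PINNED = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"  # kept by the packager
SUBKEY = "9999888877776666555544443333222211110000"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 3333222211110000 Upstream Dev <dev@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2012-08-17 1345161600 0 4 0 1 8 00 {PINNED}\n"
)
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 3333222211110000 Upstream Dev\n"


def signer_fingerprint(status):
    """Return the primary-key fingerprint of the single valid signature.

    Returns None if gpg reported any failure, no signature, or several.
    """
    signers = []
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 12:
            # The tenth argument is the primary key, also when a subkey signed.
            signers.append(fields[11].upper())
    return signers[0] if len(signers) == 1 else None


def same_key_as_last_time(status, pinned):
    """True only if the release was signed by the key pinned earlier."""
    signer = signer_fingerprint(status)
    return signer is not None and signer == pinned.replace(" ", "").upper()


def verify_release(tarball, signature, pinned):
    """Check a detached signature with gpg and compare against the pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True)
    return proc.returncode == 0 and same_key_as_last_time(proc.stdout, pinned)
```

The pinned fingerprint has to live in the distribution's own packaging metadata, not next to the tarball on the upstream web server, otherwise it can be replaced together with the download, just like the checksum.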


Bluefish 2.2.3 released

In Bluefish, open source on June 30, 2012 by oli4444

Over the last months we have worked on lots of small things in your favorite programming editor Bluefish, resulting in the 2.2.3 release. There are only a few major changes: a corrupted state in the syntax scanner that could (very rarely) lead to a segfault was fixed, code folding had major fixes and improvements, search had a few major fixes, printing with syntax highlighting was added, and a lorem ipsum generator was added.

Then we had lots of small things. The GUI was restructured in some areas, most notably the preferences dialog, but also in the Tools menu and the HTML Tags menu, and some shortcut key combinations were added.

As I pointed out in one of my previous posts we did work on some visibility features, such as a bigger cursor and cursor highlighting, and some options were improved such as zoom and the custom colors.

External commands had some changes such as better cursor positioning after a filter has been used, user supplied arguments for external commands (for example define a command chmod %a %f so you can add the mode when you activate the menu entry), and an option to restore the default commands. While writing this post I just found the first regression in 2.2.3: the help text that explains all options for external commands has disappeared…

[edit: after opening the dialog again I realized that the help text is moved into a tooltip to save screen space, so it did not just disappear]

On the multi-platform front: the broken shortcut key S was fixed on OSX, and file recovery was fixed on Windows.

On the web front some dialogs were added for HTML5, the thumbnail generator was fixed, and insert color, path and relative path have been added.

Many language files were improved, and more user configurable options have been added to most language files. For example if you want functions to auto-complete with a semi-colon appended, or if you want a block from square brackets to be foldable. Unfortunately these options require a Bluefish restart, because the language files need to be reloaded and re-compiled into a DFA table for these settings to take effect.

A new feature: you can now select a block of text by dragging the mouse in the margin, and move the selected block with <ctrl><up> and <ctrl><down>.

Now get Bluefish here!


Install Gnome3 on Ubuntu 12.04

In Gnome, Gnome shell, Linux desktop, Ubuntu, Unity on June 23, 2012 by oli4444

You like the nice configuration defaults of Ubuntu but not Unity?

Add this to your /etc/apt/sources.list

deb http://ppa.launchpad.net/gnome3-team/gnome3/ubuntu precise main 
deb-src http://ppa.launchpad.net/gnome3-team/gnome3/ubuntu precise main
deb http://ppa.launchpad.net/webupd8team/gnome3/ubuntu precise main 
deb-src http://ppa.launchpad.net/webupd8team/gnome3/ubuntu precise main

Now run

sudo apt-get update && sudo apt-get install gnome-shell

and you have an up-to-date gnome-shell. Even many of the pretty extensions are packaged as well.

As a bonus I found out that Gnome 3 runs much snappier than Unity on an old IBM T43 laptop (which has 6-year-old Centrino technology).


Improvements for visually impaired people

In Bluefish, Gnome, gtk+, open source, Programming on April 29, 2012 by oli4444

Last week I received an email asking if Bluefish could be improved for people with a visual impairment. It never occurred to me that there would be people with limited vision wanting to use Bluefish. The most requested features in the email were:

  1. Zoom in/out with ctrl+ / ctrl-
  2. Maximum screen estate
  3. Better cursor visibility

The first feature was easy. Bluefish already has zoom with ctrl-mousewheel, so I added the accelerators (it turned out that the requester was not aware of this feature).

For the second feature I created an option that automatically hides all menu bars, status bars and toolbars on fullscreen (F11). It displays them again if you hit F11 again. This way basically every bit of the screen is used by the editor itself. The only issue I found is when LXDE is used. LXDE has bound F11 to the window-manager fullscreen, so the application fullscreen never gets called. I moved my code to the configure event handler, where I can detect both the internal fullscreen as well as a window manager fullscreen.

The third feature was the hardest bit. With some help from IRC I managed to make the cursor-aspect-ratio user defined.

In gtk2 it looks like this:

style "bluefish-cursor" {GtkWidget::cursor-aspect-ratio = %f }
class "GtkTextView" style "bluefish-cursor"

which is loaded with gtk_rc_parse_string()

In gtk3 it is slightly nicer:

GtkTextView {-GtkWidget-cursor-aspect-ratio: %f;}

which is loaded with gtk_css_provider_load_from_data() and gtk_style_context_add_provider()

Next to a bigger cursor I made a setting to highlight the cursor position: it paints a differently coloured background on the character left and right of the cursor. I connected that to the mark-set, insert-text and delete-range signals, the last two with g_signal_connect_after() to get the new location of the cursor and not the old location.

This code does have quite a performance impact: scrolling with the arrow keys is significantly slower with this option enabled. I used this code:

     gtk_text_buffer_get_bounds(btv->buffer, &it1, &it2);
     gtk_text_buffer_remove_tag(btv->buffer, btv->cursortag, &it1, &it2);
     it1 = *location;
     it2 = it1;
     gtk_text_iter_backward_char(&it1);
     gtk_text_iter_forward_char(&it2);
     gtk_text_buffer_apply_tag(btv->buffer, btv->cursortag, &it1, &it2);

What this code causes is an update of the internal structure of the GtkTextBuffer (probably something like a balanced tree) that keeps track of where each tag starts and stops, for every cursor move. After rethinking this I remembered this is much easier done in the expose event!

Get the coordinates with gtk_text_view_get_iter_location(), convert them with gtk_text_view_buffer_to_window_coords() and paint with cairo_rectangle() and cairo_fill():

   gtk_text_buffer_get_iter_at_mark(buffer, &it, gtk_text_buffer_get_insert(buffer));
   gtk_text_view_get_iter_location(view,&it,&itrect);
   gtk_text_view_buffer_to_window_coords(view, GTK_TEXT_WINDOW_TEXT
            , itrect.x, itrect.y, &x2, &y2);
   cairo_rectangle(cr, (gfloat)x2-width, (gfloat)y2, (gfloat)(width*2 )
            , (gfloat)itrect.height);
   cairo_fill(cr);

The result is visible below. So now it is test time!


Bluefish 2.2.2 released

In Bluefish, open source on March 8, 2012 by oli4444

Bluefish 2.2.2 is largely a bug fix release with some very minor new features. A regression in the search functionality that caused a segfault if a document with search results was closed was fixed. Multiple replace with search results directly next to each other corrupting the text was also fixed. The broken cursor positioning that ruined the Zencoding plugin was also fixed. On the multiplatform front: on Windows handling of the profile directory with non-ascii characters was fixed and on MacOSX image browsing in the image dialog was fixed. Two GTK-3 related bugs were fixed: the CSS dialog was unusable on GTK-3 and the right margin indicator was positioned wrong. Next to the major fixes several small memory leaks were fixed. Next to the bug fixes some small improvements were made. Startup is slightly faster using more threads during startup and improving the document recovery. The annoying scrolling of the side bar filebrowser in ‘treeview’ mode was fixed, descriptions of language options were fixed, and some menu strings, some HTML5 options were improved, accelerators and shortcut keys got improved and translations got better. The new features: duplicate line and delete line, and the Catalan translation.

Download it from http://bluefish.openoffice.nl/download.html


Debugging a reference count bug

In Bluefish, gtk+, open source, Programming, Ubuntu on February 5, 2012 by oli4444

The last few days I have been debugging some weird reports. They all show the same characteristics:

  • the users are on Ubuntu 11.10
  • they use bluefish compiled against gtk 3.2 (so not the bluefish package that is provided by Ubuntu, but a newer one)
  • in the Bluefish run the sort function of a GtkTreeModelSort is called after the GtkTreeModelSort should have been finalized and freed.

First I used gobject-list.c from http://people.gnome.org/~mortenw/gobject-list.c to see all refs and unrefs on all GtkTreeModelSort objects in Bluefish (luckily there is only 1 used in Bluefish). This showed that there was indeed a GtkTreeModelSort with lots of references left after it should have been finalized. I tried the same thing on Fedora 16 (also gtk-3.2), but it can only be reproduced on Ubuntu 11.10. I tried to get backtraces with gobject-list (which uses libunwind for that) but those backtraces turned out to be useless.

Luckily I received some help on IRC #gtk+ from Company and alex. The first idea was to use systemtap, but since there is no useful kernel for systemtap available for Ubuntu I had to use something more low tech suggested by Company: I set a breakpoint on gtk_tree_model_sort_new to retrieve the pointer of the GtkTreeModelSort. Once I got that pointer I could set a breakpoint on g_object_ref and g_object_unref with a condition on this pointer. Then I created an automatic backtrace on each breakpoint:

break g_object_ref if object == 0x123123123
commands
bt
c
end

I configured gdb to log everything to a file, and did a bluefish run. This resulted in a 2.1 Mb logfile with backtraces. This log also showed there were more refs than unrefs.

In this logfile there were a lot of similar backtraces, with an identical function doing a ref and an unref. I wrote a short python script to parse the backtraces and skip all ‘valid pairs’.

After this step I had only 15 backtraces left. And from these backtraces the leaking references were easily identified.
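The filtering step can look like the following. This is an added example, not the script the post refers to: it assumes a "valid pair" is a ref and an unref whose immediate caller (frame #1) is the same function, and it reports only the callers whose refs and unrefs do not cancel out. The log excerpt is constructed and its caller names are hypothetical.

```python
import re
from collections import Counter

# "#1  0x00007f... in func (args) at file.c:12" or "#0  func (args) at ..."
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \(")

# Constructed gdb log; caller names, addresses and line numbers are made up.
SAMPLE_LOG = """\
Breakpoint 2, g_object_ref (_object=0x123123123) at gobject.c:1
#0  g_object_ref (_object=0x123123123) at gobject.c:1
#1  0x00007ffff7a00010 in borrow_model (m=0x123123123) at a.c:10
#2  0x0000000000400100 in main () at main.c:5
Breakpoint 3, g_object_unref (_object=0x123123123) at gobject.c:2
#0  g_object_unref (_object=0x123123123) at gobject.c:2
#1  0x00007ffff7a00020 in borrow_model (m=0x123123123) at a.c:14
#2  0x0000000000400100 in main () at main.c:5
Breakpoint 2, g_object_ref (_object=0x123123123) at gobject.c:1
#0  g_object_ref (_object=0x123123123) at gobject.c:1
#1  0x00007ffff7a00030 in attach_model (m=0x123123123) at b.c:20
#2  0x0000000000400100 in main () at main.c:6
"""


def parse_backtraces(log):
    """Return one tuple of function names (frame #0 first) per backtrace."""
    traces, current = [], []
    for line in log.splitlines():
        m = FRAME.match(line)
        if not m:
            continue            # "Breakpoint ..." lines and wrapped arguments
        if m.group(1) == "0" and current:
            traces.append(tuple(current))
            current = []
        current.append(m.group(2))
    if current:
        traces.append(tuple(current))
    return traces


def unbalanced_callers(log):
    """Map each caller to (refs - unrefs), dropping callers that balance."""
    balance = Counter()
    for trace in parse_backtraces(log):
        if len(trace) < 2 or trace[0] not in ("g_object_ref", "g_object_unref"):
            continue
        balance[trace[1]] += 1 if trace[0] == "g_object_ref" else -1
    return {caller: n for caller, n in balance.items() if n != 0}
```

A reference taken in one function and released in another shows up as a +1 and a -1 entry, so the remaining callers still need to be read by hand.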

Because I was unsure if this is an Ubuntu specific bug or a generic gtk bug, the resulting bugreport can be found both at https://bugzilla.gnome.org/show_bug.cgi?id=669376 and at https://bugs.launchpad.net/bugs/926889

Now I am wondering if this approach would work for any reference count leaking problem. I guess the most difficult issue is to find the value of the pointer that is leaking if you have many objects of the same type. Any suggestions how to do this?


Happy new year: Bluefish 2.2.1 released!

In Bluefish, open source on January 3, 2012 by oli4444

Bluefish 2.2.1 is mostly a bug fix release, but it has one major new feature: Zencoding support (which requires python). The bug fixes include a fix to build on Gtk+-2.22, many translations are more up-to-date, a fix for PCRE regular expression searching, several layout fixes for Gtk+-3.2, several obscure segfault fixes, a fix for autocompletion of variables in PHP, <img> dialog fixes, some memory-leak fixes and other minor fixes.

Download Bluefish here, or check the how to install Bluefish page on our wiki.


The (too large) minimum width of a GtkEntry in Gtk+-3.2

In Bluefish, Gnome, open source, Programming on December 14, 2011 by oli4444

Bluefish has a side-pane in its main interface, which is implemented using a GtkHPaned widget. Users may drag the handle to increase or decrease the side pane. Now let's see what happens if the user makes the sidebar smaller than the widgets in there. I created a mini example application that works with both Gtk+-2 and Gtk+-3. There is a GtkEntry in the left sidebar, and a GtkTextView on the right. This is a screenshot with Gtk+-2:

Initial view of the example application

Now see what happens if you drag the handle to the left in Gtk+-2:

Gtk+-2 making the widget smaller

The widget now becomes smaller, and it is cropped on the right side, which looks natural.

Now see what happens if you drag the handle to the left in Gtk+-3.2:

What it looks like in Gtk+-3.2

The widget is cropped from the left side, which has the content, which looks awful. Also there is a huge empty space after the “Hello World” because the GtkEntry minimum width is very large.

My suggestions for improvement:

  • decrease the minimum width of the GtkEntry to 30 pixels or so
  • when cropping widgets, crop from the right if the widget is on the left side of the handle, crop from the left if the widget is on the right side of the handle. That suggests that the user drags the handle as a layer on top over the widget which feels much more natural.

b.t.w. GtkEntry is not the only widget that has a too-large minimum width. In Bluefish we also use libgucharmap, and the gucharmap widget forces an even wider sidebar in Gtk+-3.2.


GtkTable and GtkLabel with wrap on Gtk+-3, and trying to stay compatible with Gtk+-2…

In Bluefish, Gnome, open source, Programming on November 30, 2011 by oli4444

Bluefish has several dialogs that use a GtkLabel with wrap enabled inside a GtkTable. Since the width-for-height changes in Gtk+-3.2 these GtkLabels take an enormous amount of vertical space. If this launchpad bug is correct it will use enough vertical space to put every word on a new line.

The suggestion in that bugreport is to switch to GtkGrid. This is a good suggestion, but it has a drawback. In Gtk+-2 there is no way to set widget specific expand properties in a GtkGrid (in a GtkTable this is done with gtk_table_attach()). In Gtk+-3 new properties have been added to GtkWidget to control whether a widget may expand or not. We (Bluefish developers) try to remain compatible with Gtk+-2 at the moment. So what to do? GtkGrid may solve our problem in Gtk+-3 but causes problems in Gtk+-2, and GtkTable solves our problem in Gtk+-2 but causes problems in Gtk+-3?

Luckily I found a workaround:

#if GTK_CHECK_VERSION(3,2,0)
    gtk_label_set_width_chars(GTK_LABEL(label),50);
#endif

This fixes the problem with a GtkLabel with wrap in a GtkTable in Gtk+-3.2. So for the moment we stick with GtkTable with this workaround.


Bluefish 2.2.0 released

In Bluefish, Gnome, Gnome shell, open source on November 27, 2011 by oli4444

Bluefish 2.2.0 is a new major release and the start for the 2.2 series. Under the hood Bluefish 2.2.0 has a massive number of changes: Bluefish now works with gtk-3 (gtk-2 is still supported), and the syntax scanner had a major overhaul to make it faster, which is especially noticeable when working on large files.

Another big change in Bluefish 2.2.0 is the new search and replace function. It has been completely redesigned: the simple search function is now integrated in the main window, and the new function supports both search and replace in files on disk (next to already opened documents). Other new features include a toggle comment function that is context-aware (add <!-- --> comments in html code, use // comments in javascript code, /* */ in php code, etc. even if all of these languages are in a single file) and a select block feature that automatically selects the current context block and can be used multiple times to select the parent blocks. Another new feature of the syntax recognition is the autocompletion of user-defined functions, and a jump function that will bring you immediately to the definition of a function.

Next to all the new features many existing features have been improved and polished. Furthermore support for new languages has been added, such as Google Go, D, Vala and Ada.

I created an introduction movie using the built in screen recording option of the gnome 3 shell, which has no sound recording. I recorded my voice with audacity and tried to merge them both with pitivi. Pitivi just hung at rendering 98% no matter what I tried. Then I switched to openshot, which crashed a few times but it did render my video. Unfortunately the result was bigger than the original video and sound files, with worse video quality. Anyway, you can see the result on youtube:

p.s. the 2.2.1 release of Bluefish will have a zen-coding plugin!