Last night at FSCONS I was awarded the Nordic Free Software Award, sharing the price with Daniel Stenberg who incidentally (or perhaps not) I have been collaborating with on some projects. Receiving a price like this is a great motivator and I feel humbled when thinking about the many excellent hackers that were attending the FSCONS that cheered me on. Thank you everyone.
Now back to coding.
I have read Russel Coker’s nice article on identifying use of thread unsafe functions. This reminded me of a script I wrote a long time ago that is part of GNU SASL’s regression suite: threadsafety.
As you can see, my script looks for functions mentioned in the latest POSIX specification as being thread unsafe. In the last POSIX release, they actually removed some older interfaces (e.g., gethostbyname) so the script also checks for thread-unsafe functions mentioned in one older POSIX specification.
Russel’s approach is to look for man pages of functions ending with _r and labeling the non-_r-function as a thread unsafe function. Russel’s and my approach are quite different, so I wanted to compare the results. There is potential for me to add more functions to search for. I still want to preserve my approach of explicitly listing known thread unsafe functions, though.
Running Russel’s command, I get a list of functions that my script catches that Russel’s doesn’t, and vice versa. For reference, the functions that my script catches that Russel’s doesn’t are:
basename catgets dbm_clearerr dbm_close dbm_delete dbm_error dbm_fetch dbm_firstkey dbm_nextkey dbm_open dbm_store dirname dlerror endgrent endpwent endutxent ftw gcvt getc_unlocked getchar_unlocked getenv getopt getutxent getutxid getutxline inet_ntoa l64a lgamma lgammaf lgammal localeconv nftw nl_langinfo putc_unlocked putchar_unlocked putenv pututxline setenv setgrent setpwent setutxent strsignal system unsetenv wcstombs wctomb
The list contains lgamma, lgammaf, and lgammal which are all excluded by Russel’s command. I don’t understand why — according to the man page, the functions uses a global variable for sign, which doesn’t seem thread safe. So it seems right to include them?
What’s more interesting (for me) is the list of functions that Russel’s script catches that my script currently doesn’t. Here is the list:
erand48 ether_aton ether_ntoa fgetgrent fgetpwent fgetspent getaliasbyname getaliasent gethostbyname2 getmntent getnetgrent getrpcbyname getrpcbynumber getrpcent getspent getspnam getutent getutid getutline initstate jrand48 lcong48 nrand48 qecvt qfcvt random seed48 setstate sgetspent srand48 srandom tmpnam
I started looking into each function. For erand48 there is a erand48_r function in glibc, and the former does indeed seem to use a global variable. However, as far as I can tell from the POSIX specification, erand48 should be thread safe. So I filed a glibc bug about it. The same concern may hold for jrand48, lcong48, nrand48, seed48, and srand48.
I noticed that initstate, random, setstate, and srandom are defined by latest POSIX, but not mentioned as a thread-unsafe functions. Possibly a bug in the POSIX specification?
I also noticed that I had missed to include tmpnam even though it is mentioned separately in the POSIX link.
The rest of the functions are not documented by POSIX, and presumably thread unsafe (although I didn’t read the man page or source code for each of them).
In the end, I ended up adding several new functions to check for. The latest script is always available from:
http://git.savannah.gnu.org/cgit/gsasl.git/tree/tests/threadsafety
So, finally, did the updated script catch any use of thread-unsafe functions in GNU SASL? Nope.
Now that OpenWRT 8.09 has been released, I finally took the time to write down my notes on how to use it together with the Huawei E220 dongle, which supports 3G/HSDPA.
The writeup on how to do this is long, so I put it at a separate page:
http://josefsson.org/openwrt/dongle.html
The GnuTLS trac installation is in a poor shape. To fix that, I looked into alternatives and found Redmine. Redmine appears to do most things that I liked in Trac (wiki, roadmap and issue tracking) plus it supports more than one project (would come in handy for my other projects) and has built-in git support. I would like to see better spam handling and OpenID support, but it is good enough for our purposes now, and there are similar concerns with trac.
However, getting it up and running with lighttpd on a modern debian lenny installation was not trivial, and I needed some help from #redmine (thanks stbuehler). After finally getting it up and running, I made a copy of the machine using rsync and rsnapshot, so I could re-create a working configuration if I get stuck, and then re-installed the virtual machine.
The notes below are the steps required to set up Redmine using Lighttpd and MySQL on a Debian Lenny. I’m posting this to help others searching for the error messages I got, and to help my own memory in case I need to re-install the server sometime.
(more…)
The Free Software & Culture conference FSCONS is held in Gothenburg October 24-26th. Having been there and given talks last year, I can recommend it for anyway interested in what’s going on the free software and culture world.
I’m happy and proud to notice that I have been nominated for their award, for my work on security packages for the GNU project. Too bad I cannot make it to the conference this year.
Thanks to Henrik Schack’s great work in developing a Wordpress Yubikey plugin, I now use two-factor hardware-assisted authentication technology (i.e., the Yubikey) to log in to my blog. Kudos, Henrik!
Since my server still uses php4 (sigh), I had to create a small patch to make it use mhash instead of hash.
