[05:33] <dholbach> good morning
[10:18] <ma10> hi. i need some expert advice on a bug and a patch i wrote (azureus). anyone familiar with that stuff?
[10:21] <lifeless> I've done some hacking on limewire
[10:21] <lifeless> probably some stuff in common
[10:21] <ma10> so the bug is this: bug 222630
[10:21] <ubottu> Launchpad bug 222630 in azureus "Azureus always listens on local port without authentication" [Medium,In progress] https://launchpad.net/bugs/222630
[10:22] <ma10> in my opinion it's a pretty serious issue
[10:23] <ma10> the problem is that Socket and ServerSocket calls that handle port 6880 are scattered through the code
[10:24] <ma10> what i did was write a patch to:
[10:25] <ma10> - choose a random port instead of 6880
[10:25] <ma10> - have a lock file in the user's configuration directory with the port number and an authentication key
[10:26] <ma10> so that a new instance can read the file and contact the main instance to pass torrent information etc.
[10:26] <ma10> but user environment isolation is maintained
[10:27] <ma10> i basically created one class that offers a drop-in replacement for new Socket() and new ServerSocket() and handles this stuff
[10:27] <ma10> so there's minimum impact on the rest of the codebase (one-line changes)
[10:28] <ma10> then i talked to upstream about all this
[10:30] <ma10> but they seem very little interested in this issue (position: most users don't run multiple instances on one machine, and multiuser machines are a thing of the past or something like that)
[10:31] <ma10> and also they say that the call to SystemProperties.getUserPath() (that handles platform-specific stuff to figure out the configuration dir) is not supposed to happen so early
[10:32] <ma10> so what i'm wondering is if it's still worth including in ubuntu or if it's too much of a hack
[10:34] <ma10> note that if this bug stays it means that if a user has azureus running and another user logs in, azureus refuses to start for him, and the torrents he tries to download are added to the first user's instance :|
[10:35] <persia> While I can see the argument about only providing one running instance, and could accept that one user running would block others, it seems like one could do all sorts of interesting things if one could inject into another user's session.
[10:35] <lifeless> ma10: I think upstream are on crack
[10:36] <lifeless> ma10: and we should take the patch; it sounds well crafted
[10:36] <lifeless> also, apply a large cluebat
[10:36] <lifeless> called 'fast user switching bitches'
[10:36] <ma10> oh thank god someone thinks straight :)
[10:36] <persia> It essentially allows one user to write an arbitrary file for any other user who happens to use that program. Raise this with upstream again as a security issue.
[10:37] <lifeless> concurrently logged in multi-user machines are extremely common due to user switching
[10:37] <ma10> i know! they respond to you that 2 instances are bad for network performance and azureus is like apache, you use only one
[10:38] <lifeless> ma10: they may be right, but it does not stop it being a security problem
[10:38] <lifeless> a problem is a problem
[10:38] <ma10> that's what i think
[10:38] <lifeless> you could sneak up on it - get the replacement classes in but don't change anything else
[10:38] <lifeless> that should reduce the duplication of port numbers everywhere etc
[10:39] <lifeless> cleaner code++
[10:39] <lifeless> then we can carry the resulting much smaller patch to do random port and use a token for controlling the daemon
[10:40] <persia> Closing the security hole without actually allowing multiuser?
[10:40] <ma10> yes that's another advantage. but if you read my new class it is a little "hacky".. what i tried to do was to have a replacement that worked no matter how it's called
[10:40] <persia> That might even get upstream.
[10:41] <ma10> lifeless: sorry i'm not following you. what do you mean?
[10:42] <ma10> ohh now i get it :)
[10:42] <lifeless> ma10: your patch has three components:
[10:42] <lifeless>  - refactoring to reduce duplication
[10:42] <lifeless>  - use a random port
[10:42] <lifeless>  - use a token for controlling the instance to lock it to a user
[10:43] <lifeless> the first should be uncontentious and is unrelated to the other two except that it makes them easier
[10:43] <lifeless> the second upstream are unhappy about; I think it's a good idea but put it to the side
[10:43] <lifeless> the third is the actual bug, and upstream should be convincable to take that
[10:43] <ma10> i think there is already some effort going on to reduce duplication. i could start working on that
[10:44] <ma10> yes i think it's a good idea
[10:45] <ma10> but it will take time
[10:46] <lifeless> should be fairly simple though - just split the patch into three, stuff em in separate branches, voila
[10:46] <ma10> what about my current patch? i may make a package, put it on my ppa, ask for some testing and get back to you
[10:57] <ma10> ok i'll start working in the direction you pointed out. thank you very much to both of you!
=== dholbach_ is now known as dholbach
[13:43] <Juli__> persia: Hello, it is freeze soon and I'm worried about new stuff from the netbeans packages. There are 3 packages on REVU. Maybe you have time to sponsor them?
=== cody-somerville_ is now known as cody-somerville

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!