[05:33] good morning
[07:07] NJJJK
[07:07] JUGYG
[07:07] SEX
[10:18] hi. i need some expert advice on a bug and a patch i wrote (azureus). anyone familiar with that stuff?
[10:21] I've done some hacking on limewire
[10:21] probably some stuff in common
[10:21] ok
[10:21] so the bug is this: bug 222630
[10:21] Launchpad bug 222630 in azureus "Azureus always listens on local port without authentication" [Medium,In progress] https://launchpad.net/bugs/222630
[10:22] in my opinion it's a pretty serious issue
[10:23] the problem is that Socket and ServerSocket calls that handle port 6880 are scattered through the code
[10:24] what i did was write a patch to:
[10:25] - choose a random port instead of 6880
[10:25] - have a lock file in the user's configuration directory with the port number and an authentication key
[10:26] so that a new instance can read the file and contact the main instance to pass torrent information etc.
[10:26] but user environment isolation is maintained
[10:27] i basically created one class that offers a drop-in replacement for new Socket() and new ServerSocket() and handles this stuff
[10:27] so there's minimum impact on the rest of the codebase (one line changes)
[10:28] http://gdgieijsdf.pastebin.com/m6a50a36e
[10:28] then i talked to upstream about all this
[10:30] but them seem very little interested in this issue (position: most users don't run multiple instances on one machine, and multiuser machines are a thing of the past or something like that)
[10:30] *they
[10:31] and also they say that the call to SystemProperties.getUserPath() (that handles platform-specific stuff to figure out the configuration dir) is not supposed to happen so early
[10:32] so what i'm wondering is if it's still worth including in ubuntu or if it's too much of a hack
[10:34] note that if this bug stays it means that if a user has azureus running and another user logs in, azureus refuses to start for him, and the torrents he tries to download are added to the first user's instance :|
[10:35] While I can see the argument about only providing one running instance, and could accept that one user running would block others, it seems like one could do all sorts of interesting things if one could inject into another user's session.
[10:35] ma10: I think upstream are on crack
[10:36] ma10: and we should take the patch; it sounds well crafted
[10:36] also, apply a large cluebat
[10:36] called 'fast user switching bitches'
[10:36] oh thank god someone thinks straight :)
[10:36] It essentially allows one user to write an arbitrary file for any other user who happens to use that program. Raise this with upstream again as a security issue.
[10:37] concurrently logged in multi user machines are extremely common due to user switching
[10:37] i know! they respond that 2 instances are bad for network performance and azureus is like apache, you use only one
[10:38] ma10: they may be right, but it does not stop it being a security problem
[10:38] a problem is a problem
[10:38] that's what i think
[10:38] you could sneak up on it - get the replacement classes in but don't change anything else
[10:38] that should reduce the duplication of port numbers everywhere etc
[10:39] cleaner code++
[10:39] then we can carry the resulting much smaller patch to do random port and use a token for controlling the daemon
[10:40] Closing the security hole without actually allowing multiuser?
[10:40] yes that's another advantage. but if you read my new class it is a little "hacky".. what i tried to do was to have a replacement that worked no matter how it's called in
[10:40] That might even get upstream.
[10:41] lifeless: sorry i'm not following you. what do you mean?
[10:42] ohh now i get it :)
[10:42] ma10: your patch has three components:
[10:42] - refactoring to reduce duplication
[10:42] - use a random port
[10:42] - use a token for controlling the instance to lock it to a user
[10:43] ok
[10:43] the first should be uncontentious and is unrelated to the other two except that it makes them easier
[10:43] the second upstream are unhappy about; I think it's a good idea but put it to the side
[10:43] the third is the actual bug, and upstream should be convincable to take that
[10:43] i think there is already some effort going on to reduce duplication. i could start working on that
[10:44] yes i think it's a good idea
[10:45] but it will take time
[10:45] sure
[10:46] should be fairly simple though - just split the patch into three, stuff em in separate branches, voila
[10:46] what about my current patch? i may make a package, put it on my ppa, ask for some testing and get back to you
[10:57] ok i'll start working in the direction you pointed out. thank you very much to both of you!
[11:01] np
=== dholbach_ is now known as dholbach
[13:43] persia: Hello, the freeze is soon and I'm worried about new stuff from the netbeans packages. There are 3 packages on REVU. Maybe you have time to sponsor them?
=== cody-somerville_ is now known as cody-somerville
=== cody-somerville_ is now known as cody-somerville
[18:24] hi