This year we want to do something different, something even grander. ReactOS is quite close to transitioning to beta testing and we are constantly improving the development process itself. However for many core developers ReactOS remains a hobby in which they participate in their spare time as all have other real life obligations to meet. All of the developers are extremely skilled and every contribution they make helps significantly improve ReactOS’ quality.

For the first time ever, the ReactOS Foundation seeks to go beyond the usual small fundraising campaigns aimed at paying infrastructure expenses. We wish to raise money to formally hire as many core developers as possible, to work on the project they believe in, the project they’ve been working on, to transform a hobby into a job so they can dedicate all of their time to the ReactOS project.

In light of the significant advances the project enjoyed thanks to work done as part of Google’s Summer of Code 2011, it became even more obvious that the fastest way to accelerate the development of ReactOS is by directly funding developers to contribute to ReactOS. As such, the project is reaching out to our many fans and believers to help make this happen. Together, we can make ReactOS into a true competitor and alternative for computer users worldwide.

I could not agree more! In my opinion, paid development is a key step in the evolution of the development of free software. The benefits are pretty obvious:

1. The current development model mainly involves people working on FLOSS projects in their spare time. As a result, it has become customary to release incomplete and buggy “stable” releases for us to debug. On the contrary, there are several companies which pay developers to work on FLOSS projects or invest their own capital on the development of a FLOSS project. Comparing the quality of the two kinds of projects, it is quite obvious that paid development results in a higher quality product. Money alone cannot produce quality. But, money can greatly help with the creation of the right environment for the right people to produce a high quality product.
2. Usually, a Do-It-Yourself mentality reigns the FLOSS ecosystem. No matter how important the “freedom to customize” is, it is also extremely difficult for people who are not software engineers or who are extremely busy with other things to follow such practices. Donations currently do not work as they should. Contributing money to a FLOSS project should buy nothing more or less than dedication.
3. Funding the development of FLOSS projects will preserve stability and help them survive in the long run. The users will have a greater assurance that a project won’t be suddenly abandoned or dramatically change its goals. This is very important, especially if you base your own work upon such a project.

Today, there is an abundance of free software out there. But in several cases quality is below par. Both users and developers can change things. In my humble opinion, “paid development” and micro-donations (in the form of a subscription) is the necessary next step in the evolution of the model of FLOSS development.

The ReactOS fundraising campaign‘s goal for 2012 is set at 30000 EUR. This means that if 6000 people donated 5 EUR each, the goal would be met. Quite easy I guess for a vast community like the FLOSS ecosystem. I just donated my 5 EUR. Now, it’s your turn. I’m sure this money won’t be wasted. Even if it is, hell, that’s just 5 euros. But… on the other hand, if this plan works out, it will act as a great example for other open source and free software projects about how they should go ahead. It will also be a great example for us users about how important a micro-donation can be and how much it can change things.

Why ReactOS leads the way with their decision to hire full-time developers, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Release Time
• Full G-Loaded content in Planet feeds
• Issue addressed: Author feeds deliver full content

The first thing that went wrong had to do with testing my backup, a step that was not in my original plan. I keep my server data in encrypted containers on Amazon S3 using duplicity. Although I have restored data from the backup numerous times and I was certain it worked OK, I had this strange idea to test the restoration of the data to a virtual machine at home just to make sure. For that purpose I happened to use a VM whose state had been saved several days ago, meaning that its time was way out of sync. That was a detail I had n’t taken into account. So, when I tried to restore the data on that box, I got a glorious exception from duplicity informing me that it could not find any signatures on the S3 bucket. That message was really unhelpful and it resulted in wasting many hours trying to figure out what was wrong with my backup or duplicity, until I finally realized that it was the box’s wrong time that had caused the exception. Once the time was updated, duplicity worked like a charm.

The second thing that went wrong had to do with pvGRUB, which is based on the grub 0.97 code and used to boot Xen DomUs (guests). Due to some limitations of the VPS provider regarding pvgrub, I have to use a very small partition that contains a GRUB configuration file which eventually boots CentOS (root LVM setup). This small partition was initially formatted using ext3. Again, I had a strange hunch to reformat that small partition to ext4! This would have absolutely no benefit, but at that moment I had just thought “why not?”. I was completely unaware that grub 0.97 and eventually pvgrub did not support the ext4 filesystem. To make things even worse, pvgrub deceptively reported that it had recognized the partition as ext2, but could not locate the file I had configured it to load. Disaster. It was a few hours later, after having gone through several bug trackers and mailing lists, that I realized that pvgrub did not actually support reading from ext4. I reformatted the small partition to ext3 and everything went on smoothly.

If I had stuck to the original plan, none of the incidents above would have taken place. No matter how much I trust free software, deciding to experiment with it while I should be doing a specific job is admittedly one of the worst decisions possible. Regardless of how popular a piece of free software might be, it can still have serious bugs and limitations hidden in the last place you’d ever look. Lesson learned: stay on your path and strictly follow the plan.

Lessons learned from a recent OS upgrade, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• MediaWiki Upgrade Procedure
• Hard disk upgrade on an old motherboard

First of all, I needed to know whether the /etc/sysctl.conf I had on my box differed from the original one. But, before doing that, I had to know which RPM package had installed that file. So, I used the rpm command to query this file:

# rpm -qf /etc/sysctl.conf
initscripts-9.03.27-1.el6.centos.1.i686

So, the initscripts package had installed /etc/sysctl.conf.

Then I verified the initscripts package:

# rpm -V initscripts
S.5....T.  c /etc/sysconfig/init
S.5....T.  c /etc/sysctl.conf

According to the following table:

S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
P caPabilities differ

the attributes: size, MD5 checksum and the modification time of /etc/sysctl.conf that existed on my system differed from the attributes of the original file.

Since I had no idea the exact changes I had made to that file at some earlier time, I needed to restore the original and re-modify it from scratch. The new yum “reinstall” command could be used to to do this quite easily.

First, I kept a copy of the current file:

# mv /etc/sysctl.conf /etc/sysctl.conf.modified

Then I reinstalled initscripts using YUM’s reinstall command:

# yum reinstall initscripts
Loaded plugins: downloadonly, fastestmirror, priorities
Setting up Reinstall Process
Loading mirror speeds from cached hostfile
 * base: ftp.ntua.gr
 * epel: ftp.ntua.gr
 * extras: ftp.ntua.gr
 * ius: mirror.rackspace.co.uk
 * updates: centosr3.centos.org
6 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package initscripts.i686 0:9.03.27-1.el6.centos.1 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
 Package                              Arch                          Version                                           Repository                        Size
=============================================================================================================================================================
Reinstalling:
 initscripts                          i686                          9.03.27-1.el6.centos.1                            updates                          934 k

Transaction Summary
=============================================================================================================================================================
Reinstall     1 Package(s)

Total download size: 934 k
Installed size: 5.4 M
Is this ok [y/N]: y
Downloading Packages:
initscripts-9.03.27-1.el6.centos.1.i686.rpm                                                                                           | 934 kB     00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : initscripts-9.03.27-1.el6.centos.1.i686                                                                                                   1/1

Installed:
  initscripts.i686 0:9.03.27-1.el6.centos.1

Complete!

Verify the initscripts package again:

# rpm -V initscripts
S.5....T.  c /etc/sysconfig/init

No verification errors for /etc/sysctl.conf. Note that reinstalling the package did not touch the /etc/sysconfig/init file. It has been mentioned previously that rpm packages do not overwrite existing configuration files.

I had the original file back and I could then start customizing it from scratch.

Restore original configuration files from RPM packages, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• YUM-Priorities Configuration for a CentOS Desktop
• How To Build RPM Packages on Fedora
• How to extract RPM or DEB packages
• Running supervisor 3 on CentOS 5
• RHEL kernel source released with patches already applied

The 1st Rule of Discussion, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Forking Apache-licensed software on Github and Bitbucket
• Creative Commons v3.0 Licenses Launched

<VirtualHost 123.123.123.123:80>
  ServerName example.org:80
  ...
  DocumentRoot /home/example.org/public_html
  <Directory /home/example.org/public_html>
    AllowOverride All
    ...
  </Directory>
  ...
</VirtualHost>

In order to prevent the htaccess lookups on the filesystem without losing the htaccess functionality – at least at the DocumentRoot level- I transformed the configuration to the following:

<VirtualHost 123.123.123.123:80>
  ServerName example.org:80
  ...
  DocumentRoot /home/example.org/public_html
  <Directory /home/example.org/public_html>
    AllowOverride None
    Include /home/example.org/public_html/.htaccess
    ...
  </Directory>
  ...
</VirtualHost>

Let’s see what we have accomplished with this:

1. httpd does not waste any time looking for and parsing htaccess files resulting in faster request processing,
2. the virtual host administrator can still override the configuration options of the document root manually or through the web interface of the web application.

Seems like a win-win situation performance and functionality wise.

But, as usual, there is no win-win situation without a downside. In this case, the above trick weakens the server’s security. Let’s see how.

Although the configuration of a directory can be set in both httpd.conf and the directory’s htaccess file, not all directives can be used in both contexts. htaccess files support a subset of the directives that can be used in the Directory context within httpd.conf. By including the htaccess file in httpd’s configuration the vhost admin is no longer restricted to that subset of directives.

This means that by implementing the above configuration the virtual host administrator is granted more privileges regarding the configuration of the virtual host. This also means that a potential attacker, that would exploit a vulnerability of the web application, would be granted the same privileges once he got write access to that htaccess file.

So, although this trick may seem like a good idea at first, it is in fact a rather bad idea and should never be used in production, unless you trust the virtual host administrator and the web application. I do not intend to use such a configuration and I do not recommend it. There are by far better ways to speed up Apache.

Your comments and suggestions are welcome.

Speed up Apache by including htaccess files into httpd.conf, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• .htaccess Cheat Sheet
• SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls
• Script for Apache Error Report
• Use mod_deflate to Compress Web Content delivered by Apache
• Mozilla Thunderbird speed up

- Wtf I just installed 6….
- I just installed 5.
- Once the version number is up to 50 in a short amount of time, it will become a joke, and future releases will be ignored.
- Firefox is killing themselves is what they’re doing. People use Firefox for the plugins, every new version installation kills all plugins. After I install this, there’s technically no reason for me to use Firefox over Chrome anymore. Why doesn’t Mozilla understand this???
- Pro tip: People aren’t switching from Firefox to Chrome because it’s got a “better” version number, guys.

I would add that it is not necessary to go through all the numbers from 5 to 14 to catch up with Chrome in terms of major version numbers. These could be just skipped and go straight to 14!

PS: The Firefox extension of a software I had paid for had stopped working since the FF3 -> FF4 upgrade. A workaround was released by the company for FF4, but as soon as FF5 came out it stopped working again. I’ll be straight. I’d rather use Internet Explorer or Chrome or Opera instead of asking the company for a workaround every time the Mozilla folks roll out a new major release of Firefox.

The new amateuristic release strategy of Firefox, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Use the Alternatives System to switch to a custom Firefox release
• The Read-It-Later extension
• Mozilla Thunderbird speed up
• Release Time

WordPress is getting better, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• WordPress 2.1
• WordPress Meta Tags plugin stable release
• About The WordPress Plugins
• Highly Exploitable Code Planted into WordPress 2.1.1
• Upgraded to WordPress Coltrane

The problem lies in the way that block ciphers are used in SSL/TLS. Block ciphers are generally operated in one of several modes that define how encrypted blocks are manipulated to ensure complete confidentiality. Cipher Block Chaining, or CBC mode, is used in SSL for all block ciphers, including AES and Triple-DES. The BEAST attack relies on a weakness in the way CBC mode is used in SSL and TLS. Non-CBC cipher suites, such as those using the RC4 stream encryption algorithm, are not vulnerable.

There have been several suggested mitigations that can be put into play from the perspective of the client, such as reorganizing the way the data is sent in the encrypted stream. Servers can protect themselves by requiring a non-CBC cipher suite. One such cipher suite is rc4-sha, which is widely supported by clients and servers.

Researchers have concluded that the RC4 (Alleged RC4) based cipher suites are not vulnerable to the BEAST attack, while CBC (Cipher Block Chaining mode) based cipher suites are. This involves both the TLS 1.0 and the SSL 3.0 protocols. On the contrary, TLS 1.1 and 1.2 have not been found to be vulnerable, but their use is very limited since they haven’t been adopted by the majority of HTTP clients and servers yet.

So, the use of RC4 based ciphers is all that is left for the moment. The security experts have released a list of cipher suites that is suitable for use in the configuration of the mod_ssl module for httpd:

SSLHonorCipherOrder on
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

They have also released a one-liner list of ciphers suitable for use in the relevant fields of the Local Group Policy Editor in Windows Server boxes.

However, there is no info about configuring the mod_gnutls module for apache to use RC4 based ciphers, so, as a dedicated user of mod_gnutls, I decided to release this tip. All you have to do is set the preferred ciphers in the GnuTLSPriorities directive. In this example we use the TLS 1.0 protocol:

GnuTLSPriorities NONE:+VERS-TLS1.0:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL

Visiting a secure web site that has been configured using any of the methods described above and by checking the information of the secure connection to that website, you should see the following message:

Firefox message about using RC4 encryption cipher

This means that everything is working correctly.

As always, comments and suggestions are welcome and appreciated.

How to configure mod_gnutls to use the RC4 cipher to mitigate the SSL/TLS vulnerability, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Using SSH for networking
• SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls
• Critical vulnerability in Adobe Reader
• mod_gnutls binary for Apache
• How to configure and use LIRC

gfx.direct2d.disabled
layers.acceleration.disabled

Also, open the Add-on Manager (tools/add-ons/plugins) and disable all plugins that do not need to be enabled in your email client. Note that the plugins are a different thing than the extensions. I disabled them all in my TB.

Finally, restart Thunderbird.

This has worked for me. Thunderbird 6 now feels as responsive as TB3 was.

Mozilla Thunderbird speed up, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Mozilla Thunderbird 3 is out!
• Speed up Apache by including htaccess files into httpd.conf
• Be cautious with Notepad++

For content and media, there are the Creative Commons licenses, some of which make it possible for creators to provide their work for free, while at the same time they still reserve the right to selectively make their work available for commercial purposes under different terms. That’s the beauty of those licenses. They are made to solve real problems and that’s why I highly respect them.

Why free should not always mean cost-free, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License.

Related Articles

• Operating Systems do not matter any more
• Application Testing: Zero Free Space