Category Archives: ubuntu

Open source, closed process

I just tried to report a bug to Ubuntu.  Nothing major, just a missing package dependency: aptitude installed libnids-dev for me without installing libpcap-dev.  My configure script then insists that nids.h was not found, whereas it is in fact clearly visible in /usr/include/nids.h.  Turns out the test program fails because nids.h #includes pcap.h, which is not installed.  Whoops!

OK, let’s do the Right Thing for a change: don’t just ignore it, report it.  How do I report a Ubuntu bug?  Aha, it’s at  Search for nids: nope, none of the 16 bugs listed is this one.  OK, time to report a new bug.

This is where the problems go from straightforward to too difficult.  To report a bug, I need to log in to launchpad.  To log in, I need to create an account (it waffles on about OpenID, but it won’t accept my wordpress OpenID as a login).  And to create an account, I need to solve a captcha.  That is, one of those nasty eyesight tests.

I can’t do it.  This one is nastier than ever.

Cycle the thing a few times, they’re all as bad.  Try the audio version, but it’s silent (this is on a ubuntu machine).  Looks like I can’t report a bug! 😮

I look on freenode, find #ubuntu-devel.  Try asking there:

Just trying to report a bug (missing packaging dependency), but I can’t because I can’t even guess the launchpad captcha
any advice?
The bug is, libnids-dev requires pcap-dev as a dependency

After a few minutes silence, start to blog this.  But a few minutes more and someone replies:

first, I think you meant “libpcap-dev” instead of “pcap-dev”;
second, both these packages come unchanged from Debian, so it’s better to report this bug to

Ok, that looks like someone who knows what he’s talking about.  Try a bug report to Debian.  This fortunately turns out to be a much simpler process: their bug reporting site mentions a “reportbug” tool I can install with apt, and which appears to work nicely.

Ubuntu must be effectively in a bubble isolated from the big bad world!

Verifying Ubuntu

I’ve just downloaded an .iso of the new Ubuntu (7.10). Actually, that’s kubuntu, though I understand it’s from the same stable.

With it comes an MD5SUMS file. The MD5 sum of my .iso checks. So far, so good.

Finally, check the MD5SUMS with the PGP key in MD5SUMS.gpg. Unknown key – oops. Import it, try again. No chain of trust – can’t verify. List the sigs: strewth, this is a *tiny* list for such an important key. Import keys of the signatories, and all but two have no bloody signatures on!

Right, Ubuntu’s release signing key has exactly two meaningful signatures. I don’t have an adequate chain of trust to them, but there are some familiar names in their keychains, including several folks, which I should stand a reasonable chance of verifying independently. But that’s a helluva lot of effort to get even a minimum level of security. Aaargh!

Ubuntu – don’t you believe in security?