Beta support for Atom 1.0 in blosxom

atomfeed released!

It’s finished! See this post for more information, docs and download.

atomfeed-beta-6

Download: atomfeed-beta-6

This is now pretty much ready for release: just a last check for suggestions and bugs. It now supports the whole spec apart from , which seems aimed at aggregators rather than bloggers, and , which could easily be implemented if desired using the meta plugin.

Changes:

  • Moved from using class to rel attributes in HTML anchors to identify enclosure/via/related links to include in the feed. Just use the appropriate rel value – there’s no need to include the “atom-” prefix any longer.
  • Support for . This uses a technique similar to that used by the foreshortened plugin. It is excluded from the default templates in favour of a full-text element. I’ve temporarily placed the inside a comment in my feed if you’re interested in how it looks.
  • and are now available as user-configurable variables.
  • Documentation is now included in the plugin – use perldoc or read directly.
  • Includes support for a stylesheet, like in the original 0.3 version. Excluded by default. You can also specify the MIME type of the stylesheet.

As before, comments to the mailing list please.

atomfeed-beta-5

Download atomfeed-beta-5

Changes in this version: support for rel attributes in elements, including enclosures (based on Dave Slusher’s and Keith Irwin’s enclosures plugin for RSS 2).

  • enclosure: In the body of your post, link to a file you would like to appear in your atom feed as an enclosure. Make sure this link has a class attribute of “atom-enclosure”. For extra points: if you have access to the LWP perl module, set the configurable variable $use_full_enclosures to “1” and atomfeed will attempt to find the content-type and length of your enclosure. (Test: This little audio file should appear in my post as an enclosure. The code for this link looks like this: This little audio file)
  • via: To include a link from your post in your atom feed as , give it a class attribute of “atom-via”
  • related: similar to via, simply give a link a class attribute of “atom-related” for it to appear in your atom feed as an appropriate element.

Note: using the class attribute to identify these links may change in future versions.
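The link conventions from beta-5 and beta-6 (an anchor carrying class="atom-enclosure", or later rel="enclosure", and likewise for via and related) as an added Python example; this is not the plugin’s own Perl code. It accepts both spellings of the convention, and the probe argument is an assumed stand-in for the LWP lookup that $use_full_enclosures turns on: here it is a constructed table so the code runs offline. Attribute values are re-quoted with quoteattr so an href containing & or quotes cannot break the feed XML.

```python
from html.parser import HTMLParser
from xml.sax.saxutils import quoteattr

# Link relations the post says atomfeed copies from the entry body into the feed.
FEED_RELS = {"enclosure", "via", "related"}

# Constructed sample post body (not from the original site).
SAMPLE_BODY = (
    '<p>Listen to <a href="/audio/clip.mp3" rel="enclosure">this little audio file</a>, '
    'found <a class="atom-via" href="http://example.com/src?a=1&amp;b=2">via</a> a friend; '
    '<a href="/other">this link</a> carries no rel and is ignored.</p>'
)

# Constructed stand-in for the LWP HEAD request: href -> (Content-Type, Content-Length).
SAMPLE_HEADERS = {"/audio/clip.mp3": ("audio/mpeg", 12345)}


def sample_probe(href):
    return SAMPLE_HEADERS[href]


class RelLinkCollector(HTMLParser):
    """Collect <a> tags whose rel (beta-6) or class="atom-<rel>" (beta-5) names a feed link."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").split())
        for cls in (a.get("class") or "").split():
            if cls.startswith("atom-"):
                rels.add(cls[len("atom-"):])
        if a.get("href"):
            for rel in sorted(rels & FEED_RELS):
                self.links.append((rel, a["href"]))


def atom_links(body_html, probe=None):
    """Return Atom 1.0 <link> elements for the rel-tagged anchors in a post body.

    probe(href) -> (content_type, length) supplies the enclosure's type and length;
    with probe=None the enclosure link is emitted without them, as the plugin does
    when $use_full_enclosures is off.
    """
    collector = RelLinkCollector()
    collector.feed(body_html)
    out = []
    for rel, href in collector.links:
        # quoteattr escapes &, <, > and quotes, so the href cannot break the XML.
        attrs = "rel=%s href=%s" % (quoteattr(rel), quoteattr(href))
        if rel == "enclosure" and probe is not None:
            ctype, length = probe(href)
            attrs += " type=%s length=%s" % (quoteattr(ctype), quoteattr(str(length)))
        out.append("<link %s/>" % attrs)
    return out


if __name__ == "__main__":
    for link in atom_links(SAMPLE_BODY, sample_probe):
        print(link)
```

HTMLParser hands back attribute values with entities already decoded, which is why the via link’s `&amp;` is decoded and then re-escaped on output rather than doubled.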

atomfeed-beta-4

Download atomfeed-beta-4

Changes in this version (also posted to mailing list) based on suggestions from Stu MacKenzie:

  • typo corrected
  • XML::Parser is now a require rather than a use – those who don’t have this module can now use the plugin with the consequence that their entries will never be labelled as xhtml, only text or html, regardless of validity/well-formedness.
  • Regular expression for guessing text vs. mark-up is now: m!! This should hopefully catch pretty much anything that resembles mark-up.
  • The check in the start() sub for preloaded templates is now or’d with the call to _load_templates. I’m not even sure if this check is necessary, as it doesn’t appear possible for any user-defined templates to have been loaded by this stage anyway, unless someone else knows better?

Major Revision: atomfeed-beta-3

Since posting this entry, I have made a number of changes to the plugin. It now contains support for the following additional elements:

  • and for

Also, it checks $blog_title, $blog_description and each post’s $title for markup by looking for anything matching the regular expression /<[a-zA-Z0-9]+>/. If it finds a match, it assumes that the variable contains markup and parses it as such, labelling it either html or xhtml depending on well-formedness.

You can download the new version here. The link below continues to point to the original version. Documentation is still not finished, but the code is commented. I’m particularly interested in feedback on the _parse_markup subroutine.

Original post

I’ve updated the atomfeed plugin for Blosxom to emit a basic Atom 1.0 feed. It’s in beta; you can download it here. I’m running the plugin, so if you like you can see it in action by checking my Atom feed; the feed’s been checked with feedvalidator.org’s new Atom 1.0 support. Here are the notes I posted to the blosxom mailing list:

The feed is very basic: only the required elements along with a feed-level pointing at the feed, a based on $blog_description, a element (updated 2005-07-21, but it was always in there), and each has a as well as an element.

I have not yet updated documentation in the plugin. I’m making it available so that anyone interested can take a look and make suggestions before I start looking at adding more support for optional elements and doing some other bugfixes. When I’m happy with it I’ll re-write the docs, remove the BETA flag and post some instructions on my site. Until then, use these notes as guidance if you want to use or test the plugin:

  • $feed_yr is now a configurable variable that MUST be set to the year you want to see in your feed level element. This should be set once and then never changed.
  • is derived from the timestamp in %blosxom::files, and (entry level) is derived from a stat()->mtime on the actual file. For these two elements to work as intended, you really should be running entries_cache or similar, otherwise they will be the same.
  • entry level ‘s are derived from %blosxom::files. Again, for maximum conformance – to guarantee the tags never change – the current method is to use entries_cache or similar.
  • I decided not to worry about sniffing for plaintext entries as it seems to me that most blosxom users will have markup in their entries, so the mechanism for determining the type of has remained basically the same (UPDATED – see below).
  • I am still assuming that $blog_title and $blog_description contain only plaintext and no mark-up whatsoever.
  • the feed-level element must appear before the s, so I’ve taken the method used in the rss10 plugin to insert it in $blosxom::output in the foot subroutine using a placeholder.

Update 2005-07-21 (1)

I’ve removed the code that conditionally placed some HTML content into a CDATA section. ALL content identified as HTML will now be escaped.
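The markup check from the beta-3 notes (match /<[a-zA-Z0-9]+>/, then label the value html or xhtml by well-formedness) together with the rule in this update that HTML content is always escaped, as an added Python example; it is not the plugin’s Perl code. It uses the beta-3 regular expression as stated above (beta-4 widened it), Python’s xml.etree parser in place of XML::Parser, and wraps the fragment in a div so that a fragment with several top-level elements still parses as one document; the content element it emits follows the Atom 1.0 rules for the text, html and xhtml types.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The beta-3 test from the post: a left angle bracket followed by a tag name.
MARKUP_RE = re.compile(r"<[a-zA-Z0-9]+>")


def classify(value):
    """Label a blosxom variable 'text', 'xhtml' or 'html' the way the post describes.

    No tag-like match means plain text. A match is then parsed as XML, wrapped in a
    <div> so that several top-level elements still form one document. A well-formed
    fragment is xhtml; anything else (unclosed tags, a bare '&') is html.
    Assumption: xml.etree stands in for XML::Parser, which the plugin itself uses.
    """
    if not MARKUP_RE.search(value):
        return "text"
    try:
        ET.fromstring("<div>" + value + "</div>")
        return "xhtml"
    except ET.ParseError:
        return "html"


def atom_content(value):
    """Build an Atom 1.0 <content> element for the value.

    As in the 2005-07-21 update, html content is escaped rather than put in a CDATA
    section; plain text is escaped too. Only well-formed xhtml is emitted as markup,
    inside the XHTML <div> wrapper that Atom requires for type="xhtml".
    """
    kind = classify(value)
    if kind == "xhtml":
        return ('<content type="xhtml"><div xmlns="http://www.w3.org/1999/xhtml">'
                + value + "</div></content>")
    return '<content type="%s">%s</content>' % (kind, escape(value))


if __name__ == "__main__":
    # Constructed samples: plain text, well-formed markup, tag soup.
    for sample in ("Rock & roll", "<p>Hello <em>world</em></p>", "<p>Hello<br>world"):
        print(classify(sample).ljust(6), atom_content(sample))
```

Note what the regular expression does not catch: a tag with attributes such as `<a href="...">` has no match, so a value consisting only of such tags is labelled text and escaped, which is safe but may not be what the author intended; the wider beta-4 expression addresses that.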

Feedback

Please direct comments to the blosxom mailing list.

Internal Server Error!

Oops, that inspires confidence… I just noticed my site has been returning 500 errors all day since I uploaded a blank file instead of a perl module and then went off to do something else without checking it worked. Oh well.

Posted in Uncategorized

Microsoft Update

If you run Windows XP and also use other recent Microsoft products, check out Microsoft Update if you haven’t already (you’ll need to be using Internet Explorer to follow that link I’m afraid, as the service only works using this browser). Up until now, updating MS products has involved tracking each set of products separately to ensure that you’ve got the latest security patches and updates. Microsoft Update rolls a number of different product updating services, notably including Office XP/2003, into one centralised service and makes updating that little bit easier. It’s been publicly available for around a month now and I’ve already found it saving me time and effort.


Chris’s British Road Directory

I stumbled across Chris’s British Road Directory today while surfing around looking for sites monitoring real-time traffic flow in the UK and I just had to blog it. From the site itself:

CBRD (Chris’s British Road Directory) is a sort of fan site dedicated to the entire road network of mainland Britain. It contains information on most aspects of the network and is frequented by enthusiasts and everyday road users alike.

[...]

CBRD is not a pro-roads protest or campaign site, rather a reference site (with some bits of entertainment thrown in) which aims to provide up-to-date and useful information on the road network of Great Britain.

If you’re interested in the UK Road system (and I feel I should point out that as a rule I’m not) then this is the place for you! There’s vast amounts of information here, ranging from frequently asked questions, a detailed database of Motorways, listings of current road building projects, critiques of poorly-designed junctions, even road-related fonts – and I could go on and on. A fantastic example of what a hobbyist can produce and a great resource for anyone interested in, well, British roads. Hmm.


Get updating

Lots of security updates this week: Windows XP and MS Office (info for: users, admins), Mac OS X Tiger and now Firefox 1.0.5. Get patching. Looks like I’ll be spending at least some of my time this weekend at my Dad’s (happy 60th, Dad!) updating and checking his Windows box. It could probably do with a service, anyway.


Securing sshd

I’ve decided to collate what I’ve picked up on this topic, as much of the advice I’ve found on the net is rather fragmented. Following these instructions is no substitute for reading the documentation with your SSH server and should be followed at your own risk – this is very much a brief round-up and not a detailed HOWTO. Anyway, having any services publicly available to the internet is a security risk and no amount of preparation can provide 100% certainty against compromise.

  1. Is your version of SSH up to date? Do you have a system for ensuring that it is kept up to date? None of the tips in this post will be of any use if your server has any known vulnerabilities (or any largely unknown ones for that matter, although the only way to effectively protect against these is to give up and unplug the network cable). ;-) The same should apply for all the other services you make available to the internet, as having a tightly locked-down SSH daemon won’t be much use if your mail and web servers are full of holes. Make sure you have a reasonable understanding of what it takes to secure your machine – see the related reading section below for some starting points.
  2. Work out how sshd is started and with what command line options. For example, are you sure you know what configuration file the server is using? The default is /etc/ssh/sshd_config, but it is possible to change this using the -f switch on the command line used to start the server. Check your startup scripts to be sure.
  3. Audit the user accounts on your system. This is the sort of more general security measure that you should be taking anyway, but it’s worth mentioning here. Some common account names are targeted by the automated brute-force password cracker scripts out there, so be careful of accounts with names like admin, user, guest, test, etc. Where possible also make sure that the system accounts required by some services have no passwords set and have something sensible set as their shells like /bin/false.
  4. Think carefully about from where you need to allow access to the server: does every machine on the net really need to be able to connect to it? You can use the /etc/hosts.allow and /etc/hosts.deny files to control access (see man hosts_access), as well as setting up iptables rules to only permit access from trusted IPs or ranges of IPs, for example (assuming you drop incoming packets by default):
    iptables -A INPUT -s $TRUSTED_IP -p tcp --dport 22 -j ACCEPT
  5. Carefully read the relevant manual pages, particularly sshd and sshd_config. Then read your /etc/ssh/sshd_config file – do not assume that your vendor or distribution has not altered any of the default variables. Some variables to pay particular attention to include:
    • Protocol – set this to 2 so as to not allow connections to fall back on protocol 1.
    • Make sure that PermitRootLogin is set to no.
    • Set PasswordAuthentication to no whenever possible.
    • Set PubkeyAuthentication to yes (default) and set up keypairs for users (see man ssh-keygen and man ssh-agent).
    • Set PermitEmptyPasswords to no (default).
    • Set StrictModes to yes (default).
    • Set UsePrivilegeSeparation to yes (default).

    Hopefully most of these variables will be in the states described. Note that some linux distributions use PAM to authenticate users connecting to the SSH server. This is beyond the scope of this article – see the UsePAM directive in the sshd_config manpage and the Linux-PAM website for more information on this.

  6. You can use the AllowUsers and AllowGroups directives and their DenyUsers and DenyGroups counterparts to limit access to trusted users or deny access to system accounts or untrusted users. Particularly useful if you need to allow password-based authentication.
  7. If you need to allow blanket access to the server from the internet, investigate methods for throttling large numbers of simultaneous incoming connections. Two worth investigating are:
    • The built-in MaxStartups directive in the sshd_config file. This sets the number of unauthenticated connections that are allowed at any one time before the server starts ignoring new connection attempts, and can be useful if you find your server is being targeted by brute force attackers making lots and lots of simultaneous or near-simultaneous connections. Read the sshd_config man page for more information on this.
    • Use the recent extension to iptables to track incoming connections and drop any from the same IP within a given number of seconds. This is very effective against the brute-force password crackers:
      iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
       -m recent --update --seconds 15 -j DROP

      iptables -A INPUT -p tcp -m state --state NEW --dport 22 \
       -m recent --set -j ACCEPT
  8. Some people may recommend moving the server to an unusual port by setting the Port directive in sshd_config, others may suggest implementing port knocking to control access. Although these solutions may afford you some additional security, the former is just a form of security through obscurity, although it’s probably quite effective against the automated scanners. The latter method is not without detractors, but can also be useful. Anyway, neither should be used as a substitute for other security measures, so I’ll say no more about them here.
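An added example, not from the original post, that audits an sshd_config file against the settings listed in step 5. It applies two rules from sshd_config(5) that matter for an audit: the first occurrence of a keyword is the one that takes effect, and anything after a Match line is conditional rather than global. A directive that is not set at all is reported too, since the vendor default then applies and step 5 says not to assume what that is. The sample configuration is constructed.

```python
import re

# Settings from step 5 of the checklist and the values it wants.
RECOMMENDED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "strictmodes": "yes",
    "useprivilegeseparation": "yes",
}

# Constructed sample; not a real host's file.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
StrictModes yes
UsePrivilegeSeparation = yes
# sshd keeps the FIRST value of a keyword, so this line changes nothing:
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return the global settings of an sshd_config as {keyword_lower: value}.

    Mirrors sshd's own reading of the file: the first occurrence of a keyword wins,
    keyword and value may be separated by whitespace or '=', and keywords after a
    Match line apply only when the match condition holds, so they are not global.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Compare a config against RECOMMENDED.

    Returns (keyword, found, wanted) tuples for every setting that is weaker than
    the checklist wants or is absent, in which case the vendor default applies.
    """
    effective = parse_sshd_config(text)
    findings = []
    for key, want in RECOMMENDED.items():
        got = effective.get(key)
        if got is None:
            findings.append((key, "(not set, default applies)", want))
        elif got.lower() != want:
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for key, got, want in audit(SAMPLE_CONFIG):
        print("%-24s found %-28s want %s" % (key, got, want))
```

On a real host, `sshd -T` prints the effective configuration after defaults have been applied, which is a better input for this check than the raw file; it can be combined with `-C` to see what a given Match block yields. Defaults also differ between OpenSSH versions (in current releases protocol 1 is gone and privilege separation is always on, so Protocol and UsePrivilegeSeparation no longer do anything), which is why an absent directive is reported rather than assumed safe.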

This article has been re-written from a stub that really just referenced the article that inspired it, Securing access to your server checklist. Feedback is very welcome.

Uma update (3)

She’s started to enjoy sitting up…

[Photo: Propped up between cushions on our sofa]

…and is really trying to crawl, but without a great deal of success as yet.

[Photo: Trying to crawl on the sofa]

Mother’s Milk Marketing Board

In the spirit of getting on with things after the terrible events of yesterday, here’s a nice lighthearted post. The Mothers Milk Marketing Board is a little company that “sells pro-breastfeeding and gentle parenting advocacy t-shirts and accessories for babies, toddlers and adults”. My favourite thing about them is their URL, www.lactivist.co.uk.


Terror in London

By now everyone will have heard the news – bombs on the buses and tubes in London this morning. It’s still pretty hazy as to how many have been killed or injured, or as to who’s behind it, claims of responsibility aside. My thoughts go out to everyone in central London today – I’m still waiting to hear from some of my friends in the city.

The terrorists won’t gain anything from this. I know Londoners – I lived there during the last IRA bombing campaign. They’ll just get back on with their lives and fuck the murderous bastards who think that killing innocent civilians on buses and trains is a reasonable way to go about pursuing their political and ideological aims.

The one thing we mustn’t do as a nation – eloquently put by Nick Barlow, quoting Martin Luther King – is to react without thinking and start flailing around looking for people to attack in mindless revenge. Nor must we alter our own society beyond recognition in the name of security. We’ve survived worse than this – think of the blitz – and there’s no way a comparatively small number of murderous fanatics – whoever they are – are going to bring down our society. But let’s not start doing their work for them, eh?


Stopped software patents

News broke today about how Software Patents won’t be coming to the EU any time soon, so I’ve taken down the banner supporting the campaign against them. While this is good news, it’s only part of the story: the law rejected today would have regularised the way that patents on software and other computer-related technologies are managed across the EU; while this can be seen as a victory for the anti-patent lobby (despite positive spin (PDF) from the pro-lobby), it’s not the end of software patents altogether. After all, with no EU-wide legislation there’s nothing stopping the powerful corporate interests in favour of software patents from campaigning in individual countries for similar legislation.
