Yet Another Government Adopting Free Software

Google’s translation:

“The municipality of Vieira do Minho definitively adopted productivity software LibreOffice”.

Motivations given include compliance with a law preferring FLOSS in Portugal, licensing costs and a desire to be free.

Further, the move is “not only desirable but is essential for a more modern Civil Service and financially sustainable.”

Amen. Having seen what GNU/Linux could do for schools for more than a decade working in education, I believe there are no downsides and plenty of good things about FLOSS in government. I recommend Debian GNU/Linux for general purpose computing.

See Municipality of Vieira do Minho adopting Free Software.

According to Netcraft, Vieira do Minho has been using a GNU/Linux web-server since 2004. It’s not a current version however:
“Apache httpd 1.3 has reached end of life, as of January 2010.
No further releases of this software will be made, although critical security updates may be made available as patches from the following website:
http://www.apache.org/dist/httpd/patches/”

I guess they like stability.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

22 Responses to Yet Another Government Adopting Free Software

  1. oldman says:

    “Of course they work on systems with SELinux disabled or Trusted Extensions disabled; systems lacking the required frameworks (Windows, OS X) are sitting ducks.”

    And yet we in the real world manage to balance the risks inherent in both systems and keep secure. As you have already acknowledged, a periodically updated defense in depth is the only answer to minimizing risk in the real world.

  2. oiaohm says:

    Brillo, the number of those that work on secured systems is also very interesting.

    A person arguing about something existing after 1.3.34 when the last release is 1.3.42 is a clear warning that you could have missed something important, like the standard.

    Brillo
    “Why not consult the bookmarks you have hoarded and compare the amount of bugs discovered after Feb 2010 and the amount of patches available for these bugs?”

    Here is an answer you are not going to like. The number of patches required to fix the faults from Feb 2010 to June 2012 in Apache 1.3 on secure systems with properly operational Mandatory Access Controls is zero. Not one of the faults discovered in Apache in that time frame would work on a securely configured and designed system.

    Of course they work on systems with SELinux disabled or Trusted Extensions disabled; systems lacking the required frameworks (Windows, OS X) are sitting ducks.

    Since my last system using Apache 1.3 was upgraded in June 2012, I was no longer required to keep up on its security flaws after that.

    Brillo, basically you don’t have a leg to stand on. General Googling is not good enough to know what is secure and what is not. Having to keep some old systems secure forced me to keep up on the containment. Containment stopping the fault is safer than applying a non-reviewed patch.

    Mandatory Access Control massively reduces the attack surface area an attacker has to work with, to the point that you can be running highly defective programs and attackers still cannot do jack because the Mandatory Access Control is in the way. That is, of course, if your Mandatory Access Control supports both models.

    People don’t understand the importance of Mandatory Access Control to stop attackers in their tracks at times.

    Security is like an onion: the more layers you have, the better.

  3. Brillo says:

    You are aware that current Apache 1.3 is 1.3.42

    There is no “current” Apache with a major version of 1. 1.3.42 is rather the last release of Apache 1.3 before the end-of-life announcement. Why not consult the bookmarks you have hoarded and compare the amount of bugs discovered after Feb 2010 and the amount of patches available for these bugs?

  4. oiaohm says:

    The Content-length: with nothing after it in the example is because I did not do the maths on how many chars that packet would be.

  5. oiaohm says:

    You are aware that current Apache 1.3 is 1.3.42

    Also, on those bugs: yes, a patch to fix it was included. It just kills mod_frontpage; Ron van den Dungen did not check non-frontpage.

    POST /foo/bar.cgi HTTP/1.1\r\n
    Host: blah\r\n
    Content-length: 20\r\n
    \r\n
    foo=bar&baz=flummox\r\n

    Yes, it should be split in 2. mod_security will clean up the foo=bar&baz=flummox\r\n line so it does not make it to your back end. OK, this does not help with mod_frontpage, where you are trying to get invalid HTTP through.

    Brillo, really, fixing mod_frontpage screws up tunnelling over HTTP and multiple HTTP requests in a single request. Since mod_frontpage is no longer supported, it is not a problem giving it a won’t fix.

    Brillo, your tidbits are invalid HTTP. A key part is missing from the header:
    Content-Type, for example Content-Type: text/html; charset=utf-8

    POST /foo/bar.cgi HTTP/1.1\r\n
    Host: blah\r\n
    Content-Type: text/html; charset=utf-8\r\n
    Content-length: 20\r\n
    \r\n
    foo=bar&baz=flummox\r\n

    This would work exactly as expected, since this would now be correct HTTP. So until HTTP is given a Content-Type, the next blank line ends that header and processing starts on the next header in the stream.

    Content-length: is only processed in newer Apache 1.3 to go through as one piece once you have a Content-Type, so hopefully you don’t get some random crud. It also allows mod_security and others to do content checks.

    If you have an HTTP header with just Content-length, it is suspected to be a header containing many HTTP headers and data blocks, is processed that way, and is broken up before the back end gets it.

    Early HTTP servers were lax and would process Content-length without a Content-type even though the HTTP spec stated otherwise.

    Basically, fixing the bug you are referring to, Brillo, is a return to HTTP that does not conform to the spec.

    Brillo, this is a case of Microsoft not following the standard, and once the standard is enforced their product is busted.

    Example of a multi request

    POST /foo/bar.cgi HTTP/1.1\r\n
    Host: blah\r\n
    Content-length:\r\n
    \r\n
    POST /foo/bar.cgi HTTP/1.1\r\n
    Host: blah\r\n
    Content-Type: text/html; charset=utf-8\r\n
    Content-length: 20\r\n
    \r\n
    foo=bar&baz=flummox\r\n
    POST /foo/bar.cgi HTTP/1.1\r\n
    Host: blah\r\n
    Content-Type: text/html; charset=utf-8\r\n
    Content-length: 20\r\n
    \r\n
    foo=bar&baz=flummox\r\n

    Basically, this allows clients to use TCP/IP packets more effectively. The result of this is that 3 requests appear at the back-end while the server only received 1.

    Brillo, basically, to use mod_frontpage you are disabling this functionality.

    So it’s not a security flaw.

  6. Brillo says:

    The last patch to 1.3 was March 3, 2012.

    The file says “October 3, 2009”, and the bugs they are meant to fix are from 2004. Just for the icing on that little cake, we have the following tidbits for the request body handling patch:

    “For completeness, users experiencing this problems should apply this patch… which will be included in the next 1.3 release.”

    “Seems this patch is still needed in 1.3.33. Apache 1.3.33 still breaks the
    mod_frontpage.”

    “And still there in 1.3.34. Why doesn’t this patch get included?”

    An explanation of the issue is as follows:

    This bug breaks regular CGI programs on the first POST request if sent without
    credentials. Here’s what the client sends:

    POST /foo/bar.cgi HTTP/1.1\r\n
    Host: blah\r\n
    Content-length: 20\r\n
    \r\n
    foo=bar&baz=flummox\r\n

    Because the request does not yet have keepalive set from the server’s
    perspective, the server closes the request immediately after receiving the \r\n
    on a blank line and sends a 401. Now something happens on the server (I’m
    guessing the socket doesn’t get flushed) that causes the last bit of data
    written by the client to be prepended to REQUEST_METHOD for the requested CGI
    program. When the CGI checks REQUEST_METHOD, it gets a surprise:

    foo=bar&baz=flummoxPOST

    I’ve observed this behavior on both Solaris and Win32.
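The two comments above (oiaohm's multi-request stream and the bug report Brillo quotes) turn on one question: given a POST whose Content-Length does not match the bytes that follow, where does the server decide the next request starts? The following is an added example, not code from the blog post, from any commenter, from Apache httpd or from mod_security, of the framing rule an HTTP/1.1 server applies under RFC 7230 section 3.3.3: the body is delimited by Transfer-Encoding or Content-Length alone (Content-Type is not consulted), an empty or non-numeric Content-Length is rejected with 400 rather than guessed at, and a declared length one byte short of the real body leaves a stray byte that must not be folded into the next request line. All function and constant names are this example's own; the request bytes are constructed from the thread's example, with Content-Length values chosen to exercise each case.

```python
"""Frame pipelined HTTP/1.1 requests by Content-Length (RFC 7230 s.3.3.3).

Added example; not code from the blog post, its commenters, Apache httpd or
mod_security.  The sample request bytes are constructed from the request
shown in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
VERSION = re.compile(r"HTTP/\d\.\d")


class FramingError(ValueError):
    """The stream cannot be framed unambiguously.  A server answers 400 and
    closes the connection instead of guessing where the next request starts."""


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_head(head: bytes) -> Request:
    """Parse a request line plus header lines (everything before CRLF CRLF)."""
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not TOKEN.fullmatch(parts[0]) or not VERSION.fullmatch(parts[2]):
        # A stray byte left over from the previous body lands here and makes
        # the method a non-token, so a desynced stream is refused, not served.
        raise FramingError(f"bad request line: {lines[0]!r}")
    req = Request(*parts)
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not TOKEN.fullmatch(name):
            raise FramingError(f"bad header line: {line!r}")
        name = name.lower()
        if name in req.headers:
            # Repeated framing headers are a request-smuggling lever; refuse.
            raise FramingError(f"duplicate header: {name}")
        req.headers[name] = value.strip()
    return req


def body_length(req: Request) -> int:
    """Bytes of body that follow the head.  Only Transfer-Encoding and
    Content-Length decide this; Content-Type plays no part in framing."""
    if "transfer-encoding" in req.headers:
        raise FramingError("chunked framing is outside this example")
    value = req.headers.get("content-length")
    if value is None:
        return 0
    # "Content-length:" with an empty or non-numeric value is invalid.  Treating
    # it as 0 would hand the body to the next request as if it were a request
    # line, so the RFC requires rejecting the message instead.
    if not value.isdigit():
        raise FramingError(f"invalid Content-Length: {value!r}")
    return int(value)


def frame_requests(stream: bytes) -> list[Request]:
    """Split one TCP stream into the requests it carries, in order."""
    requests: list[Request] = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise FramingError("incomplete request head")
        req = parse_head(stream[pos:end])
        pos = end + 4
        n = body_length(req)
        if len(stream) - pos < n:
            raise FramingError("incomplete body")
        req.body = stream[pos:pos + n]
        pos += n
        requests.append(req)
    return requests


# Constructed samples built from the thread's example request.
BODY = b"foo=bar&baz=flummox\r\n"  # 21 bytes: 19 form bytes plus CRLF


def post(content_length: bytes) -> bytes:
    """One POST as in the thread, with the given raw Content-Length value."""
    return (b"POST /foo/bar.cgi HTTP/1.1\r\n"
            b"Host: blah\r\n"
            b"Content-Length: " + content_length + b"\r\n"
            b"\r\n" + BODY)


PIPELINED = post(b"21") * 3               # three requests, correctly delimited
EMPTY_LENGTH = post(b"") + post(b"21")    # "Content-length:" with no value
SHORT_LENGTH = post(b"20") + post(b"21")  # declared one byte short of the body

if __name__ == "__main__":
    print(len(frame_requests(PIPELINED)), "requests framed from PIPELINED")
    for name, sample in ("EMPTY_LENGTH", EMPTY_LENGTH), ("SHORT_LENGTH", SHORT_LENGTH):
        try:
            frame_requests(sample)
        except FramingError as exc:
            print(f"{name}: rejected ({exc})")
```

PIPELINED frames as three POSTs with identical 21-byte bodies. EMPTY_LENGTH is refused at the first head, and SHORT_LENGTH is refused at the second request line, where the leftover `\n` from the first body has been glued onto `POST`; a parser that accepted either would be the front-end/back-end disagreement the thread describes.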

  7. oiaohm says:

    Robert Pogson, exactly, there are still updates on security grounds to Apache 1.3.

    Brillo, what, you had to try to be a smart ass? Because you pulled a bug that is not a bug for well-configured Linux and other operating systems. Spend some time on OS-included security flaw mitigation measures. You will find Windows and OS X are highly lacking.

    The thing here is Vieira do Minho is Linux. The thing we don’t know is whether it is fully SELinux enabled. If so, they are as safe with the 1.3 line patches as with any other HTTP web server.

    A lot of the patches to Apache 1.3 since 2010 have not bothered fixing what can be fixed by configuring Mandatory Access Control under Linux and other trusted-class OSes. So anyone running Apache 1.3 on Windows or OS X for any reason is the one that is for sure screwed. Linux users with LSM off are at risk.

    Brillo, now, after seeing this real-world example of why Mandatory Access Control is required, can you defend Microsoft and Apple for providing an incomplete Mandatory Access Control system in Windows Vista/7/8 and OS X compared to other OSes out there? Or should you join me in calling on Microsoft to provide fully functional Mandatory Access Control?

  8. Brillo wrote, “Support for Apache 1.3 has been over since 2010”

    …but Apache says differently
    “Apache httpd 1.3 has reached end of life, as of January 2010.
    No further releases of this software will be made, although critical
    security updates may be made available as patches from the following
    website:

    http://www.apache.org/dist/httpd/patches/”

    So, it works and security is maintained. This shows the strength of FLOSS. One can run older software longer and still be secure unlike that other OS that introduces new malware with every release and patch ad nauseam.

    The last patch to 1.3 was March 3, 2012.

    I am not suggesting one should prefer old software except for stability, of course, but why fix what isn’t broken?

  9. Brillo says:

    @Anyone that is not oiaohm

    If you don’t see anything in my previous comment – congratulations, you are not crazy!

  10. Brillo says:

    Brillo answer is not that black or white.

    Here is my point-by-point rebuttal written for Oiaohm and Oiaohm only:

  11. oiaohm says:

    Brillo answer is not that black or white.

    CVE-2012-0883: that attack method to gain privilege fails on systems with SELinux and even AppArmor configured correctly around apachectl.

    Why? When the user adds something to their local directory, both SELinux and AppArmor block apachectl from interacting with it. This is why having a MAC that works is important. Really, the apachectl program does not need to interact with any user files. It just takes command line options. Not one of those command line options has it reading a user file. So it can be completely restricted.

    This is why you need no read up, no read down, no write up and no write down in your Mandatory Access Control system.

    To be correct, any properly locked-down Linux or other Trusted-form OS (i.e. Trusted Solaris/AIX) will not be affected by the apachectl bug of CVE-2012-0883, since the attack vector cannot work due to the pre-existing Mandatory Access Control rules. It requires reading files at a different access level to apachectl.

    To be correct, almost everything that is a Data source object exploit (DSO) can be taken care of by having a decent-grade Mandatory Access Control system in the OS without having to binary-alter the program at all. Yes, CVE-2012-0883 is a Trojan DSO attack, so Linux/Solaris/HPUX/AIX Mandatory Access Control systems can block that fault from being functional. Windows and OS X users are the worst affected by this bug, with no option bar upgrading. All other server OSes can mitigate without upgrading just by turning their Mandatory Access Controls on and locking them down.

    Brillo, this is why I get so annoyed over Microsoft not providing a decent Mandatory Access Control solution with the two common models of operation.

    To be correct, Windows users are at greater risk from CVE-2012-0883 than Linux users, particularly when you take into account that a lot of programs on Windows use Apache 1.3 internally, including some Nvidia motherboards’ firewall software. Yes, you have nothing you can do against this under Windows bar either removing the software or upgrading.

    Fun: Nvidia does not provide upgrades to the firewall software containing Apache 1.3, and removing it also removes the network driver from Windows. So there are some poor Windows users out there totally screwed.

    Brillo, there are a lot of bugs in open source software that don’t worry security-designed and security-managed OSes. The insecurely designed OSes like Windows and OS X have problems, and poorly managed Linux/BSD systems have problems with those faults.

    Remember, a person standing in a glass house should not throw stones. This is exactly what you just did: the Apache fault is more harmful to Windows.
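The comment above discusses what stops CVE-2012-0883. For what the bug actually was: in httpd 2.x before 2.4.2, the envvars file that apachectl sources built LD_LIBRARY_PATH by prepending the server's own lib directory to the existing value, so with the variable unset the result ended in a colon, and ld.so reads an empty element as the current working directory. Running apachectl as root from a directory a local user can write to then loads that user's shared object into the server process. Whatever confinement sits around apachectl, the first check is on the script itself. The following is an added example, not code from the blog post, from the commenters or from the httpd project, that expands an envvars-style assignment under the shell's unset-variable rule and flags the elements ld.so would resolve to a user-controllable directory. The templates, paths and all function names are this example's own and are constructed for illustration, not copied from any httpd release.

```python
"""Flag LD_LIBRARY_PATH elements that resolve to the current directory.

Added example; not code from the blog post, its commenters or the httpd
project.  CVE-2012-0883 was this pattern in the envvars file that apachectl
sources: an unset LD_LIBRARY_PATH expands to nothing, leaving a trailing
empty element, which ld.so treats as the working directory.  The templates
below are constructed in the style of an envvars file (hypothetical paths).
"""
from __future__ import annotations

import re

# $NAME and ${NAME}; an unset variable expands to "" as in a POSIX shell.
_PLAIN = re.compile(r"\$(\w+)|\$\{(\w+)\}")
# ${NAME:+word}: expands to word only when NAME is set and non-empty.
_ALT = re.compile(r"\$\{(\w+):\+([^}]*)\}")


def expand(template: str, env: dict[str, str]) -> str:
    """Expand the three shell forms above against env; anything else is kept."""
    def alt(m: re.Match) -> str:
        name, word = m.group(1), m.group(2)
        return expand(word, env) if env.get(name) else ""
    out = _ALT.sub(alt, template)
    return _PLAIN.sub(lambda m: env.get(m.group(1) or m.group(2), ""), out)


def loader_search_dirs(value: str) -> list[str]:
    """Directories ld.so searches for a given LD_LIBRARY_PATH value.  An empty
    element (leading, trailing or doubled colon) is the working directory,
    shown here as '<cwd>'; a wholly empty variable is ignored by glibc."""
    if value == "":
        return []
    return ["<cwd>" if elem == "" else elem for elem in value.split(":")]


def untrusted_elements(value: str) -> list[str]:
    """Elements an unprivileged user can influence: the working directory and
    any relative path, which is resolved against the working directory too."""
    return [d for d in loader_search_dirs(value) if d == "<cwd>" or not d.startswith("/")]


def audit(template: str, env: dict[str, str]) -> list[str]:
    """Expand an assignment's right-hand side in env and report the elements
    from which attacker-placed shared objects would be loaded."""
    return untrusted_elements(expand(template, env))


# Constructed templates in the style of an envvars file (hypothetical paths).
VULNERABLE = "/usr/local/apache2/lib:$LD_LIBRARY_PATH"
HARDENED = "/usr/local/apache2/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"

if __name__ == "__main__":
    for label, tmpl in ("vulnerable", VULNERABLE), ("hardened", HARDENED):
        for env in ({}, {"LD_LIBRARY_PATH": "/opt/lib"}):
            print(f"{label:10} env={env!r:32} -> {expand(tmpl, env)!r}"
                  f" untrusted={audit(tmpl, env)}")
```

With the variable unset, VULNERABLE expands to a value ending in a colon and the audit reports `<cwd>`; HARDENED uses the `${VAR:+word}` form so the separator only appears when there is something to separate, and reports nothing in either environment. The same audit applies to any root-run wrapper script that splices an inherited path variable into LD_LIBRARY_PATH or PATH.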

  12. Brillo says:

    @CM

    You mean the blog itself? 😉

  13. Clarence Moon says:

    Just close it

    No worries

  14. Brillo says:

    For many years Apache 1.3 was the standard and it still works today, obviously. If they need none of the features of 2.X and there are security updates

    “If”. Support for Apache 1.3 has been over since 2010. Vulnerabilities, on the other hand, are still discovered every other week.

    It seems that the business is in good hands indeed.

  15. Chris Weig wrote, “Upgrading? You don’t need that! Just let it run.”

    In a production environment, truer words were never spoken. For many years Apache 1.3 was the standard and it still works today, obviously. If they need none of the features of 2.X and there are security updates, stability is worth something. I have been using 2.X for many years and I certainly don’t need many of its features. I even have nginx running here and there. For some purposes that works too.

  16. Brillo says:

    There is also this interesting phenomenon where one comment gets “beaten” by another. Say, you open a page and start typing your comment. Then someone also opens the same page and starts writing a comment. Now, if you submit your comment at about the same time as the other guy, there is a good chance that only one of the comments will appear under the blog entry – a classic example of race conditions.

  17. Brillo says:

    Apparently it can really cope well with left-open HTML tags.

    This is what went wrong in dougman’s infomercial:

    <p><b>Is LibreOffice Really Worth Your Time?<b /></p>
    <p>Yes, some people may scoff at the notion because its free and while it is true that LibreOffice doesn’t provide “shine” as M$ Office, it still provides a plethora of useful features. The free version of M$ Office, M$ Works, doesn’t come close to it.</b>

    My guess is that WordPress found two <b> tags but only one </b> tag and decided to change the second <b> to <b /> (for whatever crazy reason), but then when the text was broken into paragraphs (using the block-level tags “p”), the remaining line-level “b” tags were not given their proper open/close counterparts. This resulted in the mess we see in the output from the browser.

  18. dougman says:

    Sixty-five dollars? It seems to me that M$ over charges for their software and gouges the market; M$ valuation of $620.6 billion back in Dec. 30, 1999 agrees and today M$ is at ~$260 billion. Hmmmm..

    That is what Mr. Pogson is referring to, M$ has lost substantial value in the past decade, what do you think projections say for the next ten years?

    Hindsight is 20/20 and all but 10,000 shares in Apple 12 years ago would have been nice. 🙂

    Anyway, $65/student * 30 = $1950, which is still $2K more than what an educational center needs to spend.

    Bean counters will ask you what’s the difference between LibreOffice and M$ Office, and when you tell them that both offer the same thing functionally, they will follow up with “Then why are we spending money!?”

    Choice is a good thing, especially today and is VERY important for PIGS, as they are all broke! The GDP, is starting to see the value in picking alternatives that are less costly.

    LibreOffice for Android will be another great milestone.

  19. Chris Weig says:

    Wow, Pogson, just wow. Your WordPress installation is really good. Apparently it can really cope well with left-open HTML tags. Let’s make a list:

    There you go!

  20. Chris Weig says:

    According to Netcraft, Viera do Minho has been using a GNU/Linux web-server since 2004. It’s not a current version however… […] I guess they like stability.

    I guess they fell prey to some clueless Cult of Linux member who persuaded them that Linux was the “right way to do IT”.

    “Upgrading? You don’t need that! Just let it run.”

    Have you ever been to Portugal?

  21. oldman says:

    “Lets see, M$ Office cost’s ~$100+ a copy, multiplied by 30 students comes out to be ~$3K or more! ”

    Nope. Office Pro is available to students under VLA (which any reasonable sized institution can qualify for ) for $65.00 a student.

  22. dougman says:

    Educational centers can save a boat load of money by using LibreOffice!

    LibreOffice is free while M$ Office (consisting of Word, Excel, Powerpoint, and more) costs ~$80 to $350 or more, depending upon which version you purchase.

    Let’s see, M$ Office costs ~$100+ a copy, multiplied by 30 students comes out to be ~$3K or more! One can purchase nice Xerox printers with that money and still have change to spare for paper.

    4 Reasons Why You Should Use LibreOffice

    1. It is free. You don’t have to pay a dime to use this excellent Office Suite. LibreOffice offers many features that are only available on premium office suites.

    2. It has a portable version. You can edit your documents anywhere you go and run it via a Flash Drive.

    3. It is able to export files to PDF. This is essential because the PDF file is one of the most universally accepted document formats.

    4. It is fast, light, and stable. It runs smoothly and doesn’t use too much memory.

    Is LibreOffice Really Worth Your Time?

    Yes, some people may scoff at the notion because it’s free, and while it is true that LibreOffice doesn’t provide the “shine” of M$ Office, it still provides a plethora of useful features. The free version of M$ Office, M$ Works, doesn’t come close to it.
