Student Application
Name: Thomas Waser
Contact/Email/IRC nick: thomas.waser@libelektra.org
Background: I am a Software Engineering student at the Vienna University of Technology and FOSS enthusiast. During my free time I am currently engaged in the Elektra project mainly writing plugins validating and storing configuration files.
Project title: Avoid configuration errors by specifying attribute qualities.
Project details: Security issues triggered by specific entries in configuration files become more and more common. Especially with the advent of long term support (LTS), Debian faces issues that configuration options that were considered secure earlier turn out to be problematic. Such issues are relevant and quite frequent, for example recently in DSA-3517-1 exim4, recurring problems with sudo, and sometimes by ciphers which are now considered too weak.
Currently, Debian provides no user-friendly way to update configuration files: It is not clear what the purpose of upstream changes are and thus no automatic merging is possible.
In this Google Summer of Code Project we want to introduce a simple way for maintainers to specify the relevance of individual configuration options. When the specification and the default option changes, a tool will validate options to achieve better quality attributes such as security.
For example, we want to increase ServerKeyBits of the openssh-server. Thus we specify:
[openssh/sshd/ServerKeyBits]
default = 2048
security = (<= 1024) ? (-1000) : (+1000)
Using the conditional expression in security, we now gave ?ServerKeyBits the semantics so that the validation tool knows it should trigger a warning if the configuration option is 1024 or below.
The goal of this Google Summer of Code Project: we want to extend the Elektra framework to support such specified quality attributes and write a tool that allows us to validate such configurations. Additionally, we write a specification for important Debian packages such as the openssh-server.
We will provide regular updates about the projects status and try to consider the community feedback.
Benefits to Debian: Validating configurations based on quality attributes provides new way to increase security and prevent issues caused by bad or outdated configurations. Though focused on security, the techniques developed in this project can be applied to improve all kinds of configuration aspects such as battery life, performance, stability, ....
Deliverables:
- Specifications extending configuration keys with specified quality and context related attributes for important Debian packages such as openssh-server.
- A tool to validate such configurations.
- Extensions to the Elektra framework providing techniques to handle such quality attributes.
Project schedule:
Before project acceptance: March 25. - April 21.:
- Improve specification model and add end-user documentation
- Get a better understanding of other merging concepts like Config::Model or ucf
Community bonding period: April 22. - May 22.:
- Continue to work out specification details for quality attributes
- Develop strategies validating quality attributes based on context
- Get community input and improve specification model
1. Work period: May 23. - June 12.:
- Add basic support for quality attributes to the Elektra framework
- Test simple specifications
End of 1. work period: June 13. - June 19.:
- Code cleanup
- Provide implementation of features such as:
- conditions
- enum-like named value sets and mappings between such sets
- context based calculations of quality values
- context based suggestions for configuration options
- deriving configuration options based on other configurations, options or context
Midterm evaluation: June 20. - June 26.:
- Get community input suggestions to improve specification details
- Create complex specifications for testing purpose
2. work period part 1: June 27. - July 15. :
- Extend Elektra support
- Create validation tool
2. work period part 2: July 16. - August 7.:
- Create specifications for other important Debian packages
- Test specifications for Debian packages
- Create automatical tests for continuous integration
- final review
End of 2. work period: August 8. - August 14.:
- Provide guidelines on writing specifications
- Help Maintainers to integrate specifications in their respective packages
Final week: August 15. - August 23.:
- Work out suggestions how to apply the developed techniques on other configuration aspects.
Exams and other commitments: 2 exams during the last week of june (27. and 30.).
Other summer plans: None.
Why Debian?: Starting with sarge Debian has become the OS running my server, workstation, netbook, embedded devices, etc. Finally contributing back seems like the logical conclusion to me.