What I Do September 15, 2010Posted by jdstrand in ubuntu.
I’m often asked, “So Jamie, what do you do?” I find my answer is usually quite different depending on whom I am talking to. Normally I say something fairly bland like, “I’m a security engineer for Ubuntu, which is a Free alternative to Windows and Mac.” I try to say something about freedom and beer, but really by the time I get to the word ‘engineer,’ many people’s eyes go glassy (maybe they’re tearing up at the thought of working on free software for a living and I am just not empathetic enough to notice). There might be a follow-up question or two and I may even offer a free CD, but usually the response is a simple, “Oh, you work with computers?”
Yes, I work with computers.
The truth is I would love to talk in depth about what I do with people who ask, so when my employer asked people to blog about what they do, I was pretty stoked. So where to start? How about where I got started.
I started using Free Software in 1996, when I went back to school to expand my education. Not long after that, my wife was pregnant and I found myself needing a way to work on my school assignments from home. My computer graphics professor gave me the new RedHat 5.0. I went straight home, installed it and was hooked. A little while later I installed a pre-release version of Debian Slink. Like many others, I loved Debian’s package management, its policy and how it is community-based. These gifts of Free Software and the community around them were, and still are, very meaningful for me.
Fast forward a few years and you’ll find me setting up a business with Debian Woody. Back then Debian stable still had Gnome 1.4, so I was keen on finding a newer desktop on top of the reliable, stable and secure foundation that I admired in Debian. I found Gustavo Noronha Silva’s unofficial Gnome 2 packages, but I really wanted Gnome 2.2. He didn’t plan on providing 2.2 packages, so I took up that work by providing a full, modern desktop including Xfree86, evolution, Mozilla, and a whole lot more. I realized that I had a pretty good thing going and thought others could benefit, so I released this as the Gnome 2.2 Backport for Debian Woody. I provided security support and an upgrade path for the backport for more than 3 years until Woody’s end of life. During this same time I developed an intense interest in secure servers which led me to consulting and a strong advocacy of Free Software. These experiences helped me understand how much good you can bring to people by working on Free Software.
In 2007 I was interviewed for a position at Canonical and I’ll never forget Matt Zimmerman’s question in my interview: “What will stop you from quitting a year from now and going back to consulting?” Though I did not expect this question, the answer was immediate: “Because I know how much of an impact Free Software can have and I won’t have the opportunity to help more people than with Ubuntu.”
These days, I get paid by Canonical to work with computers.
As an Ubuntu Security engineer, I am on a team of people who are responsible for tending to known threats against Ubuntu. We track security vulnerabilities, triage bugs, interact with upstreams, coordinate with other vendors, sponsor patches from the community, liaise with upstreams and vendors on behalf of researchers, analyze vulnerabilities, add to the Debian CVE tracker and of course fix security bugs in Ubuntu. Quality assurance is an integral part of fixing a bug that can land on millions of users’ desktops, so I helped start and regularly participate in the QA Regression Testing (QRT) project. In addition to helping our team prevent regressions in our updates, it is regularly used by the Ubuntu QA team to test the development release and in stable bug fix updates. The scripts in QRT have on several occasions found bugs in software in our development release that led to upstream and/or Debian bug reports and fixes. I also regularly update the Ubuntu CVE Tracker and security team tools for tracking, building and publishing security updates.
Another part of what I do is help develop security features, tools and documentation for Ubuntu. I am the principal author of the Uncomplicated Firewall (ufw) which aims to help people unfamiliar with firewall concepts be safer while helping seasoned administrators get their job done faster. It’s the default firewall for Ubuntu and included in other distributions such as Debian and Arch Linux. Several projects have popped up around ufw and provide graphical frontends, and I coordinate features and bug fixes in ufw with those projects.
I have joined the AppArmor project. AppArmor is the default Mandatory Access Control (MAC) system in Ubuntu and OpenSUSE, and thanks to to the tireless work of John Johansen and many others, is now included in the mainline Linux kernel. My upstream focus is on AppArmor testing, profiling, documentation, userspace tools and ease of distribution integration. In addition, I regularly participate in upstream planning discussions and meetings. For Ubuntu, I have authored many of the profiles in Ubuntu and regularly provide testing, bug fixes and new versions of AppArmor in Ubuntu.
I’ve also authored a few smaller applications like auth-client-config, openssl-blacklist, and openvpn-blacklist. auth-client-config is a program for modifying nsswitch.conf and pam configuration, but has largely been superseded in Ubuntu by pam-auth-update. The openssl-blacklist and openvpn-blacklist tools and lists were developed by me to detect known-bad RSA keys, and are included in Debian. I’ve had patches accepted by upstream for random software such as Gnucash and Gourmet, and have submitted many patches to Debian over the years.
I use virtualization for much of my development work and testing, so I regularly triage and fix bugs in libvirt and other parts of the virtualization stack with the Ubuntu Server team. I wrote and regularly maintain the AppArmor security driver in upstream libvirt. In Ubuntu I tend to focus on libvirt’s bug triage, AppArmor integration, merges with Debian, and testing. Writing much of the vm-tools in the Ubuntu QA Tools, I hope these scripts help anyone be more efficient when trying to manipulate several machines at one time, such as when performing ISO testing or testing a patch on many different operating systems.
When not working at home, I might be at a conference such as the Ubuntu Developer Summit (UDS), where I collaborate with people from all over the world in the Ubuntu community and upstreams to help plan and implement new features with security in mind. I’ve also attended security conferences such as DefCon and BlackHat.
Yes, I work with computers and am happy for it! On any given day I might publish an update, audit a piece of software, discuss a vulnerability with upstream, submit a profile to AppArmor, forward a patch to Debian, plan a ufw feature, test and refine a security fix with other vendors, triage and comment on a security vulnerability, write up some documentation, develop a test script, and/or fire up a bunch of virtual machines. What I do is fun, challenging… satisfying. It is hugely rewarding working on Free Software with so many talented and intelligent individuals in Canonical, the Ubuntu community, and the upstreams I interact with every day. I am blessed to work with these fantastic people who continually inspire me to stretch to learn and do more. I believe by working together on Free Software all of us are in our own way changing the world for the better. That’s why I do what I do.