Radmind

Software to manage UNIX and Mac OS X filesystems.

Radmind server logging and the repo command

Under normal circumstances, the latest Radmind tools that communicate with the server report client status updates in the Radmind server’s system log. These standard messages can include ones like:

May 8 03:14:56 RadmindServerHost radmind[7890]: report radmind-client.example.com 192.168.7.42 - - ktcheck No updates needed
May 15 03:15:25 RadmindServerHost radmind[24531]: report radmind-client.example.com 192.168.7.42 - - ktcheck Updates retrieved
May 15 03:21:48 RadmindServerHost radmind[24534]: report radmind-client.example.com 192.168.7.42 - - lapply Changes applied successfully
May 15 03:31:07 RadmindServerHost radmind[24356]: report radmind-client.example.com 192.168.7.42 CertificateCN - lapply Error, changes made

The Radmind repo, or “report,” tool provides the ability to send arbitrary messages to the Radmind server process. But how are these messages formatted and sent?

$ repo -e "Debug" -h radmindserverhost.example.com -w2 "Test message"

… results in the system log message:

May 15 03:31:56 RadmindServerHost radmind[25236]: report radmind-client.example.com 192.168.7.42 CertificateCN - Debug Test message

Here, we can see that an entry created with repo looks like the standard Radmind log messages above. The client hostname and IP address are reported after the “report” text. The CertificateCN for the client — if the highest authorization level is specified (with the -w2 flag) — is also listed; if not, a dash takes its place. I haven’t seen a case where the second dash is substituted, however.

Finally, where the Radmind command/tool used would normally be, the “event” specified by repo will be printed. After that, the message text appears.

The value proposition is that if you’re using Radmind, the repo command can help you send arbitrary messages to the server for logging. As a bonus, if you've taken the time and effort to build the certificate infrastructure for Radmind, you can send these messages securely between the clients and the server cloaked in SSL.

If you’re using multiple servers, you may want to combine their logs so that you can get all of the clients’ reports in one location. You may also want or need to retain these reports for more time. In either case, determine what policies you should apply to the syslog or Apple System Logger (ASL, for Mac OS X) configuration for your server systems.

Whether or not you use repo, it’s good to know that the tools do some logging. The logging can be followed to try to determine the status of your clients, or whether they are failing their updates.

Unfortunately, the most common client failures I have seen tend to involve the lapply tool, and the default level of detail I’ve seen reported back to the server does not indicate what problem was encountered. You see only that there was an error. Still, even though you may not get enough detail to resolve the problem remotely, it’s something to go by to find problems in the first place.
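
One way to follow these reports is to parse the server log and list clients whose latest lapply run ended in an error, along with entries that carry no certificate CN. This is an added example, not part of Radmind; the field layout is inferred from the sample lines above, the event is assumed to be a single token, and the second client and the cron line are constructed.

```python
import re
from collections import defaultdict

# Field layout taken from the sample lines above. Assumption: the event is a
# single token without spaces; everything after it is free-form message text.
REPORT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<server>\S+)\s+"
    r"radmind\[(?P<pid>\d+)\]:\s+report\s+(?P<client>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<cn>\S+)\s+(?P<field2>\S+)\s+(?P<event>\S+)\s+(?P<message>.*)$"
)

def parse_report(line):
    """Return the fields of a radmind 'report' line as a dict, or None."""
    m = REPORT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["cn"] = None if rec["cn"] == "-" else rec["cn"]  # dash = no certificate CN
    return rec

def latest_by_event(lines):
    """Map client -> event -> last record seen (input is in log order)."""
    latest = defaultdict(dict)
    for rec in filter(None, map(parse_report, lines)):
        latest[rec["client"]][rec["event"]] = rec
    return latest

def failing_clients(lines):
    """Clients whose most recent lapply report begins with 'Error'."""
    return sorted(c for c, ev in latest_by_event(lines).items()
                  if "lapply" in ev and ev["lapply"]["message"].startswith("Error"))

def without_cn(lines):
    """Records logged with a dash in place of the certificate CN."""
    return [r for r in map(parse_report, lines) if r and r["cn"] is None]

# Constructed sample: the page's lines, an invented second client, and a non-radmind line.
SAMPLE = [
    "May  8 03:14:56 RadmindServerHost radmind[7890]: report radmind-client.example.com 192.168.7.42 - - ktcheck No updates needed",
    "May 15 03:15:25 RadmindServerHost radmind[24531]: report radmind-client.example.com 192.168.7.42 - - ktcheck Updates retrieved",
    "May 15 03:21:48 RadmindServerHost radmind[24534]: report radmind-client.example.com 192.168.7.42 - - lapply Changes applied successfully",
    "May 15 03:31:07 RadmindServerHost radmind[24356]: report radmind-client.example.com 192.168.7.42 CertificateCN - lapply Error, changes made",
    "May 15 03:31:56 RadmindServerHost radmind[25236]: report radmind-client.example.com 192.168.7.42 CertificateCN - Debug Test message",
    "May 15 03:40:02 RadmindServerHost radmind[25301]: report other-client.example.com 192.168.7.43 - - lapply Changes applied successfully",
    "May 15 03:41:00 RadmindServerHost cron[4242]: (root) CMD (example)",
]

if __name__ == "__main__":
    print(failing_clients(SAMPLE), len(without_cn(SAMPLE)))
```

Because repo lets a client choose both the event and the message, treat those two fields as client-supplied text when alerting on them.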

Compiling Rsync 3 as a Universal Binary for Leopard

When I come across software I might need to add into Mac OS X that requires compilation, I typically want to produce one Universal Binary. Make it a four-way UB and you get both 32- and 64-bit support.

A single binary is ideal for a Radmind transcript (or other package, if you wanted to bundle it into an installer) that can be deployed on both PowerPC and Intel Macs on Leopard.

Since rsync 3.0.2 with some patches is apparently working quite well at preserving Mac OS X data and metadata — passing the Backup Bouncer tests — I thought I'd try my hand at a four-way Universal Binary.

What worked for me, using a Mac Pro 4x2.8 GHz with Mac OS X 10.5.2 and Xcode 3.0, was to start with Mike Bombich's instructions and modify them with some fairly standard Universal Binary build steps. The configure and compile were both less than a minute on this system.

$ ./prepare-source
$ env CFLAGS="-O -g -isysroot /Developer/SDKs/MacOSX10.5.sdk -arch i386 -arch ppc -arch ppc64 -arch x86_64" \
LDFLAGS="-arch i386 -arch ppc -arch ppc64 -arch x86_64" \
./configure --prefix=/usr/local --disable-dependency-tracking

$ make
$ sudo make install

I have seen the use of "-Wl,-syslibroot,/Developer/SDKs/MacOSX10.5.sdk," in the LDFLAGS environment variable when compiling some applications but this did not work for me with rsync; when I removed it, rsync 3.0.2 configured successfully for me.

The result of the above build process appears to be a full four-way UB:

$ lipo -info /usr/local/bin/rsync
Architectures in the fat file: /usr/local/bin/rsync are: i386 ppc7400 ppc64 x86_64

A local transfer on the build system appears to have worked correctly. I did not test with Backup Bouncer, sync with a non-Mac system, or when shuttling data between architectures. So, accept these results with a grain of salt; I’m just happy I got rsync to compile for now.

The layering and dependencies of the iLife Support 8.2 update

The “iLife Support 8.2” update from Apple seems to affect only /System/Library/PrivateFrameworks/iLifeMediaBrowser.framework. I ran lsbom -a on its package receipt, which is in /Library/Receipts/iLifeMediaBrowser.

I had the update appear on two different computers that didn’t have iLife 08 installed — one of each architecture (PowerPC and i386) — in Software Update. It appeared this week along with Mac OS X 10.5.2 and other updates, but did not require 10.5.2.

Therefore, it seems relatively safe to install to (or Radmind to) more computers than just those with iLife 08 installed. This is important with Radmind because you worry about the layering of updates and dependencies between them, so I’d advise you to do your own testing in your own environment. In particular, I don’t know how it will interact with older versions of iLife if they happened to be in place, so if you have such a situation, you’ll want to do your own testing before rolling into production.

Launchd job with multiple triggers in Leopard

After a tiny bit of experimentation with Leopard launchd jobs that have multiple triggers, I found that they can in fact run as expected when either trigger is hit.

I had a working launchd job that used the StartCalendarInterval key. I then added a WatchPath key and rebooted for good measure. When I used `touch` to modify the watched path, the job executed.

Good to know, even though I’d never tried this in Tiger. I don't yet know if there is a limitation on how many triggers can be added successfully, or if there are triggers which cannot be combined.

One immediate benefit of this, however, is that you can have one job that will definitely be coalesced into a single execution whenever it is missed (as with system sleep). If they don't coalesce into a single execution, it sounds as if the developers at Apple would consider that a bug. Multiple individual jobs do not coalesce if they are defined in separate plists, even if they call the same script or command line tool.

McAfee VirusScan 8.6 installation on Leopard

Following McAfee's use of the Mac OS X filesystem is quite a job. If you're a systems administrator, the way their VirusScan product is installed makes it complex to understand and deploy. If you're deploying with a system like Radmind, it pays to take the time to look into what gets installed and where.

Take the recently-released McAfee VirusScan 8.6 for Mac OS X — the first post-Leopard update to their anti-virus software. I must give them credit for that. They did provide support for Leopard more quickly than I can recall them doing for any other previous version of Mac OS X, going back to when the product was called Virex.

This new VirusScan still has files that are named "Virex," in the second version after the product was renamed. (Or third, if you count their questionably-named "VirusScan 8 for Mactel" product.) Look in /Library/Application Support for one example.

The /Library/Application Support/Virex/ directory includes the StuffIt and StuffItCore frameworks, presumably to scan within StuffIt archives now that the operating system itself no longer includes StuffIt. This directory also stores the VirusScan Reporter application.

VirusScan 8.6 installs a kernel extension, but it doesn't necessarily get put where you might expect. Not in /System/Library/Extensions, no — it is placed, instead, in /usr/local/vscanx/Extensions. Oh, it's named Virex.kext.

Speaking of /usr/local/vscanx, McAfee apparently decided to duplicate similar system-supplied directories there. So, you'll find "Extensions," "lib," "var," and "var/tmp" directories inside it.

There are four setuid/setgid applications in VirusScan 8.6.

The installer also modifies the local syslog.conf, adding the line:

local7.info /var/log/VirusScan.log

In VirusScan 8.5, a local user and group were created during the installation — they became UID and GID 500, as I recall. I haven't yet confirmed that with version 8.6, but it seems likely that practice has continued, so be alert because it can affect the ownership of the installed files.

Update 01/21/2008: Nathan Lewan posted helpful information about managing VirusScan 8.6 to the Radmind mailing list. (If you need to know how software gets installed, ask a Radmind admin.)

Leopard installer utility and install choice change XML files

In reading the man page for the updated installer utility in Leopard, it looks like it offers the equivalent of "answer files" on Windows. This sounds like a big improvement, especially for systems administrators who want to automate the installation of packages on Mac OS X.

The "install choice change XML file" can be used to apply changes to the default option in an installer package. This uses the -applyChoiceChangesXML flag.

The installer can also show the defaults as well as the result after applying a choice changes XML file to them. Use -showChoicesXML to find the choices and -showChoicesAfterApplyingChangesXML to see the outcome of choice changes, respectively.

For what it's worth, the -dominfo and -query flags are also new and have functions that I don't recognize from Tiger, comparing the two man pages.

Anyway, the install choices sound like a "win" — even just to get reliable, reproducible Radmind transcripts, if you're into that sort of thing. Imagine creating an installer choice change file for a package you install/update all the time — the system software itself, and the Apple Xcode Developer Tools, both spring to mind. Whether you're creating install choice change files for bulk installation or just automation of your build process, it sounds as if this new capability should be really helpful.

Hashing with splash in Python

Every time I do hashing in Python, I have to look it up. I forget how to do it. That's probably a bad thing, at least compared to the shell. The shell way isn't exactly simple, but I find it something I can do by rote.

I'm going to write down how I got MD5 and SHA-1 hashes for a file — which is something I occasionally have to do when posting a download, for example — thereby making it possible to find my own perfectly-tailored how-to next time:

>>> import hashlib # hashlib is new in Python 2.5
>>> file_reference=open('/path/to/file', 'rb').read() # open the file for reading, in binary mode
>>> hashlib.md5(file_reference).hexdigest()
'11fb57ba7927ad04534d0a341dd9c943'
>>> hashlib.sha1(file_reference).hexdigest()
'bff8e8bcd74662ee52dde369e9387cb10d5a5ece'

There, that wasn't so bad. I just have to remember the name of the built-in hashlib module and how to call for a hash of some data with it. You're missing the twenty other lines I tried which didn't work, of course, but you don't really need to see that. Sigh.

Without specifying hexdigest(), the result is a hash object rather than the hash value.

>>> hashlib.md5(file_reference)
<md5 HASH object @ 0x639c0>

I compared the Python hashlib results above with the following output from OpenSSL, and they are the same:

$ openssl md5 /path/to/file
MD5(/path/to/file)= 11fb57ba7927ad04534d0a341dd9c943
$ openssl sha1 /path/to/file
SHA1(/path/to/file)= bff8e8bcd74662ee52dde369e9387cb10d5a5ece

On balance, I think I'd still like comparing that hash against another string better in Python, but getting the hashes was quite a bit more confusing to me. It was enough to interrupt my flow.
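
The comparison step mentioned above, as an added example that is not from the original post: it hashes the file in chunks instead of reading it whole, computes several digests in one pass, and checks the result against a line in the openssl output format shown above. The function names are hypothetical, and SHA-256 is included alongside the post's MD5 and SHA-1 as a generalization.

```python
import hashlib
import hmac
import os
import tempfile

def file_digests(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Hash a file once, in chunks, and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def parse_openssl_line(line):
    """Split 'SHA1(/path/to/file)= <hex>' into ('sha1', '<hex>')."""
    label, _, hexvalue = line.rpartition("= ")
    return label.split("(", 1)[0].lower(), hexvalue.strip().lower()

def matches(path, published_line):
    """True if the file's digest equals the one in a published openssl line."""
    algorithm, expected = parse_openssl_line(published_line)
    actual = file_digests(path, (algorithm,))[algorithm]
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Constructed input: a temporary file holding the bytes b"abc".
    fd, path = tempfile.mkstemp()
    os.write(fd, b"abc")
    os.close(fd)
    try:
        print(file_digests(path))
        line = "SHA1(%s)= a9993e364706816aba3e25717850c26c9cd0d89d" % path
        print(matches(path, line))
    finally:
        os.remove(path)
```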

Apple purchases the rights to CUPS

Wow, Apple bought the Common UNIX Printing System (CUPS) back in February, and the announcement has just come out. (I have to wonder why the delay … perhaps it has something to do with Leopard?) The software continues to be licensed under its regular terms.

Michael Sweet, one of the principals behind Easy Software Products and developer of CUPS, is now an Apple employee.

I’m sure this all means something.

Is Entourage a client that doesn’t suck?

In reviewing Jesper's list of requirements for The Email Client That Doesn't Suck, I was somewhat surprised how many of his points are already handled by Microsoft Entourage 2004.

I’d give it 19 out of 26 points. There are some places where I’m being charitable towards Entourage, partly because it can support the requirement with a little work (which does not always mean scripting — and it should be noted that Entourage is very scriptable) or I didn’t understand what Jesper meant by the requirement.

Many Mac users discount Entourage. There are a couple of reasons that may be cited:

  • Microsoft bundles it with Office 2004, so you have to buy it along with a lot of other software in order to get it. That costs more than a standalone client, even if you’re eligible for the $149 Student and Teacher Edition (which is often discounted even more).
  • It’s not Universal yet, so it works natively only on PowerPC Macs. It requires Rosetta on Intel Macs today. (But Microsoft has announced that the next version of Office will be Universal.)
  • It comes from Microsoft, so it must be evil somehow.
  • It has a custom monolithic database for its backend. This predates any of Apple’s Core Data-type development. It can be a completely valid issue for some — such as those with network or portable home directories, or those performing regular client backups.
  • It doesn’t look like a Mac OS X application. Rather, you might say it looks more like an application from classic Mac OS … and I’d agree, but there are some quick things you can do to spruce things up. (I had some on my old blog, but I still haven’t ported the old content over. Suffice it to say that changing a lot of the font choices to “Lucida Grande” in the preferences makes a big difference.)

That said, there are many valid concerns about Entourage. I voice many through the Microsoft feedback channels available to me.

However, I think there is a huge impediment to creating a new e-mail client today, simply because of how connected this kind of product is to your whole computing experience. Any developer should take that into consideration, and realize that it’s probably an unending effort.

Hi, I’m your Mac enterprise interviewee

Mentioning Dennis’ recent interview with the Wall Street Journal reminded me that I’d never tooted my own horn here regarding another press placement. Why? I was interviewed by Lisa Nadile for CIO Magazine back in spring, and the article appeared quite some time ago (after I’d almost forgotten about it or thought I’d missed it).

So, read below the fold to find my quoted moments — not necessarily quotable moments, mind you — in the article: Hi, I’m a Mac and I’m your Enterprise Computer.
