Open Source Software and Security

December 2011
This note, developed in consultation with CESG, highlights some of the key security considerations for the use of open source software in Government, and their implications for procurement practice. It focuses on dispelling common security myths about open source software which prevent a level playing field for its evaluation and use in Government. It is published in recognition that a wider audience wish to understand the UK Government’s position on open source software and security. Public sector customers can obtain further information from CESG in GPG38.

1. Open source, as a category, is no more or less secure than closed proprietary software.

All software, including open source and closed proprietary, will have vulnerabilities. Individual software products, regardless of category, will have strengths and weaknesses in security characteristics such as provenance, quality, support, and vulnerability management. Given the range of vulnerabilities and diversity of exploits, on balance, neither category is considered more or less secure than the other.

2. Therefore, open source software cannot be excluded from an options analysis for Government IT.

Given that no one type of software is inherently more secure than another, neither open source nor closed proprietary software should be excluded from an options analysis for security reasons. It is Government policy for open source software to be evaluated in an options analysis, and for suppliers to provide appropriately detailed evidence of the reasoning behind their selection. It is entirely possible that an open source option is not selected for valid reasons, such as insufficient functional fit, inability to meet performance requirements, or higher cost of ownership due to more expensive security controls. It is important that the same selection criteria are applied to all options. It is also important that requirements are not exaggerated, unnecessarily inflating costs.

3. CESG does not accredit software products. Departments accredit their own ICT solutions.

It is a myth that some software products are “accredited” for use in Government. This is a misunderstanding of the security framework and accreditation process. Departmental accreditation of their own IT solutions is a sophisticated and rigorous process encompassing business benefit, threat and risk assessment, hardware, software, communications, and human factors. CESG does operate assurance schemes through which security enforcing products, both open source and closed proprietary, can be evaluated and certified. Such certification assures the public sector that security enforcing products, such as firewalls and cryptography tools, can mitigate various risks to its information. The large majority of software used to build Government IT solutions does not fall into this category. Furthermore, the risk managed decision whether or not to use such software remains with the Department’s information risk owner.

John Pugh (Southport, Liberal Democrat)

To ask the Minister for the Cabinet Office what recent assessment he has made of Government policy on open source software and open standards; and if he will make a statement.

Francis Maude (Minister for the Cabinet Office; Horsham, Conservative)

We have always made clear that, where appropriate, Government will procure open source solutions.

Open source products are used in the delivery, of huge database programmes—such as the Indian Identity card scheme—at a greater scale and for much less cost than we have experienced in the past.

Gov.uk, the new platform for publishing in UK Government employs the same open source technologies.

It’s being delivered for a fraction of the cost of previous Government web schemes.

So not a big long speech, but there it is, said in the house and recorded for posterity with the transcript of the oral answers in Hansard and theyworkforyou.com,

The government is moving on Free Software, there is a very high level understanding of the need to avoid lock in, promote re-use and to remove the barriers to adoption for Open Source software. They have been taken for a ride by a bunch of proprietary suppliers who have sold them the same old stuff over and over again, with contracts that tie the government down and keep the gravy train rolling. There is no massive appetite for the government to contribute directly to free software projects, but they are very willing to have more open software from their existing and new suppliers, and to have those suppliers be good citizens in the open source community.

There appears to be a general alignment (and indeed confusion between) open source and open standards. What the government really appears to want is open standards, with open source software as a means to get to an environment where open standards are prevalent. This will give them the re-use and interoperability that they really want.

To this end the cabinet office is running a public consultation at the moment, asking you to comment on their thinking in the area of open standards. Don’t be misled though, this is all about open source really, and they really really want a bunch more responses to their consultation. You can view the consultation website here:

http://consultation.cabinetoffice.gov.uk/openstandards/

It is a bit of an epic read, there is a 31 page pdf describing the consultation then you can go on to provide your responses on the website where your answers will be published along with those of everyone else. I don’t think I have ever filled in a form where my answers were broken down into chapters before, but there is a first time for everything. Chapter 1 is all about how they should define what an open standard actually is, kind of like art, you know it when you see it. Chapter 2 discusses whether open standards should be mandatory (expect some detailed answers from proprietary suppliers in this section explaining why the world would end if openness was not optional). Chapter 3 is all about international alignment and would be a great place for comments from people who are not UK based but for whatever reason think we should be more interoperable at a government level.

Please do have a read of it and browse the questions and answer any you feel like giving your opinion on. Don’t feel you have to answer them all, or give long answers. I am assured that this consultation will make a difference.

What kind of makes sense to me is that you should be able to right click on the things in the launcher and see the list of windows and choose the one you want. Luckily Unity is quite extensible, there are APIs for adding quicklists to the launcher icons and there is enough information kicking about in dbus to find the window names and get callbacks to happen when things get updated like a window title changes or a window gets added or removed.

I put my thoughts together in a little python script, which I have now packaged and put in a PPA (which was harder than it sounds) so if the screenshot makes sense to you and you are running Ubuntu with Unity (2d or 3d) then you can install it with the following commands:

sudo apt-add-repository ppa:alanbell/unity

sudo apt-get update

sudo apt-get install unity-window-quicklists

Then log out and back in again to get a much more usable desktop if you tend to use lots of windows

In this post I’ll describe one way of providing SSL encrypted access to your shiny new OpenERP 6.1 server running on Ubuntu 10.04 LTS.

This time I thought I’d use the nginx (pronounced like “Engine X”) webserver to act as a reverse proxy and do SSL termination for web, GTK client and WebDAV/CalDAV access. nginx is gaining in popularity and is now the second most popular web server in the world according to some figures. It has a reputation for being fast and lean – so it seemed like a good choice for a relatively simple job like this.

I’m indebted to xat for this post which provided the main configuration script for a reverse proxy on OpenERP 6.0. The changes I have made to xat’s original configuration are: different port number, some additional rewrite rules to support WebDAV and the new mobile interface, new location for static files.

NB: For the purposes of this how to, we’ll be using self-signed certificates. A discussion of the pros and cons of this choice is beyond the scope of this article.

Step 1. Install nginx

On your server install nginx by typing:

sudo apt-get install nginx

Next, we need to generate a SSL certificate and key.

Step 2. Create your cert and key

I create the files in a temporary directory then move them to their final resting place once they have been built (the first cd is just to make sure we are in our home directory to start with):

cd
mkdir temp
cd temp

Then we generate a new key, you will be asked to enter a passphrase and confirm:

openssl genrsa -des3 -out server.pkey 1024

We don’t really want to have to enter a passphrase every time the server starts up so we remove the passphrase by doing this:

openssl rsa -in server.pkey -out server.key

Next we need to create a signing request which will hold the data that will be visible in your final certificate:

openssl req -new -key server.key -out server.csr

This will generate a series of prompts like this: Enter the information as requested:

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:The Client’s Company

And finally we self-sign our certificate.

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

We only need two of the files in the working directory, the key and the certificate. But before we can use them they need to have their ownership and access rights altered:

sudo chown root:www-data server.crt server.key
sudo chmod 640 server.crt server.key

And then we put them in a sensible place:

sudo mkdir /etc/ssl/nginx
sudo chown www-data:root /etc/ssl/nginx
sudo chmod 710 /etc/ssl/nginx
sudo mv server.crt server.key /etc/ssl/nginx/

Now the key and certificate are safely stored away, we can tell nginx where they are and what it should be doing…

Step 3. Create the nginx site configuration file

We create a new configuration file

sudo nano /etc/nginx/sites-available/openerp

with the following content:

Note: You will need to change all references to 10.0.0.26 in the following file to either the domain name or static IP address of your server. This was the IP address of the machine I built this test script on. It will not work unless changed to suit your own system!

upstream openerpweb {
    server 127.0.0.1:8069 weight=1 fail_timeout=300s;
}

server {
    listen 80;
    server_name    10.0.0.26;

    # Strict Transport Security
    add_header Strict-Transport-Security max-age=2592000;

    rewrite ^/mobile.*$ https://10.0.0.26/web_mobile/static/src/web_mobile.html permanent;
    rewrite ^/webdav(.*)$ https://10.0.0.26/webdav/$1 permanent;
    rewrite ^/.*$ https://10.0.0.26/web/webclient/home permanent;
}

server {
    # server port and name
    listen        443 default;
    server_name   10.0.0.26;

    # Specifies the maximum accepted body size of a client request,
    # as indicated by the request header Content-Length.
    client_max_body_size 200m;

    # ssl log files
    access_log    /var/log/nginx/openerp-access.log;
    error_log    /var/log/nginx/openerp-error.log;

    # ssl certificate files
    ssl on;
    ssl_certificate        /etc/ssl/nginx/server.crt;
    ssl_certificate_key    /etc/ssl/nginx/server.key;

    # add ssl specific settings
    keepalive_timeout    60;

    # limit ciphers
    ssl_ciphers            HIGH:!ADH:!MD5;
    ssl_protocols            SSLv3 TLSv1;
    ssl_prefer_server_ciphers    on;

    # increase proxy buffer to handle some OpenERP web requests
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass    http://openerpweb;
        # force timeouts if the backend dies
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # set headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;

        # Let the OpenERP web service know that we're using HTTPS, otherwise
        # it will generate URL using http:// and not https://
        proxy_set_header X-Forwarded-Proto https;

        # by default, do not forward anything
        proxy_redirect off;
    }

    # cache some static data in memory for 60mins.
    # under heavy load this should relieve stress on the OpenERP web interface a bit.
    location ~* /web/static/ {
        proxy_cache_valid 200 60m;
        proxy_buffering    on;
        expires 864000;
        proxy_pass http://openerpweb;
    }

}

UPDATE: 04/04/2012. I have added a line to the above file: client_max_body_size 200m; thanks to Praxi for reminding me about this. The default setting is just 1MB which will stop users from uploading any files larger than that, including databases!

And then we can enable the new site configuration by creating a symbolic link in the /etc/nginx/sites-enabled directory.

sudo ln -s /etc/nginx/sites-available/openerp /etc/nginx/sites-enabled/openerp

Step 4. Change the OpenERP server configuration file

The next step is to re-configure the OpenERP server so that non-encrypted services are not accessible from the outside world.

In /etc/openerp-server.conf the non-encrypted services will only listen on localhost, i.e. not from external connections so in effect only traffic from nginx will be accepted.

After opening the file for editing, just add 127.0.0.1 to the xmlrpc and netrpc interface lines as shown below.

sudo nano /etc/openerp-server.conf

xmlrpc_interface = 127.0.0.1
netrpc_interface = 127.0.0.1

That’s it. Everything is now configured.

Step 5. Try it out

Restart the services to load the new configurations

sudo service openerp-server restart
sudo service nginx restart

You should not be able to connect to the web client on port 8069 and the GTK client should not connect on either the NetRPC (8070) or XMLRPC (8069) services.

For web access you just need to visit https://your-ip-or-domain and in the GTK client you will need to use port 443 (https) and choose the XMLRPC (Secure) protocol.

The nginx configuration above will also redirect any incoming requests for port 80 to port 443 (https) and it also makes sensible redirects for the mobile and WebDAV/CalDAV services. (From what I can gather however WebDAV clients really don’t handle redirects so this bit is probably not that useful). I think the best bet for WebDAV/CalDAV is just to provide the correct URL in the first place.

For CalDAV access then, the URL to a calendar will be something like this:

https://your-ip-or-domain/webdav/DB_NAME/calendars/users/USERNAME/c/CALENDAR_NAME

There you have it. In OpenERP 6.1 this job actually proved to be a little simpler than the previous version largely due to the integrated web interface. There are also fewer configuration changes required in openerp-server.conf.

Finally, I really wanted to try and make use of the WSGI support in OpenERP 6.1 instead of the method above, but my efforts to get this to work from nginx or Apache have so far ended in failure Obviously if anyone wants to provide a working config for that please feel free to add a comment and link.

UPDATE: By popular request here is a subsequent post describing how to set up a reverse proxy and ssl using nginx.

As my previous howto for 6.0 was a such roaring success I thought I’d better do something for the new 6.1 release too.

Before continuing, I should mention that you can simply download a “.deb” package of OpenERP 6.1 and install that on Ubuntu. But that doesn’t provide me with enough fine grained control over what and where things get installed and it restricts our flexibility to modify & customise hence I prefer to do it a slightly more manual way… (It should be said though, that this install process should only take about 10-15 minutes once the host machine has been built)

So without further ado here we go:

Step 1. Build your server

I install just the bare minimum from the install routine (you can install the openssh-server during the install procedure or install subsequently depending on your preference).

After the server has restarted for the first time I install the openssh-server package (so we can connect to it remotely) and denyhosts to add a degree of brute-force attack protection. There are other protection applications available: I’m not saying this one is the best, but it’s one that works and is easy to configure and manage. If you don’t already, it’s also worth looking at setting up key-based ssh access, rather than relying on passwords. This can also help to limit the potential of brute-force attacks. [NB: This isn't a How To on securing your server...]

sudo apt-get install openssh-server denyhosts

Now make sure you are running all the latest patches by doing an update:

sudo apt-get update
sudo apt-get dist-upgrade

Although not always essential it’s probably a good idea to reboot your server now and make sure it all comes back up and you can login via ssh.

Now we’re ready to start the OpenERP install.

Step 2. Create the OpenERP user that will own and run the application

sudo adduser --system --home=/opt/openerp --group openerp

This is a “system” user. It is there to own and run the application, it isn’t supposed to be a person type user with a login etc. In Ubuntu, a system user gets a UID below 1000, has no shell (it’s actually /bin/false) and has logins disabled. Note that I’ve specified a “home” of /opt/openerp, this is where the OpenERP server code will reside and is created automatically by the command above. The location of the server code is your choice of course, but be aware that some of the instructions and configuration files below may need to be altered if you decide to install to a different location.

A question I was asked a few times in the previous how to for 6.0 was how to run the OpenERP server as the openerp system user from the command line if it has no shell. This can be done quite easily:

sudo su - openerp -s /bin/bash

This will su your current terminal login to the openerp user (the “-” between su and openerp is correct) and use the shell /bin/bash. When this command is run you will be in openerp’s home directory: /opt/openerp.

When you have done what you need you can leave the openerp user’s shell by typing exit.

Step 3. Install and configure the database server, PostgreSQL

sudo apt-get install postgresql

Then configure the OpenERP user on postgres:

First change to the postgres user so we have the necessary privileges to configure the database.

sudo su - postgres

Now create a new database user. This is so OpenERP has access rights to connect to PostgreSQL and to create and drop databases. Remember what your choice of password is here; you will need it later on:

createuser --createdb --username postgres --no-createrole --no-superuser --pwprompt openerp
Enter password for new role: ********
Enter it again: ********

Finally exit from the postgres user account:

exit

Step 4. Install the necessary Python libraries for the server

Update 27/02/2012: Many thanks to Gavin for reporting. Have added python-simplejson to the package list.

sudo apt-get install python-dateutil python-feedparser python-gdata \
python-ldap python-libxslt1 python-lxml python-mako python-openid python-psycopg2 \
python-pybabel python-pychart python-pydot python-pyparsing python-reportlab \
python-simplejson python-tz python-vatnumber python-vobject python-webdav \
python-werkzeug python-xlwt python-yaml python-zsi

From what I can tell, on Ubuntu 10.04 the package python-werkzeug is too old and this will cause the server to not start properly. If you are trying this on a later version of Ubuntu then you might be OK, but just in-case you can also do the following.

I found it necessary to install a more recent version of Werkzeug using Python’s own package management library PIP. The python pip tool can be installed like this:

sudo apt-get install python-pip

Then remove Ubuntu’s packaged version of werkzeug:

sudo apt-get remove python-werkzeug

Then install the up-to-date version of werkzeug:

sudo pip install werkzeug

With that done, all the dependencies for installing OpenERP 6.1 are now satisfied, including for the new integral web interface.

Step 5. Install the OpenERP server

I tend to use wget for this sort of thing and I download the files to my home directory.

Make sure you get the latest version of the application. At the time of writing this it’s 6.1-1; I got the download links from their download page.

wget http://nightly.openerp.com/6.1/releases/openerp-6.1-1.tar.gz

Now install the code where we need it: cd to the /opt/openerp/ directory and extract the tarball there.

cd /opt/openerp
sudo tar xvf ~/openerp-6.1-1.tar.gz

Next we need to change the ownership of all the the files to the OpenERP user and group.

sudo chown -R openerp: *

And finally, the way I have done this is to copy the server directory to something with a simpler name so that the configuration files and boot scripts don’t need constant editing (I called it, rather unimaginatively, server). I started out using a symlink solution, but I found that when it comes to upgrading, it seems to make more sense to me to just keep a copy of the files in place and then overwrite them with the new code. This way you keep any custom or user-installed modules and reports etc. all in the right place.

sudo cp -a openerp-6.1-1 server

As an example, should OpenERP 6.1-2 come out soon, I can extract the tarballs into /opt/openerp/ as above. I can do any testing I need, then repeat the copy command so that the modified files will overwrite as needed and any custom modules, report templates and such will be retained. Once satisfied the upgrade is stable, the older 6.1-1 directories can be removed if wanted.

That’s the OpenERP server software installed. The last steps to a working system is to set up the configuration file and associated boot script so OpenERP starts and stops automatically when the server itself stops and starts.

Step 6. Configuring the OpenERP application

The default configuration file for the server (in /opt/openerp/server/install/) is actually very minimal and will, with only one small change work fine so we’ll simply copy that file to where we need it and change it’s ownership and permissions:

sudo cp /opt/openerp/server/install/openerp-server.conf /etc/
sudo chown openerp: /etc/openerp-server.conf
sudo chmod 640 /etc/openerp-server.conf

The above commands make the file owned and writeable only by the openerp user and group and only readable by openerp and root.

To allow the OpenERP server to run initially, you should only need to change one line in this file. Toward to the top of the file change the line db_password = False to the same password you used back in step 3. Use your favourite text editor here. I tend to use nano, e.g.

sudo nano /etc/openerp-server.conf

One other line we might as well add to the configuration file now, is to tell OpenERP where to write its log file. To complement my suggested location below add the following line to the openerp-server.conf file:

logfile = /var/log/openerp/openerp-server.log

Once the configuration file is edited and saved, you can start the server just to check if it actually runs.

sudo su - openerp -s /bin/bash
/opt/openerp/server/openerp-server

If you end up with a few lines eventually saying OpenERP is running and waiting for connections then you are all set. Just type CTL+C to stop the server then exit to leave the openerp user’s shell.

If there are errors, you’ll need to go back and check where the problem is.

Step 7. Installing the boot script

For the final step we need to install a script which will be used to start-up and shut down the server automatically and also run the application as the correct user. There is a script you can use in /opt/openerp/server/install/openerp-server.init but this will need a few small modifications to work with the system installed the way I have described above. Here’s a link to the one I’ve already modified for 6.1-1.

Similar to the configuration file, you need to either copy it or paste the contents of this script to a file in /etc/init.d/ and call it openerp-server. Once it is in the right place you will need to make it executable and owned by root:

sudo chmod 755 /etc/init.d/openerp-server
sudo chown root: /etc/init.d/openerp-server

In the configuration file there’s an entry for the server’s log file. We need to create that directory first so that the server has somewhere to log to and also we must make it writeable by the openerp user:

sudo mkdir /var/log/openerp
sudo chown openerp:root /var/log/openerp

Step 8. Testing the server

To start the OpenERP server type:

sudo /etc/init.d/openerp-server start

You should now be able to view the logfile and see that the server has started.

less /var/log/openerp/openerp-server.log

If there are any problems starting the server you need to go back and check. There’s really no point ploughing on if the server doesn’t start…

OpenERP 6.1 Home Screen

http://IP_or_domain.com:8069

What you should see is a screen like this one:

What I do recommend you do at this point is to change the super admin password to something nice and strong (Click the “Manage Databases” link below the main Login box). By default this password is just “admin” and knowing that, a user can create, backup, restore and drop databases! This password is stored in plain text in the /etc/openerp-server.conf file; hence why we restricted access to just openerp and root. When you change and save the new password the /etc/openerp-server.conf file will be re-written and will have a lot more options in it.

Now it’s time to make sure the server stops properly too:

sudo /etc/init.d/openerp-server stop

Check the logfile again to make sure it has stopped and/or look at your server’s process list.

Step 9. Automating OpenERP startup and shutdown

If everything above seems to be working OK, the final step is make the script start and stop automatically with the Ubuntu Server. To do this type:

sudo update-rc.d openerp-server defaults

You can now try rebooting you server if you like. OpenERP should be running by the time you log back in.

If you type ps aux | grep openerp you should see a line similar to this:

openerp 1491 0.1 10.6 207132 53596 ? Sl 22:23 0:02 python /opt/openerp/server/openerp-server -c /etc/openerp-server.conf

Which shows that the server is running. And of course you can check the logfile or visit the server from your web browser too.

That’s it!

OpenERP 6.1 really is a major step up in terms of improvements from 6.0 and the new integrated web interface (with a Point of Sale and a Mobile interface built-in) are really very cool. Performance has improved considerably and the way the new web service interfaces to OpenERP is very different. So, if I get the time, the next instalment of these posts will go into a bit of detail about how this works and some alternative ways to provide more secure access, such as reverse proxy.

This evening (Saturday 21/01/2012) I have sowed 13 varieties of chillies, just over 50 seeds! I’m very excited about the prospects for the year ahead but have absolutely no idea what I will do if I have 50 plants to tend – they won’t all fit in our small greenhouse and we don’t have a conservatory… Suggestions welcome.

From the left there is “Black Naga” which I managed to grow last year and by the end of October the pods had ripened to a dark chocolate brown colour. They were hot too . Next is a Red Habanero – These seeds were a gift from my sister-in-law and I have no idea what they will be like but Habaneros are generally quite hot and a have lovely fruity flavour. Finally in this tray is Goat Horn which I also grew last year and they were an absolute delight! A lovely traditional torpedo shaped chilli with a great flavour. They aren’t blisteringly hot but a very, very nice chilli.

In this tray I have the famous “Dorset Naga” which has been a reliable variety over the last two seasons. Hope these seeds still germinate OK. Next is a Bhut Jolokia and to be honest I can’t remember where these seeds came from or if I have grown from this packet before, but there were only 5 seeds in the bag so they have all gone in the tray. Finally is another Habanero style called Congo Trinidad.

I have two varieties in this tray I also grew last year from the first time and liked them so much am growing again: Aji Crystal was quite prolific and produces big meaty chillies with a nice (but not insanely hot) kick. The Lemon Drop on the other side was also quite a good cropper and I loved the bright yellow chillies. These look great on the plate and taste yummy too – a slight citrus note. In the centre is a new variety for me this season – The Habanero 7 Pot. Called the 7 pot apparently as this is how many pots of stew one chilli will flavour! I’m really looking forward to getting these on my tongue!

Here are the “HOT Ones”… The Naga Viper held the hottest chilli world record in 2011 for a while at around 1.4million Scovilles! However within just a few days this Viper was beaten by the Trinidad Scorpion “Butch T” which was measured at just under 1.5million Scovilles. Also in this tray is a chilli called Portugal, which is a Jumbo Cayenne type. Not in the same league heat-wise as it’s 2 neighbours but I like a bit of variety.

And finally, I remember growing this one a few years ago and being pleasantly surprised so I thought I’d give it another go. It’s Italian seed with a description of Peperoncino piccante tondo calabrese. It’s a round chilli that is commonly used for stuffing or in salads. I recall it having a nice punch and the plants being excellent croppers.

I’ll provide updates through the year as, hopefully, the seeds germinate, plants grow and bear fruit.

./erppeek.py -d testdb -u admin -p admin -m res.users 1

in it’s simplist form that will connect to an openerp server running on localhost, (port 8069) with username admin and password admin to a database called testdb. It will then return all fields for the model res.users with id 1 (which will be the admin user)

./erppeek.py --server 'http://myserver.com:8069' -d testdb -u admin -p admin -m res.partner 1 3 5

This connects to a remote server called myserver.com and returns all fields from partners 1, 3 and 5

./erppeek.py --server 'http://myserver.com:8069' -d testdb -u admin -p admin -m res.partner -f name -f city 1 3 5

and now we are using the -f field parameter to return just the name and city (and it always returns the id as well) of those partners

./erppeek.py --server 'http://myserver.com:8069' -d testdb -u admin -p admin -m res.partner -f name -f city -s "name like School" -s "city = Southampton"

This time it is not relying on us passing in a list of object IDs, but it is doing a search of the res.partner objects where the name field contains ‘School’ and the city field is equal to Southampton.

To grab a copy of this small but handy little utility please download it from launchpad and make it executable. It works fine on Ubuntu, and should work on most platforms with Python. Do let me know in the comments what you think of it and what else you would like it to do.

Security note – this does at the moment get you to enter a password on the command line, which means the password will be available in your bash history and other users on your computer looking at processes you are running. This doesn’t bother me much as I am only using it on local development databases with trivial passwords anyway, but you have been warned. If someone wants to help fix that then great.

Anyhow, back to the subject of this post, which is the CDs. If you are living in the UK and want an Ubuntu CD, a Kubuntu CD or an Ubuntu Server CD (or combination thereof) then you are most welcome to one. Please follow the procedure and I will send one out to you. For a while I will also include an 11.04 CD until I run out of them. If you want more than one CD then do ask me and we will try and work something out particularly if you are wanting to distribute them at a University or similar.

I almost forgot to mention, I removed their old Kubuntu 11.04 CD and washed the muck off and stuck it in a desktop, it still boots!

Next year’s central government budget proposal, which the Cabinet
of Ministers has now submitted to the parliament for review, has
dominated the headlines in Latvian media in recent weeks. The
Cabinet has been struggling to prepare a budget with a target
deficit rate of 1.85% of GDP by reducing ministry spending,
eliminating staff positions, postponing planned wage increases for
public sector employees, and even proposing measures as drastic as
closing specific ministries and switching to open source software.
Labor unions and other affected parties have met these proposals
with strong condemnation.

Sounds like switching to open source would release a saving in the order of magnitude of closing a ministry.