# June 29, 2015

## Jonathan McDowell

### What Jonathan Did Next

While I mentioned last September that I had failed to be selected for an H-1B and had been having discussions at DebConf about alternative employment, I never got around to elaborating on what I’d ended up doing.

Short answer: I ended up becoming a law student, studying for a Masters in Legal Science at Queen’s University Belfast. I’ve just completed my first year of the 2 year course and have managed to do well enough in the 6 modules so far to convince myself it wasn’t a crazy choice.

Longer answer: After Vello went under in June I decided to take a couple of months before fully investigating what to do next, largely because I figured I’d either find something that wanted me to start ASAP or fail to find anything and stress about it. During this period a friend happened to mention to me that the applications for the Queen’s law course were still open. He happened to know that it was something I’d considered before a few times. Various discussions (some of them over gin, I’ll admit) ensued and I eventually decided to submit an application. This was towards the end of August, and I figured I’d also talk to people at DebConf to see if there was anything out there tech-wise that I could get excited about.

It turned out that I was feeling a bit jaded about the whole tech scene. Another friend is of the strong opinion that you should take a break at least every 10 years. Heeding her advice I decided to go ahead with the law course. I haven’t regretted it at all. My initial interest was largely driven by a belief that there are too few people who understand both tech and law. I started with interests around intellectual property and contract law as well as issues that arise from trying to legislate for the global nature of most tech these days. However the course is a complete UK qualifying degree (I can go on to do the professional qualification in NI or England & Wales) and the first year has been about public law. Which has been much more interesting than I was expecting (even, would you believe it, EU law). Especially given the potential changing constitutional landscape of the UK after the recent general election, with regard to talk of repeal of the Human Rights Act and a referendum on exit from the EU.

Next year will concentrate more on private law, and I’m hoping to be able to tie that in better to what initially drove me to pursue this path. I’m still not exactly sure which direction I’ll go once I complete the course, but whatever happens I want to keep a linkage between my skill sets. That could be either leaning towards the legal side but with the appreciation of tech, returning to tech but with the appreciation of the legal side of things or perhaps specialising further down an academic path that links both. I guess I’ll see what the next year brings. :)

## Lunar

### Reproducible builds: week 9 in Stretch cycle

What happened in the reproducible builds effort this week:

## Toolchain fixes

Norbert Preining uploaded texinfo/6.0.0.dfsg.1-2 which makes texinfo indices reproducible. Original patch by Chris Lamb.

Lunar submitted recently rebased patches to make the file order of files inside .deb stable.

akira filed #789843 to make tex4ht stop printing timestamps in its HTML output by default.

Dhole wrote a patch for xutils-dev to prevent timestamps when creating gzip compressed files.

Reiner Herrmann sent a follow-up patch for wheel to use UTC as timezone when outputting timestamps.

Mattia Rizzolo started a discussion regarding the failure to build from source of subversion when -Wdate-time is added to CPPFLAGS—which happens when asking dpkg-buildflags to use the reproducible profile. SWIG errors out because it doesn't recognize the aforementioned flag.

Trying to get the .buildinfo specification to a more definitive state, Lunar started a discussion on storing the checksums of the binary package used in dpkg status database.

akira discovered—while proposing a fix for simgrid—that CMake internal command to create tarballs would record a timestamp in the gzip header. A way to prevent it is to use the GZIP environment variable to ask gzip not to store timestamps, but this will soon become unsupported. It's up for discussion if the best place to fix the problem would be to fix it for all CMake users at once.
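The gzip header timestamp mentioned above can be read directly from the file. The following is an added example, not part of the weekly report and not lintian's code: it parses the MTIME and FNAME fields defined in RFC 1952 and shows that two builds of the same payload differ only in the four timestamp bytes, while a zero timestamp (the timestamp effect of `gzip -n`) gives identical output. The payload, file names and timestamps are constructed.

```python
import gzip
import io
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits from RFC 1952


def parse_gzip_header(data):
    """Return the MTIME and original file name stored in the first member header."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    # ID1+ID2, CM, FLG, MTIME (little endian), XFL, OS: ten bytes in total.
    _magic, method, flags, mtime, _xfl, _os = struct.unpack_from("<HBBIBB", data, 0)
    if method != 8:
        raise ValueError("unknown compression method")
    pos = 10
    if flags & FEXTRA:
        if len(data) < pos + 2:
            raise ValueError("truncated extra field")
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    name = None
    if flags & FNAME:
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("truncated file name")
        name = data[pos:end].decode("latin-1")
    return {"mtime": mtime, "name": name}


def compress(payload, mtime, filename=""):
    """Compress payload with an explicit header timestamp (0 means 'none stored')."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=filename, mode="wb", fileobj=buf, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def differing_offsets(a, b):
    """Byte offsets at which two equally long blobs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def timestamped_members(files):
    """files maps a path to gzip bytes; return the paths whose header has MTIME != 0."""
    return sorted(p for p, d in files.items() if parse_gzip_header(d)["mtime"] != 0)


# Constructed sample: the same changelog compressed by two builds a day apart,
# and once more with the timestamp suppressed.
PAYLOAD = b"example (1.0-1) unstable; urgency=low\n" * 20
BUILD_A = compress(PAYLOAD, mtime=1435536000, filename="changelog")
BUILD_B = compress(PAYLOAD, mtime=1435622400, filename="changelog")
STABLE = compress(PAYLOAD, mtime=0)

if __name__ == "__main__":
    print("offsets that differ between builds:", differing_offsets(BUILD_A, BUILD_B))
    print("timestamped:", timestamped_members({
        "usr/share/doc/a/changelog.gz": BUILD_A,
        "usr/share/doc/b/changelog.gz": STABLE,
    }))
```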

## Infrastructure-related work

Andreas Henriksson did a delayed NMU upload of pbuilder which adds minimal support for build profiles and includes several fixes from Mattia Rizzolo affecting reproducibility tests.

Niels Thykier uploaded lintian which both raises the severity of package-contains-timestamped-gzip and avoids false positives for this tag (thanks to Tomasz Buchert).

Petter Reinholdtsen filed #789761 suggesting that how-can-i-help should prompt its users about fixing reproducibility issues.

## Packages fixed

The following packages became reproducible due to changes in their build dependencies: autorun4linuxcd, libwildmagic, lifelines, plexus-i18n, texlive-base, texlive-extra, texlive-lang.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Untested uploaded as they are not in main:

Patches submitted which have not made their way to the archive yet:

• #789648 on apt-dater by Dhole: allow the build date to be set externally and set it to the time of the latest debian/changelog entry.
• #789715 on simgrid by akira: fix doxygen and patch CMakeLists.txt to give GZIP=-n for tar.
• #789728 on aegisub by Juan Picca: get rid of __DATE__ and __TIME__ macros.
• #789747 on dipy by Juan Picca: set documentation date for Sphinx.
• #789748 on jansson by Juan Picca: set documentation date for Sphinx.
• #789799 on tmexpand by Chris Lamb: remove timestamps, hostname and username from the build output.
• #789804 on libevocosm by Chris Lamb: removes generated files which include extra information about the build environment.
• #789963 on qrfcview by Dhole: removes the timestamps from the generated PNG icon.
• #789965 on xtel by Dhole: removes extra timestamps from compressed files by gzip and from the PNG icon.
• #790010 on simbody by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790023 on stx-btree by akira: pass HTML_TIMESTAMP=NO to Doxygen.
• #790034 on siscone by akira: removes $datetime from footer.html used by Doxygen.
• #790035 on thepeg by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790072 on libxray-spacegroup-perl by Chris Lamb: set $Storable::canonical = 1 to make space_groups.db.PL output deterministic.
• #790074 on visp by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790081 on wfmath by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790082 on wreport by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790088 on yudit by Chris Lamb: removes timestamps from the build system by passing a static comment.
• #790122 on clblas by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790133 on dcmtk by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790139 on glfw3 by akira: patch for Doxygen timestamps further improved by James Cowgill by removing $datetime from the footer.
• #790228 on gtkspellmm by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #790232 on ucblogo by Reiner Herrmann: set LC_ALL to C before sorting.
• #790235 on basemap by Juan Picca: set documentation date for Sphinx.
• #790258 on guymager by Reiner Herrmann: use the date from the latest debian/changelog as build date
• #790309 on pelican by Chris Lamb: removes useless (and unreproducible) tests.

## debbindiff development

debbindiff/23 includes a few bugfixes by Helmut Grohne that result in a significant speedup (especially on larger files). It used to exhibit the quadratic time string concatenation antipattern.

Version 24 was released on June 23rd in a hurry to fix an undefined variable introduced in the previous version. (Reiner Herrmann)

debbindiff now has a test suite! It is written using the PyTest framework (thanks Isis Lovecruft for the suggestion). The current focus has been on the comparators, and we are now at 93% of code coverage for these modules.

Several problems were identified and fixed in the process: paths appearing in output of javap, readelf, objdump, zipinfo, unsquashfs; useless MD5 checksum and last modified date in javap output; bad handling of charsets in PO files; the destination path for gzip compressed files not ending in .gz; only metadata of cpio archives were actually compared. stat output was further trimmed to make directory comparison more useful.

Having the test suite enabled a refactoring of how comparators were written, switching from a forest of differences to a single tree. This helped removing dust from the oldest parts of the code.

Together with some other small changes, version 25 was released on June 27th. A follow up release was made the next day to fix a hole in the test suite and the resulting unidentified leftover from the comparator refactoring. (Lunar)

## Documentation update

Ximin Luo improved code examples for some proposed environment variables for reference timestamps.

Dhole added an example on how to fix timestamps C pre-processor macros by adding a way to set the build date externally.

akira documented her fix for tex4ht timestamps.

## Package reviews

94 obsolete reviews have been removed, 330 added and 153 updated this week.

Hats off for Chris West (Faux) who investigated many fail to build from source issues and reported the relevant bugs.

Slight improvements were made to the scripts for editing the review database, edit-notes and clean-notes. (Mattia Rizzolo)

## Meetings

A meeting was held on June 23rd. Minutes are available.

The next meeting will happen on Tuesday 2015-07-07 at 17:00 UTC.

## Misc.

The Linux Foundation announced that it was funding the work of Lunar and h01ger on reproducible builds in Debian and other distributions. This was further relayed in a Bits from Debian blog post.

## Paul Wise

### The aliens are amongst us!

Don't worry, they can't cope with our atmosphere.

Perhaps they are just playing dead.

Don't turn your back if you see one.

Folks may want to use this alien in free software. The original photo is available on request.
To the extent possible under law, I have waived all copyright and related or neighboring rights to this work. The alien has signed a model release. An email or a link to this page would be appreciated though.

## Norbert Preining

### The Talos Principle – Solving puzzles using SAT solvers

After my last post on Portal, there was a sale of The Talos Principle, so I got it and started playing. And soon I got stuck at these kinds of puzzles where one has to fit in pieces into a frame. As a logician I hate to solve something by trial and error, so I decided to write a solver for these kinds of puzzles, based on a propositional logic encoding and satisfiability solver. Sometimes it is good to be a logician!

In the Talos Principle, access to new worlds and specific items is often blocked by gates that open by putting Sigils into the frame. Of course, collecting the sigils is the most challenging part, but that is often solvable by logical thinking. On the other hand, solving these fitting puzzles drove me crazy, so let us solve them with a SAT solver.

## Encoding

I used a propositional encoding that for each combination of cells and sigils assigns a propositional variable, which is true if the specific sigil rests on that cell in the final solution. That is, we have variable (encoded as x_i_j_n) where runs over the cells of the frame, and over the (numbered) sigils.

## Setup

I have written a Perl program that for a definition of a puzzle (see later), outputs SMT2 code, which then is checked for satisfiability and generation of model with the z3 solver (which is available in Debian).

## Necessary assertions

We have to state relations between these propositional variables to obtain a proper solution, in particular we have added the following statements:

• every field has at least one sigil on it
• every field has at most one sigil on it
• every sigil is used at least once
• defining equations for the sigil’s form

Let us go through them one by one:

### Every field has at least one sigil on it

That is an easy part by asserting In the SMT2 code it would look like

```
(assert (or x_i_j_1 x_i_j_2 ... x_i_j_n))
```

### Every field has at most one sigil on it

This can be achieved by asserting for each tile and each pair of different sigil (numbers), that not both of the two hold: and in SMT2 code:

```
(assert (and (not (and x_1_1_1 x_1_1_2)) (not (and x_1_1_1 x_1_1_3)) ...
(assert (and (not (and x_1_2_1 x_1_2_2)) (not (and x_1_2_1 x_1_2_3)) ...
```

### Every sigil is used at least once

This was a bit of a tricky one. First I thought I want to express that every sigil is used exactly once by excluding that for one sigil there are more fields assigned to it than the sigil contains parts. So if a sigil occupies 4 tiles, then every combination of 5 tiles needs to evaluate to false. But with 8×8 or so frames, the number of combinations simply explodes to above several million, which brings my harddrive size and z3 to an end.

The better idea was to say that every sigil was used at least once. Since all sigils together exactly fill the frame, this is enough. This can be done easily by assuming that for each sigil, at least one of the tiles is assigned to it: or in SMT code for a 6×6 frame and the first sigil:

```
(assert (or x_1_1_1 x_1_2_1 ... x_6_6_1))
```

### Defining equations for the sigil’s form

Of course the most important part are the defining equations for the various sigils. Here I choose the following path:

• choose for each sigil form an anchor point
• for each tile in the frame and each sigil, put the anchor of the sigil on the tile, and express the 4 directions of rotation

So for example for the top-most sigil in the above photo, I choose the anchor point to be the center, and if that was in , I need to assume that for the upright position holds. In the same way, when rotated right, we need All these options have to be disjunctively connected, in SMT code for the case where the anchor lies at (4,2).

```
(assert (or
  ...
  (and x_3_2_n x_4_2_n x_5_2_n x_4_3_n)
  (and x_3_3_n x_3_2_n x_3_1_n x_4_2_n)
  (and x_3_2_n x_4_2_n x_5_2_n x_4_1_n)
  ...
```

When generating these equations one has to be careful not to include rotated sigils that stick out of the frame, though.

Although the above might not be the optimal encoding, the given assertions suffice to check for SAT and produce a model, which allows me to solve the riddles.

## Implementation in Perl

To generate the SMT2 code, I used a Perl script, which is very quickly hacked together.
The principal function is (already coded for the above riddle):

```
create_smt2_def(8,6,'a','a','b','cl','cl','cr','cr','cr','q','q','sl','sl');
```

where the first two arguments define the size of the frame, and the rest are codes for sigil types:

• a podest, the first sigil in the above screen shot
• b stick, the third sigil above, the long stick
• cl club left, the fourth sigil above, a club facing left
• cr club right, the sixth sigil above, a club facing right
• q square, the ninth sigil above
• sl step left, the last sigil in the above image
• sr step right, mirror of step left (not used above)

This function first sets up the header of the smt2 file, followed by shipping out all the necessary variable definitions, in SMT these are defined as Boolean functions, and the other assertions (please see the Perl code linked below for details). The most interesting part are the definitions of the sigils:

```
# for each piece, call the defining assertions
for my $n (1..$nn) {
  my $p = $pieces[$n-1];
  print "(assert (or\n";
  for my $i (1..$xx) {
    for my $j (1..$yy) {
      if ($p eq 'q') {
        type_square($xx,$yy,$i,$j,$n);
      } elsif ($p eq 'a') {
        type_potest($xx,$yy,$i,$j,$n);
      ....
```

Every sigil type has its own definition; in the case of the a podest, it is the type_potest function:

```
sub type_potest {
  my ($xx,$yy,$i,$j,$n) = @_;
  my ($il, $jl, $ir, $jr, $iu, $ju);
  # tiles besides the anchor ($i,$j): left, right and up
  $il = $i - 1;
  $ir = $i + 1;
  $iu = $i;
  $jl = $jr = $j;
  $ju = $j + 1;
  do_rotate_shipout($xx,$yy, $i, $j, $n, $il, $jl, $ir, $jr, $iu, $ju);
}
```

This function is prototypical, one defines the tiles a sigil occupies if the anchor is placed on (i,j) for an arbitrary orientation of the sigil, and then calls do_rotate_shipout on the list of occupied tiles. This function in turn is very simple:

```
sub do_rotate_shipout {
  my ($xx,$yy,$i, $j, $n, @pairs) = @_ ;
  # four rotations by 90 degrees cover every orientation
  for my $g (0..3) {
    @pairs = rotate90($i, $j, @pairs);
    check_and_shipout($xx,$yy,$n, $i,$j, @pairs);
  }
}
```

as it only rotates four times by 90 degrees, and then checks whether the rotated sigil is completely within the frame, and if yes ships out the assertion code. The rotation is done by multiplying the vector from (i,j) to the tile position with the $\begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}$ matrix and adding it again to (i,j):

```
sub rotate90 {
  my ($i, $j, @pairs) = @_ ;
  my @ret;
  while (@pairs) {
    my $ii = shift @pairs;
    my $jj = shift @pairs;
    my $ni = $i - ($jj - $j);
    my $nj = $j + ($ii - $i);
    push @ret, $ni, $nj;
  }
  return @ret;
}
```

There are a few more functions, for those interested, the full Perl code is here: tangram.pl. There is no user interface or any config file reading done, I just edit the source code if I need to solve a riddle.

### Massaging the output

Last but not least, the output of the z3 solver is a bit noisy, so I run the output through a few Unix commands to get only the true assignments, which gives me the location of the tiles. That is, I run the following pipeline:

perl tangram.pl | z3 -in | egrep 'define-fun|true|false' | sed -e 'h;s/.*//;G;N;s/\n//g' | grep true | sort

which produces a list like the following as output:

```
(define-fun x_1_1_10 () Bool true)
(define-fun x_1_2_10 () Bool true)
(define-fun x_1_3_5 () Bool true)
(define-fun x_1_4_6 () Bool true)
(define-fun x_1_5_6 () Bool true)
(define-fun x_1_6_6 () Bool true)
(define-fun x_2_1_10 () Bool true)
(define-fun x_2_2_10 () Bool true)
(define-fun x_2_3_5 () Bool true)
...
```

from which I can read up the solution that puts the tenth sigil (a square) in the lower left corner:

29 June, 2015 12:21AM by Norbert Preining
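The encoding described in the post above, as an added Python example that is not the author's tangram.pl: it emits the four groups of assertions plus `check-sat`/`get-model`, using the same x_i_j_n naming and the same rotate-then-check-the-frame step. The podest offsets follow `type_potest`; the anchor chosen for the square and the helper names are assumptions, and the at-most-one constraints are written as one assertion per pair rather than one conjunction per cell.

```python
from itertools import combinations

# Offsets (di, dj) of the non-anchor tiles relative to the anchor tile.
SHAPES = {
    "a": [(-1, 0), (1, 0), (0, 1)],  # podest, as type_potest defines it
    "q": [(1, 0), (0, 1), (1, 1)],   # square; this anchor corner is an assumption
}


def var(i, j, n):
    """Name of the variable 'sigil n covers cell (i, j)'."""
    return f"x_{i}_{j}_{n}"


def rotate90(offsets):
    """Rotate offsets by 90 degrees: (di, dj) -> (-dj, di), matching the post's rotate90."""
    return [(-dj, di) for di, dj in offsets]


def placements(width, height, offsets):
    """Every way to put the shape fully inside the frame, as sorted tuples of cells."""
    found = set()
    for i in range(1, width + 1):
        for j in range(1, height + 1):
            rotated = list(offsets)
            for _ in range(4):
                rotated = rotate90(rotated)
                cells = [(i, j)] + [(i + di, j + dj) for di, dj in rotated]
                # Drop rotations that stick out of the frame.
                if all(1 <= x <= width and 1 <= y <= height for x, y in cells):
                    found.add(tuple(sorted(cells)))
    return sorted(found)


def disjunction(terms):
    """SMT-LIB 'or' over terms, handling the empty and single-term cases."""
    terms = list(terms)
    if not terms:
        return "false"
    if len(terms) == 1:
        return terms[0]
    return "(or " + " ".join(terms) + ")"


def generate_smt2(width, height, pieces):
    """Return the SMT2 text for a frame and a list of sigil codes from SHAPES."""
    cells = [(i, j) for i in range(1, width + 1) for j in range(1, height + 1)]
    sigils = range(1, len(pieces) + 1)
    lines = [f"(declare-fun {var(i, j, n)} () Bool)" for i, j in cells for n in sigils]
    for i, j in cells:
        # Every field has at least one sigil on it ...
        lines.append(f"(assert {disjunction(var(i, j, n) for n in sigils)})")
        # ... and at most one.
        for a, b in combinations(sigils, 2):
            lines.append(f"(assert (not (and {var(i, j, a)} {var(i, j, b)})))")
    for n, code in enumerate(pieces, start=1):
        # Every sigil is used at least once.
        lines.append(f"(assert {disjunction(var(i, j, n) for i, j in cells)})")
        # Defining equation: one of the in-frame placements holds for sigil n.
        shapes = ("(and " + " ".join(var(x, y, n) for x, y in p) + ")"
                  for p in placements(width, height, SHAPES[code]))
        lines.append(f"(assert {disjunction(shapes)})")
    lines += ["(check-sat)", "(get-model)"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed puzzle: two squares in a 4x2 frame; pipe the output to `z3 -in`.
    print(generate_smt2(4, 2, ["q", "q"]))
```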

# June 28, 2015

## Ben Armstrong

### Bluff Trail – Early Summer 2015

Here’s a photo journal of a walk I just completed around the Pot Lake loop of the Bluff Wilderness Hiking Trail. Hope you enjoy it!

28 June, 2015 07:22PM by Ben Armstrong

## Sven Hoexter

### moto g GPS reset when it is not working with CM 12.1

There seems to be an issue with the moto g, CM 12.1 (nightlies) and the GPS. My GPS receiver stopped working as well and I could recover it with the following steps in fastboot mode as described on xda-developers.

fastboot erase modemst1
fastboot erase modemst2
fastboot reboot


That even works with the 4.2.2 fastboot packaged in android-tools-fastboot.

## Russell Coker

### RAID Pain

One of my clients has a NAS device. Last week they tried to do what should have been a routine RAID operation, they added a new larger disk as a hot-spare and told the RAID array to replace one of the active disks with the hot-spare. The aim was to replace the disks one at a time to grow the array. But one of the other disks had an error during the rebuild and things fell apart.

I was called in after the NAS had been rebooted when it was refusing to recognise the RAID. The first thing that occurred to me is that maybe RAID-5 isn’t a good choice for the RAID. While it’s theoretically possible for a RAID rebuild to not fail in such a situation (the data that couldn’t be read from the disk with an error could have been regenerated from the disk that was being replaced) it seems that the RAID implementation in question couldn’t do it. As the NAS is running Linux I presume that at least older versions of Linux have the same problem. Of course if you have a RAID array that has 7 disks running RAID-6 with a hot-spare then you only get the capacity of 4 disks. But RAID-6 with no hot-spare should be at least as reliable as RAID-5 with a hot-spare.

Whenever you recover from disk problems the first thing you want to do is to make a read-only copy of the data. Then you can’t make things worse. This is a problem when you are dealing with 7 disks, fortunately they were only 3TB disks and each only had 2TB in use. So I found some space on a ZFS pool and bought a few 6TB disks which I formatted as BTRFS filesystems. For this task I only wanted filesystems that support snapshots so I could work on snapshots not on the original copy.

I expect that at some future time I will be called in when an array of 6+ disks of the largest available size fails. This will be a more difficult problem to solve as I don’t own any system that can handle so many disks.

I copied a few of the disks to a ZFS filesystem on a Dell PowerEdge T110 running kernel 3.2.68. Unfortunately that system seems to have a problem with USB, when copying from 4 disks at once each disk was reading about 10MB/s and when copying from 3 disks each disk was reading about 13MB/s. It seems that the system has an aggregate USB bandwidth of 40MB/s – slightly greater than USB 2.0 speed. This made the process take longer than expected.

One of the disks had a read error, this was presumably the cause of the original RAID failure. dd has the option conv=noerror to make it continue after a read error. This initially seemed good but the resulting file was smaller than the source partition. It seems that conv=noerror doesn’t seek the output file to maintain input and output alignment. If I had a hard drive filled with plain ASCII that MIGHT even be useful, but for a filesystem image it’s worse than useless. The only option was to repeatedly run dd with matching skip and seek options incrementing by 1K until it had passed the section with errors.

for n in /dev/loop[0-6] ; do echo $n ; mdadm --examine -v -v --scan $n|grep Events ; done

Once I had all the images I had to assemble them. The Linux Software RAID didn’t like the array because not all the devices had the same event count. The way Linux Software RAID (and probably most RAID implementations) works is that each member of the array has an event counter that is incremented when disks are added, removed, and when data is written. If there is an error then after a reboot only disks with matching event counts will be used. The above command shows the Events count for all the disks.

Fortunately different event numbers aren’t going to stop us. After assembling the array (which failed to run) I ran “mdadm -R /dev/md1” which kicked some members out. I then added them back manually and forced the array to run. Unfortunately attempts to write to the array failed (presumably due to mismatched event counts).

Now my next problem is that I can make a 10TB degraded RAID-5 array which is read-only but I can’t mount the XFS filesystem because XFS wants to replay the journal. So my next step is to buy another 2*6TB disks to make a RAID-0 array to contain an image of that XFS filesystem.

Finally backups are a really good thing…

28 June, 2015 10:31AM by etbe
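The alignment problem described in the post above, as an added Python example that is not the author's procedure or code: one copy routine drops unreadable blocks, so the image comes out shorter and everything after the error shifts, while the other writes each block at the offset it was read from (the same idea as matching `skip` and `seek`) and records which ranges could not be read. The failing disk is a constructed in-memory stand-in, and all names are hypothetical.

```python
import errno
import io

BLOCK = 1024  # the post steps through the damaged area in 1K units


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing partition: reads touching a bad range raise EIO."""

    def __init__(self, data, bad_ranges):
        super().__init__(data)
        self.bad_ranges = bad_ranges  # (start, end) byte offsets, end exclusive

    def read(self, size=-1):
        start = self.tell()
        end = start + size if size >= 0 else len(self.getvalue())
        if any(start < hi and end > lo for lo, hi in self.bad_ranges):
            raise OSError(errno.EIO, "Input/output error")
        return super().read(size)


def copy_skipping_errors(src, total_size, block=BLOCK):
    """The failure mode from the post: unreadable blocks are dropped, later data shifts."""
    out = io.BytesIO()
    for offset in range(0, total_size, block):
        src.seek(offset)
        try:
            out.write(src.read(min(block, total_size - offset)))
        except OSError:
            continue  # nothing is written, so the output falls behind the input
    return out.getvalue()


def copy_aligned(src, total_size, block=BLOCK):
    """Keep input and output offsets equal; unreadable blocks stay zero-filled.

    Returns (image_bytes, bad_ranges) with adjacent bad blocks merged.
    """
    out = io.BytesIO(bytes(total_size))  # pre-sized image full of zeros
    bad = []
    for offset in range(0, total_size, block):
        want = min(block, total_size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            if bad and bad[-1][1] == offset:
                bad[-1] = (bad[-1][0], offset + want)
            else:
                bad.append((offset, offset + want))
            continue
        out.seek(offset)
        out.write(chunk)
    return out.getvalue(), bad


def make_sample():
    """Constructed 8 KiB 'partition' of unique 4-byte words with one unreadable region."""
    data = b"".join(i.to_bytes(4, "big") for i in range(2048))
    return data, FlakyDisk(data, [(3000, 3500)])


if __name__ == "__main__":
    data, disk = make_sample()
    shifted = copy_skipping_errors(disk, len(data))
    image, bad = copy_aligned(disk, len(data))
    print("source", len(data), "shifted copy", len(shifted), "aligned copy", len(image))
    print("unreadable ranges:", bad)
```

Recording the unreadable ranges alongside the image lets later analysis tell zero-filled gaps apart from sectors that really contained zeros.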

# June 27, 2015

## Christian Perrier

### Bugs #780000 - 790000

Thorsten Glaser reported Debian bug #780000 on Saturday March 7th 2015, against the gcc-4.9 package.

Bug #770000 was reported as of November 18th so there have been 10,000 bugs in about 3.5 months, which was significantly slower than earlier.

Matthew Vernon reported Debian bug #790000 on Friday June 26th 2015, against the pcre3 package.

Thus, there have been 10,000 bugs in 3.5 months again. It seems that the bug report rate stabilized again.

Sorry for missing bug #780000 announcement. I'm doing this since....November 2007 for bug #450000 and it seems that this lack of attention is somehow significant wrt my involvement in Debian. Still, this involvement is still here and I'll try to "survive" in the project until we reach bug #1000000...:-)

See you for bug #800000 announcement and the result of the bets we placed on the date it would happen.

# June 25, 2015

## Norbert Preining

### TeX Live 2015 hits Debian/unstable

Here we go, I just uploaded 15 packages to the Debian archive that brings TeX Live in Debian up to the 2015 release (and a bit newer)!

Uploaded packages are asymptote, biber, context, context-modules, jadetex, musixtex, pmx, tex-common, texinfo, texinfo-doc-nonfree, texlive-base, texlive-bin, texlive-extra, texlive-lang, xmltex.

The packages are basically what has been in experimental for quite some time, plus a checkout of tlnet from yesterday. For details on the changes and the new packaging, please consult this post.

So, now let the flood of bug reports begin, but in the mean time, enjoy!

25 June, 2015 11:03PM by Norbert Preining

# June 24, 2015

### TeX Live Manager News June 2015

TeX Live 2015 has been released, and normal operation with daily updates has started. During the freeze time and afterwards I have made a few changes to the TeX Live Manager (tlmgr) that I want to highlight here.

The main changes are better error and return code handling (which should be hardly visible for the users), and more informative output of the tlmgr info action, incorporating more data from the TeX Catalogue.

## Error handling

With a program that started as an experiment that has grown into the central configuration and management program, there are lots of old code pieces that did not do proper error signaling via return values. That meant that the return value of a tlmgr run didn’t have any meaning, mostly because it was 0 (success) most of the time.

I have now tried to do proper return code handling throughout the tlmgr code base, that is the tlmgr.pl and the necessary Perl modules.

While this should not be a user-visible change, it turned out that the MacOS TeX Live Utility by Adam Maxwell (btw, a great program, it would be nice to have something similar written for Unix replacing the bit clumsy tlmgr gui) got broken for paper configuration, due to forgotten return value fixes in the TLPaper.pm module. That is fixed now in our repository.

All in all we do hope that the return value of a tlmgr run now gives proper information about success or error. I might add a bit more semantics by returning bit-values in case of errors, but this is in early stages of thinking.

## TeX Catalogue data in tlmgr info

Since more or less the very beginning we incorporated information from the TeX Catalogue into our database. In particular we carried over the license information, version, CTAN directory, and date of last change of information in the Catalogue.

Recently (or not so recently, I actually don’t know), CTAN has enriched their package view with more information, in particular a list of topics, and a list of related packages. Take for example the Asana-math package. Its CTAN page now displays besides the previously available information also a list of topics and a list of related packages. The topic index can also be browsed directly when searching for a specific package.

I have now added functionality in the TeX Live Manager that tlmgr info also prints out the topic names and related packages. In the case of Asana Math fonts, that would look like:

```
$ tlmgr info Asana-Math
package:     Asana-Math
category:    Package
shortdesc:   A font to typeset maths in Xe(La)TeX and Lua(La)TeX.
longdesc:    The Asana-Math font is an OpenType font that includes almost all mathematical Unicode symbols and it can be used to typeset mathematical text with any software that can understand the MATH OpenType table (e.g., XeTeX 0.997 and Microsoft Word 2007). The font is beta software. Typesetting support for use with LaTeX is provided by the fontspec and unicode-math packages.
installed:   Yes
revision:    37556
sizes:       doc: 9k, run: 1177k
relocatable: No
cat-version: 000.955
cat-date:    2015-06-02 20:04:19 +0200
cat-license: ofl
cat-topics:  font font-maths font-otf font-ttf
cat-related: stix xits
collection:  collection-fontsextra
```

GUIs could use the topic names and related packages to link directly to the CTAN page. At the moment the related packages are named according to CTAN standards, which are a bit different from what we use in TeX Live. I am not sure whether I will change that, or ship out both names. We will see.

The changes are currently in testing, see section about Test version here, and will be pushed out in due time, probably in the next week.

As usual, in case of any problems or bugs, please contact us at the TeX Live mailing list.

Enjoy.

24 June, 2015 11:55PM by Norbert Preining

## Steinar H. Gunderson

### JSONB in Postgres

PostgreSQL continues to amaze. Load in 45 MB (47 581 294 bytes) of JSON in a single-column table with a generic index, and voila:

```
sesse=# \timing
Timing is on.
sesse=# select jsonb_extract_path(contents, 'short_score') from analysis where contents @> '{"position":{"fen":"rnbqkb1r/pp3ppp/2p1pn2/3p2B1/2PP4/2N2N2/PP2PPPP/R2QKB1R b KQkq - 1 5"}}';
 jsonb_extract_path
--------------------
 "+0.17"
(1 row)

Time: 2,286 ms
```

Millisecond-level arbitrary JSON queries. (In the end, I designed the database more traditionally SQL-like, but it was fun to see that this would actually work.)

Update to clarify: That's a little over 2 milliseconds, not 2286 milliseconds.
## Russell Coker

### Smart Phones Should Measure Charge Speed

My first mobile phone lasted for days between charges. I never really found out how long its battery would last because there was no way that I could use it to deplete the charge in any time that I could spend awake. Even if I had managed to run the battery out the phone was designed to accept 4*AA batteries (its rechargeable battery pack was exactly that size) so I could buy spare batteries at any store.

Modern phones are quite different in physical phone design (phones that weigh less than 4*AA batteries aren’t uncommon), functionality (fast CPUs and big screens suck power), and use (games really drain your phone battery). This requires much more effective chargers, when some phones are intensively used (EG playing an action game with Wifi enabled) they can’t be charged as they use more power than the plug-pack supplies.

I’ve previously blogged some calculations about resistance and thickness of wires for phone chargers [1], it’s obvious that there are some technical limitations to phone charging based on the decision to use a long cable at ~5V.

My calculations about phone charge rate were based on the theoretical resistance of wires based on their estimated cross-sectional area.
One problem with such analysis is that it’s difficult to determine how thick the insulation is without destroying the wire. Another problem is that after repeated use of a charging cable some conductors break due to excessive bending. This can significantly increase the resistance and therefore increase the charging time.

Recently a charging cable that used to be really good suddenly became almost useless. My Galaxy Note 2 would claim that it was being charged even though the reported level of charge in the battery was not increasing, it seems that the cable only supplied enough power to keep the phone running not enough to actually charge the battery.

I recently bought a USB current measurement device which is really useful. I have used it to diagnose power supplies and USB cables that didn’t work correctly. But one significant way in which it fails is in the case of problems with the USB connector. Sometimes a cable performs differently when connected via the USB current measurement device.

The CurrentWidget program [2] on my Galaxy Note 2 told me that all of the dedicated USB chargers (the 12V one in my car and all the mains powered ones) supply 1698mA (including the ones rated at 1A) while a PC USB port supplies ~400mA. I don’t think that the Note 2 measurement is particularly reliable. On my Galaxy Note 3 it always says 0mA, I guess that feature isn’t implemented. An old Galaxy S3 reports 999mA of charging even when the USB current measurement device says ~500mA. It seems to me that the method the CurrentWidget uses to get the current isn’t accurate if it even works at all.

Android 5 on the Nexus 4/5 phones will tell the amount of time until the phone is charged in some situations (on the Nexus 4 and Nexus 5 that I used for testing it didn’t always display it and I don’t know why). This is useful but it’s still not good enough.

I think that what we need is to have the phone measure the current that’s being supplied and report it to the user.
Then when a phone charges slowly because apps are using some power that won’t be mistaken for a phone charging slowly due to a defective cable or connector.

24 June, 2015 02:00AM by etbe

# June 23, 2015

## Sandro Tosi

### CFEngine: upgrade Debian packages

Say you use CFEngine to install Debian packages on your server, so it's likely you'll have a bundle looking like this:

```
bundle agent agentname
{
vars:
    "packages" slist => { "pkg1", "pkg2", "pkg3" };

packages:
    "$(packages)"
        package_policy => "addupdate",
        package_method => apt_get;
}
```

This works great to guarantee those packages are installed, but if a newer version is available in the repositories, that won't be installed. If you want CFEngine to do that too, then the web suggests this trick:

```
packages:
    "$(packages)"
        package_policy => "addupdate",
        package_version => "999999999",
        package_method => apt_get;
```

which tweaks the install system declaring that you want to install version 999999999 of each package, so if you have available a higher version than the one installed, CFEngine will happily upgrade it for you.

It works great.. but sometimes it doesn't. Why oh why? That's because Debian versions can have an epoch: every plain version (like 1.0-1) has an implicit epoch of 0, and same goes for the 999999999 above, that means if any of the installed packages has an epoch, that version will sort higher than 999999999 and the package won't be upgraded.

If you want to be sure to upgrade every package, then the right solution is:

```
packages:
    "$(packages)"
        package_policy => "addupdate",
        package_version => "9:999999999",
        package_method => apt_get;
```
23 June, 2015 07:37PM by Sandro Tosi (noreply@blogger.com)

## Bits from Debian

The Core Infrastructure Initiative announced today that they will support two Debian Developers, Holger Levsen and Jérémy Bobbio, with $200,000 to advance their Debian work in reproducible builds and to collaborate more closely with other distributions such as Fedora, Ubuntu, OpenWrt to benefit from this effort.

The Core Infrastructure Initiative (CII) was established in 2014 to fortify the security of key open source projects. This initiative is funded by more than 20 companies and managed by The Linux Foundation.

The reproducible builds initiative aims to enable anyone to reproduce bit by bit identical binary packages from a given source, thus enabling anyone to independently verify that a binary matches the source code from which it was said it was derived. For example, this allows the users of Debian to rebuild packages and obtain exactly identical packages to the ones provided by the Debian repositories.

23 June, 2015 12:00PM by Ana Guerrero Lopez

## Ben Armstrong

### Debian Live Rescue needs some love

You may have noticed that Jessie no longer includes the useful rescue flavour of live image, formerly included in Wheezy and earlier releases, and neither will Stretch unless you take action. This is my second public call for help this year to revive it. So if you care about rescue, here’s how you can help:

- First, try a self-built image, based on the old live-image-rescue configuration. While Jessie still contains the live-image-rescue configuration for live-build as a starting point, to successfully build this image for yourself, you need to edit the package lists to drop or substitute any packages that aren’t in the archive. As of writing, this includes libphash0, mii-diag, denyhosts, hal and emacs23-nox. (Tip: for the latter, substitute emacs24-nox.)
- Join or form a team to maintain the rescue metapackages in the long term. All of the official Debian Live images are based on metapackages that are looked after by various other teams, (principally the desktop teams,) with rescue being the sole exception. The old package lists include some forensics packages, so you may wish to contact Debian Forensics, but I don’t want to presume they’ll take it on.
- Have your team decide on what a rescue system should include. You might start with the old lists, spruced up a bit just to make the image build, or you might take an entirely different tack. This is your project, so it’s up to you.
- File a bug on tasksel, preferably with patch, to include a task-forensics and/or task-rescue task (or whatever you decide the task or tasks should be called).
- File a bug on the live-images package to include your work.

If you have any questions not answered in this post, please feel free to leave a comment on this blog, talk to the Debian Live team on irc — I’m SynrG, and hang out with the team at #debian-live @ irc.oftc.net — or drop us an email at debian-live@lists.debian.org.
23 June, 2015 11:16AM by Ben Armstrong

## Russell Coker

### One Android Phone Per Child

I was asked for advice on whether children should have access to smart phones, it’s an issue that many people are discussing and seems worthy of a blog post.

### Claimed Problems with Smart Phones

The first thing that I think people should read is this XKCD post with quotes about the demise of letter writing from 99+ years ago [1]. Given the lack of evidence cited by people who oppose phone use I think we should consider to what extent the current concerns about smart phone use are just reactions to changes in society.

I’ve done some web searching for reasons that people give for opposing smart phone use by kids and addressed the issues below.

Some people claim that children shouldn’t get a phone when they are so young that it will just be a toy. That’s interesting given the dramatic increase in the amount of money spent on toys for children in recent times. It’s particularly interesting when parents buy game consoles for their children but refuse mobile phone “toys” (I know someone who did this). I think this is more of a social issue regarding what is a suitable toy than any real objection to phones used as toys.
Obviously the educational potential of a mobile phone is much greater than that of a game console.

It’s often claimed that kids should spend their time reading books instead of using phones. When visiting libraries I’ve observed kids using phones to store lists of books that they want to read, this seems to discredit that theory. Also some libraries have Android and iOS apps for searching their catalogs. There are a variety of apps for reading eBooks, some of which have access to many free books but I don’t expect many people to read novels on a phone.

Cyber-bullying is the subject of a lot of anxiety in the media. At least with cyber-bullying there’s an electronic trail, anyone who suspects that their child is being cyber-bullied can check that while old-fashioned bullying is more difficult to track down. Also while cyber-bullying can happen faster on smart phones the victim can also be harassed on a PC. I don’t think that waiting to use a PC and learn what nasty thing people are saying about you is going to be much better than getting an instant notification on a smart phone. It seems to me that the main disadvantage of smart phones in regard to cyber-bullying is that it’s easier for a child to participate in bullying if they have such a device. As most parents don’t seem concerned that their child might be a bully (unfortunately many parents think it’s a good thing) this doesn’t seem like a logical objection.

Fear of missing out (FOMO) is claimed to be a problem, apparently if a child has a phone then they will want to take it to bed with them and that would be a bad thing. But parents could have a policy about when phones may be used and insist that a phone not be taken into the bedroom. If it’s impossible for a child to own a phone without taking it to bed then the parents are probably dealing with other problems.
I’m not convinced that a phone in bed is necessarily a bad thing anyway, a phone can be used as an alarm clock and instant-message notifications can be turned off at night. When I was young I used to wait until my parents were asleep before getting out of bed to use my PC, so if smart-phones were available when I was young it wouldn’t have changed my night-time computer use.

Some people complain that kids might use phones to play games too much or talk to their friends too much. What do people expect kids to do? In recent times the fear of abduction has led to children playing outside a lot less, it used to be that 6yos would play with other kids in their street and 9yos would be allowed to walk to the local park. Now people aren’t allowing 14yo kids to walk to the nearest park alone. Playing games and socialising with other kids has to be done over the Internet because kids aren’t often allowed out of the house. Play and socialising are important learning experiences that have to happen online if they can’t happen offline.

Apps can be expensive. But it’s optional to sign up for a credit card with the Google Play store and the range of free apps is really good. Also the default configuration of the app store is to require a password entry before every purchase. Finally it is possible to give kids pre-paid credit cards and let them pay for their own stuff, such pre-paid cards are sold at Australian post offices and I’m sure that most first-world countries have similar facilities.

Electronic communication is claimed to be somehow different and lesser than old-fashioned communication. I presume that people made the same claims about the telephone when it first became popular.
The only real difference between email and posted letters is that email tends to be shorter because the reply time is smaller, you can reply to any questions in the same day not wait a week for a response so it makes sense to expect questions rather than covering all possibilities in the first email. If it’s a good thing to have longer forms of communication then a smart phone with a big screen would be a better option than a “feature phone”, and if face to face communication is preferred then a smart phone with video-call access would be the way to go (better even than old fashioned telephony).

### Real Problems with Smart Phones

The majority opinion among everyone who matters (parents, teachers, and police) seems to be that crime at school isn’t important. Many crimes that would result in jail sentences if committed by adults receive either no punishment or something trivial (such as lunchtime detention) if committed by school kids. Introducing items that are both intrinsically valuable and which have personal value due to the data storage into a typical school environment is probably going to increase the amount of crime. The best options to deal with this problem are to prevent kids from taking phones to school or to home-school kids. Fixing the crime problem at typical schools isn’t a viable option.

Bills can potentially be unexpectedly large due to kids’ inability to restrain their usage and telcos deliberately making their plans tricky to profit from excess usage fees. The solution is to only use pre-paid plans, fortunately many companies offer good deals for pre-paid use. In Australia Aldi sells pre-paid credit in $15 increments that lasts a year [2]. So it’s possible to pay $15 per year for a child’s phone use, have them use Wifi for data access and pay from their own money if they make excessive calls.
For older kids who need data access when they aren’t at home or near their parents there are other pre-paid phone companies that offer good deals, I’ve previously compared prices of telcos in Australia, some of those telcos should do [3].

It’s expensive to buy phones. The solution to this is to not buy new phones for kids, give them an old phone that was used by an older relative or buy an old phone on ebay. Also let kids petition wealthy relatives for a phone as a birthday present. If grandparents want to buy the latest smart-phone for a 7yo then there’s no reason to stop them IMHO (this isn’t a hypothetical situation).

Kids can be irresponsible and lose or break their phone. But the way kids learn to act responsibly is by practice. If they break a good phone and get a lesser phone as a replacement or have to keep using a broken phone then it’s a learning experience. A friend’s son head-butted his phone and cracked the screen – he used it for 6 months after that, I think he learned from that experience. I think that kids should learn to be responsible with a phone several years before they are allowed to get a “learner’s permit” to drive a car on public roads, which means that they should have their own phone when they are 12.

I’ve seen an article about a school finding that tablets didn’t work as well as laptops which was touted as news. Laptops or desktop PCs obviously work best for typing. Tablets are for situations where a laptop isn’t convenient and when the usage involves mostly reading/watching, I’ve seen school kids using tablets on excursions which seems like a good use of them. Phones are even less suited to writing than tablets. This isn’t a problem for phone use, you just need to use the right device for each task.

### Phones vs Tablets

Some people think that a tablet is somehow different from a phone.
I’ve just read an article by a parent who proudly described their policy of buying “feature phones” for their children and tablets for them to do homework etc. Really a phone is just a smaller tablet, once you have decided to buy a tablet the choice to buy a smart phone is just about whether you want a smaller version of what you have already got.

The iPad doesn’t appear to be able to make phone calls (but it supports many different VOIP and video-conferencing apps) so that could technically be described as a difference. AFAIK all Android tablets that support 3G networking also support making and receiving phone calls if you have a SIM installed. It is awkward to use a tablet to make phone calls but most usage of a modern phone is as an ultra portable computer not as a telephone.

The phone vs tablet issue doesn’t seem to be about the capabilities of the device. It’s about how portable the device should be and the image of the device. I think that if a tablet is good then a more portable computing device can only be better (at least when you need greater portability).

Recently I’ve been carrying a 10″ tablet around a lot for work, sometimes a tablet will do for emergency work when a phone is too small and a laptop is too heavy. Even though tablets are thin and light it’s still inconvenient to carry, the issue of size and weight is a greater problem for kids. 7″ tablets are a lot smaller and lighter, but that’s getting close to a 5″ phone.

### Benefits of Smart Phones

Using a smart phone is good for teaching children dexterity. It can also be used for teaching art in situations where more traditional art forms such as finger painting aren’t possible (I have met a professional artist who has used a Samsung Galaxy Note phone for creating art work).

There is a huge range of educational apps for smart phones.

The Wikireader (that I reviewed 4 years ago) [4] has obvious educational benefits.
But a phone with Internet access (either 3G or Wifi) gives Wikipedia access including all pictures and is a better fit for most pockets. There are lots of educational web sites and random web sites that can be used for education (Googling the answer to random questions).

When it comes to preparing kids for “the real world” or “the work environment” people often claim that kids need to use Microsoft software because most companies do (regardless of the fact that most companies will be using radically different versions of MS software by the time current school kids graduate from university). In my typical work environment I’m expected to be able to find the answer to all sorts of random work-related questions at any time and I think that many careers have similar expectations. Being able to quickly look things up on a phone is a real work skill, and a skill that’s going to last a lot longer than knowing today’s version of MS-Office.

There are a variety of apps for tracking phones. There are non-creepy ways of using such apps for monitoring kids. Also with two-way monitoring kids will know when their parents are about to collect them from an event and can stay inside until their parents are in the area. This combined with the phone/SMS functionality that is available on feature-phones provides some benefits for child safety.

### iOS vs Android

Rumour has it that iOS is better than Android for kids diagnosed with Low Functioning Autism. There are apparently apps that help non-verbal kids communicate with icons and for arranging schedules for kids who have difficulty with changes to plans. I don’t know anyone who has a LFA child so I haven’t had any reason to investigate such things. Anyone can visit an Apple store and a Samsung Experience store as they have phones and tablets you can use to test out the apps (at least the ones with free versions).
As an aside the money the Australian government provides to assist Autistic children can be used to purchase a phone or tablet if a registered therapist signs a document declaring that it has a therapeutic benefit.

I think that Android devices are generally better for educational purposes than iOS devices because Android is a less restrictive platform. On an Android device you can install apps downloaded from a web site or from a 3rd party app download service. Even if you stick to the Google Play store there’s a wider range of apps to choose from because Google is apparently less restrictive.

Android devices usually allow installation of a replacement OS. The Nexus devices are always unlocked and have a wide range of alternate OS images and the other commonly used devices can usually have an alternate OS installed. This allows kids who have the interest and technical skill to extensively customise their device and learn all about its operation. iOS devices are designed to be sealed against the user. Admittedly there probably aren’t many kids with the skill and desire to replace the OS on their phone, but I think it’s good to have the option.

Android phones have a range of sizes and features while Apple only makes a few devices at any time and there’s usually only a couple of different phones on sale. iPhones are also a lot smaller than most Android phones, according to my previous estimates of hand size the iPhone 5 would be a good tablet for a 3yo or good for side-grasp phone use for a 10yo [5]. The main benefits of a phone are for things other than making phone calls so generally the biggest phone that will fit in a pocket is the best choice. The tiny iPhones don’t seem very suitable.

Also buying one of each is a viable option.

### Conclusion

I think that mobile phone ownership is good for almost all kids even from a very young age (there are many reports of kids learning to use phones and tablets before they learn to read).
There are no real down-sides that I can find.

I think that Android devices are generally a better option than iOS devices. But in the case of special needs kids there may be advantages to iOS.

23 June, 2015 02:26AM by etbe

# June 22, 2015

## Sven Hoexter

### Free SSL/TLS snakeoil from wosign.com

I've been a proponent of CaCert.org for a long time and I'm still using those certificates in some places, but lately I gave in and searched for something that validates even on iOS. It's not that I strictly need it, it's more a favour to make life for friends and family easier.

I turned down startssl.com because I always manage to somehow lose the client certificate for the portal login. Plus I failed to generate several certificates for subdomains within the primary domain. I want to use different keys on purpose so SANs are not helpful, neither are wildcard certs for which you've to pay anyway. Another point against a wildcard cert from startssl is that I'd like to refrain from sending in my scanned papers for verification.

On a sidenote I'm also not a fan of random email address extractions from whois to send validation codes to. I just don't see why the abuse desk of a registrar should be able to authorize on DV certificates for a domain under my control.
So I decided to pay the self proclaimed leader of the snakeoil industrie (Comodo) via cheapsslshop.com. That made 12USD for a 3 year Comodo DV certificate. Fair enough for the mailsetup I share with a few friends, and the cheapest one I could find at that time. Actually no hassle with logins or verification. It looks a bit like a scam but the payment is done via 2checkout if I remember correctly and the certificate got issued via a voucher code by Comodo directly. Drawback: credit card payment. Now while we're all waiting for letsencrypt.org I learned about the free offer of wosign.com. The CA is issued by the StartSSL Root CA, so technically we're very close to step one. Beside of that I only had to turn off uBlock origin and the rest of the JavaScript worked fine with Iceweasel once I clicked on the validity time selection checkbox. They offer the certificate for up to 3 years, you can paste your own csr and you can add up to 100 SANs. The only drawback is that it took them about 12 hours to issue the certificate and the mails look a hell lot like spam if you sent them through Spamassassin. That provides now a free and validating certificate for sven.stormbind.net in case you'd like to check out the chain. The validation chain is even one certificate shorter then the chain for the certificate I bought from Comodo. So in case anyone else is waiting for letsencrypt to start, you might want to check wosign until Mozilla et al are ready. From my point of view the only reason to pay one of the major CAs is for the service of running a reliable OCSP system. I also pointed that out here. It's more and more about the service you buy and no longer just money for a few ones and zeroes. 
## Niels Thykier

### Introducing dak auto-decruft

Debian now has over 22 000 source packages and 45 500 binary packages. To counter that, the FTP masters and I have created a dak tool to automatically remove packages from unstable! This is also much more efficient than only removing them from testing! :)

The primary goal of the auto-decrufter is to remove a regular manual work flow from the FTP masters. Namely, the removal of the common cases of cruft, such as “Not Built from Source” (NBS) and “Newer Version In Unstable” (NVIU). With the auto-decrufter in place, such cruft will be automatically removed when there are no reverse dependencies left on any architecture and nothing Build-Depends on it any more.

Despite the implication in the “opening” of this post, this will in fact not substantially reduce the numbers of packages in unstable. :) Nevertheless, it is still very useful for the FTP masters, the release team and packaging Debian contributors.

The reason why the release team benefits greatly from this tool, is that almost every transition generates one piece of “NBS”-cruft. Said piece of cruft currently must be removed from unstable before the transition can progress into its final phase. Until recently that removal has been 100% manual and done by the FTP masters.

The restrictions on auto-decrufter mean that we will still need manual decrufts. Notably, the release team will often complete transitions even when some reverse dependencies remain on non-release architectures. Nevertheless, it is definitely an improvement.

Omelettes and eggs:

As an old saying goes “You cannot make an omelette without breaking eggs”. Less so when the only “test suite” is production. So here are some of the “broken eggs” caused by implementation of the auto-decrufter:

• About 30 minutes of “dak rm” (without --no-action) would unconditionally crash.
• A broken dinstall when “dak auto-decruft” was run without “--dry-run” for the first time.
• A boolean condition inversion causing removals to remove the “override” for partial removals (and retain it for “full” removals).
• Side-effect, this broke Britney a couple of times because dak now produced some “unexpected” Packages files for unstable.
• Not to mention the “single digit bug closure” bug.

Of the 3, the boolean inversion was no doubt the worst. By the time we had it fixed, at least 50 (unique) binary packages had lost their “override”. Fortunately, it was possible to locate these issues using a database query and they have now been fixed.

Before I write any more non-trivial patches for dak, I will probably invest some time setting up a basic test framework for dak first.

Filed under: Debian, Release-Team

22 June, 2015 01:11PM by Niels Thykier

## Lunar

### Reproducible builds: week 8 in Stretch cycle

What happened about the reproducible builds effort this week:

## Toolchain fixes

Andreas Henriksson has improved Johannes Schauer's initial patch for pbuilder adding support for build profiles.

## Packages fixed

The following 12 packages became reproducible due to changes in their build dependencies: collabtive, eric, file-rc, form-history-control, freehep-chartableconverter-plugin, jenkins-winstone, junit, librelaxng-datatype-java, libwildmagic, lightbeam, puppet-lint, tabble.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which have not made their way to the archive yet:

• #788747 on 0xffff by Dhole: allow embedded timestamp to be set externally and set it to the time of the debian/changelog.
• #788752 on analog by Dhole: allow embedded timestamp to be set externally and set it to the time of the debian/changelog.
• #788757 on jacktrip by akira: remove $datetime from the documentation footer.
• #788868 on apophenia by akira: remove $date from the documentation footer.
• #788920 on orthanc by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #788955 on rivet by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789040 on liblo by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789049 on mpqc by akira: remove $datetime from the documentation footer.
• #789071 on libxkbcommon by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789073 on libxr by akira: remove $datetime from the documentation footer.
• #789076 on lvtk by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789087 on lmdb by akira: pass HTML_TIMESTAMP=NO to Doxygen.
• #789184 on openigtlink by akira: remove $datetime from the documentation footer.
• #789264 on openscenegraph by akira: pass HTML_TIMESTAMP=NO to Doxygen.
• #789308 on trigger-rally-data by Mattia Rizzolo: call dh_fixperms even when overriding dh_fixperms.
• #789396 on libsidplayfp by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789399 on psocksxx by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789405 on qdjango by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789406 on qof by akira: set HTML_TIMESTAMP=NO in Doxygen configuration.
• #789428 on qsapecng by akira: pass HTML_TIMESTAMP=NO to Doxygen.

## reproducible.debian.net

Bugs with the ftbfs usertag are now visible on the bug graphs. This explains the recent spike. (h01ger)

Andreas Beckmann suggested a way to test building packages using the “funny paths” that one can get when they contain the full Debian package version string.

## debbindiff development

Lunar started an important refactoring introducing abstractions for containers and files in order to make file type identification more flexible, enabling fuzzy matching, and allowing parallel processing.

## Documentation update

Ximin Luo detailed the proposal to standardize environment variables to pass a reference source date to tools that need one (e.g. documentation generators).

## Package reviews

41 obsolete reviews have been removed, 168 added and 36 updated this week.

Some more issues affecting packages failing to build from source have been identified.

## Meetings

Minutes have been posted for Tuesday June 16th meeting.

The next meeting is scheduled Tuesday June 23rd at 17:00 UTC.

## Presentations

Lunar presented the project in French during Pas Sage en Seine in Paris. Video and slides are available.

# debtags rewritten in python3

In my long quest towards closing #540218, I have uploaded a new libept to experimental. Then I tried to build debtags on a sid+experimental chroot and the result runs but has libc's free() print existential warnings about whatevers.

At a quick glance, there are now things around like a new libapt, gcc 5 with ABI changes, and who knows what else. I figured how much time it'd take me to debug something like that, and I've used that time to rewrite debtags in python3. It took 8 hours, 5 of pleasant programming and the usual tax of another 3 of utter frustration packaging the results. I guess I gained over the risk of spending an unspecified amount of hours of just pure frustration.

So from now on debtags is going to be a pure python3 package, with dependencies on only python3-apt and python3-debian. 700 lines of python instead of several C++ files built on 4 layers of libraries. Hopefully, this is the last of the big headaches I get from hacking on this package. Also, one less package using libept.

## Steve Kemp

### We're all about storing objects

Recently I've been experimenting with camlistore, which is yet another object storage system.

Camlistore gains immediate points because it is written in Go, and is a project initiated by Brad Fitzpatrick, the creator of Perlbal, memcached, and Livejournal of course.

Camlistore is designed exactly how I'd like to see an object storage-system - each server allows you to:

• Upload a chunk of data, getting an ID in return.
• Download a chunk of data, by ID.
• Iterate over all available IDs.

It should be noted more is possible, there's a pretty web UI for example, but I'm simplifying. Do your own homework :)

With those primitives you can allow a client-library to upload a file once, then in the background a bunch of dumb servers can decide amongst themselves "Hey I have data with ID:33333 - Do you?". If nobody else does they can upload a second copy.

In short this kind of system allows the replication to be decoupled from the storage. The obvious risk is obvious though: if you upload a file the chunks might live on a host that dies 20 minutes later, just before the content was replicated. That risk is minimal, but valid.

There is also the risk that sudden rashes of uploads leave the system consuming all the internal-bandwidth constantly comparing chunk-IDs, trying to see if data is replaced that has been copied numerous times in the past, or trying to play "catch-up" if the new-content is larger than the replica-bandwidth. I guess it should be possible to detect those conditions, but they're things to be concerned about.

Anyway the biggest downside with camlistore is documentation about rebalancing, replication, or anything other than simple single-server setups. Some people have blogged about it, and I got it working between two nodes, but I didn't feel confident it was as robust as I wanted it to be.

I have a strong belief that Camlistore will become a project of joy and wonder, but it isn't quite there yet. I certainly don't want to stop watching it :)

On to the more personal .. I'm all about the object storage these days. Right now most of my objects are packed in a collection of boxes. On the 6th of next month a shipping container will come pick them up and take them to Finland.

For pretty much 20 days in a row we've been taking things to the skip, or the local charity-shops. I expect that by the time we've relocated the amount of possessions we'll maintain will be at least a fifth of our current levels.

We're working on the general rule of thumb: "If it is possible to replace an item we will not take it". That means chess-sets, mirrors, etc, will not be carried. DVDs, for example, have been slashed brutally such that we're only transferring 40 out of a starting collection of 500+.

Only personal, one-off, unique, or "significant" items will be transported. This includes things like personal photographs, family items, and similar. Clothes? Well I need to take one jacket, but more can be bought. The only place I put my foot down was books. Yes I'm a kindle-user these days, but I spent many years tracking down some rare volumes, and though it would be possible to repeat that effort I just don't want to.

I've also decided that I'm carrying my complete toolbox. Some of the tools I took with me when I left home at 18 have stayed with me for the past 20+ years. I don't need this specific crowbar, or axe, but I'm damned if I'm going to lose them now. So they stay. Object storage - some objects are more important than they should be!
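The three primitives listed in the Camlistore part of the post above (upload a chunk and get an ID back, download by ID, iterate over IDs) are enough to run replication as a separate background job. The following is an added example, not Camlistore code and not part of the original post; `BlobServer`, `holders`, `under_replicated` and `replicate` are hypothetical names, and it assumes IDs are SHA-256 digests of the chunk so that every copy can be verified before it is trusted as a source.

```python
import hashlib


def blob_id(data):
    """Content-derived ID (assumption for this example: SHA-256 of the chunk)."""
    return "sha256-" + hashlib.sha256(data).hexdigest()


class BlobServer:
    """A dumb storage node exposing only the three primitives from the post."""

    def __init__(self, name):
        self.name = name
        self._blobs = {}

    def put(self, data):
        """Upload a chunk of data, getting an ID in return."""
        bid = blob_id(data)
        self._blobs[bid] = data
        return bid

    def get(self, bid):
        """Download a chunk of data, by ID."""
        return self._blobs[bid]

    def ids(self):
        """Iterate over all available IDs."""
        return sorted(self._blobs)


def holders(servers, bid):
    """Servers whose stored copy of bid still hashes to bid."""
    return [s for s in servers
            if bid in s.ids() and blob_id(s.get(bid)) == bid]


def under_replicated(servers, copies=2):
    """IDs with fewer than `copies` verified copies: the window of risk the
    post describes, where a host can die before its content is replicated."""
    all_ids = sorted({bid for s in servers for bid in s.ids()})
    return [bid for bid in all_ids if len(holders(servers, bid)) < copies]


def replicate(servers, copies=2):
    """One pass of the background job; returns the (id, source, target) copies made."""
    made = []
    for bid in under_replicated(servers, copies):
        good = holders(servers, bid)
        if not good:
            continue  # no verified copy left anywhere, nothing safe to copy from
        # Prefer the emptiest server; break ties by name so passes are repeatable.
        targets = sorted((s for s in servers if s not in good),
                         key=lambda s: (len(s.ids()), s.name))
        for dst in targets[:copies - len(good)]:
            if dst.put(good[0].get(bid)) != bid:
                raise RuntimeError("source copy changed during replication")
            made.append((bid, good[0].name, dst.name))
    return made


if __name__ == "__main__":
    # Constructed scenario: three servers, one upload, then simulated bit rot.
    a, b, c = BlobServer("a"), BlobServer("b"), BlobServer("c")
    servers = [a, b, c]
    bid = a.put(b"chunk one")
    print("needs copies:", under_replicated(servers))
    print("first pass:  ", replicate(servers))
    b._blobs[bid] = b"bit rot"  # damage the replica behind the server's back
    print("after damage:", replicate(servers))
```

Each pass enumerates every ID on every server, which is the bandwidth cost the post worries about; the damaged replica is never used as a source because it no longer hashes to its ID.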

# June 20, 2015

## Joachim Breitner

### Running circle-packing in the Browser, now using GHCJS

Quite a while ago, I wrote a small Haskell library called circle-packing to pack circles in a tight arrangement. Back then, I used the Haskell to JavaScript compiler fay to create a pretty online demo of that library, and shortly after, I created the identical demo using haste (another Haskell to JavaScript compiler).

The main competitor of these two compilers, and the most promising one, is GHCJS. Back then, it was too annoying to install. But after two years, things have changed, and it only takes a few simple commands to get GHCJS running, so I finally created the circle packing demo in a GHCJS variant.

Quick summary: Cabal integration is very good (like haste, but unlike fay), interfacing JavaScript is nice and easy (like fay, but unlike haste), and a quick check seems to indicate that it is faster than either of these two. I should note that I did not update the other two demos, so they represent the state of fay and haste back then, respectively.

With GHCJS now available at my fingertips, maybe I will produce some more Haskell to be run in your browser. For example, I could port FrakView, a GUI program to render, explore and explain iterated function systems, from GTK to HTML.

20 June, 2015 08:50PM by Joachim Breitner (mail@joachim-breitner.de)

## Lunar

### Reproducible builds: week 4 in Stretch cycle

What happened about the reproducible builds effort for this week:

## Toolchain fixes

• Guillem Jover uploaded dpkg/1.18.0 which now uses an approximation to compute Installed-Size, making it independent from the underlying filesystem. It now always sorts the Dpkg::Dist::Files files list on output to make the output stable with parallel builds.
• Lunar uploaded mozilla-devscripts/0.40 which told xpi-pack to skip saving extra zip attributes when making jar.
• Dominique Dumont uploaded libmodule-build-perl/0.421100-2 which makes the output deterministic. Original patch by Lunar.

Lunar rebased our custom dpkg on the new release, removing a now unneeded patch identified by Guillem Jover. An extra sort in the buildinfo generator prevented a stable order and was quickly fixed once identified.

Mattia Rizzolo also rebased our custom debhelper on the latest release.

## Packages fixed

The following 30 packages became reproducible due to changes in their build dependencies: animal-sniffer, asciidoctor, autodock-vina, camping, cookie-monster, downthemall, flashblock, gamera, httpcomponents-core, https-finder, icedove-l10n, istack-commons, jdeb, libmodule-build-perl, libur-perl, livehttpheaders, maven-dependency-plugin, maven-ejb-plugin, mozilla-noscript, nosquint, requestpolicy, ruby-benchmark-ips, ruby-benchmark-suite, ruby-expression-parser, ruby-github-markup, ruby-http-connection, ruby-settingslogic, ruby-uuidtools, webkit2gtk, wot.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which did not make their way to the archive yet:

• #775531 on console-setup by Reiner Herrmann: update and split patch written in January.
• #785535 on maradns by Reiner Herrmann: use latest entry in debian/changelog as build date.
• #785549 on dist by Reiner Herrmann: set hostname and domainname to predefined value.
• #785583 on s5 by Juan Picca: set timezone to UTC when unzipping files.
• #785617 on python-carrot by Juan Picca: use latest entry in debian/changelog as documentation build date.
• #785774 on afterstep by Juan Picca: modify documentation generator to allow a build date to be set instead of the current time, then use latest entry in debian/changelog as reference.
• #786508 on ttyload by Juan Picca: remove timestamp from documentation.
• #786568 on linux-minidisc by Lunar: use latest entry in debian/changelog as build date.
• #786615 on kfreebsd-10 by Steven Chamberlain: make order of file in source tarballs stable.
• #786633 on webkit2pdf by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786634 on libxray-scattering-perl by Reiner Herrmann: tell Storable::nstore to produce sorted output.
• #786637 on nvidia-settings by Lunar: define DATE, WHOAMI, and HOSTNAME_CMD to stable values.
• #786710 on armada-backlight by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786711 on leafpad by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.
• #786714 on equivs by Reiner Herrmann: use latest entry in debian/changelog as documentation build date.

Also, the following bugs have been reported:

• #785536 on maradns by Reiner Herrmann: unreproducible deadwood binary.
• #785624 on doxygen by Christoph Berg: timestamps in manpages generated makes builds non-reproducible.
• #785736 on git-annex by Daniel Kahn Gillmor: documentation should be made reproducible.
• #786593 on wordwarvi by Holger Levsen: please provide a --distrobuild build switch.
• #786601 on sbcl by Holger Levsen: FTBFS when locales-all is installed instead of locales.
• #786669 on ruby-celluloid by Holger Levsen: tests sometimes fail, causing ftbfs sometimes.
• #786743 on obnam by Holger Levsen: FTBFS.

## reproducible.debian.net

Holger Levsen made several small bug fixes and a few more visible changes:

• For packages in testing, comparisons will be done using the sid version of debbindiff.
• The scheduler will now schedule old packages from sid twice as often as the ones in testing as we care more about the former at the moment.
• More statistics are now visible and the layout has been improved.
• Variations between the first and second build are now explained on the statistics page.

## strip-nondeterminism

Version 0.007-1 of strip-nondeterminism—the tool to post-process various file formats to normalize them—has been uploaded by Holger Levsen. Version 0.006-1 was already in the reproducible repository, the new version mainly improves the detection of Maven's pom.properties files.

## debbindiff development

At the request of Emmanuel Bourg, Reiner Herrmann added a comparator for Java .class files.

## Documentation update

Christoph Berg created a new page for the timestamps in manpages created by Doxygen.

## Package reviews

93 obsolete reviews have been removed, 76 added and 43 updated this week.

New identified issues: timestamps in manpages generated by Doxygen, modification time differences in files extracted by unzip, tstamp task used in Ant build.xml, timestamps in documentation generated by ASDocGen. The description for build id related issues has been clarified.

## Meetings

Holger Levsen announced a first meeting on Wednesday, June 3rd, 2015, 19:00 UTC. The agenda is amendable on the wiki.

## Misc.

Lunar worked on a proof-of-concept script to import the build environment found in .buildinfo files to UDD. Lucas Nussbaum has positively reviewed the proposed schema.

Holger Levsen cleaned up various experimental toolchain repositories, marking merged branches as such.

### Reproducible builds: week 5 in Stretch cycle

What happened about the reproducible builds effort for this week:

## Toolchain fixes

Uploads that should help other packages:

• Stephen Kitt uploaded mingw-w64/4.0.2-2 which avoids inserting timestamps in PE binaries, and specifies dlltool's temp prefix so it generates reproducible files.
• Stephen Kitt uploaded binutils-mingw-w64/6.1 which fixed dlltool to initialize its output's .idata$6 section, avoiding random data ending up there.

Patch submitted for toolchain issues:

• #787159 on openjdk-7 by Emmanuel Bourg: sort the annotations and enums in package-tree.html produced by javadoc.
• #787250 on python-qt4 by Reiner Herrmann: sort imported modules to get reproducible output.
• #787251 on pyqt5 by Reiner Herrmann: sort imported modules to get reproducible output.

Some discussions have been started in Debian and with upstream:

## Packages fixed

The following 8 packages became reproducible due to changes in their build dependencies: access-modifier-checker, apache-log4j2, jenkins-xstream, libsdl-perl, maven-shared-incremental, ruby-pygments.rb, ruby-wikicloth, uimaj.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which did not make their way to the archive yet:

• #777308 on dhcp-helper by Dhole: fix mtimes of packaged files.
• #786927 on flowscan by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
• #786959 on python3.5 by Lunar: set build date of binary and documentation to the time of latest debian/changelog entry, prevent gzip from storing a timestamp.
• #786965 on python3.4 by Lunar: same as python3.5.
• #786978 on python2.7 by Lunar: same as python3.5.
• #787122 on xtrlock by Dhole: fix mtimes of packaged files.
• #787123 on rsync by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
• #787125 on pachi by Dhole: fix mtimes of packaged files.
• #787126 on nis by Dhole: remove timestamps from gzip files and fix mtimes of packaged files.
• #787206 on librpc-xml-perl by Reiner Herrmann: remove timestamps from generated code.
• #787265 on libwx-perl by Reiner Herrmann: produce sorted output.
• #787303 on dos2unix by Juan Picca: set manpage date to the time of latest entry in debian/changelog.
• #787327 on vim by Reiner Herrmann: remove usage of __DATE__ and __TIME__ macros.

Discussions that have been started:

## reproducible.debian.net

Holger Levsen added two new package sets: pkg-javascript-devel and pkg-php-pear. The list of packages with and without notes are now sorted by age of the latest build.

Mattia Rizzolo added support for email notifications so that maintainers can be warned when a package becomes unreproducible. Please ask Mattia or Holger or in the #debian-reproducible IRC channel if you want to be notified for your packages!

## strip-nondeterminism development

Andrew Ayer fixed the gzip handler so that it skips adding a predetermined timestamp when there was none.

## Documentation update

Lunar added documentation about mtimes of file extracted using unzip being timezone dependent. He also wrote a short example on how to test reproducibility.

Stephen Kitt updated the documentation about timestamps in PE binaries.

Documentation and scripts to perform weekly reports were published by Lunar.

## Package reviews

50 obsolete reviews have been removed, 51 added and 29 updated this week. Thanks Chris West and Mathieu Bridon amongst others.

New identified issues:

## Misc.

Lunar will be talking (in French) about reproducible builds at Pas Sage en Seine on June 19th, at 15:00 in Paris.

Meeting will happen this Wednesday, 19:00 UTC.
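The fixes that recur in these reports (stable file order, mtimes pinned to the latest debian/changelog entry, no timestamp in gzip headers) can be seen working together in one small archive builder. This is an added example, not code from dpkg, strip-nondeterminism or any package named above; `build_tarball`, the file names and the dates are constructed for illustration, and `SOURCE_DATE_EPOCH` is the variable name the reproducible-builds project later standardized for the reference date.

```python
import gzip
import hashlib
import io
import os
import tarfile


def reference_date_from_env(environ=os.environ):
    """Return the reference build date (Unix seconds), or None if unset."""
    value = environ.get("SOURCE_DATE_EPOCH")
    return int(value) if value else None


def build_tarball(files, build_time, reference_date=None):
    """Pack files (a dict of path -> bytes) into .tar.gz bytes.

    build_time stands in for the wall clock of the build machine. With
    reference_date=None the archive is built naively: members in whatever
    order they were discovered, mtimes and gzip header taken from the clock.
    With reference_date set, every one of those inputs is pinned.
    """
    pinned = reference_date is not None
    names = sorted(files) if pinned else list(files)  # stable member order
    stamp = reference_date if pinned else build_time  # mtime of each member

    raw = io.BytesIO()
    # The tar format is fixed explicitly so the bytes do not depend on defaults.
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = stamp
            info.mode = 0o644  # a build reading from disk must normalize this too
            tar.addfile(info, io.BytesIO(files[name]))

    out = io.BytesIO()
    # The gzip header has its own 4-byte mtime field; 0 means "no timestamp".
    with gzip.GzipFile(filename="", fileobj=out, mode="wb",
                       mtime=0 if pinned else build_time) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample input: the same two files, discovered in a different
# order by two builds that ran at different times.
FILES_RUN_1 = {
    "usr/share/doc/demo/index.html": b"<html>demo documentation</html>\n",
    "usr/bin/demo": b"#!/bin/sh\necho demo\n",
}
FILES_RUN_2 = dict(reversed(list(FILES_RUN_1.items())))
CHANGELOG_DATE = 1434931200  # constructed: 2015-06-22 00:00:00 UTC

if __name__ == "__main__":
    naive_1 = build_tarball(FILES_RUN_1, build_time=1435000000)
    naive_2 = build_tarball(FILES_RUN_2, build_time=1435003600)
    print("naive builds identical: ", sha256(naive_1) == sha256(naive_2))

    ref = reference_date_from_env() or CHANGELOG_DATE
    fixed_1 = build_tarball(FILES_RUN_1, 1435000000, reference_date=ref)
    fixed_2 = build_tarball(FILES_RUN_2, 1435003600, reference_date=ref)
    print("pinned builds identical:", sha256(fixed_1) == sha256(fixed_2))
```

Comparing the two pinned digests is the same check a rebuilder performs: any remaining difference points at an input that has not been pinned yet.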
## Russell Coker

### BTRFS Status June 2015

The version of btrfs-tools in Debian/Jessie is incapable of creating a filesystem that can be mounted by the kernel in Debian/Wheezy. If you want to use a BTRFS filesystem on Jessie and Wheezy (which isn’t uncommon with removable devices) the only options are to use the Wheezy version of mkfs.btrfs or to use a Jessie kernel on Wheezy. I recently got bitten by this issue when I created a BTRFS filesystem on a removable device with a lot of important data (which is why I wanted metadata duplication and checksums) and had to read it on a server running Wheezy. Fortunately KVM in Wheezy works really well so I created a virtual machine to read the disk. Setting up a new KVM isn’t that difficult, but it’s not something I want to do while a client is anxiously waiting for their data.

BTRFS has been working well for me apart from the Jessie/Wheezy compatibility issue (which was an annoyance but didn’t stop me doing what I wanted). I haven’t written a BTRFS status report for a while because everything has been OK and there has been nothing exciting to report.

I regularly get errors from the cron jobs that run a balance supposedly running out of free space. I have the cron jobs due to past problems with BTRFS running out of metadata space. In spite of the jobs often failing the systems keep working so I’m not too worried at the moment. I think this is a bug, but there are many more important bugs.

Linux kernel version 3.19 was the first version to have working support for RAID-5 recovery. This means version 3.19 was the first version to have usable RAID-5 (I think there is no point even having RAID-5 without recovery). It wouldn’t be prudent to trust your important data to a new feature in a filesystem. So at this stage if I needed a very large scratch space then BTRFS RAID-5 might be a viable option but for anything else I wouldn’t use it. BTRFS still has had little performance optimisation, while this doesn’t matter much for SSD and for single-disk filesystems for a RAID-5 of hard drives that would probably hurt a lot. Maybe BTRFS RAID-5 would be good for a scratch array of SSDs. The reports of problems with RAID-5 don’t surprise me at all.

I have a BTRFS RAID-1 filesystem on 2*4TB disks which is giving poor performance on metadata, simple operations like “ls -l” on a directory with ~200 subdirectories takes many seconds to run. I suspect that part of the problem is due to the filesystem being written by cron jobs with files accumulating over more than a year. The “btrfs filesystem” command (see btrfs-filesystem(8)) allows defragmenting files and directory trees, but unfortunately it doesn’t support recursively defragmenting directories but not files. I really wish there was a way to get BTRFS to put all metadata on SSD and all data on hard drives. Sander suggested the following command to defragment directories on the BTRFS mailing list:

```
find / -xdev -type d -execdir btrfs filesystem defrag -c {} +
```

Below is the output of “zfs list -t snapshot” on a server I run, it’s often handy to know how much space is used by snapshots, but unfortunately BTRFS has no support for this.

```
NAME                        USED   AVAIL  REFER  MOUNTPOINT
hetz0/be0-mail@2015-03-10   2.88G  -      387G   -
hetz0/be0-mail@2015-03-11   1.12G  -      388G   -
hetz0/be0-mail@2015-03-12   1.11G  -      388G   -
hetz0/be0-mail@2015-03-13   1.19G  -      388G   -
```

Hugo pointed out on the BTRFS mailing list that the following command will give the amount of space used for snapshots. `$SNAPSHOT` is the name of a snapshot and `$LASTGEN` is the generation number of the previous snapshot you want to compare with.

```
btrfs subvolume find-new $SNAPSHOT $LASTGEN | awk '{total = total + $7}END{print total}'
```

One upside of the BTRFS implementation in this regard is that the above btrfs command without being piped through awk shows you the names of files that are being written and the amounts of data written to them. Through casually examining this output I discovered that the most written files in my home directory were under the “.cache” directory (which wasn’t exactly a surprise).

Now I am configuring workstations with a separate subvolume for ~/.cache for the main user. This means that ~/.cache changes don’t get stored in the hourly snapshots and less disk space is used for snapshots.

### Conclusion

My observation is that things are going quite well with BTRFS. It’s more than 6 months since I had a noteworthy problem which is pretty good for a filesystem that’s still under active development. But there are still many systems I run which could benefit from the data integrity features of ZFS and BTRFS that don’t have the resources to run ZFS and need more reliability than I can expect from an unattended BTRFS system.

At this time the only servers I run with BTRFS are located within a reasonable drive from my home (not the servers in Germany and the US) and are easily accessible (not the embedded systems). ZFS is working well for some of the servers in Germany. Eventually I’ll probably run ZFS on all the hosted servers in Germany and the US, I expect that will happen before I’m comfortable running BTRFS on such systems. For the embedded systems I will just take the risk of data loss/corruption for the next few years.

20 June, 2015 04:47AM by etbe

## Norbert Preining

### Localizing a WordPress Blog

There are many translation plugins available for WordPress, and most of them deal with translations of articles. This might be of interest for others, but not for me. If you have a blog with visitors from various language backgrounds, because you are living abroad, or writing in several languages, you might feel tempted to provide visitors with a localized “environment”, meaning that as much as possible is translated into the native language of the visitor, without actually translating content – but allowing for it.

In my case I am writing mostly in English and Japanese, but sometimes (in former times) in Italian and now and then in my mother tongue, German. Visitors to my site are from all over the world, but at least for Japanese visitors I wanted to provide a localized environment. This blog post describes how to get as much as possible of your blog translated, and here I mean not the actual articles, because this is the easy part and most translation plugins handle that fine, but the things around the articles (categories, tags, headers, …).

## Starting point and aims

My starting point was a blog where I already had language added as extra taxonomy, and have tagged all articles with a language. But I didn’t have any other translation plugin installed or used. Furthermore, I am using a child theme of the main theme in use (that is always a good idea anyway!). And of course, the theme you are using should be prepared for translation, that is that most literal strings in the theme source code are wrapped in __( ... ) or _e( ... ) calls. And by the way, if you don’t have the language taxonomy, don’t worry, that will come in automatically.

One more thing: The following descriptions are not for the very beginner. I expect a certain fluency with WordPress, for example knowing where themes and plugins keep their files, and PHP programming experience is needed for some of the steps.

With this starting point my aims were quite clear:

• allow for translation of articles
• translate as much as possible of the surroundings
• auto-selection of language either depending on article or on browser language of visitor
• by default show all articles independent of selected language
• if possible, keep database clean as far as possible

## Translation plugins

There is a huge bunch of translation plugins, localization plugins, or internationalization plugins out there, and it is hard to select one. I don’t say that what I propose here is the optimal solution, just one that I was pointed at by a colleague, namely utilizing the xili-language plugin.

## Installation and initial setup

Not much to say here, just follow the usual procedure (search, install, activate), followed by the initial setup of xili-language. If you haven’t had a language taxonomy by now, you can add languages from the preference page of xili-language, first tab. After having added some languages you should have something similar to the above screen shot. Having defined your languages, you can assign a language to your articles, but for now nothing has actually changed on the blog pages.

As I already mentioned, I assume that you are using a child theme. In this case you should consult the fourth tab of the xili-language settings page, called Managing language files, where on the right you should see / set up things in a way that translations in the child theme override the ones in the main theme, see screen shot on the right. I just mention here that there is another xili plugin, xili-dictionary, that can do a lot of things for you when it comes to translation – but I couldn’t figure out its operation mode, so I switched back (i.e., uninstalled that plugin) and used normal .po/.mo files as described in the next section.

## Adding translations – po and mo files

Translations are handled in normal (at least for the Unix world) gettext format. Matthias wrote about this in this blog. In principle you have to:

• create a directory languages in your child theme folder
• create there a .po file named local-LL.po or local-LL_DD.po, where LL and LL_DD are the same as the values in the field ISO Names in the list of defined languages (see above)
• convert the .po files to .mo files using
msgfmt local-LL.po -o local-LL.mo

The contents of the po files are described in Matthias’ blog, and in the following when I say add a translation, then I mean: adding a stanza

msgid "some string"
msgstr "translation of some string"

to the po file, and not forgetting to recompile it to a mo file.

So let us go through a list of changes I made to translate various pieces of the blog appearance:

## Translation of categories

This is the easiest part, simply throw the names of your categories into the respective local-LL_DD.po file, and you are done. In my case I used local-ja.po which besides other categories contains stanzas like:

msgid "Travel"
msgstr "旅行"

## Translation of widget titles

In most cases the widget titles are already automatically translated, if the plugin/widget author cared for it, meaning that he called the widget_title filter on the title. If this does not happen, please report this to the widget/plugin author. I have done this for example for the simple links plugin, which I use for various elements of the side-bar. The author was extremely responsive and the fix is already in the latest release – big thanks!

## Translation of tags

This is a bit of a problem, as the tags appear in various places on my blog: next to the title line and the footer of each blog, as well as in the tag cloud in the side bar.

Furthermore, I want to translate tags instead of having related tag groups as provided by xili tidy tags plugin, so we have to deal with the various appearances of tags one by one:

### Tags on the main page – shown by the theme

This is the easier part – in my case I had already a customized content.php and content-single.php in my child theme folder. If not, you need to copy the one from the parent theme and change the appearance of it to translate tags. Since this is something that depends on the specific theme, I cannot give detailed advice, but if you see something like:

$tags_list = get_the_tag_list( '', __( ', ', 'mistylake' ) );

(here the get_the_tag_list is the important part), then you can replace this by the following code:

// Build the same variable that the original get_the_tag_list() line assigned.
$posttags = get_the_tags();
$first = 1;
$tags_list = '';
if ($posttags) {
  foreach ($posttags as $tag) {
    if ($first == 1) {
      $first = 0;
    } else {
      // Separator between tags, translated like in the parent theme.
      $tags_list = $tags_list . __( ', ', 'mistylake' );
    }
    // Translate the tag name and escape it before it goes into the HTML.
    $tags_list = $tags_list . '<a href="' . esc_url( home_url( '/tag/' . $tag->slug ) ) . '">' . esc_html( __( $tag->name, 'mistylake' ) ) . '</a>';
  }
}

(there are for sure simpler ways …) This code loops over the tags and translates them using the __ function. Note that the second parameter must be the text domain of the parent theme.

If you have done this right and the web site is still running (I recommend testing it on a test installation – I had white pages many times due to PHP programming errors), and of course you have actual translations available and are looking at a localized version of the web site, then the list of tags as shown by your theme should be translated.

### Tag cloud widget

This one is a tricky one: The tag cloud widget comes by default with WordPress, but doesn’t translate the tags. I tried a few variants (e.g. creating a new widget as extension of the original tag cloud widget, and only changing the respective functions), but that didn’t work out at all. I finally resorted to a trick: Reading the code of the original widget, I saw that it applies the tag_cloud_sort filter on the array of tags. That allows us to hook into the tag cloud creation and translate the tags. You have to add the following code to your child theme’s functions.php:

// Hooked on the tag cloud's sort filter, but used to translate the tag names.
function translate_instead_of_sort($tags) {
  foreach ( (array) $tags as $tag ) {
    $tag->name = __( $tag->name, 'mistylake' );
  }
  return $tags;
}
// tag_cloud_sort is a filter, so register the callback with add_filter.
add_filter('tag_cloud_sort', 'translate_instead_of_sort');

(again, don’t forget to change the text domain in the __(.., ..) call!)
There might be some more things one could do, like changing the priority to be used after the sorting, or sort directly, but I haven’t played around with that. Using the above code and translating several of the tags, the tag cloud now looks like the screenshot on the right – I know, it could use some tweaking. Also, now the untranslated tags are sorted all before the translated ones, something one can probably address with the priority of the filter.

Having done the above things, my blog page when Japanese is selected is now mostly in Japanese, with of course the exception of the actual articles, which are in a variety of languages.

## Open problems

There are a few things I haven’t managed till now to translate, and they are mostly related to the Jetpack plugin, but not only:

• translation of the calendar – it is strange that although this is a standard widget of WordPress, the translation somehow does not work out there
• translation of the meta text entries (Log in, RSS feed, …) – interestingly, even adding the translation of these strings did not help get them translated
• translation of simple links text fields – here I haven’t invested by now
• translation of (Jetpack) subscribe to this blog widget

I have a few ideas how to tackle this problem: With Jetpack the biggest problem seems that all the strings are translated in a different text domain. So one should be able to add some code to the functions.php to override/add translations to the jetpack text domain. But somehow it didn’t work out in my case. The same goes for things that are in the WordPress core and use the translation functions without a text domain – so I guess the translation function will use the main WordPress translation files/text domain.

## Conclusion

The good thing of the xili-language plugin is that it does not change the actual posts (some plugins save the translations in the post text), and is otherwise not too intrusive IMHO.
Still, it falls short of allowing to translate various parts of the blog, including the widget areas. I am not sure whether there are better plugins for this usage scenario, I would be surprised if not, but all the plugins I have seen were doing a bit too much on the article translation side and not enough on the translation of the surroundings side.

In any case, I would like to see more separation between the functionality of localization (translating the interface) and translation (translating the content). But at the moment I don’t have enough impetus to write my own plugin for this.

If you have any suggestions for improvement, please let me know!

Enjoy.

20 June, 2015 12:09AM by Norbert Preining

# June 18, 2015

## Bálint Réczey

### Debian is preparing the transition to FFmpeg!

Ending an era of shipping Libav as default, the Debian Multimedia Team is working out the last details of switching to FFmpeg. If you would like to read more about the reasons please read the rationale behind the change on the dedicated wiki page.

If you feel like it, you are welcome to test the new ffmpeg packages or join the discussion starting here. (Warning, the thread is loooong!)
18 June, 2015 11:56AM by Réczey Bálint

# June 17, 2015

## Norbert Preining

### Gaming: Portal

Ok, I have to admit, I sometimes do game – and recently I finished Portal. Quite old (released in 2007), but still lots of fun. I started playing it about one year ago, off and on, until I recently finished the last level. Took me about 1 year of playing to finish the actual playing time of about 10h – I guess you can see how much an addict I am

I have never been a gamer, and I think there are only three sets of games I played for extended periods of time:

plus one more game, which got me hooked somehow:

Hard-core board gamer that I am (I prefer playing real games with people, without a computer), I loved the Myst series for its crazy riddles, where solving them often needs a combination of logical thinking, recognizing patterns in images and sounds, and piecing together long lists of hints. This is something a normal board game cannot provide.

From the Descent series I loved the complete freedom of movement. Normal first-person shooters are just like humans running around, a bit of jumping and crouching, but Descent gives you 6D freedom – which led to some people getting sick while watching me playing.
From the Civilization series I don’t know what I liked particularly, but it got you involved and allowed you to play long rounds.

After these sins of youth, I hadn’t played for a long long time, until a happy coincidence (of being a Debian Developer) brought Steam onto my (Linux) machine together with a bunch of games I received for free. One of the games was Portal.

Portal is in the style of the Myst games – one can place dual portals in various places, and by entering one of the portals, one leaves through the other. Using this one has to manage to solve loads of puzzles, evade being shot, dissolved in acid, crashed to death, etc etc, with the only aim to leave the underground station. Besides shooting these portals there are some cubes that one can carry around and use for a variety of purposes, like putting them onto buttons, using them as stairs, protecting yourself from being shot, etc. But that’s already all the tools one has. Despite this, the levels pose increasingly difficult problems, and one is surprised what strange things one can achieve with these limited abilities – and no, one cannot buy new power-ups, it’s not WoW. Logical thinking, tactics, and a certain level of reaction suffice.

While not as philosophical as Myst, it was still a lot of fun. The only thing I am a bit unclear about is where to go from here. There are two possible successors: The logical one would be Portal 2. But I recently found a game that reminded me even more of the Myst series, combined with Portal: The Talos Principle, with stunning graphics:

And filled with riddles again, maybe not as involved as in the Myst series (I don’t know by now), but still a bit more challenging than Portal’s ones:

Difficult decision. If you have any other suggestions, please let me know!
17 June, 2015 10:54PM by Norbert Preining

## DebConf team

### Striving for more diversity at DebConf15 (Posted by DebConf Team)

DebConf is not just for Debian Developers, we welcome all members of our community active in different areas, like translation, documentation, artwork, testing, specialized derivatives, and many other ways that help make Debian better.

In fact, we would like to open DebConf to an even broader audience, and we strongly believe that more diversity at DebConf and in the Debian community will significantly help us towards our goal of becoming the Universal Operating System.

The DebConf team is proud to announce that we have started designing a specific diversity sponsorship programme to attract people to DebConf that would otherwise not consider attending our conference or not be able to join us.

In order to apply for this special sponsorship, please write an email to outreach@debian.org, before July 6th, about your interest in Debian and your sponsorship needs (accommodation, travel). Please include a sentence or two about why you are applying for a Diversity Sponsorship. You can also nominate people you think should be considered for this sponsorship programme.
Please feel free to send this announcement on to groups or individuals that could be interested in this sponsorship programme.

And we’re also looking forward to your feedback. We’re just getting started and you can help shape these efforts.

17 June, 2015 10:09AM by DebConf Organizers

# June 16, 2015

## C.J. Adams-Collier

### Trip Report: UW signing-party

Dear Debian Users,

I met last night with a friend from many years ago and a number of students of cryptography. I was disappointed to see the prevalence of black hat, anti-government hackers at the event. I was hoping that civilized humanity had come to agree that using cryptography for deception, harm to others and plausible deniability is bad, m’kay? When one speaks of the government as “they,” nobody’s going to get anywhere really quick. Let’s take responsibility for the upkeep of the environment in which we find ourselves, please.

Despite what I perceived as a negative focus of the presentation, it was good to meet with peers in the Seattle area. I was very pleasantly surprised to find that better than half of the attendees were not male, that many of the socioeconomic classes of the city were represented, as were those of various ethnic backgrounds. I am really quite proud of the progress of our State University, even if I’m not always in agreement with the content that they’re polluting our kids’ brains with.
I guess I should roll up my sleeves and get busy, eh?

V/R,

C.J.

16 June, 2015 11:28PM by C.J. Adams-Collier

## Julien Danjou

### Timezones and Python

Recently, I've been fighting with the never ending issue of timezones. I never thought I would have plunged into this rabbit hole, but hacking on OpenStack and Gnocchi I fell into that trap easily, thanks to Python.

## “Why you really, really, should never ever deal with timezones”

To get a glimpse of the complexity of timezones, I recommend that you watch Tom Scott's video on the subject. It's fun and it summarizes remarkably well the nightmare that timezones are and why you should stop thinking that you're smart.

## The importance of timezones in applications

Once you've heard what Tom says, I think it gets pretty clear that a timestamp without any timezone attached does not give any useful information. It should be considered irrelevant and useless. Without the necessary context given by the timezone, you cannot infer what point in time your application is really referring to.

That means your application should never handle timestamps with no timezone information. It should try to guess or raise an error if no timezone is provided in any input.

Of course, you can infer that having no timezone information means UTC.
This sounds very handy, but can also be dangerous in certain applications or languages – such as Python, as we'll see.

Indeed, in certain applications, converting timestamps to UTC and losing the timezone information is a terrible idea. Imagine that a user creates a recurring event every Wednesday at 10:00 in their local timezone, say CET. If you convert that to UTC, the event will end up being stored as every Wednesday at 09:00.

Now imagine that the CET timezone switches from UTC+01:00 to UTC+02:00: your application will compute that the event starts at 11:00 CET every Wednesday. Which is wrong, because as the user told you, the event starts at 10:00 CET, whatever the definition of CET is. Not at 11:00 CET. So CET means CET, not necessarily UTC+1.

As for endpoints like REST APIs, a thing I deal with daily, all timestamps should include timezone information. It's nearly impossible to know what timezone the timestamps are in otherwise: UTC? Server local? User local? No way to know.

## Python design & defect

Python comes with a timestamp object named datetime.datetime. It can store date and time precise to the microsecond, and is qualified as timezone "aware" or "unaware", depending on whether it embeds timezone information or not.

To build such an object based on the current time, one can use datetime.datetime.utcnow() to retrieve the date and time for the UTC timezone, and datetime.datetime.now() to retrieve the date and time for the current timezone, whatever it is.

>>> import datetime
>>> datetime.datetime.utcnow()
datetime.datetime(2015, 6, 15, 13, 24, 48, 27631)
>>> datetime.datetime.now()
datetime.datetime(2015, 6, 15, 15, 24, 52, 276161)

As you can notice, none of these results contains timezone information. Indeed, the Python datetime API always returns unaware datetime objects, which is very unfortunate. As soon as you get one of these objects, there is no way to know what the timezone is, therefore these objects are pretty "useless" on their own.
Armin Ronacher proposes that an application always treat the unaware datetime objects from Python as UTC. As we just saw, that statement cannot be considered true for objects returned by datetime.datetime.now(), so I would not advise doing so. datetime objects with no timezone should be considered as a "bug" in the application.

## Recommendations

My recommendation list comes down to:

1. Always use aware datetime objects, i.e. with timezone information. That makes sure you can compare them directly (aware and unaware datetime objects are not comparable) and will return them correctly to users. Leverage pytz to have timezone objects.
2. Use ISO 8601 as input and output string format. Use datetime.datetime.isoformat() to return timestamps as strings formatted using that format, which includes the timezone information.

In Python, that's equivalent to having:

>>> import datetime
>>> import pytz
>>> def utcnow():
...     return datetime.datetime.now(tz=pytz.utc)
...
>>> utcnow()
datetime.datetime(2015, 6, 15, 14, 45, 19, 182703, tzinfo=<UTC>)
>>> utcnow().isoformat()
'2015-06-15T14:45:21.982600+00:00'

If you need to parse strings containing ISO 8601 formatted timestamps, you can rely on the iso8601 module, which returns timestamps with correct timezone information. This makes timestamps directly comparable:

>>> import iso8601
>>> iso8601.parse_date(utcnow().isoformat())
datetime.datetime(2015, 6, 15, 14, 46, 43, 945813, tzinfo=<FixedOffset '+00:00' datetime.timedelta(0)>)
>>> iso8601.parse_date(utcnow().isoformat()) < utcnow()
True

If you need to store those timestamps, the same rule should apply. If you rely on MongoDB, it assumes that all the timestamps are in UTC, so be careful when storing them – you will have to normalize the timestamp to UTC.

For MySQL, nothing is assumed, it's up to the application to insert them in a timezone that makes sense to it.
Obviously, if you have multiple applications accessing the same database with different data sources, this can end up being a nightmare.

PostgreSQL has a special data type that is recommended called timestamp with timezone, and which can store the timezone associated, and do all the computation for you. That's the recommended way to store them obviously. That does not mean you should not use UTC in most cases; that just means you are sure that the timestamps are stored in UTC since it's written in the database, and you can check if any other application inserted timestamps with a different timezone.

## OpenStack status

As a side note, I've improved the OpenStack situation recently by changing the oslo.utils.timeutils module to deprecate some useless and dangerous functions. I've also added support for returning timezone aware objects when using the oslo_utils.timeutils.utcnow() function. It's not possible to make it a default unfortunately for backward compatibility reasons, but it's there nevertheless, and it's advised to use it. Thanks to my colleague Victor for the help!

Have a nice day, whatever your timezone is!
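The recurring Wednesday 10:00 CET event and the "reject unaware input" rule from the post, worked through as an added example (not code from the original post). The `CentralEurope` class is a constructed fixed-rule stand-in for a pytz timezone so that the block needs only the standard library; all function names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone, tzinfo

HOUR = timedelta(hours=1)


def last_sunday(year, month):
    """Midnight of the last Sunday of a 31-day month (March, October)."""
    day = datetime(year, month, 31)
    return day - timedelta(days=(day.weekday() + 1) % 7)


class CentralEurope(tzinfo):
    """CET/CEST under the current EU rule (constructed stand-in for pytz)."""

    def dst(self, dt):
        naive = dt.replace(tzinfo=None)
        start = last_sunday(naive.year, 3) + 2 * HOUR   # 02:00 CET -> 03:00 CEST
        end = last_sunday(naive.year, 10) + 3 * HOUR    # 03:00 CEST -> 02:00 CET
        if not start <= naive < end:
            return timedelta(0)
        # 02:00-03:00 on the last day occurs twice; fold=1 marks the CET pass.
        if naive >= end - HOUR and dt.fold:
            return timedelta(0)
        return HOUR

    def utcoffset(self, dt):
        return HOUR + self.dst(dt)

    def tzname(self, dt):
        return "CEST" if self.dst(dt) else "CET"

    def fromutc(self, dt):
        # dt carries UTC wall-clock values; both EU switches happen at 01:00 UTC.
        utc = dt.replace(tzinfo=None)
        start = last_sunday(utc.year, 3) + HOUR
        end = last_sunday(utc.year, 10) + HOUR
        if start <= utc < end:
            return dt + 2 * HOUR
        local = dt + HOUR
        return local.replace(fold=1) if end <= utc < end + HOUR else local


CET = CentralEurope()


def require_aware(dt):
    """Reject unaware timestamps at the boundary instead of guessing a zone."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("naive datetime: timezone information is required")
    return dt


def occurrences_from_utc(first_local, count):
    """The mistake: convert once to UTC, repeat weekly in UTC, convert back."""
    first_utc = require_aware(first_local).astimezone(timezone.utc)
    return [(first_utc + timedelta(weeks=i)).astimezone(first_local.tzinfo)
            for i in range(count)]


def occurrences_from_local(first_local, count):
    """Keep wall-clock time and zone together; the UTC offset follows the zone."""
    return [require_aware(first_local) + timedelta(weeks=i) for i in range(count)]


if __name__ == "__main__":
    # Wednesday 25 March 2015; the EU switched to summer time on 29 March 2015.
    first = datetime(2015, 3, 25, 10, 0, tzinfo=CET)
    for label, events in (("stored as UTC ", occurrences_from_utc(first, 3)),
                          ("stored with tz", occurrences_from_local(first, 3))):
        print(label, [e.isoformat() for e in events])
```

Run directly, the first list drifts to 11:00+02:00 after the switch while the second stays at 10:00 local time with the offset changing from +01:00 to +02:00.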
16 June, 2015 05:39PM by Julien Danjou

## Simon Josefsson

### SSH Host Certificates with YubiKey NEO

If you manage a bunch of server machines, you will undoubtedly have run into the following OpenSSH question:

The authenticity of host 'host.example.org (1.2.3.4)' can't be established.
RSA key fingerprint is 1b:9b:b8:5e:74:b1:31:19:35:48:48:ba:7d:d0:01:f5.
Are you sure you want to continue connecting (yes/no)?

If the server is a single-user machine, where you are the only person expected to login on it, answering “yes” once and then using the ~/.ssh/known_hosts file to record the key fingerprint will (sort-of) work and protect you against future man-in-the-middle attacks. I say sort-of, since if you want to access the server from multiple machines, you will need to sync the known_hosts file somehow. And once your organization grows larger, and you aren’t the only person that needs to login, having a policy that everyone just answers “yes” on first connection on all their machines is bad. The risk that someone is able to successfully MITM attack you grows every time someone types “yes” to these prompts.
Setting up one (or more) SSH Certificate Authority (CA) to create SSH Host Certificates, and have your users trust this CA, will allow you and your users to automatically trust the fingerprint of the host through the indirection of the SSH Host CA. I was surprised (but probably shouldn’t have been) to find that deploying this is straightforward. Even setting this up with hardware-backed keys, stored on a YubiKey NEO, is easy.

Below I will explain how to set this up for a hypothetical organization where two persons (sysadmins) are responsible for installing and configuring machines.

I’m going to assume that you already have a couple of hosts up and running and that they run the OpenSSH daemon, so they have a /etc/ssh/ssh_host_rsa_key* public/private keypair, and that you have one YubiKey NEO with the PIV applet and that the NEO is in CCID mode. I don’t believe it matters, but I’m running a combination of Debian and Ubuntu machines. The Yubico PIV tool is used to configure the YubiKey NEO, and I will be using OpenSC’s PKCS#11 library to connect OpenSSH with the YubiKey NEO. Let’s install some tools:

apt-get install yubikey-personalization yubico-piv-tool opensc-pkcs11 pcscd

Every person responsible for signing SSH Host Certificates in your organization needs a YubiKey NEO. For my example, there will only be two persons, but the number could be larger. Each one of them will have to go through the following process.

The first step is to prepare the NEO. First mode switch it to CCID using some device configuration tool, like yubikey-personalization.

ykpersonalize -m1

Then prepare the PIV applet in the YubiKey NEO. This is covered by the YubiKey NEO PIV Introduction but I’ll reproduce the commands below. Do this on a disconnected machine, saving all files generated on one or more secure media and store that in a safe.
user=simon
# Random management key (24 bytes as hex), PIN (6 digits) and PUK (8 digits)
key=$(dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"')
echo $key > ssh-$user-key.txt
pin=$(dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-6)
echo $pin > ssh-$user-pin.txt
puk=$(dd if=/dev/random bs=1 count=6 2>/dev/null | hexdump -v -e '/1 "%u"'|cut -c1-8)
echo $puk > ssh-$user-puk.txt

# Replace the default management key, PIN (123456) and PUK (12345678)
yubico-piv-tool -a set-mgm-key -n $key
yubico-piv-tool -k $key -a change-pin -P 123456 -N $pin
yubico-piv-tool -k $key -a change-puk -P 12345678 -N $puk


Then generate an RSA private key for the SSH Host CA, and generate a dummy X.509 certificate for that key. The only use for the X.509 certificate is to make PIV/PKCS#11 happy — they want to be able to extract the public-key from the smartcard, and do that through the X.509 certificate.

openssl genrsa -out ssh-$user-ca-key.pem 2048
openssl req -new -x509 -batch -key ssh-$user-ca-key.pem -out ssh-$user-ca-crt.pem

You import the key and certificate to the PIV applet as follows:

yubico-piv-tool -k $key -a import-key -s 9c < ssh-$user-ca-key.pem
yubico-piv-tool -k $key -a import-certificate -s 9c < ssh-$user-ca-crt.pem

You now have a SSH Host CA ready to go! The first thing you want to do is to extract the public-key for the CA, and you use OpenSSH's ssh-keygen for this, specifying OpenSC's PKCS#11 module.

ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e > ssh-$user-ca-key.pub


If you happen to use YubiKey NEO with OpenPGP using gpg-agent/scdaemon, you may get the following error message:

no slots
cannot read public key from pkcs11


The reason is that scdaemon exclusively locks the smartcard, so no other application can access it. You need to kill scdaemon, which can be done as follows:

gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye


The output from ssh-keygen may look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp+gbwBHova/OnWMj99A6HbeMAGE7eP3S9lKm4/fk86Qd9bzzNNz2TKHM7V1IMEj0GxeiagDC9FMVIcbg5OaSDkuT0wGzLAJWgY2Fn3AksgA6cjA3fYQCKw0Kq4/ySFX+Zb+A8zhJgCkMWT0ZB0ZEWi4zFbG4D/q6IvCAZBtdRKkj8nJtT5l3D3TGPXCWa2A2pptGVDgs+0FYbHX0ynD0KfB4PmtR4fVQyGJjJ0MbF7fXFzQVcWiBtui8WR/Np9tvYLUJHkAXY/FjLOZf9ye0jLgP1yE10+ihe7BCxkM79GU9BsyRgRt3oArawUuU6tLgkaMN8kZPKAdq0wxNauFtH


Now all the users in your organization need to add a line to their ~/.ssh/known_hosts as follows:

@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCp+gbwBHova/OnWMj99A6HbeMAGE7eP3S9lKm4/fk86Qd9bzzNNz2TKHM7V1IMEj0GxeiagDC9FMVIcbg5OaSDkuT0wGzLAJWgY2Fn3AksgA6cjA3fYQCKw0Kq4/ySFX+Zb+A8zhJgCkMWT0ZB0ZEWi4zFbG4D/q6IvCAZBtdRKkj8nJtT5l3D3TGPXCWa2A2pptGVDgs+0FYbHX0ynD0KfB4PmtR4fVQyGJjJ0MbF7fXFzQVcWiBtui8WR/Np9tvYLUJHkAXY/FjLOZf9ye0jLgP1yE10+ihe7BCxkM79GU9BsyRgRt3oArawUuU6tLgkaMN8kZPKAdq0wxNauFtH


Each sysadmin needs to go through this process, and each user needs to add one line for each sysadmin. While you could put the same key/certificate on multiple YubiKey NEOs, to allow users to only have to put one line into their file, dealing with revocation becomes a bit more complicated if you do that. If you have multiple CA keys in use at the same time, you can roll over to new CA keys without disturbing production. Users may also have different policies for different machines, so that not all sysadmins have the power to create host keys for all machines in your organization.

The CA setup is now complete, however it isn't doing anything on its own. We need to sign some host keys using the CA, and to configure the hosts' sshd to use them. What you could do is something like this, for every host host.example.com that you want to create keys for:

h=host.example.com
scp root@$h:/etc/ssh/ssh_host_rsa_key.pub .
gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -s ssh-$user-ca-key.pub -I $h -h -n $h -V +52w ssh_host_rsa_key.pub
scp ssh_host_rsa_key-cert.pub root@$h:/etc/ssh/

The ssh-keygen command will use OpenSC's PKCS#11 library to talk to the PIV applet on the NEO, and it will prompt you for the PIN. Enter the PIN that you set above. The output of the command would be something like this:

Enter PIN for 'PIV_II (PIV Card Holder pin)':
Signed host key ssh_host_rsa_key-cert.pub: id "host.example.com" serial 0 for host.example.com valid from 2015-06-16T13:39:00 to 2016-06-14T13:40:58

The host now has a SSH Host Certificate installed. To use it, you must make sure that /etc/ssh/sshd_config has the following line:

HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub

You need to restart sshd to apply the configuration change. If you now try to connect to the host, you will likely still use the known_hosts fingerprint approach. So remove the fingerprint from your machine:

ssh-keygen -R $h


Now if you attempt to ssh to the host using the -v parameter, you will see the following:

debug1: Server host key: RSA-CERT 1b:9b:b8:5e:74:b1:31:19:35:48:48:ba:7d:d0:01:f5
debug1: Host 'host.example.com' is known and matches the RSA-CERT host certificate.


Success!

One aspect that may warrant further discussion is the host keys. Here I only created host certificates for the hosts' RSA key. You could create host certificates for the DSA, ECDSA and Ed25519 keys as well. The reason I did not do that was that in this organization, we all used GnuPG's gpg-agent/scdaemon with YubiKey NEO's OpenPGP Card Applet with RSA keys for user authentication. So only the host RSA key is relevant.

Revocation of a YubiKey NEO key is implemented by asking users to drop the corresponding line for one of the sysadmins, and regenerate the host certificate for the hosts that the sysadmin had created host certificates for. This is one reason users should have at least two CAs for your organization that they trust for signing host certificates, so they can migrate away from one of them to the other without interrupting operations.
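A pre-deployment check for the certificates produced above, as an added example that is not part of the original post: it parses an ssh-rsa-cert-v01@openssh.com blob (field order per OpenSSH's PROTOCOL.certkeys) and compares it with the @cert-authority line users are asked to install. The sample key material, timestamps and all function names are constructed for illustration, and the check does not verify the CA signature, which ssh itself does at connect time.

```python
import base64
import fnmatch
import struct
import time

CERT_ALGO = "ssh-rsa-cert-v01@openssh.com"
CERT_TYPE_HOST = 2  # PROTOCOL.certkeys: 1 = user certificate, 2 = host certificate


def pack_string(data):
    """Encode bytes as an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated certificate blob")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated certificate blob")
    return buf[off + 4:end], end


def parse_rsa_cert(line):
    """Parse the single line of an ssh_host_rsa_key-cert.pub file into a dict."""
    algo, b64 = line.split()[:2]
    if algo != CERT_ALGO:
        raise ValueError("not an RSA certificate: " + algo)
    blob = base64.b64decode(b64)
    off = 0
    for _ in range(4):                    # skip: algorithm name, nonce, e, n
        _, off = read_string(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = read_string(blob, off)
    packed_principals, off = read_string(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    for _ in range(3):                    # skip: critical options, extensions, reserved
        _, off = read_string(blob, off)
    ca_key, off = read_string(blob, off)  # public key blob of the signing CA
    principals, pos = [], 0
    while pos < len(packed_principals):
        name, pos = read_string(packed_principals, pos)
        principals.append(name.decode())
    return {"serial": serial, "type": cert_type, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "ca_key": ca_key}


def check_host_cert(cert_line, known_hosts_line, host, now=None):
    """Return a list of problems; an empty list means the certificate passes."""
    marker, patterns, _ca_algo, ca_b64 = known_hosts_line.split()[:4]
    if marker != "@cert-authority":
        raise ValueError("expected an @cert-authority line")
    cert = parse_rsa_cert(cert_line)
    now = int(time.time()) if now is None else now
    problems = []
    if cert["type"] != CERT_TYPE_HOST:
        problems.append("not a host certificate (was -h passed to ssh-keygen?)")
    if host not in cert["principals"]:
        problems.append("host missing from the principal list (-n)")
    # Simplification: plain wildcards only, no negated or hashed known_hosts entries.
    if not any(fnmatch.fnmatchcase(host, p) for p in patterns.split(",")):
        problems.append("host not covered by the @cert-authority pattern")
    if cert["ca_key"] != base64.b64decode(ca_b64):
        problems.append("signing CA differs from the @cert-authority key")
    if not cert["valid_after"] <= now < cert["valid_before"]:
        problems.append("outside the validity window (-V)")
    return problems


# Constructed sample data (not from the article): a filler CA key blob, the matching
# known_hosts line, and a builder for unsigned certificates in the same wire layout.
SAMPLE_CA_BLOB = (pack_string(b"ssh-rsa") + pack_string(b"\x01\x00\x01")
                  + pack_string(b"\x00" + b"\xa5" * 256))
SAMPLE_KNOWN_HOSTS = ("@cert-authority *.example.com ssh-rsa "
                      + base64.b64encode(SAMPLE_CA_BLOB).decode())
SAMPLE_VALID_AFTER = 1434412800                             # 2015-06-16T00:00:00Z
SAMPLE_VALID_BEFORE = SAMPLE_VALID_AFTER + 52 * 7 * 86400   # 52 weeks, like -V +52w


def build_sample_cert(ca_blob, principals, cert_type):
    """Build a constructed certificate line; the signature field is filler."""
    body = (pack_string(CERT_ALGO.encode()) + pack_string(b"\x00" * 32)
            + pack_string(b"\x01\x00\x01") + pack_string(b"\x00" + b"\xc3" * 256)
            + struct.pack(">QI", 0, cert_type)
            + pack_string(principals[0].encode())           # key id, like -I $h
            + pack_string(b"".join(pack_string(p.encode()) for p in principals))
            + struct.pack(">QQ", SAMPLE_VALID_AFTER, SAMPLE_VALID_BEFORE)
            + pack_string(b"") + pack_string(b"") + pack_string(b"")
            + pack_string(ca_blob) + pack_string(b"filler-signature"))
    return CERT_ALGO + " " + base64.b64encode(body).decode() + " constructed-sample"


if __name__ == "__main__":
    cert = build_sample_cert(SAMPLE_CA_BLOB, ["host.example.com"], CERT_TYPE_HOST)
    day_one = SAMPLE_VALID_AFTER + 86400
    print(check_host_cert(cert, SAMPLE_KNOWN_HOSTS, "host.example.com", day_one))
    print(check_host_cert(cert, SAMPLE_KNOWN_HOSTS, "host.example.com", SAMPLE_VALID_BEFORE))
```

To run it against a real certificate, pass the contents of ssh_host_rsa_key-cert.pub and the user's @cert-authority line to check_host_cert before copying the certificate to the host.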

16 June, 2015 12:05PM by simon

## Martin Pitt

### autopkgtest 3.14 “now twice as rebooty”

Almost every new autopkgtest release brings some small improvements, but 3.14 got some reboot related changes worth pointing out.

First of all, I simplified and unified the implementation of rebooting across all runners that support it (ssh, lxc, and qemu). If you use a custom setup script for adt-virt-ssh you might have to update it: Previously, the setup script needed to respond to a reboot function to trigger a reboot, wait for the testbed to go down, and come back up. This got split into issuing the actual reboot system command directly by adt-run itself on the testbed, and the “wait for go down and back up” part. The latter now has a sensible default implementation: it simply waits for the ssh port to become unavailable, and then waits for ssh to respond again; most testbeds should be fine with that. You only need to provide the new wait-reboot function in your ssh setup script if you need to do anything else (such as re-enabling ssh after reboot). Please consult the manpage and the updated SKELETON for details.

The ssh runner gained a new --reboot option to indicate that the remote testbed can be rebooted. This will automatically declare the reboot testbed capability and thus you can now run rebooting tests without having to use a setup script. This is very useful for running tests on real iron.

Finally, in testbeds which support rebooting your tests will now find a new /tmp/autopkgtest-reboot-prepare command. Like /tmp/autopkgtest-reboot it takes an arbitrary “marker”, saves the current state, restores it after reboot and re-starts your test with the marker; however, it will not trigger the actual reboot but expects the test to do that. This is useful if you want to test a piece of software which does a reboot as part of its operation, such as a system-image upgrade. Another use case is testing kernel crashes, kexec or another “nonstandard” way of rebooting the testbed. README.package-tests shows an example of what this looks like.

3.14 is now available in Debian unstable and Ubuntu wily. As usual, for older releases you can just grab the deb and install it, it works on all supported Debian and Ubuntu releases.

Enjoy, and let me know if you run into troubles or have questions!

16 June, 2015 04:30AM by pitti

# June 15, 2015

## Lunar

### Reproducible builds: week 7 in Stretch cycle

What happened in the reproducible builds effort this week:

## Presentations

On June 7th, Reiner Herrmann presented the project at the Gulaschprogrammiernacht 15 in Karlsruhe, Germany. Video and audio recordings in German are available, and so are the slides in English.

## Toolchain fixes

• Joachim Breitner uploaded ghc/7.8.4-9 which uses a hash of the command line instead of the pid when calculating a “random” directory name.
• Lunar uploaded mozilla-devscripts/0.42 which now properly sets the timezone. Patch by Reiner Herrmann.
• Dmitry Shachnev uploaded python-qt4/4.11.4+dfsg-1 which now outputs the list of imported modules in a stable order. The issue has been fixed upstream. Original patch by Reiner Herrmann.
• Norbert Preining uploaded tex-common/6.00 which tries to ensure reproducible builds in files generated by dh_installtex.
• Barry Warsaw uploaded wheel/0.24.0-2 which makes the output deterministic. Barry has submitted the fixes upstream based on patches by Reiner Herrmann.

Daniel Kahn Gillmor's report on help2man started a discussion with Brendan O'Dea and Ximin Luo about standardizing a common environment variable that would provide a replacement for an embedded build date. After various proposals and research by Ximin about date handling in several programming languages, the best solution seems to be to define SOURCE_DATE_EPOCH with a value suitable for gmtime(3).

Martin Borgert wondered if Sphinx could be changed in a way that would avoid having to tweak debian/rules in packages using it to produce HTML documentation.

Daniel Kahn Gillmor opened a new report about icont producing unreproducible binaries.

## Packages fixed

The following 32 packages became reproducible due to changes in their build dependencies: agda, alex, c2hs, clutter-1.0, colorediffs-extension, cpphs, darcs-monitor, dispmua, haskell-curl, haskell-glfw, haskell-glib, haskell-gluraw, haskell-glut, haskell-gnutls, haskell-gsasl, haskell-hfuse, haskell-hledger-interest, haskell-hslua, haskell-hsqml, haskell-hssyck, haskell-libxml-sax, haskell-openglraw, haskell-readline, haskell-terminfo, haskell-x11, jarjar-maven-plugin, kxml2, libcgi-struct-xs-perl, libobject-id-perl, maven-docck-plugin, parboiled, pegdown.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues but not all of them:

Patches submitted which did not make their way to the archive yet:

## reproducible.debian.net

A new variation to better notice when a package captures the environment has been introduced. (h01ger)

The test on Debian packages works by building the package twice in a short time frame. But sometimes, a mirror push can happen between the first and the second build, resulting in a package built in a different build environment. This situation is now properly detected and will run a third build automatically. (h01ger)

OpenWrt, the distribution specialized in embedded devices like small routers, is now being tested for reproducibility. The situation looks very good for their packages, which seem mostly affected by timestamps in the tarball. System images will require more work on debbindiff to be better understood. (h01ger)

## debbindiff development

Reiner Herrmann added support for decompiling Java .class files and .ipk package files (used by OpenWrt). This is now available in version 22 released on 2015-06-14.

## Documentation update

Stephen Kitt documented the new --insert-timestamp option, available since binutils-mingw-w64 version 6.2, which inserts a ready-made date in PE binaries built with mingw-w64.

## Package reviews

195 obsolete reviews have been removed, 65 added and 126 updated this week.

New identified issues:

## Misc.

Holger Levsen reported an issue with the locales-all package that Provides: locales but is actually missing some of the files provided by locales.

Coreboot upstream has been quick to react after the announcement of the tests set up the week before. Patrick Georgi has fixed all issues in a couple of days and all Coreboot images are now reproducible (without a payload). SeaBIOS is one of the most frequently used payloads on PC hardware and can now be made reproducible too.

Paul Kocialkowski wrote to the mailing list asking for help on getting U-Boot tested for reproducibility.

Lunar had a chat with maintainers of Open Build Service to better understand the difference between their system and what we are doing for Debian.

## Petter Reinholdtsen

### Graphing the Norwegian company ownership structure

It is a bit of work to figure out the ownership structure of companies in Norway. The information is publicly available, but one needs to recursively look up ownership for all owners to figure out the complete ownership graph of a given set of companies. To save me the work in the future, I wrote a script to do this automatically, outputting the ownership structure using the Graphviz/dotty format. The data source is web scraping from Proff, because I failed to find a useful source directly from the official keepers of the ownership data, Brønnøysundsregistrene.

To get an ownership graph for a set of companies, fetch the code from git and run it using the organisation number. I'm using the Norwegian newspaper Dagbladet as an example here, as its ownership structure is very simple:

% time ./bin/eierskap-dotty 958033540 > dagbladet.dot

real    0m2.841s
user    0m0.184s
sys     0m0.036s
%


The script accepts several organisation numbers on the command line, allowing a cluster of companies to be graphed in the same image. The resulting dot file for the example above looks like this. The edges are labeled with the ownership percentage, and the nodes use the organisation number as their name and the name as the label:

digraph ownership {
rankdir = LR;
"Aller Holding A/s" -> "910119877" [label="100%"]
"910119877" -> "998689015" [label="100%"]
"998689015" -> "958033540" [label="99%"]
"974530600" -> "958033540" [label="1%"]
"958033540" [label="AS DAGBLADET"]
"998689015" [label="Berner Media Holding AS"]
"974530600" [label="Dagbladets Stiftelse"]
"910119877" [label="Aller Media AS"]
}


To view the ownership graph, run "dotty dagbladet.dot" or convert it to a PNG using "dot -T png dagbladet.dot > dagbladet.png". The result can be seen below:

Note that I suspect the "Aller Holding A/S" entry to be incorrect data in the official ownership register, as that name is not registered in the official company register for Norway. The ownership register is sensitive to typos and there seems to be no strict checking of the ownership links.

Let me know if you improve the script or find better data sources. The code is licensed according to GPL 2 or newer.

Update 2015-06-15: Since the initial post I've been told that "Aller Holding A/S" is a Danish company, which explains why it did not have a Norwegian organisation number. I've also been told that there is a web services API available from Brønnøysundsregistrene, for those willing to accept the terms or pay the price.

## Alessio Treglia

### How to have a successful OpenStack project

It’s no secret that OpenStack is becoming the de-facto standard for private cloud and a way for telecom operators to differentiate against big names such as Amazon or Google.
OpenStack has already been adopted in some specific projects, but the wide adoption in enterprises is starting now, mostly because people simply find it difficult to understand. VMWare is still something to compare to, but OpenStack and cloud is different. While cloud implies virtualization, virtualization is not cloud.

Cloud is a huge shift in your organization and will change forever your way of working in the IT projects, improving your IT dramatically and cutting down costs.

In order to get the best of OpenStack, you need to understand deeply how cloud works. Moreover, you need to understand the whole picture beyond the software itself to provide new levels of agility, flexibility, and cost savings in your business.

Giuseppe Paterno’, leading European consultant and recently awarded by HP, wrote OpenStack Explained to guide you through the OpenStack technology and reveal his secret ingredient to have a successful project. You can download the ebook for a small donation to provide emergency and reconstruction aid for Nepal. Your donation is certified by ZEWO , the Swiss federal agency that ensures that funds go to a real charity project.

… but hurry up, the ebook is in a limited edition and it ends on July 2015.

Donate & Download here: https://life-changer.helvetas.ch/openstack

15 June, 2015 08:30AM by Giuseppe Paternò

# June 13, 2015

## Tomasz Buchert

### Tagging unreplied messages with notmuch

Some people are very bad at responding to e-mails. Or they don’t check their mailbox as often as I do, who knows. Anyway, sometimes I want to ping somebody about an e-mail that I sent some time ago. Till now, I did it by going through a list of my sent e-mails and resending messages that were unreplied. However, that was somewhat inefficient.

As a solution, I coded a post-new hook for notmuch that tags all unreplied messages. The implementation is rather short and straightforward (see GitHub repo). It marks all replied messages with response and everything else with noresponse. The precise definition of replied message is: a message whose ID is mentioned in at least one In-Reply-To header in your mailbox.

To solve my initial problem, I also tag my sent, but unreplied messages with noack so that I can easily obtain the list of people to ping eventually. I also have the backlog tag which groups e-mails sent to me which I haven’t replied to yet.

Feel free to use it if you find it useful.

## Craig Small

### Linux 4.0 ate my docker images

I have previously written about the gitlab CI runners that use docker.  Yesterday I made some changes to procps and pushed them to gitlab which would then start the CI.  This morning I checked and it said build failed – ok, so that’s not terribly unusual. The output from the runner was:

gitlab-ci-multi-runner 0.3.3 (dbaf96f)
Using Docker executor with image csmall/testdebian ...
Pulling docker image csmall/testdebian ...
Build failed with Error: image csmall/testdebian: not found

Hmm, I know I have that image, it just must be the runner so, let’s see what images I have:

$ docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE

Now, I know I have images, I had about 10 or so of them, where did they go? I even looked in the /var/lib/docker directories and can see the json configs, what have you done with my images docker?

## Storage Drivers

The first hint I got from stackexchange where someone lost their AUFS images and needed to load the aufs kernel module. Now I know there are two places or methods where docker stores its images. They are called aufs and devicemapper. There is some debate around which one is better and to be honest with what I do I don’t much care, I just want it to work.

The version of kernel is significant. It seems the default storage container was AUFS and this requires the aufs.ko kernel module. Linux 4.0 (the version shipped with Debian) does NOT have that module, or at least I couldn’t find it.

For new images, this isn’t a problem. Docker will just create the new images using devicemapper and everyone is happy. The problem is where you have old aufs images, like me. I want those images.

## Rescue the Images

I’m not sure if this is the best or most correct way of getting your images, but for me it worked. I got the idea basically from someone who wanted to switch from aufs to devicemapper images for other reasons.

You first need to reboot and select at the grub prompt a 3.x kernel that has aufs support. Then when the system comes up, you should see all your images, like this:

$ docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
csmall/testdebian latest 6979033105a4 5 weeks ago 369.4 MB
gcc 5.1 b063030b23b8 5 weeks ago 1.225 GB
gcc 5.1.0 b063030b23b8 5 weeks ago 1.225 GB
gcc latest b063030b23b8 5 weeks ago 1.225 GB
ruby 2.1 236bf35223e7 6 weeks ago 779.8 MB
ruby 2.1.6 236bf35223e7 6 weeks ago 779.8 MB
debian jessie 41b730702607 6 weeks ago 125.1 MB
debian latest 41b730702607 6 weeks ago 125.1 MB
debian 8 41b730702607 6 weeks ago 125.1 MB
debian 8.0 41b730702607 6 weeks ago 125.1 MB
busybox buildroot-2014.02 8c2e06607696 8 weeks ago 2.433 MB
busybox latest 8c2e06607696 8 weeks ago 2.433 MB

What a relief to see this! Work out what images you need to transfer over. In my case it was just the csmall/testdebian one. You need to save it to a tar file.

$ docker save csmall/testdebian > csmall-testdebian.tar.gz

Once you have all your images you want, reboot back to your 4.x kernel. You then need to load each image back into docker.

$ docker load < csmall-testdebian.tar.gz

and then test to see it's there

aws ec2 --region ${Region} attach-volume --volume-id ${VolumeId} --instance-id ${InstanceId}

…and at this stage, the above manipulation of the raw block device with LVM can begin. Likewise you can then use the CLI to detach and destroy any unwanted volumes if you are migrating off old block devices.

12 June, 2015 01:41PM by james

## Richard Hartmann

### Happy Friday!!

So, what do you do before you break the Internet?

You tweet this:

12 June, 2015 11:31AM by Richard 'RichiH' Hartmann

# June 11, 2015

## Vincent Fourmond

### Release 0.13 of ctioga2

Today is ctioga2's release. Unlike most other releases, this one does not bring many visible features, but quite a few changes nevertheless, including:

• finally customizable output PDF resolution, which was asked some time ago
• ways to average successive Y values (for the same X value), setting the error bars to the standard deviation
• handling of histograms with missing X values (SF issue #1)
• improvements in the emacs mode (including contextual help)

As usual, the new version is available as a gem

~ gem update ctioga

Enjoy!

11 June, 2015 10:01PM by Vincent Fourmond (noreply@blogger.com)

## Holger Levsen

### 20150610-debian-22k

# >22000 source packages in Debian main today

Just now Debian main for the first time had more than 22000 source packages in unstable, 22001 at this moment to be exact.

Very few weeks ago for the first time there were more than 45000 binary packages for unstable/amd64(+all) in main - and today this number is up to 45542!

Thanks and kudos to everyone involved to make it happen. You make countless people smile each day! Keep up the good work!

(And, that said, cleaning the archive from cruft and making sure only "good" packages enter is also a very important part of this work. Thanks to those who care about that too.)
## John Goerzen <!-- document.write( "<a href=\"#\" id=\"http://changelog.complete.org/archives/9353-roundup-of-remote-encrypted-deduplicated-backups-in-linux_hide\" onClick=\"exclude( 'http://changelog.complete.org/archives/9353-roundup-of-remote-encrypted-deduplicated-backups-in-linux' ); hideHosts(); return false;\"><img src=\"common/minus-8.png\" style=\"border: none;\" title=\"Hide Author\" alt=\"Hide Author\" height=\"8\" width=\"8\"><\/a> <a href=\"#\" id=\"http://changelog.complete.org/archives/9353-roundup-of-remote-encrypted-deduplicated-backups-in-linux_show\" style=\"display:none;\" onClick=\"show( 'http://changelog.complete.org/archives/9353-roundup-of-remote-encrypted-deduplicated-backups-in-linux' ); return false;\"><img src=\"common/plus-8.png\" style=\"border: none;\" title=\"Show Author\" alt=\"Show Author\" height=\"8\" width=\"8\"><\/a>" ); --> ### Roundup of remote encrypted deduplicated backups in Linux Since I wrote last about Linux backup tools, back in a 2008 article about BackupPC and similar toools and a 2011 article about dedpulicating filesystems, I’ve revisited my personal backup strategy a bit. I still use ZFS, with my tool “simplesnap” that I wrote about in 2014 to perform local backups to USB drives, which get rotated offsite periodically. This has the advantage of being very fast and very secure, but I also wanted offsite backups over the Internet. I began compiling criteria, which ran like this: • Remote end must not need any special software installed. Storage across rsync, sftp, S3, WebDAV, etc. should all be good candidates. The remote end should not need to support hard links or symlinks, etc. • Cross-host deduplication at at least the file level is required, so if I move a 4GB video file from one machine to another, my puny DSL wouldn’t have to re-upload it. • All data that is stored remotely must be 100% encrypted 100% of the time. I must not need to have any trust at all in the remote end. 
• Each backup after the first must send only an incremental’s worth of data across the line. No periodic re-uploading of the entire data set can be done. • The repository format must be well-documented and stable. So, how did things stack up? Didn’t meet criteria A lot of popular tools didn’t meet the criteria. Here are some that I considered: • BackupPC requires software on the remote end and does not do encryption. • None of the rsync hardlink tree-based tools are suitable here. • rdiff-backup requires software on the remote end and does not do encryption or dedup. • duplicity requires a periodic re-upload of a full backup, or incremental chains become quite long and storage-inefficient. It also does not support dedup, although it does have an impressive list of “dumb” storage backends. • ZFS, if used to do backups the efficient way, would require software to be installed on the remote end. If simple “zfs send” images are used, the same limitations as with duplicity apply. • The tools must preserve POSIX attributes like uid/gid, permission bits, symbolic links, hard links, etc. Support for xattrs is also desireable but not required. • bup and zbackup are both interesting deduplicators, but do not yet have support for removing old data, so are impractical for this purpose. • burp requires software on the server side. Obnam and Attic/Borg Backup Obnam and Attic (and its fork Borg Backup) are both programs that have a similar concept at their heart, which is roughly this: the backup repository stores small chunks of data, indexed by a checksum. Directory trees are composed of files that are assembled out of lists of chunks, so if any given file matches another file already in the repository somewhere, the added cost is just a small amount of metadata. Obnam was eventually my tool of choice. 
It has built-in support for sftp, but its reliance on local filesystem semantics is very conservative and it works fine atop davfs2 (and, I’d imagine, other S3-backed FUSE filesystems). Obnam’s repository format is carefully documented and it is very conservatively designed through and through — clearly optimized for integrity above all else, including speed. Just what a backup program should be. It has a lot of configurable options, including chunk size, caching information (dedup tables can be RAM-hungry), etc. These default to fairly conservative values, and the performance of Obnam can be significantly improved with a few simple config tweaks.

Attic was also a leading contender. It has a few advantages over Obnam, actually. One is that it uses an rsync-like rolling checksum method. This means that if you add 1 byte at the beginning of a 100MB file, Attic will upload a 1-byte chunk and then reference the other chunks after that, while Obnam will have to re-upload the entire file, since its chunks start at the beginning of the file in fixed sizes. (The only time Obnam has chunks smaller than its configured chunk size is with very small files or the last chunk in a file.) Another nice feature of Attic is its use of “packs”, where it groups chunks together into larger pack files. This can have significant performance advantages when backing up small files, especially over high-latency protocols and links.

On the downside, Attic has a hardcoded fairly small chunksize that gives it a heavy metadata load. It is not at all as configurable as Obnam, and unlike Obnam, there is nothing you can do about this. The biggest reason I avoided it though was that it uses a single monolithic index file that would have to be uploaded from scratch after each backup. I calculated that this would be many GB in size, if not even tens of GB, for my intended use, and this is just not practical over the Internet.
Attic assumes that if you are going remote, you run Attic on the remote so that the rewrite of this file doesn’t have to send all the data across the network. Although it does work atop davfs2, this support seemed like an afterthought and is clearly not very practical.

Attic did perform much better than Obnam in some ways, largely thanks to its pack support, but the monolithic index file was going to make it simply impractical to use.

There is a new fork of Attic called Borg that may, in the future, address some of these issues.

#### Brief honorable mentions: bup, zbackup, syncany

There are a few other backup tools that people are talking about which do dedup. bup is frequently mentioned, but one big problem with it is that it has no way to delete old data! In other words, it is more of an archive than a backup tool. zbackup is a really neat idea — it dedups anything you feed at it, such as a tar stream or “zfs send” stream, and can encrypt, too. But it doesn’t (yet) support removing old data either.

syncany is fundamentally a syncing tool, but can also be used from the command line to do periodic syncs to a remote. It supports encryption, sftp, webdav, etc. natively, and runs on quite a number of platforms easily. However, it doesn’t store a number of POSIX attributes, such as hard links, uid/gid owner, ACL, xattr, etc. This makes it impractical for use for even backing up my home directory; I make fairly frequent use of ln, both with and without -s. If there were some tool to create/restore archives of metadata, that might work out better.
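The fixed-size versus rolling-checksum chunking difference described above, as an added example that is not part of the original post and not code from Obnam, Attic or Borg. It swaps in a simple gear-style rolling hash for the real chunkers, and the keyed (HMAC) chunk IDs, the key, the sizes and the sample data are assumptions of this sketch.

```python
"""Fixed-size vs. content-defined chunking in a checksum-indexed repository.

Added illustration; not code from Obnam, Attic or Borg.
"""
import hashlib
import hmac

MASK64 = (1 << 64) - 1
# Gear table: one pseudo-random 64-bit value per byte value (constructed here).
GEAR = [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:8], "big")
        for i in range(256)]
# Assumption: chunk IDs are keyed, so a remote that is not trusted cannot
# confirm a guessed plaintext by hashing it. Constructed demo key.
ID_KEY = b"constructed-demo-key-not-a-secret"


def sample_data(n_bytes):
    """Deterministic pseudo-random test data (constructed, SHA-256 counter)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest()
              for i in range(n_bytes // 32))
    return b"".join(blocks)


def fixed_chunks(data, size=4096):
    """Cut at fixed offsets counted from the start of the file."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def cdc_chunks(data, avg_bits=12, min_size=1024, max_size=65536):
    """Cut where a rolling hash of the last 64 bytes has avg_bits leading zeros.

    Boundaries depend on content, not on the offset in the file, so they
    re-synchronise after an insertion.
    """
    chunks, start, h = [], 0, 0
    for pos, byte in enumerate(data):
        # Each step shifts older bytes one bit left; after 64 steps a byte
        # has left the 64-bit state, which gives the sliding window.
        h = ((h << 1) + GEAR[byte]) & MASK64
        length = pos - start + 1
        at_boundary = length >= min_size and (h >> (64 - avg_bits)) == 0
        if at_boundary or length >= max_size:
            chunks.append(data[start:pos + 1])
            start, h = pos + 1, 0
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def chunk_id(chunk):
    """Keyed checksum under which a chunk is indexed in the repository."""
    return hmac.new(ID_KEY, chunk, hashlib.sha256).hexdigest()


def store(repo, chunks):
    """Add chunks to repo (id -> size); return (new_chunks, new_bytes) sent."""
    new_chunks = new_bytes = 0
    for chunk in chunks:
        cid = chunk_id(chunk)
        if cid not in repo:
            repo[cid] = len(chunk)
            new_chunks += 1
            new_bytes += len(chunk)
    return new_chunks, new_bytes


def upload_after_prepend(chunker, data):
    """Back up data, prepend one byte, back up again; return the second cost."""
    repo = {}
    store(repo, chunker(data))
    return store(repo, chunker(b"\x00" + data))


def compare(n_bytes=256 * 1024):
    """Cost of the second backup for both chunkers on the same input."""
    data = sample_data(n_bytes)
    return {"fixed": upload_after_prepend(fixed_chunks, data),
            "cdc": upload_after_prepend(cdc_chunks, data)}


if __name__ == "__main__":
    for name, (count, size) in compare().items():
        print(f"{name:5s} second backup uploads {count} chunks, {size} bytes")
```

Because of `min_size`, this sketch re-sends the changed first chunk whole rather than a 1-byte chunk; every later boundary falls on the same content, so those chunks are found by ID and not uploaded again.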
11 June, 2015 05:09PM by John Goerzen

## Holger Levsen

### 20150610-lts-may

# My LTS May

With regrets I have had to realize that I'm currently too overloaded to work on Debian LTS, so we planned that I'll do 7h in May and then I would take a three months break from doing LTS work.

And then I didn't even manage that, I've only managed to finally fix #783800 ("security-tracker: squeeze-lts/non-free not handled correctly") and file #788362 and that was that.

I do hope to come back to do sensible and serious LTS work in autumn, but for now it's better to move this off my plate.

I'm really sorry for not being able to support Debian LTS at the moment. I still think it's very much needed, worthy of and in need of support - just not by me at this point. Of course I'll also continue to use it myself - because it's great to be able to choose when to upgrade one's systems!
## Daniel Silverstone

### In defence of curl | sudo bash -

Long ago, in days of yore, we assumed that any software worth having would be packaged by the operating system we used. Debian with its enormous pile of software (over 20,000 sources last time I looked) looked to basically contain every piece of free software ever. However as more and more people have come to Linux-based and BSD-based systems, and the proliferation of *NIX-based systems has become even more diverse, it has become harder and harder to ensure that everyone has access to all of the software they might choose to use. Couple that with the rapid development of new projects, who clearly want to get users involved well before the next release cycle of a Linux-based distribution such as Debian, and you end up with this recommendation to bypass the operating system's packaging system and simply curl | sudo bash -.

We, the OS-development literati, have come out in droves to say "eww, nasty, don't do that please" and yet we have brought this upon ourselves.
Our tendency to invent, and reinvent, at the very basic levels of distributions has resulted in so many operating systems and so many ways to package software (if not in underlying package format then in policy and process) that third party application authors simply cannot keep up. Couple that with the desire of the consumers to not have their chosen platform discounted, and if you provide Debian packages, you end up needing to provide for Fedora, RHEL, SuSE, SLES, CentOS, Mint, Gentoo, Arch, etc. etc.; let alone supporting all the various BSDs. This leads to the simple expedience of curl | sudo bash -.

Nobody, not even those who are most vehemently against this mechanism of installing software, can claim that it is not quick, simple for users, easy to copy/paste out of a web-page, and leaves all the icky complexity of sorting things out up to a script which the computer can run, rather than the nascent user of the software in question. As a result, many varieties of software have ended up using this as a simple installation mechanism, from games to orchestration frameworks - everyone can acknowledge how easy it is to use.

Now, some providers are wising up a little and ensuring that the url you are curling is at least an https:// one. Some even omit the sudo from the copy/paste space and have it in the script, allowing them to display some basic information and prompting the user that this will occur as root before going ahead and elevating. All of these myriad little tweaks to the fundamental idea improve matters but are ultimately just putting lipstick on a fairly sad looking pig.

So, what can be done? Well we (again the OS-development literati) got ourselves into this horrendous mess, so it's up to us to get ourselves back out. We're all too entrenched in our chosen packaging methodologies, processes, and policies, to back out of those; yet we're clearly not properly servicing a non-trivial segment of our userbase. We need to do better.
Not everyone who currently honours a curl | sudo bash - is capable of understanding why it's such a bad idea to do so. Some education may reduce that number but it will never eliminate it.

For a long time I advocated a switch to wget && review && sudo ./script approach instead, but the above comment, about people who don't understand why it might be a bad idea, really applies to show how few of those users would even be capable of starting to review a script they downloaded, let alone able to usefully judge for themselves if it is really safe to run. Instead we need something better, something collaborative, something capable of solving the accessibility issues which led to the curl | sudo bash - revolt in the first place.

I don't pretend to know what that solution might be, and I don't pretend to think I might be the one to come up with it, but I can highlight a few things I think we'll need to solve to get there:

1. Any solution to this problem must be as easy as curl | sudo bash - or easier. This might mean a particular URI format which can have os-specific ways to handle standardised inputs, or it might mean a pervasive tool which does something like that.
2. Any solution must do its best to securely acquire the content the user actually wanted. This means things like validating SSL certificates, presenting information to the user which a layman stands a chance of evaluating to decide if the content is likely to be what they wanted, and then acting smoothly and cleanly to get that content onto the user's system.
3. Any solution should not introduce complex file formats or reliance on any particular implementation of a tool. Ideally it would be as easy to implement the solution on FreeBSD in shell, or on Ubuntu as whizzy 3D GUIs written in Haskell. (modulo the pain of working in shell of course)
4. The solution must be arrived at in a multi-partisan way.
For such a mechanism to be as usefully pervasive as curl | sudo bash - as many platforms as possible need to get involved. This means not only Debian, Ubuntu, Fedora and SuSE; but also Arch, FreeBSD, NetBSD, CentOS etc. Maybe even the OpenSolaris/Illumos people need to get involved.

Given the above, no solution can be "just get all the apps developers to learn how to package software for all the OS distributions they want their app to run on" since that way madness lies.

I'm sure there are other minor, and major, requirements on any useful solution but the simple fact of the matter is that until and unless we have something which at least meets the above, we will never be rid of curl | sudo bash - :- just like we can never seem to be rid of that one odd person at the party, no one knows who invited them, and no one wants to tell them to leave because they do fill a needed role, but no one really seems to like.

Until then, let's suck it up and while we might not like it, let's just let people keep on curl | sudo bash -ing until someone gets hurt.

P.S. I hate curl | sudo bash - for the record.
11 June, 2015 12:32PM by Daniel Silverstone

## Petter Reinholdtsen

### Measuring and adjusting the loudness of a TV channel using bs1770gain

Television loudness is the source of frustration for viewers everywhere. Some channels are very loud, others are less loud, and ads tend to shout very high to get the attention of the viewers, and the viewers do not like this. This fact is well known to the TV channels. See for example the BBC white paper "Terminology for loudness and level dBTP, LU, and all that" from 2011 for a summary of the problem domain. To better address the need for even loudness, the TV channels got together several years ago to agree on a new way to measure loudness in digital files as one step in standardizing loudness. From this came the ITU-R standard BS.1770, "Algorithms to measure audio programme loudness and true-peak audio level".

The ITU-R BS.1770 specification describes an algorithm to measure loudness in LUFS (Loudness Units, referenced to Full Scale). But having a way to measure is not enough.
To get the same loudness across TV channels, one also needs to decide which value to standardize on. For European TV channels, this was done in the EBU Recommendation R128, "Loudness normalisation and permitted maximum level of audio signals", which specifies a recommended level of -23 LUFS. In Norway, I have been told that NRK, TV2, MTG and SBS have decided among themselves to follow the R128 recommendation for playout from 2016-03-01.

There is free software available to measure and adjust the loudness level using the LUFS. In Debian, I am aware of a library named libebur128 able to measure the loudness and since yesterday morning a new binary named bs1770gain capable of both measuring and adjusting was uploaded and is waiting for NEW processing. I plan to maintain the latter in Debian under the Debian multimedia umbrella.

The free software based TV channel I am involved in, Frikanalen, plans to follow the R128 recommendation ourselves as soon as we can adjust the software to do so, and the bs1770gain tool seems like a good fit for that part of the puzzle to measure loudness on new video uploaded to Frikanalen. Personally, I plan to use bs1770gain to adjust the loudness of videos I upload to Frikanalen on behalf of the NUUG member organisation. The program seems to be able to measure the LUFS value of any media file handled by ffmpeg, but I've only successfully adjusted the LUFS value of WAV files. I suspect it should be able to adjust it for all the formats handled by ffmpeg.
## Steve McIntyre

### Debian-branded USB keys

I've had some 8GB USB keys made, with the Debian swirl and text. By buying a reasonable number, I've got what I think is a good price for nice high-quality keys (metal body with a solid loop for attaching to a keyring). I'm now selling these for 7 pounds each, and I'm planning on bringing some to DebConf 15 too, where they'll be 10 EUR.

They're selling faster than I expected - if you're interested in buying one (or several!), please let me know. If there's enough demand, I may order more.
## Michal Čihař

### Improved social presence for Weblate

Up to recently, the only social presence for Weblate was my personal Twitter account. It's time to change that.

You can now follow news and information about Weblate on Twitter, Facebook or Google+.

11 June, 2015 10:00AM by Michal Čihař (michal@cihar.com)

## MJ Ray

### Mick Morgan: here’s why pay twice?
http://baldric.net/2015/06/05/why-pay-twice/ asks why the government hires civilians to monitor social media instead of just giving GCHQ the keywords. Us cripples aren’t allowed to comment there (physical ability test) so I reply here:

It’s pretty obvious that they have probably done both, isn’t it?

This way, they’re verifying each other. Politicians probably trust neither civilians nor spies completely and that makes it worth paying twice for this.

Unlike lots of things that they seem to want not to pay for at all…

11 June, 2015 03:49AM by mjr

# June 10, 2015

## DebConf team

### DebConf15 Invited speakers

(Posted by DebConf Team)

This year, on top of the many excellent contributed talks, BoFs, and other events always part of DebConf (some of which have already been announced) we are excited to have confirmed the following keynote speakers.

During the Open Weekend (Saturday, August 15th and Sunday, August 16th), we will have keynotes delivered by:

• Bradley M. Kuhn, President, Software Freedom Conservancy / Board of Directors, Free Software Foundation (Wikipedia page)
• Werner Koch, Creator and Lead Developer, GnuPG Project / g10 Code GmbH (Wikipedia page)
• Bdale Garbee, Chief Technologist Open Source and Linux, HP / Debian Project (Wikipedia page)

On the last day of DebConf, we look forward to the closing keynote by:

• Jacob Appelbaum, Security Researcher and Journalist / Tor Project (Wikipedia page)

For more information about our invited speakers, please see http://debconf15.debconf.org/invited_speakers.xhtml

### Citizenfour Screening

Additionally, there will be a screening of the Citizenfour movie, winner of the Best Documentary Feature Academy Award on the evening of Friday, August 21st.

### You still have time to submit your talk

There are only a few days left before the end of the Call for Proposals on June 15th. Events submitted after that date might not be part of the official DebConf schedule. So, please, hurry, check out the proposal submission guide and submit your event.

Regards from the DebConf Team

10 June, 2015 09:41PM by DebConf Organizers

# June 09, 2015

## Tiago Bortoletto Vaz

### Zyne is now in Debian

Zyne is a modular synthesizer written in Python. Anyone can create and extend its modules using the Pyo library.
Zyne's GUI is coded using WXPython and will look nicely in GNU/Linux, Mac and Windows systems. It's written by the same author of Pyo, and together with Cecilia and Soundgrain is part of an amazing set of libre tools for sound synthesis and electronic music composition.

The Zyne package is the result of a successful one-day event called MicroDebconf Brasilia 2015, being created during a track about packaging and QA led by Eriberto Mota and Antonio Terceiro.

09 June, 2015 04:05PM by Tiago Bortoletto Vaz

## Daniel Silverstone

### Sometimes recruiters really miss the point...

I get quite a bit of recruitment spam, especially via my LinkedIn profile, but today's Twitter-madness (recruiter scraped my twitter and then contacted me) really took the biscuit. I include my response (stripped of identifying marks) for your amusement:

On Tue, Jun 09, 2015 at 10:30:35 +0000, Silly Recruiter wrote:
> I have come across your profile on various social media platforms today and
> after looking through them I feel you are a good fit for a permanent Java
> Developer Role I have available.

Given that you followed me on Twitter I'm assuming you found a tweet or two in which I mention how much I hate Java?
> I can see you are currently working at Codethink and was wondering if you
> were considering a change of role?

I am not.

> The role on offer is working as a Java Developer for a company based in
> Manchester. You will be maintaining and enhancing the company's core websites
> whilst using the technologies Java, JavaScript, JSP, Struts, Hibernate XML
> and Grails.

This sounds like one of my worst nightmares.

> Are you interested in hearing more about the role? Please feel free to call
> or email me to discuss it further.

Thanks, but no.

> If not, do you know someone that is interested? We offer a £500 referral fee
> for any candidate that is successful.

I wouldn't inflict that kind of Lovecraftian nightmare of a software stack on anyone I cared about, sorry.

D.

I then decided to take a look back over my Twitter and see if I could find what might have tripped this. There's some discussion of Minecraft modding but nothing which would suggest JavaScript, JSP, Struts, Hibernate XML or Grails. Indeed my most recent tweet regarding Java could hardly be construed as positive towards it.

Sigh.
09 June, 2015 03:11PM by Daniel Silverstone

# June 08, 2015

## Timo Jyrinki

### Quick Look: Dell XPS 13 Developer Edition (2015) with Ubuntu 14.04 LTS

I recently obtained the newest Dell's Ubuntu developer offering, XPS 13 (2015, model 9343). I opted in for FullHD non-touch display, mostly because of better battery life, the actual no need for higher resolution, and matte screen which is great outside. Touch would have been "nice-to-have", but in my work I don't really need it.

The other specifications include i7-5600U CPU, 8GB RAM, 256GB SSD [edit: lshw], and of course Ubuntu 14.04 LTS pre-installed as OEM specific installation. It was not possible to directly order it from Dell site, as Finland is reportedly not online market for Dell... The wholesale company however managed to get two models on their lists and so it's now possible to order via retailers. [edit: here are some country specific direct web order links however US, DE, FR, SE, NL]

In this blog post I give a quick look on how I started up using it, and do a few observations on the pre-installed Ubuntu included.
I personally was interested in using the pre-installed Ubuntu like a non-Debian/Ubuntu developer would use it, but Dell has also provided instructions for Ubuntu 15.04, Debian 7.0 and Debian 8.0 advanced users among others. Even if not using the pre-installed Ubuntu, the benefit from buying an Ubuntu laptop is obviously smaller cost and on the other hand contributing to free software (by paying for the hardware enablement engineering done by or purchased by Dell).

#### Unboxing

The Black Box. (and white cat)

Opened box.

First time lid opened, no dust here yet!

First time boot up, transitioning from the boot logo to a first time Ubuntu video.

A small clip from the end of the welcoming video.

First time setup. Language, Dell EULA, connecting to WiFi, location, keyboard, user+password.

Creating recovery media. I opted not to do this as I had happened to read that it's highly recommended to install upgrades first, including to this tool.

Finalizing setup.

Ready to log in!

It's alive!

Not so recent 14.04 LTS image... lots of updates.

#### Problems in the First Batch

Unfortunately the first batch of XPS 13:s with Ubuntu are going to ship with some problems. They're easy to fix if you know how to, but it's sad that they're there to begin with in the factory image. There is no knowledge when a fixed batch will start shipping - July maybe?

First of all, installing software upgrades stops. You need to run the following command via Dash → Terminal once:

sudo apt-get install -f

(it suggests upgrading libc-dev-bin, libc6-dbg, libc6-dev and udev). After that you can continue running Software Updater as usual, maybe rebooting in between.

Secondly, the fixed touchpad driver is included but not enabled by default. You need to enable the only non-enabled ”Additional Driver” as seen in the picture below or instructed in Youtube.

Dialog enabling the touchpad driver.
Clarification: you can safely ignore the two paragraphs below, they're just for advanced users like me who want to play with upgraded driver stacks.

Optionally, since I'm interested in the latest graphics drivers especially in case of a brand new hardware like Intel Broadwell, I upgraded my Ubuntu to use the 14.04.2 Hardware Enablement stack (matches 14.10 hardware support):

sudo apt install --install-recommends libgles2-mesa-lts-utopic libglapi-mesa-lts-utopic linux-generic-lts-utopic xserver-xorg-lts-utopic libgl1-mesa-dri-lts-utopic libegl1-mesa-drivers-lts-utopic libgl1-mesa-glx-lts-utopic:i386

Even though it's much better than a normal Ubuntu 14.10 would be since many of the Dell fixes continue to be in use, some functionality might become worse compared to the pre-installed stack. The only thing I have noticed though is the internal microphone not working anymore out-of-the-box, requiring a kernel patch as mentioned in Dell's notes. This is not a surprise since the real eventual upstream support involves switching from HDA to I2S and during 14.10 kernel work that was not nearly done. If you're excited about new drivers, I'd recommend waiting until August when the 15.04 based 14.04.3 stack is available (same package names, but 'vivid' instead of 'utopic'). [edit: I couldn't resist myself when I saw linux-generic-lts-vivid (3.19 kernel) is already in the archives. 14.04.2 + that gives me working microphone again!]

#### Conclusion

Dell XPS 13 Developer Edition with Ubuntu 14.04 LTS is an extremely capable laptop + OS combination nearing perfection, but not quite there because of the software problems in the launch pre-install image. The laptop looks great, feels like a quality product should and is very compact for the screen size.

I've moved over all my work onto it and everything so far is working smoothly in my day-to-day tasks. I'm staying at Ubuntu 14.04 LTS and using my previous LXC configuration to run the latest Ubuntu and Debian development versions.
I've also done some interesting changes already like LUKS In-Place Conversion, converting the pre-installed Ubuntu into whole disk encrypted one (not recommended for the faint hearted, GRUB reconfiguration is a bit of a pain).

I look happily forward to working a few productive years with this one!

08 June, 2015 11:02AM by Timo Jyrinki (noreply@blogger.com)

## Craig Small

### Checking Cloudflare SSL

My website for a while has used CloudFlare as its front-end. It’s a rather nice setup and means my real server gets less of a hammering, which is a good thing. A few months ago they enabled a feature called Universal SSL which I have also added to my site. Around the same time, my SSL check scripts started failing for the website, the certificate had expired apparently many many days ago. Something wasn’t right.

## The Problem

The problem was simply at first I’d get emails saying “The SSL certificate for enc.com.au “(CN: )” has expired!”. I use a program called ssl-cert-check that would check all (web, smtp, imap) of my certificates. It’s very easy to forget to renew and this program runs daily and does a simple check.

Running the program on the command line gave some more information, but nothing (for me) that really helped:

$ /usr/bin/ssl-cert-check -s enc.com.au -p 443
Host Status Expires Days
----------------------------------------------- ------------ ------------ ----
unable to load certificate
140364897941136:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
unable to load certificate
139905089558160:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140017829234320:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
unable to load certificate
140567473276560:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE
enc.com.au:443 Expired -2457182

So, apparently, there was something wrong with the certificate. The problem was this was CloudFlare who seem to have a good idea on how to handle certificates and all my browsers were happy.

ssl-cert-check is a shell script that uses openssl to make the connection, so the next stop was to see what openssl had to say.

```
$ echo "" | /usr/bin/openssl s_client -connect enc.com.au:443
CONNECTED(00000003)
140115756086928:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 345 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
```

No peer certificate available. That was the clue I was looking for.

## Where’s my Certificate?

CloudFlare Universal SSL uses certificates that have multiple domains in the one certificate. They do this by having one canonical name which is something like sni(numbers).cloudflaressl.com and then multiple Subject Alternative Names (a bit like ServerAlias in Apache configurations). This way a single server with a single certificate can serve multiple domains. The way that the client tells the server which website it is looking for is Server Name Indication (SNI). As part of the TLS handshaking the client tells the server “I want website www.enc.com.au”.

The thing is, by default, both openssl s_client and the check script do not use this feature. That was why the SSL certificate checks were failing. The server was waiting for the client to ask what website it wanted. Modern browsers do this automatically so it just works for them.

## The Fix

For openssl on the command line, there is a flag -servername which does the trick nicely:

```
$ echo "" | /usr/bin/openssl s_client -connect enc.com.au:443 -servername enc.com.au
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify error:num=20:unable to get local issuer certificate
---
(lots of good SSL type messages)
```

That was openssl happy now. We asked the server what website we were interested in with the -servername and got the certificate.

The fix for ssl-cert-check is even simpler.  Like a lot of things once you know the problem, the solution is not only easy to work out but someone has done it for you already.  There is a Debian bug report on this problem with a simple fix from Francois Marier.

Just edit the check script and change the line that has:

```
TLSSERVERNAME="FALSE"
```

and change it to true.  Then the script is happy too:

```
$ ssl-cert-check -s enc.com.au -p https
Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
enc.com.au:https                                Valid        Sep 30 2015  114
```

All working and as expected! This isn’t really a CloudFlare problem as such, it is just that’s the first place I had seen this sort of SNI certificate being used in something I administer (or more correctly something behind the something).

08 June, 2015 06:08AM by Craig