# December 13, 2013

## Sylvain Le Gall

### Release of OASIS 0.4.0

I am happy to announce that OASIS v0.4.0 has just been released.

OASIS is a tool to help OCaml developers to integrate configure, build and install systems in their projects. It should help to create standard entry points in the source code build system, allowing external tools to analyse projects easily.

This tool is freely inspired by Cabal which is the same kind of tool for Haskell.

You can find the new release here and the changelog here. More information about OASIS in general on the OASIS website.

I have recently resumed my work on OASIS and this will hopefully be the new version that leads to quicker iteration in the development of OASIS. The development process was slowed down by my fear of introducing new fields in _oasis, or regressions. This was a pain and I decided to change my development model.

### Features

The most important step is the introduction of the AlphaFeatures and BetaFeatures fields. They allow introducing pieces of code that will only be activated if certain features are listed in those fields. It should help the project to always be ready to release.

The features also cover other aspects like flag_tests and flag_docs, which were introduced in OASIS v0.3.0. In fact the features API is now used to introduce all enhancements while keeping backward compatibility with regard to OASISFormat. Rather than defining a ~since_version:0.3 for fields, we use a feature that handles the maturity level of the feature. When I feel a specific feature is ready to ship, I just change InDev Alpha to InDev Beta and then to SinceVersion 0.4. In the long term, when we no longer support any version of OASIS that existed before the SinceVersion, the feature will always be true and I will fully integrate it in the code.

The only constraint around features is: if you use the AlphaFeatures or BetaFeatures field, you must use the latest OASISFormat...

Features section in the manual.

Example of features available:

• section_object: allows creating objects (.cmo/.cmx) in _oasis
• pure_interface: an OCamlbuild feature that allows handling a .mli without a .ml file

### Automate

Another topic is the automation of release testing. For OASIS v0.3.0, I ran tests on all platforms manually, late in the development of v0.3.0, and it was painful to fix. So I have decided to set up a Jenkins instance that automates testing on Linux. In the long term, I plan to also set up a Mac OS X builder and start looking at Windows as well. This should help me catch errors early and be able to fix them quickly.

However, for v0.4.0 I have decided to just release what I have, which has mainly been tested on Linux. The point here is to release quickly and iterate, rather than wait for perfection. Hopefully end-user testing will allow new bugs to be discovered quickly.

### Time-boxed releases

In the coming months, I will try to do time-boxed releases. I will try to release a version of OASIS every 15th of the month. The point here is to try to iterate faster and avoid long delays between releases.

See you in 1 month for the next release.

13 December, 2013 02:14AM by gildor

## Jonathan McCrohan

### Linux Kernel Contributor

Having used GNU/Linux systems for some time now, and having submitted patches to a fair number of open source projects, it is nice to finally get a patch accepted into the biggest open source project of them all, the Linux kernel. While I did submit a kernel patch to OpenWrt back in 2011, it is maintained as a rebased patchset, and was never upstreamed to Linus' tree.

That changed today though, when a small patch I (had forgotten I had) sent to the linux-media mailing list back in October 2013 was just pulled by Linus Torvalds into his tree for the Linux 3.13-rc4 release; so I'm now proud to be able to call myself a contributor to the Linux Kernel.

13 December, 2013 01:22AM by jmccrohan

## Daniel Pocock

### xWiki: 10 years and a WebRTC success story

Six months ago, I wrote to the leaders of several open source web frameworks and asked them about their vision for WebRTC and if they would come to the WebRTC Conference in Paris this week (now finished). The most promising response was from Ludovic Dubost, founder of the xWiki project.

Ludovic successfully demonstrated their shiny new WebRTC capabilities today in front of an audience including many far more experienced telephony operators who are still only coming to terms with this technology.

### What is xWiki?

Don't let the wiki name limit your perception of this project. xWiki is a lot more than just another wiki hosting framework. As a bare minimum, you can certainly use it in the same way as other wikis, doing lightweight markup that is easier than HTML. On the other hand, xWiki really shines when it comes to extensibility. The xWiki team are Java developers and so xWiki appeals most to other Java developers who may want to leverage some library code from their web portal from time to time, without even having to compile anything. Here are some examples and here is one of the most trivial ones:

```
{{velocity}}
Your username is $xcontext.getUser(), welcome to the site.
{{/velocity}}
```

### WebRTC capabilities

The xWiki team chose XMPP as the chat protocol (using the Candy XMPP JavaScript chat client) as the foundation for real-time communication. They then extended it with a custom signalling mechanism that lets the users of a chat session upgrade the session to voice/video with a mouse click. The whole experience works within the browser without any plugins.

### 10 years of xWiki

It was also xWiki's 10th birthday today and this provided the perfect opportunity for a party:

### cjdns and enigmabox

While at the xWiki office, it was interesting to see a lot of innovative work taking place, including this VoIP setup where a Grandstream phone is attached to an Enigmabox operated by Caleb from the cjdns project.

13 December, 2013 12:09AM by Daniel.Pocock

# December 12, 2013

## Gerfried Fuchs

### [dunkelbunt]

Tuesday was a really nice evening. A few weeks ago I found a poster about the concert of [dunkelbunt], and got my ticket only on Monday. I was told by the ticket sellers that they still had plenty left. In the end, when I turned up at the event on Tuesday, the concert hall was fully packed with people and I was told that it actually was sold out.

There wasn't much space left inside the hall, so I mostly stood in the doorway to the bar area and enjoyed the music from there. If you listen to their songs you might get an idea why the music caught me and I started to let the music move my body, literally. It's a great feeling after a tough day, and there were some other nice people around who let the same happen to them, so it felt less awkward for me. Anyway, if you want to find out if their music can do the same to you, here are some songs to listen to:

• The Chocolate Butterfly: This was actually the first song that got me interested in them; it was playing on a local radio station.
• Cinnamon Girl: One of the reasons why [dunkelbunt] is put into the electro swing genre. :)
• Schlawiener: The title is a pun, a mix between "Schlawiner" (smooth operator) and "Wiener" (Viennese).

Enjoy!

12 December, 2013 11:30PM by Rhonda

## Christine Spang

### Donate to OpenHatch

I just donated $500 to OpenHatch. Here's why you should donate too:

1. Diversity in open source matters. We can't keep making the software the world runs on without involving people of all sorts, from all backgrounds.
2. OpenHatch is run by community members who I've known for years and trust. They care about data-driven effectiveness and are always getting better at what they do.
3. A rising tide floats all boats. More contributors == more awesome.
4. If you donate before December 24th, your donation makes twice the difference.

Diversity and education initiatives are the reason I'm a part of the free and open source software community today. (Thanks, Debian Women.)

You don't have to donate $500 to make a difference. $5, $10, $25—from a hundred people—all adds up.

Please join me in supporting OpenHatch today.

# December 11, 2013

## C.J. Adams-Collier

### I miss you. Please come back?

```
...
Checking supported features...
Installing system database...
- SSL connections supported
Collecting tests...
Using server port 42388

==============================================================================

TEST                                      RESULT   TIME (ms) or COMMENT
--------------------------------------------------------------------------

worker[1] Using MTR_BUILD_THREAD 300, with reserved ports 16000..16019
oqgraph.basic                            [ skipped ]  No OQGraph
oqgraph.binlog                           [ skipped ]  No OQGraph
sphinx.sphinx                            [ skipped ]  No Sphinx
archive.archive-big                      [ skipped ]  Test needs --big-test
binlog.binlog_multi_engine               [ skipped ]  ndbcluster disabled
binlog.binlog_spurious_ddl_errors        [ disabled ]  BUG#11761680 2013-01-18 astha Fixed on mysql-5.6 and trunk
binlog.binlog_truncate_innodb            [ disabled ]  BUG#11764459 2010-10-20 anitha Originally disabled due to BUG#42643. Product bug fixed, but test changes needed
federated.federated_server               [ skipped ]  Test needs --big-test
...
```


11 December, 2013 07:01PM by C.J. Adams-Collier

## Daniel Pocock

### Get WebRTC going faster

On Saturday, Lumicall began offering free calls from browser to mobile using the free and open WebRTC technology. It should be no surprise that the service has been popular.

### Is it really free and open?

The only way to prove this technology is free is to help people implement it for themselves.

On Monday, I uploaded reSIProcate v1.9.0 beta7 packages to Debian. The reSIProcate SIP proxy, repro, is one of the core components of the solution behind the free Lumicall service.

Simply install the repro and resiprocate-turn-server packages using apt-get and make the following changes to the configuration (use your own IP addresses of course). I've taken this diff from my own runtime environment, only hiding my passwords, so that you can see exactly how I got it working:

--- repro.config.orig	2013-12-11 17:36:27.179228324 +0100
+++ repro-ws.sip5060.net.config	2013-12-11 17:48:24.159938649 +0100
@@ -143,6 +143,41 @@
# Transport6TlsClientVerification = None
# Transport6RecordRouteUri = sip:h1.sipdomain.com;transport=WS

+Transport1Interface = 195.8.117.57:80
+Transport1Type = WS
+Transport1RecordRouteUri = auto
+
+Transport2Interface = 2001:67c:1388:1000::57:80
+Transport2Type = WS
+Transport2RecordRouteUri = auto
+
+Transport3Interface = 195.8.117.57:5060
+Transport3Type = TCP
+Transport3RecordRouteUri = auto
+
+Transport4Interface = 2001:67c:1388:1000::57:5060
+Transport4Type = TCP
+Transport4RecordRouteUri = auto
+
+Transport5Interface = 195.8.117.57:443
+Transport5Type = WSS
+#Transport5RecordRouteUri = auto
+Transport5TlsDomain = ws.sip5060.net
+Transport5TlsClientVerification = None
+Transport5RecordRouteUri = sip:ws.sip5060.net;transport=WSS
+Transport5TlsCertificate = /etc/ssl/ssl.crt/ws.sip5060.net-bundle.crt
+Transport5TlsPrivateKey = /etc/ssl/private/ws.sip5060.net-key.pem
+
+Transport6Interface = 2001:67c:1388:1000::57:443
+Transport6Type = WSS
+#Transport6RecordRouteUri = auto
+Transport6TlsDomain = ws.sip5060.net
+Transport6TlsClientVerification = None
+Transport6RecordRouteUri = sip:ws.sip5060.net;transport=WSS
+Transport6TlsCertificate = /etc/ssl/ssl.crt/ws.sip5060.net-bundle.crt
+Transport6TlsPrivateKey = /etc/ssl/private/ws.sip5060.net-key.pem
+
+
# Comma separated list of DNS servers, overrides default OS detected list (leave blank
# for default)
DNSServers =
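Review bot: The `#Transport5RecordRouteUri = auto` and `#Transport6RecordRouteUri = auto` lines are dead settings sitting directly above the explicit `TransportNRecordRouteUri = sip:ws.sip5060.net;transport=WSS` values that replace them; drop them, together with the two extra blank lines before the `# Comma separated list of DNS servers` comment, so the hunk shows only what is live. Since `Transport5TlsPrivateKey` and `Transport6TlsPrivateKey` both point at `/etc/ssl/private/ws.sip5060.net-key.pem`, the post should also say that this file needs to be readable by the user repro runs as and by nobody else.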
@@ -455,7 +490,7 @@
ForceRecordRouting = false

# Assume path option
-AssumePath = false
+AssumePath = true

# Disable registrar
DisableRegistrar = false
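Review bot: `AssumePath = true` is switched on with only the generic `# Assume path option` comment above it; a one-line comment in the diff (or a sentence in the post) on why the WebSocket setup needs it would help readers who copy this configuration decide whether it applies to them.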
@@ -481,7 +516,7 @@
# WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using
# the alternate transport specification mechanism and defining a RecordRouteUri per
# transport: TransportXRecordRouteUri
-DisableOutbound = true
+DisableOutbound = false

# Set the draft version of outbound to support (default: RFC5626)
# Other accepted values are the versions of the IETF drafts, before RFC5626 was issued
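Review bot: The WARNING directly above `DisableOutbound = false` requires a RecordRouteUri before outbound is enabled; the transport hunk earlier in this diff satisfies it with a `TransportNRecordRouteUri` on every transport (`auto` for WS/TCP, the explicit `sip:ws.sip5060.net;transport=WSS` URI for WSS). Worth stating in the post, since a reader who comments out the WSS or IPv6 transports as suggested has to keep a RecordRouteUri on whichever transports remain.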
@@ -505,7 +540,7 @@
# WARNING: Before enabling this, ensure you have a RecordRouteUri setup, or are using
# the alternate transport specification mechanism and defining a RecordRouteUri per
# transport: TransportXRecordRouteUri
-EnableFlowTokens = false
+EnableFlowTokens = true

# Enable use of flow-tokens in non-outbound cases for clients detected to be behind a NAT.
# This a more selective flow token hack mode for clients not supporting RFC5626.  The
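Review bot: The same RecordRouteUri WARNING precedes `EnableFlowTokens = true` as precedes `DisableOutbound = false`, and it is met the same way by the per-transport RecordRouteUri settings; the post should say the two options are enabled together for that reason, so readers do not flip one without the other.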



This is a diff against the /etc/repro/repro.config file distributed in the Debian package version 1.9.0~beta7-1.

In the example above, I've included WSS transport definitions for WebSockets over TLS. Use the standard procedure for creating web server SSL certificates to create certificates for repro and make sure you insert the correct filenames in the TLS parameters above. I've also duplicated every transport for IPv6. If you don't want TLS/WSS or IPv6, just comment those entries out (and renumber the remaining transports).

### Web-based SIP proxy setup

Once you have repro running, go to the web admin interface (port 5080, username: admin, password: admin) and finish the setup using the web UI. The following steps are essential:

• Add any routes to external services (optional - in my next blog I'll demonstrate how to route WebRTC calls to Asterisk using the Debian packages and less than 20 lines of configuration)

### Set up reTurn, the TURN server

```
test:notasecret:reTurn:authorized
```

IMPORTANT: the realm in the users file (reTurn in the example and default config) must be identical to the AuthenticationRealm in the /etc/reTurnServer.config file.
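Two of the mistakes the post warns about (transports left un-renumbered after commenting some out, and a users-file realm that does not match AuthenticationRealm) are easy to check mechanically. The following is an added example, not code from reSIProcate or the post; it assumes both config files use `Key = value` lines with `#` comments (repro.config visibly does, the reTurnServer.config layout is an assumption) and that users-file lines are `user:password:realm:state`, with all sample data constructed.

```python
"""Consistency checks for the repro transports and the reTurn users file.

Added example, not part of reSIProcate or the post. Assumed: repro.config and
reTurnServer.config use "Key = value" lines with '#' comments (the reTurnServer
layout is an assumption), and users-file lines are user:password:realm:state
as in the post's "test:notasecret:reTurn:authorized". Sample data is constructed.
"""
import re

KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
TRANSPORT_RE = re.compile(r"^Transport(\d+)([A-Za-z]+)$")


def parse_kv(text):
    """Parse 'Key = value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KV_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_transports(conf):
    """Return (severity, message) findings for the TransportN entries of repro.config.

    Errors: numbering not contiguous from 1 (why the post says to renumber after
    commenting transports out), a transport without Interface/Type, or a WSS/TLS
    transport lacking TlsDomain, TlsCertificate or TlsPrivateKey. Plaintext
    transports are reported as info so that exposing them is a deliberate choice.
    """
    transports = {}
    for key, value in conf.items():
        m = TRANSPORT_RE.match(key)
        if m:
            transports.setdefault(int(m.group(1)), {})[m.group(2)] = value
    findings = []
    numbers = sorted(transports)
    if numbers != list(range(1, len(numbers) + 1)):
        findings.append(("error", "transport numbers not contiguous from 1: %s" % numbers))
    for n in numbers:
        t = transports[n]
        for needed in ("Interface", "Type"):
            if not t.get(needed):
                findings.append(("error", "Transport%d has no %s" % (n, needed)))
        ttype = t.get("Type", "").upper()
        if ttype in ("WSS", "TLS"):
            for needed in ("TlsDomain", "TlsCertificate", "TlsPrivateKey"):
                if not t.get(needed):
                    findings.append(("error", "Transport%d (%s) has no %s" % (n, ttype, needed)))
        elif ttype in ("WS", "TCP", "UDP"):
            findings.append(("info", "Transport%d carries SIP in clear text (%s on %s)"
                             % (n, ttype, t.get("Interface"))))
    return findings


def check_returnusers(users_text, returnserver_conf):
    """Check each users-file realm against AuthenticationRealm in reTurnServer.config."""
    realm = returnserver_conf.get("AuthenticationRealm")
    if not realm:
        return [("error", "AuthenticationRealm is not set in reTurnServer.config")]
    findings = []
    for lineno, line in enumerate(users_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            findings.append(("error", "users line %d: expected user:password:realm:state" % lineno))
            continue
        user, _password, user_realm, state = fields
        if user_realm != realm:
            findings.append(("error", "user %r has realm %r, server realm is %r"
                             % (user, user_realm, realm)))
        if state != "authorized":
            findings.append(("info", "user %r is not authorized (state %r)" % (user, state)))
    return findings


# Constructed repro.config excerpt in the style of the diff above: Transport3 was
# commented out without renumbering, and Transport2's private key line is disabled.
REPRO_SAMPLE = """
Transport1Interface = 203.0.113.10:80
Transport1Type = WS
Transport2Interface = 203.0.113.10:443
Transport2Type = WSS
Transport2TlsDomain = ws.example.net
Transport2RecordRouteUri = sip:ws.example.net;transport=WSS
Transport2TlsCertificate = /etc/ssl/ssl.crt/ws.example.net-bundle.crt
#Transport2TlsPrivateKey = /etc/ssl/private/ws.example.net-key.pem
Transport4Interface = 203.0.113.10:5060
Transport4Type = TCP
"""
# Constructed reTurnServer.config excerpt and users file (one realm typo, one pending user).
RETURN_CONF_SAMPLE = "AuthenticationRealm = reTurn\n"
USERS_SAMPLE = "test:notasecret:reTurn:authorized\nalice:pw1:returned:authorized\nbob:pw2:reTurn:pending\n"
```

On the constructed samples, `check_transports(parse_kv(REPRO_SAMPLE))` reports the numbering gap, the missing TlsPrivateKey and the two clear-text transports, and `check_returnusers(USERS_SAMPLE, parse_kv(RETURN_CONF_SAMPLE))` flags alice's realm and bob's pending state.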

### On your own web site

Simply install your own apache server and clone the webrtc.lumicall.org demo site. Modify the file js/custom.js and include the settings for your own server.

```
# cd /var/www
# mkdir webcall
# cd webcall
# wget -r -nH http://webrtc.lumicall.org
# vi js/custom.js
```


In the custom.js, make sure you use a ws:// URL if you didn't set up SSL certificates and use a wss:// URL if you did. The IP or domain of your repro server must be in the ws:// or wss:// URL.

Now navigate to the URL ending with /webcall on your server.

### For RHEL, Fedora and other RPM users

Can somebody please assist with the review of the cajun-jsonapi dependency package so I can upload this new version of reSIProcate to Fedora? I'm also planning to make v1.9.0 available in EPEL6 when it is released in January.

### Questions?

11 December, 2013 05:25PM by Daniel.Pocock

## Steve Kemp

### It's a wonderful life

Today, here in the UK, the date is 11/12/13.

Today, here in Edinburgh, we became married.

I've already promised I will make no more than two jokes, ever, about "owning a wife". I will save them for suitable occasions.

## Gustavo Noronha Silva

### WebKitGTK+ hackfest 5.0 (2013)!

For the fifth year in a row the fearless WebKitGTK+ hackers have gathered in A Coruña to bring GNOME and the web closer. Igalia has organized and hosted it as usual, welcoming a record 30 people to its office. The GNOME foundation has sponsored my trip allowing me to fly the cool 18 seats propeller airplane from Lisbon to A Coruña, which is a nice adventure, and have pulpo a feira for dinner, which I simply love! That in addition to enjoying the company of so many great hackers.

Web with wider tabs and the new prefs dialog

The goals for the hackfest have been ambitious, as usual, but we made good headway on them. Web the browser (AKA Epiphany) has seen a ton of little improvements, with Carlos splitting the shell search provider into a separate binary, which allowed us to remove some hacks from the session management code of the browser. It also makes testing changes to Web more convenient again. Jon McCann has been pounding at Web’s UI making it more sleek, with tabs that expand to make better use of the available horizontal space in the tab bar, and new dialogs for preferences, cookies and password handling. I have made my tiny contribution by making it not keep around tabs that were created just for what turned out to be a download. For this last day of the hackfest I plan to also fix an issue with text encoding detection and help track down a hang that happens upon page load.

Martin Robinson and Dan Winship hack

Martin Robinson and myself have as usual dived into the more disgusting and wide-reaching maintainership tasks that we have lots of trouble pushing forward in our day-to-day lives. Porting our build system to CMake has been one of these long-term goals, not because we love CMake (we don’t) or because we hate autotools (we do), but because it should make people’s lives easier when adding new files to the build, and should also make our build less hacky and quicker – it is sad to see how slow our build can be when compared to something like Chromium, and we think a big part of the problem lies in how complex and dumb autotools and make can be. We have picked up a few of our old branches, brought them up to date and landed them, which now lets us build the main WebKit2GTK+ library through cmake in trunk. This is an important first step, but there’s plenty to do.

Hackers take advantage of the icecream network for faster builds

Under the hood, Dan Winship has been pushing HTTP2 support for libsoup forward, with a dead-tree version of the spec by his side. He is refactoring libsoup internals to accommodate the new code paths. Still on the HTTP front, I have been updating soup’s MIME type sniffing support to match the newest living specification, which includes specifications for several new types and a new security feature introduced by Internet Explorer and later adopted by other browsers. The huge task of preparing the ground for one process per tab (or other kinds of process separation; this will still be a topic for discussion for a while) has been pushed forward by several hackers, with Carlos Garcia and Andy Wingo leading the charge.

Jon and Guillaume battling code

Other than that I have been putting in some more work on improving the integration of the new Web Inspector with WebKitGTK+. Carlos has reviewed the patch to allow attaching the inspector to the right side of the window, but we have decided to split it in two, one providing the functionality and one the API that will allow browsers to customize how that is done. There’s a lot of work to be done here; I plan to land at least this first patch during the hackfest. I have also fought one more battle in the never-ending User-Agent sniffing war, which we cannot win, it looks like.

Hackers chillin’ at A Coruña

I am very happy to be here for the fifth year in a row, and I hope we will be meeting here for many more years to come! Thanks a lot to Igalia for sponsoring and hosting the hackfest, and to the GNOME foundation for making it possible for me to attend! See you in 2014!

## Rogério Brito

### Trivial fact: convexity of polyhedra

Just a trivial fact: every polyhedron that is used in linear programming is convex, that is, $Ax \leq b$ is convex, for a matrix $A$ and a (column) vector $b$.

Proof: Take any $x', x''$ that satisfy the system of inequalities $Ax \leq b$. Then, for $0 \leq \lambda \leq 1$, we have that $\lambda Ax' \leq \lambda b$, that is $A \lambda x' \leq \lambda b$. Similarly, for $x''$, we have that $A (1-\lambda) x'' \leq (1-\lambda) b$. Summing the inequalities, we get:

$$
A[\lambda x' + (1-\lambda) x''] \leq [\lambda + (1-\lambda)] b = b,
$$

which means that $\hat{x} = \lambda x' + (1-\lambda) x''$ is again a solution of the original set of inequalities, thus concluding the argument.

# December 10, 2013

## Kees Cook

### live patching the kernel

A nice set of recent posts have done a great job detailing the remaining ways that a root user can get at kernel memory. Part of this is driven by the ideas behind UEFI Secure Boot, but they come from the same goal: making sure that the root user cannot directly subvert the running kernel. My perspective on this is toward making sure that an attacker who has gained access and then gained root privileges can’t continue to elevate their access and install invisible kernel rootkits.

An outline of possible attack vectors is spelled out by Matthew Garrett’s continuing “useful kernel lockdown” patch series. The set of attacks was examined by Tyler Borland in “Bypassing modules_disabled security”. His post describes each vector in detail, and he ultimately chooses MSR writing as the way to write kernel memory (and shows an example of how to re-enable module loading). One thing not mentioned is that many distros have MSR access as a module, and it’s rarely loaded. If modules_disabled is already set, an attacker won’t be able to load the MSR module to begin with. However, the other general-purpose vector, kexec, is still available. To prove out this method, Matthew wrote a proof-of-concept for changing kernel memory via kexec.

Chrome OS is several steps ahead here, since it has hibernation disabled, MSR writing disabled, kexec disabled, modules verified, root filesystem read-only and verified, kernel verified, and firmware verified. But since not all my machines are Chrome OS, I wanted to look at some additional protections against kexec on general-purpose distro kernels that have CONFIG_KEXEC enabled, especially those without UEFI Secure Boot and Matthew’s lockdown patch series.

My goal was to disable kexec without needing to rebuild my entire kernel. For future kernels, I have proposed adding /proc/sys/kernel/kexec_disabled, a partner to the existing modules_disabled, that will one-way toggle kexec off. For existing kernels, things got more ugly.

What options do I have for patching a running kernel?

First I looked back at what I’d done in the past with fixing vulnerabilities with systemtap. This ends up being a rather heavy-duty way to go about things, since you need all the distro kernel debug symbols, etc. It does work, but has a significant problem: since it uses kprobes, a root user can just turn off the probes, reverting the changes. So that’s not going to work.

Next I looked at ksplice. The original upstream has gone away, but there is still some work being done by Jiri Slaby. However, even with his updates which fixed various build problems, there were still more, even when building a 3.2 kernel (Ubuntu 12.04 LTS). So that’s out too, which is too bad, since ksplice does exactly what I want: modifies the running kernel’s functions via a module.

So, finally, I decided to just do it by hand, and wrote a friendly kernel rootkit. Instead of dealing with flipping page table permissions on the normally-unwritable kernel code memory, I borrowed from PaX’s KERNEXEC feature, and just turn off write protect checking on the CPU briefly to make the changes. The return values for functions on x86_64 are stored in RAX, so I just need to stuff the kexec_load syscall with “mov -1, %rax; ret” (-1 is EPERM):

```c
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/init.h>
#include <linux/module.h>
#include <linux/slab.h>

/* Address of the syscall entry to patch, passed in as the "syscall" module parameter. */
static unsigned long long_target;
static char *target;
module_param_named(syscall, long_target, ulong, 0644);
```

The Newstart payments start to decrease if the recipient earns more than $62 per fortnight. The minimum wage in Australia is $16.37 per hour for permanent work or $20.30 for casual work [3]. So if someone works for more than 3 hours at a casual rate (and I can’t imagine 4 hours a fortnight being anything other than casual) then their Newstart payments will decrease. The payment decreases are fairly significant, for every dollar that is earned about 50 cents will be deducted from the payments. That’s a great incentive to either avoid opportunities to do part-time work or to do cash-only work that’s outside the tax system.

The most obvious way of implementing a Basic Income would be to replace Newstart. Then anyone who is in that situation would be free to just not get a job – which would be OK IMHO as people who don’t want to work probably wouldn’t do a good job if the government forced them to get a job. People who are unemployed who want to work could work as much as they want and scale up according to what their employer asks and how much money they need.

Currently the full-time minimum wage is $622.20 per week (I’m not sure exactly how they get that from 16.37). That’s almost 2.5 times the Newstart allowance for a single person (but less than twice the Newstart allowance for a carer). While Newstart (and the other forms of social security) don’t provide a great income, it seems that the difference between Newstart and the minimum wage isn’t that great – particularly when you consider that working involves some expenses for travel etc. There doesn’t seem to be a great financial incentive for someone to leave Newstart and get a minimum wage job.

### People Who Want Social Security

Some people think it’s great to get government payments while others find it embarrassing to need such payments and won’t necessarily apply if they are eligible.

I think that the current system of forcing people to apply for social security is a way of discouraging people who find themselves unexpectedly in a difficult situation but doesn’t discourage people who are happy not to work. This seems to effectively reduce the incidence of payments to the people who most tax-payers would regard as the most worthy recipients.

### Economics

Charles Stross wrote about some ideas related to this [4]. He suggests that as the workforce participation has been steadily reducing due to technology we should move to a social model that isn’t based around working to live but working to buy luxuries that aren’t covered by the Basic Income.

One of the many economic changes related to a Basic Income is that the minimum wage could be smaller than it might otherwise be. For example if the minimum wage was decreased by the same amount that the Basic Income provided then the minimum income would remain the same while employers would pay less, this would affect the viability of certain types of contract work web sites if they were subject to minimum wage laws (currently they just ignore the minimum wage laws by paying based on job completion instead of hours worked). I don’t think that the minimum wage should decrease that much though, currently employers are able to run viable businesses with the minimum wage laws and I don’t think that a Basic Income should be used as a way of helping corporations avoid paying their employees.

If we had a Basic Income then there’s many ways that it could be used to stabilise the economy. If people could pay their rent even if they lost their job then a down-turn in one area of the economy wouldn’t immediately affect other areas.

Also if rent payments were deducted automatically from an account used to receive the Basic Income then landlords would be more likely to rent to poor people as they could be guaranteed to receive rent payments (it would be easy to have a contractual agreement for rent to take priority and have bank computers enforce that).

### The Implementation Problem

I don’t think that my idea would have any significant negative effects. It wouldn’t decrease government revenues if tax was adjusted accordingly. It wouldn’t make people stop working as people who don’t want to work already avoid it. It would help people who are out of work to get work by reducing the barriers to entry in terms of paperwork and of unreasonable cuts to Newstart making it bad value to take part time work.

I think that the big problem with implementing it is people who want to prevent poor people from having opportunities. They want to reduce social security and minimum wages even though such changes will in the long run only give less tax revenue and greater expense in law enforcement. It seems rather ironic that such hostility often comes from people at the low end of the middle class whose jobs are most likely to be at risk from new technology.

As on-going technological development reduces the number of workers that are required to keep things running we need to have some form of payment to the people who aren’t doing enough work to survive. A decent Basic Income is a much better option than giving Newstart payments and forcing a significant portion of the population into a degrading search for jobs that don’t exist. As that’s the inevitable future I think we should make political changes to deal with it sooner rather than later. However a Basic Income might be implemented now, it’s surely going to be a lot better than what might happen if we wait until the majority of the population are unemployed before doing something about it.
08 December, 2013 12:17PM by etbe

### A Better University

I previously wrote about the financial value of a university degree [1], my general conclusion is that the value is decreasing for most fields of employment that don’t have a legal requirement for a degree. In the past I wrote about some ideas for a home university [2], basically extending the home-schooling concept to a university level.

I recently read John Scalzi’s post about being poor [3], many of the comments address the difficulty of getting to college and how it impacts career possibilities. From reading that it seems that my ideas about a “home university” are mostly based around what middle-class people can afford. Also getting a job afterwards will probably be a lot easier for someone who was born into the middle classes.

It seems to me that a large part of the problem with the university system is the expectation that they will both provide for academic research and train people for jobs. Dr. David Helfand has some great ideas for running a university to give the higher education that a university is supposed to provide rather than the work training that most universities actually provide [4]. His ideas aren’t theoretical, they have been implemented and proven to work. Note that Dr Helfand’s talk starts slowly, the second half is the best (for those of you with short attention spans).

The fact that most people think of a university degree in terms of getting a job seems to be a failure of the university system to fulfill its original aim. If Dr Helfand’s ideas take off then it would really address the problem of universities not educating people. But that still leaves the issue of job training.

### Is a Degree Mandatory?

I think that to some degree people expect that a university degree is necessary job training even when it isn’t.

I wonder what would happen if it was generally agreed that the right thing to do was to search for a job between the end of high school and the start of university, then anyone who got a suitable offer could defer their university course and see what career success they could achieve without it. When I was at school the general idea was that after completing year 12 everyone just had a holiday until the start of university as the entire point of school was to get into university.

While hiring managers prefer candidates who have degrees they also prefer to hire people who will accept a lower salary, so hiring an 18yo with no degree may give better value than a 21yo who has a degree.

I believe that making university degrees more accessible has reduced inequality which is a good thing. But making degrees mandatory (which is widely believed by high school students and thus is the situation that they have to deal with) contributes to greater inequality. While university doesn’t cost much by middle-class standards it is still expensive for poor people.

If a university degree wasn’t considered to be mandatory then the number of people employed to teach at a university level would be smaller. This would hopefully mean that the average skill of university lecturers would increase (I hope that the least skillful lecturers would be the ones to find work elsewhere).
08 December, 2013 11:39AM by etbe

## John Goerzen

### Results with btrfs and zfs

The recent news that openSUSE considers btrfs safe for users prompted me to consider using it. And indeed I did. I was already familiar with zfs, so considered this a good opportunity to experiment with btrfs.

btrfs makes an intriguing filesystem for all sorts of workloads. The benefits of btrfs and zfs are well-documented elsewhere. There are a number of features btrfs has that zfs lacks. For instance:

• The ability to shrink a device that’s a member of a filesystem/pool
• The ability to remove a device from a filesystem/pool entirely, assuming enough free space exists elsewhere for its data to be moved over.
• Asynchronous deduplication that imposes neither a synchronous performance hit nor a heavy RAM burden
• Copy-on-write copies down to the individual file level with cp --reflink
• Live conversion of data between different profiles (single, dup, RAID0, RAID1, etc)
• Live conversion between on-the-fly compression methods, including none at all
• Numerous SSD optimizations, including alignment and both synchronous and asynchronous TRIM options
• Proper integration with the VM subsystem
• Proper support across the many Linux architectures, including 32-bit ones (zfs is currently only flagged stable on amd64)
• Does not require excessive amounts of RAM

The feature set of ZFS that btrfs lacks is well-documented elsewhere, but there are a few odd btrfs missteps:

• There is no way to see how much space a subvolume/filesystem is using without turning on quotas. Even then, it is cumbersome and not reported with df like it should be.
• When a maximum size for a subvolume is set via a quota, it is not reported via df; applications have no idea when they are about to hit the maximum size of a filesystem.

btrfs would be fine if it worked reliably. I should say at the outset that I have never lost any data due to it, but it has caused enough kernel panics that I’ve lost count. I several times had a file that produced a panic when I tried to delete it, several times when it took more than 12 hours to unmount a btrfs filesystem, behaviors where hardlink-heavy workloads take days longer to complete than on zfs or ext4, and that’s just the ones I wrote about. I tried to use btrfs balance to change the metadata allocation on the filesystem, and never did get it to complete; it seemed to go into an endless I/O pattern after the first 1GB of metadata and never got past that. I didn’t bother trying the live migration of data from one disk to another on this filesystem.

I wanted btrfs to work. I really, really did. But I just can’t see it working.

I tried it on my laptop, but had to turn off CoW on my virtual machine’s disk because of the rm bug. I tried it on my backup devices, but it was unusable there due to being so slow. (Also, the hardlink behavior is broken by default and requires btrfstune -r. Yipe.)

At this point, I don’t think it is really all that worth bothering with. I think the SuSE decision is misguided and ill-informed. btrfs will be an awesome filesystem. I am quite sure it will, and will in time probably displace zfs as the most advanced filesystem out there. But that time is not yet here.

In the meantime, I’m going to build a Debian Live Rescue CD with zfsonlinux on it. Because I don’t ever set up a system I can’t repair.

08 December, 2013 05:53AM by John Goerzen

# December 07, 2013

## Dirk Eddelbuettel

### R and Big Data at Big Data Summit at UI Research Park

I spent yesterday at the very enjoyable Big Data Summit held at the University of Illinois Research Park at the edge of the University of Illinois at Urbana-Champaign campus. My (short) presentation was part of a panel session on R and Big Data which Doug Simpson of the UIUC Statistics department had put together very well.
We heard from a vendor / technology provider with Christopher Nguyen from Adatao talking about their "Big R", from industry with Andy Stevens talking about some real-life challenges with big data at John Deere, from academia with Jonathon Greenberg talking about R and HPC for geospatial research, and I added a few short comments and links about R, HPC and Rcpp. My few slides are now up on my talks / presentations page.

Overall, a good day with a number of interesting presentations and of course a number of engaging hallway discussions.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

## Daniel Pocock

### Free calling from browser to mobile with free software

Lumicall is now offering free calls from browser to mobile. The whole service is powered by free software using open standards.

• The person receiving the call must have the open source Lumicall app on their phone (Android and Cyanogenmod phones supported)
• The person making the call just goes to http://webrtc.lumicall.org and dials the number in international format. For example, for the UK mobile 07123 45678, you need to dial +44712345678

### Credits

Various open source projects have made this possible, in particular:

The service is enabled by WebRTC which is part of the latest HTML and JavaScript standards. You need to have the latest version of Mozilla Firefox, Google Chrome or another modern web browser supporting WebRTC - so there is no need to install any plugin.

### Feedback and discussion

Please come and join us on the mailing list for any of the third-party projects that are involved. Please also join the Free real-time communications list sponsored by the FSF Europe for any general discussion about the future of free communications with free software.

### WebRTC Conference this week

I'll be presenting some of my own work with WebRTC at the WebRTC Conference and Exhibition 2013 in Paris this week. Various other free software developers are also in the program, including Ludovic Dubost from xWiki and Emil Ivov from Jitsi.

07 December, 2013 08:14PM by Daniel.Pocock

## Hideki Yamane

### I was in Mini DebConf in Taiwan 2013

I've done GPG key signing for Mini DebConf in Taiwan 2013 participants, and written an article for the Japanese magazine Software Design 2014/Jan. This means my short trip has ended, at last.

In this event, I've talked about "local community" for Debian, a bit (PDF/ODF are in the Debian Wiki). As you probably know, most Debian contributors are in Europe/America (North and South), not in Asia. But there are lots of talented people. It means: there is huge possibility for Debian :) I hope we Asian Debian people unite and publish our community work more, and do a "DebConf in Asia" in the future.

07 December, 2013 03:49PM by Hideki Yamane (noreply@blogger.com)

## Dominique Dumont

### LWP::UserAgent https proxy now fixed in Debian

Hello

For more than 10 years, opening an https connection through a proxy was not possible with LWP::UserAgent. Thanks to Steffen Ullrich, this bug is now fixed in the LWP::UserAgent and LWP::Protocol::https repositories. In Debian, I’ve updated libwww-perl 6.05-2 and liblwp-protocol-https-perl 6.04-2 to include the same patches. This fix is now available in Debian unstable.

See my previous blog for more details on this story.
All the best

Tagged: debian, https_proxy, Perl

# December 06, 2013

## Steve Kemp

### So PaaS

I just realised a lot of my projects are deployed in the same way:

• They run under runit.
• They operate directly from git clones.

This includes both Apache-based projects, and node.js projects. I'm sure I could generalize this, and do clever things with git-hooks. Right now for example I have run-scripts which look like this:

```sh
#!/bin/sh
#
# /etc/service/blogspam.js/run - Runs the blogspam.net API.
#

# update the repository.
git pull --update --quiet

# install dependencies, if appropriate.
npm install

# launch
exec node server.js
```

It seems the only thing that differs is the name of the directory and the remote git clone URL. With a bit of scripting magic I'm sure you could push applications to a virgin Debian installation and have it do the right thing.

I think the only obvious thing I'm missing is a list of Debian dependencies. Perhaps adding something like the packages.json file I could add an extra step:

```sh
apt-get update -qq
apt-get install --yes --force-yes $(cat packages.apt)
```


Making deployments easy is a good thing, and consistency helps..

## Petter Reinholdtsen

### Debian Edu interview: Klaus Knopper

It has been a while since I managed to publish the last interview, but the Debian Edu / Skolelinux community is still going strong, and yesterday we even had a new school administrator show up on #debian-edu to share his success story with installing Debian Edu at their school. This time I have been able to get some helpful comments from the creator of Knoppix, Klaus Knopper, who was involved in a Skolelinux project in Germany a few years ago.

Who are you, and how do you spend your days?

I am Klaus Knopper. I have a master's degree in electrical engineering, and am currently a professor of information management at the University of Applied Sciences Kaiserslautern / Germany and a freelance Open Source software developer and consultant.

All of this is pretty much the work I spend my days with. Apart from teaching, I'm also conducting some more or less experimental projects like the Knoppix GNU/Linux live system (Debian-based like Skolelinux), ADRIANE (a blind-friendly talking desktop system) and LINBO (Linux-based network boot console, a fast remote install and repair system supporting various operating systems).

How did you get in contact with the Skolelinux / Debian Edu project?

The credit for this has to go to Kurt Gramlich, who is the German coordinator for Skolelinux. We were looking for an all-in-one open source community-supported distribution for schools, and Kurt introduced us to Skolelinux for this purpose.

What do you see as the advantages of Skolelinux / Debian Edu?

• Quick installation,
• works (almost) out of the box,
• contains many useful software packages for teaching and learning,
• is a purely community-based distro and not controlled by a single company,
• has a large number of supporters and teachers who share their experience and problem solutions.

What do you see as the disadvantages of Skolelinux / Debian Edu?

• Skolelinux is - as we had to learn - not easily upgradable to the next version. As opposed to its genuine Debian base, upgrading to a new version means a full new installation from scratch to get it working again reliably.
• Skolelinux is based on Debian/stable, and therefore always a little outdated in terms of program versions compared to Edubuntu or similar educational Linux distros, which rather use Debian/testing as their base.
• Skolelinux has some very self-opinionated and stubborn default configuration which in my opinion adds unnecessary complexity and is not always suitable for a school's needs; the preset network configuration is actually a core definition feature of Skolelinux and not easy to change, so schools sometimes have to change their network configuration to make it "Skolelinux-compatible".
• Some proposed extensions, which were made available as contributions, like secure examination mode and lecture material distribution and collection, were not accepted into the mainline Skolelinux development and are now not easy to maintain in the future because of Skolelinux's somewhat nondeterministic update schemes.
• Skolelinux has only a very tiny number of base developers compared to Debian.

For these reasons and experience from our project, I would now rather consider using plain Debian for schools next time, until Skolelinux is more closely integrated into Debian and becomes upgradeable without reinstallation.

Which free software do you use daily?

GNU/Linux with LXDE desktop, bash for interactive dialog and programming, texlive for documentation and correspondence, occasionally LibreOffice for document format conversion. Various programming languages for teaching.

Which strategy do you believe is the right one to use to get schools to use free software?

Strong arguments are

• Knowledge is free, and so should be methods and tools for teaching and learning.
• Students can learn with and use the same software at school, at home, and at their working place without running into license or conversion problems.
• Closed source or proprietary software hides knowledge rather than exposing it, and proprietary software vendors try to bind customers to certain products. But teachers need to teach science, not products.
• If you have everything you need for daily work as open source, what would you need proprietary software for?

## Wouter Verhelst

### POV-Ray 3.7 out!

I've been using POV-Ray off and on for the past decade or so. I've never been extremely talented with graphical stuff, but I've always liked playing around with it; and POV-Ray, with its turing-complete scene description language, appeals to me as a programmer. I've used it when I needed to do some animation; for instance, I created the FOSDEM 2013 and DebConf13 "wait screen" animations for the video team with FOSDEM.

One particular downside of POV-Ray has always been the fact that their license was a custom non-free one. This was a historical accident (POV-Ray has existed for a long time, since before the popularization of FLOSS), and AIUI, the relicensing was impossible for various reasons. However, a rewrite of POV-Ray (as version 3.7) has been in the making for quite a while.

Today, I noticed two things: first, POV-Ray 3.7 was released (under the AGPLv3, thereby becoming Free Software); and second, as of the 3.7 release, POV-Ray is kept in a git repository and available on github.

Also, apart from it being free software now, POV-Ray 3.7 has a few new features as well. Most importantly among those (at least in my opinion), POV-Ray 3.7 is a multithreaded application, in contrast to POV-Ray 3.6 and before which wasn't.

Building it seemed to have some issues with the versions of a few things that are in Debian unstable; but for one of these a fix has already been merged, and for the other a merge request is out.

Now to decide whether I should package it...

06 December, 2013 08:00AM by Wouter Verhelst (w@uter.be)

## Gunnar Wolf

### For people in Mexico: Workshop next Wednesday! Video editing from the command line (by Chema Serralde, @joseserralde)

(Yes, yes... Maybe I should post in Spanish.. But hey, gotta keep consistency in my blog!)

### General, public, open invitation

Are you in Mexico City, or do you plan to be next Wednesday (December 11)?

Are you interested in video editing? In Free Software?

I will have the pleasure to host at home the great Chema Serralde, a good friend, and a multifaceted guru both in the technical and musical areas. He will present a workshop: Video editing from the command line.

I asked Chema for an outline of his talk, but given he is a busy guy, I will basically translate the introduction he prepared for this same material in FSL Vallarta, held two weeks ago.

With the help of the command line, you can become a multimedia guru. We will edit a video using just a terminal. This skill will surprise your friends — and your partner.

But the most important thing is that this knowledge is just an excuse to understand step by step what a video CODEC means, what a FORMAT is, and how video and audio editors work; by using this knowledge, you will be able to set the basis for multimedia editing, without the promises and secrets of proprietary editors.

How much does my file weigh and why? How to improve a video file's quality? Why can't I read my camera's information from GNU/Linux?

By the end of this workshop, we will see how some libraries help you develop your first audio and video application, what their main APIs are and what they are used for.

### Logistics

Everybody is welcome to come for free, no questions asked, no fees collected. I can offer coffee for all, but if you want anything else to eat/drink, you are welcome to bring it.

We do require you to reserve and confirm your place (mail me to my usual mail address). We have limited space, and I must set an absolute quota of 10 participants.

Some people hide their address... Mine is quite publicly known: Av. Copilco 233, just by Parque Hugo Margain, on the Northern edge of UNAM (Metro Copilco).

The course starts at 16:00, and lasts... As long as we make it last ;-)

So, that said... See you there! :-D

[update]: Chema sent me the list of topics he plans to cover. Copy/pasting from his mail (translated here from the Spanish):

LIGHTNING WORKSHOP ON AUDIOVISUAL EDITING ON THE COMMAND LINE

1. Editing like a caveman.
   1. Basic manipulation of multimedia files in POSIX environments.
   2. Be a Bash VJ (videojockey)
   3. Dumping and piping
2. Editing like a scientist.
   1. 3 families of video CODECs and their patents
   2. 3 families of audio CODECs and their patents
   3. Muxers, demuxers and muxes.
3. Editing like an artist.
   1. Free software toolboxes for video processing.
   2. Real-time video processing (whoever fancies themselves an artist loses)
   3. Melting video and audio with socks: MELT + SOX

Required software

(POSIX operating systems; Windows users, come along with the urge to rethink your lives): mplayer, avconv/ffmpeg (libavcodec), melt, sox, imagemagick

06 December, 2013 01:56AM by gwolf

# December 05, 2013

## Daniel Kahn Gillmor

### The legal utility of deniability in secure chat

This Monday, I attended a workshop on Multi-party Off the Record Messaging and Deniability hosted by the Calyx Institute. The discussion was a combination of legal and technical people, looking at how the characteristics of this particular technology affect (or do not affect) the law.

This is a report-back, since I know other people wanted to attend. I'm not a lawyer, but I develop software to improve communications security, I care about these questions, and I want other people to be aware of the discussion. I hope I did not misrepresent anything below. I'd be happy if anyone wants to offer corrections.

## Background

Off the Record Messaging (OTR) is a way to secure instant messaging (e.g. jabber/XMPP, gChat, AIM).

The two most common characteristics people want from a secure instant messaging program are:

• Authentication: Each participant should be able to know specifically who the other parties are on the chat.
• Confidentiality: The content of the messages should only be intelligible to the parties involved with the chat; it should appear opaque or encrypted to anyone else listening in. Note that confidentiality effectively depends on authentication -- if you don't know who you're talking to, you can't make sensible assertions about confidentiality.

As with many other modern networked encryption schemes, OTR relies on each user maintaining a long-lived "secret key", and publishing a corresponding "public key" for their peers to examine. These keys are critical for providing authentication (and by extension, for confidentiality).

But OTR offers several interesting characteristics beyond the common two. Its most commonly cited characteristics are "forward secrecy" and "deniability".

• Forward secrecy: Assuming the parties communicating are operating in good faith, forward secrecy offers protection against a special kind of adversary: one who logs the encrypted chat, and subsequently steals either party's long-term secret key. Without forward secrecy, such an adversary would be able to discover the content of the messages, violating the confidentiality characteristic. With forward secrecy, this adversary is stymied and the messages remain confidential.
• Deniability: Deniability only comes into play when one of the parties is no longer operating in good faith (e.g. their computer is compromised, or they are collaborating with an adversary). In this context, if Alice is chatting with Bob, she does not want Bob to be able to cryptographically prove to anyone else that she made any of the specific statements in the conversation. This is the focus of Monday's discussion.

To be clear, this kind of deniability means Alice can correctly say "you have no cryptographic proof I said X", but it does not let her assert "here is cryptographic proof that I did not say X" (I can't think of any protocol that offers the latter assertion). The opposite of deniability is a cryptographic proof of origin, which usually runs something like "only someone with access to Alice's secret key could have said X."

The traditional two-party OTR protocol has offered both forward secrecy and deniability for years. But deniability in particular is a challenging characteristic to provide for group chat which is the domain of Multi-Party OTR (mpOTR). You can read some past discussion about the challenges of deniability in mpOTR (and why it's harder when there are more than two people chatting) from the otr-users mailing list.
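As an added illustration (not code from the post, and not OTR's own protocol), the Go program below contrasts a transcript whose lines Alice signed with her long-term key, where a valid signature is a proof of origin, with a transcript authenticated by a MAC key that both parties hold, where Bob can fabricate any "Alice" line and it verifies just as well as her genuine ones. The party names, message texts and the randomly generated session key are constructed for the example; real OTR derives its MAC keys from a Diffie-Hellman exchange, which this sketch does not model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Line is one entry of a chat transcript as Bob might hand it to a third
// party: the claimed author, the text, and the authenticator attached to it.
type Line struct {
	From string
	Text string
	Auth []byte
}

// ThirdPartyView records what an outsider holding only the transcript and
// the verification material can conclude.
type ThirdPartyView struct {
	GenuineVerifies bool // Alice's real line checks out
	ForgedVerifies  bool // a line Bob invented and attributed to Alice also checks out
}

func payload(l Line) []byte { return []byte(l.From + ":" + l.Text) }

// signedLine models a protocol with proof of origin: Alice signs each message
// with her long-term secret key.
func signedLine(priv ed25519.PrivateKey, from, text string) Line {
	l := Line{From: from, Text: text}
	l.Auth = ed25519.Sign(priv, payload(l))
	return l
}

// verifySigned needs only Alice's public key; a valid signature could have
// been produced only by someone holding her secret key.
func verifySigned(pub ed25519.PublicKey, l Line) bool {
	return ed25519.Verify(pub, payload(l), l.Auth)
}

// macLine models the deniable design: the session MAC key is shared by both
// parties, so either of them can produce a valid tag for any text.
func macLine(sessionKey []byte, from, text string) Line {
	l := Line{From: from, Text: text}
	m := hmac.New(sha256.New, sessionKey)
	m.Write(payload(l))
	l.Auth = m.Sum(nil)
	return l
}

func verifyMAC(sessionKey []byte, l Line) bool {
	return hmac.Equal(macLine(sessionKey, l.From, l.Text).Auth, l.Auth)
}

// SignedTranscript: Bob has the transcript and Alice's public key but not her
// secret key, so the best he can do is attach a real signature to new text.
func SignedTranscript() (ThirdPartyView, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ThirdPartyView{}, err
	}
	genuine := signedLine(priv, "alice", "meet at noon") // constructed sample line
	forged := Line{From: "alice", Text: "I did it", Auth: genuine.Auth}
	return ThirdPartyView{
		GenuineVerifies: verifySigned(pub, genuine),
		ForgedVerifies:  verifySigned(pub, forged),
	}, nil
}

// DeniableTranscript: Bob holds the same session key as Alice and computes a
// fresh, valid tag for text she never sent. The transcript is equally
// consistent with either of them having written any line.
func DeniableTranscript() (ThirdPartyView, error) {
	sessionKey := make([]byte, 32) // stands in for a key both parties agreed on
	if _, err := rand.Read(sessionKey); err != nil {
		return ThirdPartyView{}, err
	}
	genuine := macLine(sessionKey, "alice", "meet at noon")
	forged := macLine(sessionKey, "alice", "I did it") // computed by Bob himself
	return ThirdPartyView{
		GenuineVerifies: verifyMAC(sessionKey, genuine),
		ForgedVerifies:  verifyMAC(sessionKey, forged),
	}, nil
}

func main() {
	s, _ := SignedTranscript()
	d, _ := DeniableTranscript()
	fmt.Printf("signed:   genuine=%v forged=%v (signature is proof of origin)\n", s.GenuineVerifies, s.ForgedVerifies)
	fmt.Printf("deniable: genuine=%v forged=%v (tag says nothing about who wrote it)\n", d.GenuineVerifies, d.ForgedVerifies)
}
```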

## If you're not doing anything wrong...

The discussion was well-anchored by a comment from another participant who cheekily asked "If you're not doing anything wrong, why do you need to hide your chat at all, let alone be able to deny it?"

The general sense of the room was that we'd all heard this question many times, from many people. There are lots of problems with the ideas behind the question from many perspectives. But just from a legal perspective, there are at least two problems with the way this question is posed:

• laws themselves are not always just (e.g. consider chat communications between an interracial couple in the USA before 1967, if instant messaging had existed at the time), and
• law enforcement (or a legal adversary in civil litigation) may have a different understanding or interpretation of the law than you do (e.g. consider chat communications between a corporate or government whistleblower and a journalist).

In these situations, people confront real risk from the law. If we care about these people, we need to figure out if we can build systems to help them reduce that legal risk (of course we also need to fix broken laws, and the legal environment in general, but those approaches were out of scope for this discussion).

## The Legal Utility of Deniability

Monday's meeting was called specifically because it wasn't clear how much real-world usefulness there is in the "deniability" characteristic, and whether this feature is worth the development effort and implementation tradeoffs required. In particular, the group was interested in deniability's utility in legal contexts; many (most?) people in the room were lawyers, and it's also not clear that deniability has much utility outside of a formal legal setting. If your adversary isn't constrained by some rule of law, they probably won't care at all whether there is a cryptographic proof or not that you wrote a particular message (In retrospect, one possible exception is exposure in the media, but we did not discuss that scenario).

### Places of possible usefulness

So where might deniability come in handy during civil litigation or a criminal trial? Presumably the circumstance is that a piece of a chat log is offered as incriminating evidence, and the defendant is trying to deny something that they appear to have said in the log.

This denial could take place in two rather different contexts: during rulings on the admissibility of evidence, or (once admitted) in front of a jury.

In legal wrangling over admissibility, apparently a lot of horse-trading can go on -- each side concedes some things in exchange for the other side conceding other things. It appears that cryptographic proof of origin (that is, a lack of deniability) on the chat logs themselves might reduce the amount of leverage a defense lawyer can get from conceding or arguing strongly over that piece of evidence. For example, if the chain of custody of a chat transcript is fuzzy (i.e. the transcript could have been mishandled or modified somehow before reaching trial), then a cryptographic proof of origin would make it much harder for the defense to contest the chat transcript on the grounds of tampering. Deniability would give the defense more bargaining power.

In arguing about already-admitted evidence before a jury, deniability in this sense seems like a job for expert witnesses, who would need to convince the jury of their interpretation of the data. There was a lot of skepticism in the room over this, both around the possibility of most jurors really understanding what OTR's claim of deniability actually means, and on jurors' ability to distinguish this argument from a bogus argument presented by an opposing expert witness who is willing to lie about the nature of the protocol (or who misunderstands it and passes on their misunderstanding to the jury).

The complexity of the tech systems involved in a data-heavy prosecution or civil litigation are themselves opportunities for lawyers to argue (and experts to weigh in) on the general reliability of these systems. Sifting through the quantities of data available and ensuring that the appropriate evidence is actually findable, relevant, and suitably preserved for the jury's inspection is a hard and complicated job, with room for error. OTR's deniability might be one more element in a multi-pronged attack on these data systems.

These are the most compelling arguments for the legal utility of deniability that I took away from the discussion. I confess that they don't seem particularly strong to me, though some level of "avoiding a weaker position when horse-trading" resonates with me.

What about the arguments against its utility?

### Limitations

The most basic argument against OTR's deniability is that courts don't care about cryptographic proof for digital evidence. People are convicted or lose civil cases based on unsigned electronic communications (e.g. normal e-mail, plain chat logs) all the time. OTR's deniability doesn't provide any legal cover stronger than trying to claim you didn't write a given e-mail that appears to have originated from your account. As someone who understands the forgeability of e-mail, I find this overall situation troubling, but it seems to be where we are.

Worse, OTR's deniability doesn't cover whether you had a conversation, just what you said in that conversation. That is, Bob can still cryptographically prove to an adversary (or before a judge or jury) that he had a communication with someone controlling Alice's secret key (which is probably Alice); he just can't prove that Alice herself said any particular part of the conversation he produces.

Additionally, there are runtime tradeoffs depending on how the protocol manages to achieve these features. For example, forward secrecy itself requires an additional round trip or two when compared to authenticated, encrypted communications without forward secrecy (a "round trip" is a message from Alice to Bob followed by a message back from Bob to Alice).

Getting proper deniability into the mpOTR spec might incur extra latency (imagine having to wait 60 seconds after everyone joins before starting a group chat, or a pause in the chat of 15 seconds when a new member joins) or extra computational power (meaning that they might not work well on slower/older devices) or an order of magnitude more bandwidth (meaning that chat might not work at all on a weak connection). There could also simply be complexity that makes it harder to correctly implement a protocol with deniability than an alternate protocol without deniability. Incorrectly-implemented software can put its users at risk.

I don't know enough about the current state of mpOTR to know what the specific tradeoffs are for the deniability feature, but it's clear there will be some. Who decides whether the tradeoffs are worth the feature?

### Other kinds of deniability

Further weakening the case for the legal utility of OTR's deniability, there seem to be other ways to get deniability in a legal context over a chat transcript.

There are deniability arguments that can be made from outside the protocol. For example, you can always claim someone else took control of your computer while you were asleep or using the bathroom or eating dinner, or you can claim that your computer had a virus that exported your secret key and it must have been used by someone else.

If you're desperate enough to sacrifice your digital identity, you could arrange to have your secret key published, at which point anyone can make signed statements with it. Having forward secrecy makes it possible to expose your secret key without exposing the content of your past communications to any listener who happened to log them.

### Conclusion

My takeaway from the discussion is that the legal utility of OTR's deniability is non-zero, but quite low; and that development energy focused on deniability is probably only justified if there are very few costs associated with it.

Several folks pointed out that most communications-security tools are too complicated or inconvenient to use for normal people. If we have limited development energy to spend on securing instant messaging, usability and ubiquity would be a better focus than this form of deniability.

Secure chat systems that take too long to make, that are too complex, or that are too cumbersome are not going to be adopted. But this doesn't mean people won't chat at all -- they'll just use cleartext chat, or maybe they'll use supposedly "secure" protocols with even worse properties: for example, without proper end-to-end authentication (permitting spoofing or impersonation by the server operator or potentially by anyone else); with encryption that is reversible by the chatroom operator or flawed enough to be reversed by any listener with a powerful computer; without forward secrecy; or so on.

As a demonstration of this, we heard some lawyers in the room admit to using Skype to talk with their clients even though they know it's not a safe communications channel because their clients' adversaries might have access to the skype messaging system itself.

My conclusion from the meeting is that there are a few particular situations where deniability could be useful legally, but that overall, it is not where we as a community should be spending our development energy. Perhaps in some future world where all communications are already authenticated, encrypted, and forward-secret by default, we can look into improving our protocols to provide this characteristic, but for now, we really need to work on usability, popularization, and wide deployment.

### Thanks

Many thanks to Nick Merrill for organizing the discussion, to Shayana Kadidal and Stanley Cohen for providing a wealth of legal insight and legal experience, to Tom Ritter for an excellent presentation of the technical details, and to everyone in the group who participated in the interesting and lively discussion.

Tags: chat, deniability, otr, security

05 December, 2013 11:14PM by Daniel Kahn Gillmor (dkg)

## Steve Kemp

Today I should have been heading down to York, to attend the Bytemark Christmas party. Instead I'm here in Edinburgh, because wind/storms basically shutdown the rail network in Scotland for the morning.

Technically I could have probably made it, but only belatedly and only at a huge cost to my sanity. The train-station was insane with stranded people, and there seemed no guarantee the recently-revived service would continue.

So instead I'm sulking at home.

I had a lot of other things scheduled to do in York/London today/tomorrow, for reasons that will become apparent next week, so to say I'm annoyed is an understatement.

In happier news I'm not dead.

Walking to work this morning was horrific; there was so much wind, 70-100mph, that I couldn't actually cross a bridge on Ocean Drive, because I just kept getting blown into the road. (Yeah, that's a road that is very close to the coast. Driving wind. Horrible rain. Storming sea. Fun.)

I ended up retracing my steps, and taking a detour. (PS. My boots leaked.)

Not a good day. Enjoy some software instead - a trivial HTTP / XMPP bridge.

## Jakub Wilk

### A-za-z | a-zA-z

Releasing the shift key is hard.

# December 04, 2013

## Matthew Palmer

### The easy bit of software development

I’m sure this isn’t an original thought of mine, but it just popped into my head and I think it’s something of a “fundamental truth” that all software developers need to keep in mind:

Writing software is easy. The hard part is writing software that works.

All too often, we get so caught up in the rush of building something that we forget that it has to work – and, all too often, we fail in some fundamental fashion, whether it’s “doesn’t satisfy the user’s needs” or “you just broke my $FEATURE!” (which is the context I was thinking of).

04 December, 2013 11:45PM by Matt Palmer (mpalmer@hezmatt.org)

## Aigars Mahinovs

### Translation management workflows

Whatever you do with translations, consider translation management issues.

For example, you are developing a multilingual web site. All kinds of labels and buttons and form fields are nicely translatable with the trans template tag and ugettext. You have po files that follow your code from dev to stage to production environment.

Now you add a CMS into the mix. And suddenly your translations are in more than one place, in more than one format, and follow different routes to production.

Now imagine that you need to add Chinese to your entire site. The translator is an off-site contractor. What files would you send to him to translate? How would you generate them? How will you integrate them? If someone adds or changes a page on production in English: how will your developers see that change? How will you know that an updated translation for Chinese is needed? How will you manage the update of the translation?

If you make a CMS and don't have at least the export_po_file and import_po_file management commands, then you are not really multilingual. It is either that or figuring out your own answer to the above questions.

I have finally found a Django-based CMS that has those: http://pythonhosted.org/django-page-cms/ . I have not really tried it yet, but I am hopeful.

04 December, 2013 08:56PM by aigarius

## Jonathan McDowell

### Thoughts on SSDs and encryption

My laptop is just over 3 years old, which is about the point I start to think about a replacement. At present there's nothing that's an obvious contender, so I've been looking at an SSD to prolong it by another year or two.

One of the other thoughts I had is that I currently use dm-crypt under Linux to provide whole disk encryption for everything except the boot partition - I have a bunch of my personal financial and immigration documents stored that I'd prefer not to get disclosed if my laptop is stolen.

Modern drives have started offering integral AES encryption options, so perhaps I could offload that to the drive (my i5 470UM lacks the hardware instructions for this). General consensus in the pub (where all the best security advice is to be found) is that no one present trusted SSD firmware authors not to use some badly chosen AES crypto mode, or leave the key lying around in plain text in easily readable flash, or some other implementation mishap.

So how hard would it be to retrofit reliable (or at least source-verifiable and thus more reliable) crypto to an SSD? There was an impressive article recently about reverse engineering the firmware of a HDD, to the point of modifying data returned to the host and also running Linux on the controller. It seems that SSD firmware should be easier - NAND is simpler to talk to than motors and magnetic sensors, right? It's a case of gluing together a SATA interface, a NAND controller and an AES offload engine, yes? Aside from the minor matter of finding a suitable drive with an available JTAG interface, a controller with docs (or more likely one that can be reverse engineered) and enough time to produce a replacement open firmware, that is.

Alternatively, can anyone provide some idea of how secure the available laptop SSDs on the market actually are? I'm fine with "the NSA can read your data if they want" because a determined attacker will be able to find other ways to get my data anyway, but I don't want "anyone who finds the drive can use this loophole in the firmware by wiggling some bits with JTAG to dump the key and read all your data".

# December 03, 2013

## Matthew Garrett

### Subverting security with kexec

(Discussion of a presentation I gave at Kiwicon last month)

Kexec is a Linux kernel feature intended to allow the booting of a replacement kernel at runtime. There are a few reasons you might want to do that, such as using Linux as a bootloader[1], rebooting without having to wait for the firmware to reinitialise, or booting into a minimal kernel and userspace that can be booted on crash in order to save system state for later analysis.

But kexec's significantly more flexible than this. The kexec system call interface takes a list of segments (ie, pointers to a userspace buffer and the desired target destination) and an entry point. The kernel relocates those segments and jumps to the entry point. That entry point is typically code referred to as purgatory, due to the fact that it lives between the world of the first kernel and the world of the second kernel. The purgatory code sets up the environment for the second kernel and then jumps to it. The first kernel doesn't need to know anything about what the second kernel is or does. While it's conventional to load Linux, you can load just about anything. The most important thing to note here is that none of this is signed.

In other words, despite us having a robust in-kernel mechanism for ensuring that only signed modules can be inserted into the kernel, root can still load arbitrary code via kexec and execute it. This seems like a somewhat irritating way to patch the running kernel, so thankfully there's a much more straightforward approach. I modified kexec to add an additional loader and uploaded the code here. Build and install it. Make sure that /sys/module/module/parameters/sig_enforce on your system is "Y". Then, as root, do something like:

```sh
kexec --type="dummy" --address=$(printf "0x%x" $(( $(grep "B sig_enforce" /proc/kallsyms | awk '{print "0x"$1}') & 0x7fffffff ))) --value=0 --load-preserve-context --mem-max=0x10000 /bin/true
```

to load it[2]. Now do kexec -e and watch colours flash and check /sys/module/module/parameters/sig_enforce again.

The beauty of this approach is that it doesn't rely on any kernel bugs - it's using kernel functionality that was explicitly designed to let you do this kind of thing (ie, run arbitrary code in ring 0). There's not really any way to fix it beyond adding a new system call that has rather tighter restrictions on the binaries that can be loaded. If you're using signed modules but still permit kexec, you're not really adding any additional security.

But that's not the most interesting way to use kexec. If you can load arbitrary code into the kernel, you can load anything. Including, say, the Windows kernel. ReactOS provides a bootloader that's able to boot the Windows 2003 kernel, and it shouldn't be too difficult for a sufficiently enterprising individual to work out how to get Windows 8 booting. Things are a little trickier on UEFI - you need to tell the firmware which virtual→physical map to use, and you can only do it once. If Linux has already done that, it's going to be difficult to set up a different map for Windows. Thankfully, there's an easy workaround. Just boot with the "noefi" kernel argument and the kernel will skip UEFI setup, letting you set up your own map.

Why would you want to do this? The most obvious reason is avoiding Secure Boot restrictions. Secure Boot, if enabled, is explicitly designed to stop you booting modified kernels unless you've added your own keys. But if you boot a signed Linux distribution with kexec enabled (like, say, Ubuntu) then you're able to boot a modified Windows kernel that will still believe it was booted securely. That means you can disable stuff like the Early Launch Anti-Malware feature or driver signing, or just stick whatever code you want directly into the kernel. In most cases all you'd need for this would be a bootloader, kernel and an initrd containing support for the main storage, an ntfs driver and a copy of kexec-tools. That should be well under 10MB, so it'll easily fit on the EFI system partition. Copy it over the Windows bootloader and you should be able to boot a modified Windows kernel without any terribly obvious graphical glitches in the process.

And that's the story of why kexec is disabled on Fedora when Secure Boot is enabled.

[1] That way you only have to write most drivers once
[2] The address section finds the address of the sig_enforce symbol in the kernel, and the value argument tells the dummy code what value to set that address to. --load-preserve-context informs the kernel that it should save hardware state in order to permit returning to the original kernel. --mem-max indicates the highest address that the kernel needs to back up. /bin/true is just there to satisfy the argument parser.
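An added configuration check (not part of the post or of kexec-tools) that audits the gap the post describes: module signature enforcement turned on while root can still hand arbitrary code to kexec_load. It reads the sig_enforce parameter named above and the kernel.kexec_load_disabled sysctl, which was added in Linux 3.14, after this post was written; paths are taken relative to a root directory so the same check can run against the live system or a saved copy of /proc and /sys.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Paths are relative to a root directory so the check can run against the
// live system ("/") or against a captured copy of /proc and /sys.
const (
	// Module signature enforcement flag named in the post.
	SigEnforcePath = "sys/module/module/parameters/sig_enforce"
	// Sysctl that makes kexec_load fail once set to 1
	// (kernel.kexec_load_disabled, Linux 3.14 and later).
	KexecDisabledPath = "proc/sys/kernel/kexec_load_disabled"
)

// KexecPolicy is the result of the audit.
type KexecPolicy struct {
	SigEnforce       bool // unsigned modules are rejected
	KexecLoadAllowed bool // root can still pass arbitrary code to kexec_load
	Consistent       bool // false when signing is enforced but kexec_load stays open
}

func readFlag(root, rel string) (string, error) {
	b, err := os.ReadFile(filepath.Join(root, rel))
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

// CheckKexecPolicy reports whether module signing and kexec policy agree.
// Signed modules enforced while kexec_load remains available is the case the
// post describes: the signing requirement can be switched off from userspace.
func CheckKexecPolicy(root string) (KexecPolicy, error) {
	var p KexecPolicy
	se, err := readFlag(root, SigEnforcePath)
	if err != nil {
		return p, err
	}
	p.SigEnforce = se == "Y"

	kd, err := readFlag(root, KexecDisabledPath)
	switch {
	case errors.Is(err, os.ErrNotExist):
		// Kernels older than 3.14 have no such sysctl; treat kexec_load as
		// available to root (conservative if kexec is compiled out).
		p.KexecLoadAllowed = true
	case err != nil:
		return p, err
	default:
		p.KexecLoadAllowed = kd != "1"
	}
	p.Consistent = !(p.SigEnforce && p.KexecLoadAllowed)
	return p, nil
}

// Describe turns the result into one line suitable for an audit report.
func Describe(p KexecPolicy) string {
	switch {
	case !p.SigEnforce:
		return "module signatures not enforced; unsigned code is already accepted"
	case p.KexecLoadAllowed:
		return "sig_enforce=Y but kexec_load permitted: signing can be bypassed by root"
	default:
		return "sig_enforce=Y and kexec_load disabled: policy consistent"
	}
}

func main() {
	p, err := CheckKexecPolicy("/")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read kernel state:", err)
		os.Exit(2)
	}
	fmt.Println(Describe(p))
	if !p.Consistent {
		os.Exit(1)
	}
}
```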

## Iustin Pop

### A not so dark sky

I'm aware of how not-dark our modern city night sky is, but sometimes it still heavily surprises me how full of light it actually is.

Yesterday I went about five kilometres out of Zürich; I thought at that distance, on a reasonably dark hill, it would be good enough for some night-sky shots.

So I setup my tripod, only to realise I can't expose over 30 seconds because (at low ISO and fast aperture, shooting not straight up), everything is bleached out:

I couldn't believe my eyes. Yes, I heard that one needs to go 100Km out of big cities, but but… So I went and found that since about 2004, all of Switzerland is light polluted - even going on top of Jungfrau, for example, wouldn't completely eliminate it. I also learned about Merle Walker's equation - yeah, 200Km or more away from light sources would be good. Not here, in this quite small, quite populated country in the middle of Europe :/… I realised that as soon as my eyes got acclimated to the location I was at, I could easily see everything around me, due to the light pollution.

I miss a really dark sky - I remember a couple of years back, in a different country, stopping at night on the side of the road, and being shocked at how the sky was filled with stars. I didn't have any camera with me at that time ☹ Heck, I remember seeing the Milky Way way back as a child, but nowadays when I get out of work, I can barely see 4-5 points of light in the sky.

Anyway, enough with ranting ☺ Thanks to modern technology, one can recover lots of detail, even in a washed out picture. So in the end, shooting straight up, I could get some resemblance of structure (and this was only at 28mm, which is not that wide):

Or alternatively, one can use the glowing light for a bit of play/contrast:

I also played with stacking images via Deep Sky Stacker, but stacking - I learned to my surprise - only works to reduce noise in the final image, and not to make it "brighter" or more detailed. Live and learn ☺ The result was a bit better than not stacked, but not by much:

This was a 25×5s, ISO 800, f/4, same 28mm lens. What I found surprising is the "non-star object" (to call it so) near the centre of the image - I have no idea what it is, it definitely doesn't look like a star, it could be an elliptical galaxy or so. I tried navigating back in time via Stellarium, but I don't remember the orientation of the lens, so it will remain a mystery to me.

Anyway, two more pictures and higher resolutions on a Smugmug album. Feel free to leave a comment or drop me an email if you have suggestions where to take nice night sky photos in Switzerland…

### procps-ng 3.3.9

Procps version 3.3.9 was released today. There have been some API changes and fixes, which means the library has changed again. There is a fine balance between fixing or enhancing library functions and keeping the API stable, with the added problem that it wasn’t a terribly good one to start with.

Besides the API change, the following changes were made:

• kernel namespaces support added to skill, pgrep, ps and top
• pidof was reimplemented from scratch (replacing sysvinit pidof)
• ps has configurable libselinux support (--enable-libselinux)
• ps provides for display of systemd slice unit (--with-systemd)
• free can once again report non-zero ‘shared’ memory
• sysctl provides ‘--system’ to ignore missing /etc/sysctl.conf
• watch interval capacity was increased – debian #720445
• pwdx no longer fails in a nonexistent locale – debian #718766
• top clarified summary area Mem/Swap stats – debian #718670
• top batch mode -w (width) abend fixed – debian #721204
• top man page removed ‘Bd/Ed’ mdoc macros – debian #725713
• top no longer clears screen at exit – redhat #977561
• top adapted to potential libnuma stderr message – redhat #998678
• top added missing batch mode newline – redhat #1008674

Tar file is at sourceforge at https://sourceforge.net/projects/procps-ng/files/Production/

03 December, 2013 11:47AM by Craig

## Dirk Eddelbuettel

### digest 0.6.4

digest version 0.6.4 is now on CRAN and in Debian.

This is a pure maintenance release which should help with a build issue affecting users on Solaris.

CRANberries provides the usual summary of changes to version 0.6.3. Our package is available via the R-Forge page leading to svn and tarball access, my digest page, the local directory here as well as via Debian and its mirrors.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

## Brett Parker

### dd over ssh oddness

So, using the command:

root@new# ssh root@old dd if=/dev/vg/somedisk | dd of=/dev/vg/somedisk

appears to fail, getting a SIGTERM at some point for no discernible reason... however, using

root@old# dd if=/dev/vg/somedisk | ssh root@new dd of=/dev/vg/somedisk

works fine.

The pull version fails at a fairly random point after a fairly undefined period of time. The push version works every time. This is most confusing and odd...

Dear lazyweb, please give me some new ideas as to what's going on, it's driving me nuts!

Update: solved...

A different daemon wasn't limiting its killing habits in the case that a certain process wasn't running, and was killing the ssh process on the new server almost at random; found the bug in the code and now testing with that.

Thanks for all the suggestions though, much appreciated.

03 December, 2013 10:59AM by Brett Parker (iDunno@sommitrealweird.co.uk)
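The failure mode in the pull pipeline above has a nasty side effect that the post does not spell out: when the producing side (`ssh root@old dd ...`) is killed, the receiving `dd` just sees end of file and exits 0, so the pipeline reports success and leaves a silently truncated volume. The script below is an added example, not part of Brett's post; it uses local files in place of `/dev/vg/somedisk` and the ssh hop, and assumes GNU coreutils (`dd`, `sha256sum`, `mktemp`) are available.

```shell
#!/bin/sh
# Added example (not from the original post): a dd copy through a pipe
# whose producer dies partway still lets the receiving dd exit 0. Two
# checks catch that: capture the producer's own exit status, and compare
# a digest of both ends. Local files stand in for the LVM volumes and
# the ssh hop.

# Constructed sample "disk" of 64 KiB; a stand-in for /dev/vg/somedisk.
make_source() {
    head -c 65536 /dev/urandom > "$1"
}

# pipe_copy SRC DST [BLOCKS]: stream SRC into DST through a pipe.
# When BLOCKS is given, the producer stops after that many 4 KiB blocks
# and reports status 143 (128 + SIGTERM), imitating the killed ssh.
# A plain `a | b` only yields b's status, so the producer records its
# own status in a temp file and pipe_copy returns that instead.
pipe_copy() {
    src=$1
    dst=$2
    blocks=${3:-}
    status_file=$(mktemp)
    if [ -n "$blocks" ]; then
        { dd if="$src" bs=4096 count="$blocks" 2>/dev/null; echo 143 > "$status_file"; } \
            | dd of="$dst" bs=4096 2>/dev/null
    else
        { dd if="$src" bs=4096 2>/dev/null; echo $? > "$status_file"; } \
            | dd of="$dst" bs=4096 2>/dev/null
    fi
    rc=$(cat "$status_file")
    rm -f "$status_file"
    return "$rc"
}

# verify_copy SRC DST: succeed only when both ends hash identically.
# Over a real ssh link, run sha256sum against the volume on each host
# and compare the two digests the same way before trusting the copy.
verify_copy() {
    src_sum=$(sha256sum < "$1" | cut -d' ' -f1)
    dst_sum=$(sha256sum < "$2" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ]
}
```

In bash, `set -o pipefail` gives the same producer-status visibility without the temp file, but the digest comparison is the check that actually proves the volume arrived intact.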

## Daniel Pocock

### Ski season starts

The ski season has started again, I went down to Andermatt on Sunday to have some fun.

Here is a video made with my camera phone:

03 December, 2013 07:27AM by Daniel.Pocock

## Russell Coker

### Preferring Not To

I’ve just read Bartleby the Scrivener which is a short story about a scrivener who refused to work saying “I’d prefer not to”.

It reminded me of some situations in the computer industry. I’ve never seen a single case where someone preferred not to work when everyone around them (colleagues and management) wanted them to work. But then the incidence of having an entire team and management wanting to work efficiently isn’t nearly as common as one might imagine.

In some cases it’s desired that someone not work, such as a former colleague who was hired as a sysadmin but did nothing but change backup tapes (a few hours work per week). Not having him log in as root improved the general reliability of the servers but it was fortunate that we never needed to restore from backups…

One time I had a colleague who preferred to spend most of his time in the office searching the Internet for videos of street fights. I have often told colleagues that I would prefer them to work, but in the case of a guy whose only hobby is street-fighting I decided to let it go.

Managing people can be difficult, particularly for someone who doesn’t like disagreements. Some managers that I’ve reported to seemed to prefer not to manage in an apparent attempt to avoid disputes. One time when I complained about a colleague not even having a suitable computer to permit doing any work a manager responded with the rhetorical question “what do you expect me to do?”. That manager didn’t do any annual reviews of staff for over a year, he only eventually did some reviews because he was told that his scheduled promotion was on hold until he got them done. I got the impression that at least two levels of management preferred not to work at that company.

Sometimes it just gets weird though, such as the occasion when I was the only member of a team and the manager who was supposedly managing no-one but me never seemed to have time to have a meeting with me. But he didn’t want me to bypass him and talk directly to other people in the company, so he preferred not to work and not to have anyone else do his job.

Most of the companies that I’ve worked for in a full-time capacity didn’t seem to have any effective technical interviews (note that I’ve mostly worked for financial companies and ISPs not free software companies). So it seems that anyone with minimal computer skills who wants a well paying job could just send out a CV to a bunch of recruiting agencies, get interviewed by enough companies to eventually hit one without a technical interview process and then find a job that doesn’t require work.

### Depression

The Wikipedia page about Bartleby the Scrivener [2] suggests that Bartleby was depressed. I wonder how much of the lack of performance I’ve witnessed has been due to depression. There appears to be a strong correlation between work environments that cause depression and people preferring not to work.

Maybe managers should be considering how to make work less depressing to try and get more effective employees (in terms of quality and quantity of work). One example of this is the sysadmin team death spiral I’ve witnessed where no-one can automate solving problems (EG by cron jobs to manage resource usage and analysis tools to find minor problems before they become major problems) because everyone is dedicated to fixing things that break needlessly (EG systems crashing due to lack of disk space). When people start getting control over recurring problems and automating things then the work becomes increasingly about solving problems and less about implementing the same manual processes every day/week and it’s more fun and effective for everyone.

At the BoF on depression at LCA 2013 one delegate stated that many companies have people in HR who can arrange support for depressed employees. Apparently if you are depressed and you work for a company that’s large enough to have an HR department then it can be beneficial to talk to HR about it. That probably works well in the case where an employee is depressed but the company is working well. But in the case where the company isn’t working well it seems unlikely to help.

David Graeber wrote an interesting article about “Bullshit Jobs” [3]. He goes a bit far, I don’t think that late night pizza delivery is a bullshit job and actuaries are useful to society. But his points about the existence of useless jobs are reasonable.

### Management Levels

I sometimes wonder whether there is some benefit in establishing social norms about working and then having management take little interest in how it happens. If a team works well together then management could just set deadlines (which would be negotiated with employees who know what’s possible) and let the team work out how to do it. Then instead of having one manager for each team of ~10 people who theoretically tracks what everyone is doing you could have one manager for a dozen teams who just tracks overall team performance – essentially remove a layer of management.

Valve is famous for having no formal management structure and for getting things done; unfortunately, that apparently allows school-style cliques to block actions [4]. But I think that the Valve experiment is useful and provides some ideas that can be used by other companies. Maybe if instead of requiring consensus of the entire company for hiring decisions they only required consensus of the team things would have worked better.

Of course another downside to such things is that hierarchical management can be good for avoiding discrimination and bullying. The article I cited about Valve compares it to high school. It could be that Valve employees were all nice people who only hired other nice people. But if similar systems were implemented in many companies then some would surely end up being like a typical high school with all the bullying and mistreatment of minority groups that entails.

Michael O. Church wrote an interesting article in which he divides employees into four categories, “loser”, “clueless”, “psychopaths”, and “technocrats” (note that he didn’t invent the first three names) [5]. In his model the “clueless” category includes most middle-management. I think that there are some problems with Michael’s model and I’m not arguing for a “technocracy” (which is how this post might be interpreted in terms of his ideas). But I think he demonstrates some of the real problems in the way companies are managed and in his model the “losers” prefer not to work as long as they can get paid.

### Conclusion

I don’t have any good solutions to these problems to offer. It seems that the best we can hope for is incremental change to make work less depressing, to have the minimal amount of management, and to avoid “bullshit jobs”.

03 December, 2013 05:44AM by etbe

## Antoine Beaupré

### Announcing a prettier noping

I have implemented really pretty histograms in the venerable ping software, something I never thought could be improved, until I discovered prettyping.sh, something that was just begging for improvements.

Which are now done.

But first some history...

First, in 1983 (!), there was ping and network operators rejoiced, as they could see if a host was down or not, and have all sorts of geeky statistics:

PING koumbit.net (209.44.112.66): 48 data bytes
56 bytes from 209.44.112.66: icmp_seq=0 ttl=52 time=25.076 ms
56 bytes from 209.44.112.66: icmp_seq=1 ttl=52 time=24.006 ms
56 bytes from 209.44.112.66: icmp_seq=2 ttl=52 time=24.106 ms
^C--- koumbit.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 24.006/24.396/25.076/0.483 ms


Then, in 2006, there was noping, and things were, well, not much better, but we had colors, and there was some rejoicing.

Then, in October 2013, there was prettyping.sh, and things got really flashy and "oh wow, you can do that?" There was much rejoicing.

Then, tonight, I learned ncurses and there were many headaches.

But then, I reimplemented prettyping in noping, and I am so happy that I wrote this blog post:

In case you haven't figured out how cool this is, let me break it down for you:

1. it supports IPv4 and IPv6
2. it allows you to track multiple hosts at the same time, and compare them
3. this allows you to easily track down failure points in a network, something for which you usually need smokeping (needs a webserver) or mtr (doesn't have colors)
4. it allows you to track a lot (the last minute at least) of history by default
5. it is visually easy to track, even from a distance

You may know of that hack that can make "ping" ring a bell when it receives a packet? This is better: you can see the packets' latency (or when they are just dropped!) from a distance, using an intuitive color code.

The code is up for review here:

git clone -b prettyping git://src.anarc.at/liboping


Thanks to the well-architected noping, the patches were not that complicated to implement.

I have contacted upstream to get those changes merged, and hopefully this will be in your favorite Debian distribution soon.

Rejoice!

03 December, 2013 05:00AM by anarcat

# December 02, 2013

## Tim Retout

### How not to parse search queries

While I remember, I have uploaded the slides from my talk about Solr and Perl at the London Perl Workshop.

This talk was inspired by having seen and contributed to at least five different sets of Solr search code at my current job, all of which (I now believe) were doing it wrong. I distilled this hard-won knowledge into a 20 minute talk, which - funny story - I actually delivered twice to work around a cock-up in the printed schedule. I don't believe any video was successfully taken, but I may be proved wrong later.

I have also uploaded the Parse::Yapp grammar mentioned in the talk.

In case you don't have time to read the slides, the right way to present Solr via Perl is to use the 'edismax' parser, and write your code a bit like this:

use WebService::Solr;
use WebService::Solr::Query;

my $solr = WebService::Solr->new($url);
# the raw user string goes straight to Solr's edismax parser;
# no client-side parsing of the user's query
my $s = $query->param('q');

# WebService::Solr::Query objects are useful for
# 'fq' params, but avoid them for main 'q' param.
my $options = { fq => [ WebService::Solr::Query->new(...) ] };
$solr->search($s, $options);

The key thing here is not to put any complicated parsing code in between the user and Solr. Avoid Search::QueryParser at all costs.

### Questhub.io

At the London Perl Workshop last Saturday, one of the lightning talks was about Questhub.io, formerly known as "play-perl.org". It's social gamification for your task list, or something like that. Buzzword-tastic! But most importantly, there seems to be a nice community of programming types to procrastinate with you on your quests. This means I can finally get to work refuting lamby's prediction about gamification of Debian development!

Tasks are referred to as "Quests", and are pursued in themed "Realms", for that World of Warcraft feeling. For example, there's a "Perl" realm, and a "Lisp" realm, and a "Haskell" realm, but also non-programming realms like "Fitness" and "Japanese".

Of course, part of me now wants to construct a federated version which can be self-hosted. :)

Another downside of questhub currently is the lack of SSL support - your session cookies are sent in plain text. I hope this changes soon.
## Thorsten Glaser

### Neo900

I’ve done something I surely will (financially) regret next year, and designated the Neo900 to be the successor to my PocketPC, due to the latter having only 64 MiB RAM and Geocaching applications being quite hungry. It’s got a lovely hardware keyboard, a “pen” display like the PocketPC (as opposed to the “wishy-washy” displays that Android and iPhone have), not only GPS but also GLONASS, fully free software with mostly free firmware (I’m okay with that, mostly), a Ctrl key (useful in ssh and locally and my text editor; ^I is Tab, so it’s useful in shell, too), WLAN, UMTS (I don’t think I need LTE and would rather it have the more RAM), USB host (OTG), and lots of other nice features. In short, it’s a tinkerable device: one I can not only hack at, but also hack on. Since I use a “dumbphone” for mobile phone anyway (pro: separate battery from the “toy” PocketPC/Smartphone – we’re talking two+ weeks of battery time when using it here, and easier use and less bugs, and a reliable fallback when I tinker “too much”), this is perfect for me.
I’m reposting this in the wlog mostly because it’s an interesting technical and OSS project, and because if 1000 people want one it will get less expensive for all of us (while here… shameless plug… any sponsors willing to contribute some EUR so I don’t ruin myself with this, in exchange for services of some kind?). I’ll probably run Debian on it (unless it goes systemd), maybe in a chroot – if the native OS has functionality needed that I can’t simply put into packages; they say Maemo has much better power management, but considering most use will have GPS, GLONASS and backlight on, battery isn’t going to last long anyway… – or maybe even native… I’ve been wanting to know what this “freesmartphone” stuff my m68k (Atari VM) buildd has been happily compiling, anyway… and some sort of Geocaching application (ideally a cross between something online, CacheWolf and an offline OSM (with most of Europe, but uninteresting tags stripped) and possibly access to the GS Live API but nevertheless supporting TC, NC, OC, gpsgames too), and my usual mksh(1), GNU screen, jupp(1), lynx(1), ssh(1) toolchain. Delivery is expected for mid to end of 2014, but once it’s there I’ll keep you informed ☺

02 December, 2013 07:41PM by MirOS Developer tg (tg@mirbsd.org)

## Enrico Zini

### shops

Christmas songs should only ever be played on Christmas day. In church. At midnight.
Unless I happen to be there.

## Roland Mas

### Rsyncing a BackupPC storage pool, efficiently

BackupPC is a pretty good backup system. Its configuration is rather flexible, it has nice expiry policies, and it can store duplicated file contents only once (for files that are shared across hosts or don't change in time) within a compressed pool of data. However, it doesn't do much to help pushing the data to off-site storage, or at least not very efficiently. So if you have a BackupPC instance running on a Raspberry Pi or a plug computer at home, it's a bit tricky to protect your data against loss due to burglary or home fire.

The obvious solution would be to rsync the storage pool to a remote site. However, the current pooling system relies heavily on hardlinks, and rsync is notoriously inefficient with those. In the home backup server scenario, this means that even if the computer is more powerful than a Pi and can handle the memory requirements of rsync, you'll often end up transferring way too much data.

So, since the obvious solution doesn't work straight away, what do we do? Why, we fix it, of course.
With a little look into the storage pool, we notice that the bulk of the data is stored in files with an “abstract” name (related to the contents) within a $prefix/pool directory; the files with concrete names looking much like their original are stored within $prefix/pc, and they're actually the same files because they're hardlinks. Knowing this (that rsync doesn't), we can make a smarter replication tool, by

1. pushing only the pool with standard rsync;
2. storing locally, and recreating remotely, the structure of hardlinks;
3. pushing everything again with standard rsync.

Steps 1 and 3 are simple invocations of rsync -aH; step 2 can be implemented using the following two scripts. Run store-hardlinks.pl locally, push the links file, then run restore-hardlinks.pl on the remote server. This will ensure that files already present in the pool are also hardlinked in their natural location.

store-hardlinks.pl:

#! /usr/bin/perl -w

use strict;
use Storable qw(nstore);
use File::Find;

use vars qw/$prefix $poolpath $pcpath %i2cpool %todo $store/;

$prefix = '/var/lib/backuppc';
$poolpath = "$prefix/cpool";
$pcpath = "$prefix/pc";
$store = "$prefix/links";

# for the convenience of &wanted calls, including -eval statements:
use vars qw/*name *dir *prune/;
*name   = *File::Find::name;
*dir    = *File::Find::dir;
*prune  = *File::Find::prune;

# Scan pool: remember which inode each pool file lives on
File::Find::find({wanted => \&wanted_pool}, $poolpath);
# Scan PC dirs: record every multiply-linked file whose inode is in the pool
File::Find::find({wanted => \&wanted_pc}, $pcpath);

# %todo maps "path relative to pc/" => "path relative to cpool/"
nstore \%todo, $store;
exit;

sub wanted_pc {
    my ($dev,$ino,$mode,$nlink,$uid,$gid);

    (($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($_)) &&
    -f _ &&
    ($nlink > 1) && do {
        $name =~ s,^\Q$pcpath\E/,,;
        if (defined $i2cpool{$ino}) {
            $todo{$name} = $i2cpool{$ino};
        }
    }
}

sub wanted_pool {
    my ($dev,$ino,$mode,$nlink,$uid,$gid);

    (($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($_)) &&
    -f _ &&
    ($nlink > 1) && do {
        $name =~ s,^\Q$poolpath\E/,,;
        $i2cpool{$ino} = $name;
    }
}

restore-hardlinks.pl:

#! /usr/bin/perl -w

use strict;
use Storable;
use File::Path qw/make_path/;

use vars qw/$prefix $poolpath $pcpath %todo $store/;

$prefix = '/srv/backuppc-mirror';
$poolpath = "$prefix/cpool";
$pcpath = "$prefix/pc";
$store = "$prefix/links";

# %todo maps "path relative to pc/" => "path relative to cpool/",
# as written by store-hardlinks.pl
%todo = %{retrieve ($store)};

my ($dev,$ino,$mode,$nlink,$uid,$gid);

foreach my $src (keys %todo) {
    my $inode;
    my $dest = $todo{$src};
    my $dpath = "$poolpath/$dest";
    my $spath = "$pcpath/$src";
    my $sdir = $spath;
    $sdir =~ s,/[^/]*?$,,;
    make_path ($sdir);
    # the pool file must already have been pushed by the first rsync
    next unless -e $dpath;
    if (! -e $spath) {
        link $dpath, $spath or warn "link $dpath -> $spath: $!";
        next;
    }
    # both exist: re-link only if they are not already the same inode
    (($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($spath));
    $inode = $ino;
    (($dev,$ino,$mode,$nlink,$uid,$gid) = lstat($dpath));
    if ($ino != $inode) {
        unlink $spath;
        link $dpath, $spath or warn "link $dpath -> $spath: $!";
    }
}

The initial transfer can still take forever if the pool is large (and if you're pushing it through the small end of an ADSL link…), but at least the files are only transferred once.

Note: This is only useful for current versions of BackupPC. Apparently BackupPC 4 will have a different pooling system without hardlinks, and this hack will no longer be required. For now, though, here it is.

## Dirk Eddelbuettel

### Recent Rcpp talks at U Chicago / Booth and U Kansas

In early October, I had an opportunity to talk about Rcpp and RcppArmadillo at the Statistical Computing Seminar at the Booth School of Business at the University of Chicago. And then two weeks ago, I had an invitation to talk at the Center for Research Methods and Data Analysis at the University of Kansas where I covered similar material as well as ongoing work on the RcppZiggurat package (for which I should have an updated version soon).

Slides from both talks are now at the top of my talks / presentations page.
## Ben Hutchings <!-- document.write( "<a href=\"#\" id=\"http://womble.decadent.org.uk/blog/upgrading-from-android-23-gingerbread-to-43-jelly-bean.html_hide\" onClick=\"exclude( 'http://womble.decadent.org.uk/blog/upgrading-from-android-23-gingerbread-to-43-jelly-bean.html' ); hideHosts(); return false;\"><img src=\"common/minus-8.png\" style=\"border: none;\" title=\"Hide Author\" alt=\"Hide Author\" height=\"8\" width=\"8\"><\/a> <a href=\"#\" id=\"http://womble.decadent.org.uk/blog/upgrading-from-android-23-gingerbread-to-43-jelly-bean.html_show\" style=\"display:none;\" onClick=\"show( 'http://womble.decadent.org.uk/blog/upgrading-from-android-23-gingerbread-to-43-jelly-bean.html' ); return false;\"><img src=\"common/plus-8.png\" style=\"border: none;\" title=\"Show Author\" alt=\"Show Author\" height=\"8\" width=\"8\"><\/a>" ); --> ### Upgrading from Android 2.3 'Gingerbread' to 4.3 'Jelly Bean' #### Replacing my phone My first Android phone was a ZTE Blade (sold as Orange San Francisco here in the UK). It originally shipped with Android 2.1 but was upgradable to 2.3 thanks to CyanogenMod (or other unofficial mods). However there's little sign of an upgrade to 4.x; the apps I want to use are pushing the limits of its CPU, RAM and internal storage; and I've never got very good at typing on a soft keyboard. So it seemed like time to get a newer phone with a hard keyboard (and still with a μSD slot). After a little research with the CyanogenMod compatibility list and some time looking at reviews, I settled on the Samsung Galaxy S Relay 4G, which was exclusive to T-Mobile USA but is being resold through eBay. It shipped with Android 4.0 but I immediately installed CyanogenMod 10.2 (Android 4.3). This was a bit of an adventure as I bought the Blade with CM already installed and wasn't familiar with the multiple steps that were necessary. #### Copying my data The last step, and the real subject of this entry, was to move my data across. 
Much of this was on a μSD card which I could simply plug into the Relay. The internal files had to be backed up onto this card and then restored, using the recovery environment (ClockworkMod) on each phone. After rebooting the Relay into the full Android system, my apps and settings were mostly present but I was immediately confronted with a series of error dialogs reporting that 'Unfortunately, Dialler has stopped' - and the same for 'Clock' and 'the process android.process.acore' (whatever that is).

#### What went wrong

There are thankfully more detailed error logs in the filesystem, under /data/system/dropbox (this is for logging at the Java level; if a process is terminated by a fatal signal it's logged to /data/tombstones). There are several ways to get at them, but I used recovery mode and adb to get a root shell where I could easily read and write files as necessary.

The Contacts (aka People) database upgrade fails with an SQLiteException, apparently because it doesn't account for upgrading from the schema used in 2.3:

Process: android.process.acore
Flags: 0x883e45
Package: com.android.providers.applications v18 (4.3.1-f963020e38)
Package: com.android.providers.contacts v18 (4.3.1-f963020e38)
Package: com.android.providers.userdictionary v18 (4.3.1-f963020e38)
Build: samsung/apexqtmo/apexqtmo:4.1.2/JZO54K/T699UVBMC5:user/release-keys
android.database.sqlite.SQLiteException: no such column: phonebook_label (code 1): , while compiling: UPDATE raw_contacts SET display_name_source=?,display_name=?,display_name_alt=?,phonetic_name=?,phonetic_name_style=?,sort_key=?,phonebook_label=?,phonebook_bucket=?,sort_key_alt=?,phonebook_label_alt=?,phonebook_bucket_alt=? WHERE _id=?
...
at com.android.providers.contacts.ContactsDatabaseHelper.updateRawContactDisplayName(ContactsDatabaseHelper.java:5344)
at com.android.providers.contacts.ContactsDatabaseHelper.upgradeToVersion504(ContactsDatabaseHelper.java:3580)
at com.android.providers.contacts.ContactsDatabaseHelper.onUpgrade(ContactsDatabaseHelper.java:2261)
...


Clock fails somewhat similarly, though it apparently didn't try to upgrade:

Process: com.android.deskclock
Flags: 0xc8be45
Package: com.android.deskclock v203 (2.0.3)
Build: samsung/apexqtmo/apexqtmo:4.1.2/JZO54K/T699UVBMC5:user/release-keys
android.database.sqlite.SQLiteException: no such column: incvol (code 1): , while compiling: SELECT _id, hour, minutes, daysofweek, alarmtime, enabled, vibrate, message, alert, incvol, profile FROM alarms WHERE (enabled=1)
...
at com.android.deskclock.AlarmProvider.query(AlarmProvider.java:73)
at android.content.ContentProvider.query(ContentProvider.java:744)
at android.content.ContentProvider$Transport.query(ContentProvider.java:199)
at android.content.ContentResolver.query(ContentResolver.java:414)
at android.content.ContentResolver.query(ContentResolver.java:357)
at com.android.deskclock.Alarms.getFilteredAlarmsCursor(Alarms.java:165)
at com.android.deskclock.AlarmInitReceiver$1.run(AlarmInitReceiver.java:49)
...


The media player fails with a NullPointerException:

Process: com.andrew.apollo:main
Flags: 0x98be65
Package: com.andrew.apollo v2 (1.1)
Build: samsung/apexqtmo/apexqtmo:4.1.2/JZO54K/T699UVBMC5:user/release-keys
java.lang.NullPointerException
at com.andrew.apollo.MusicPlaybackService.stop(MusicPlaybackService.java:878)
at com.andrew.apollo.MusicPlaybackService.openCurrentAndMaybeNext(MusicPlaybackService.java:1048)
at com.andrew.apollo.MusicPlaybackService.openCurrentAndNext(MusicPlaybackService.java:1031)
at com.andrew.apollo.MusicPlaybackService.access$1500(MusicPlaybackService.java:74)
at com.andrew.apollo.MusicPlaybackService$MusicPlayerHandler.handleMessage(MusicPlaybackService.java:2337)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:137)
at android.os.HandlerThread.run(HandlerThread.java:61)


#### Fixing the problem

Maybe I could have worked out how to upgrade the relevant databases myself, but I went for simpler solutions. The clock settings are easy to re-enter and most of the media player state is regenerated by scanning files on the μSD card. So I just deleted those on the Relay:

rm -rf /data/data/com.android.deskclock
rm -rf /data/data/com.android.providers.media


The contacts were what I really cared about, and there are actually specific menu items in Contacts to export and import those (using VCF format), side-stepping the database upgrade. So I did:

1. Insert μSD card in Blade
2. Open Contacts and export to VCF (I forget where this is in the menus but it was easy to find)
3. Remove broken Contacts database on Relay: rm -rf /data/data/com.android.providers.contacts
4. Insert μSD card in Relay
5. Move exported contacts to internal storage: mv /storage/sdcard1/*.vcf /storage/emulated/legacy
6. Open People and tap the menu key, 'Import/export', 'Import from storage', then the filename

This may not include all data, and in particular it doesn't seem to include attached photos. But that was good enough for me.
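The Contacts crash above is a migration step that runs an UPDATE naming columns the older schema never had. As an added example (not the post's code and not AOSP's), here is a small Python/sqlite3 migration that first inspects the table with PRAGMA table_info and adds any missing columns before touching rows, so the same upgrade step succeeds from a 2.3-era schema. Table and column names come from the logged query; the old-schema database, the column declarations and the label computation are constructed stand-ins.

```python
import sqlite3

# Columns the new schema expects on raw_contacts (names from the crash log).
# The constructed "old" schema below lacks the phonebook_* and *_alt ones.
REQUIRED_COLUMNS = {
    "display_name_source": "INTEGER DEFAULT 0",
    "display_name": "TEXT",
    "display_name_alt": "TEXT",
    "phonetic_name": "TEXT",
    "phonetic_name_style": "INTEGER DEFAULT 0",
    "sort_key": "TEXT",
    "phonebook_label": "TEXT",
    "phonebook_bucket": "INTEGER",
    "sort_key_alt": "TEXT",
    "phonebook_label_alt": "TEXT",
    "phonebook_bucket_alt": "INTEGER",
}


def existing_columns(conn, table):
    """Return the set of column names currently present on `table`."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def ensure_columns(conn, table, required):
    """Add every column in `required` that the table lacks; return the names added."""
    have = existing_columns(conn, table)
    added = []
    for name, decl in required.items():
        if name not in have:
            conn.execute(f"ALTER TABLE {table} ADD COLUMN {name} {decl}")
            added.append(name)
    return added


def upgrade_raw_contacts(conn):
    """Guarded version of the failing step: make the columns exist first, then
    recompute the derived sort/label fields for every row. Returns columns added."""
    added = ensure_columns(conn, "raw_contacts", REQUIRED_COLUMNS)
    rows = conn.execute("SELECT _id, display_name FROM raw_contacts").fetchall()
    for _id, display_name in rows:
        name = display_name or ""
        label = name[:1].upper() if name else "#"   # constructed bucketing rule
        conn.execute(
            "UPDATE raw_contacts SET sort_key=?, phonebook_label=?, "
            "phonebook_bucket=?, sort_key_alt=?, phonebook_label_alt=?, "
            "phonebook_bucket_alt=? WHERE _id=?",
            (name, label, ord(label), name, label, ord(label), _id),
        )
    conn.commit()
    return added


def naive_upgrade_fails(conn):
    """The unguarded UPDATE from the log: True if it raises 'no such column'."""
    try:
        conn.execute("UPDATE raw_contacts SET phonebook_label=? WHERE _id=?", ("A", 1))
    except sqlite3.OperationalError as exc:
        return "no such column" in str(exc)
    return False


def make_old_schema_db():
    """Constructed stand-in for the pre-upgrade database: raw_contacts exists
    but has none of the phonebook_* columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE raw_contacts (_id INTEGER PRIMARY KEY, "
        "display_name TEXT, display_name_source INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO raw_contacts (display_name) VALUES (?)",
        [("alice",), ("Bob",), (None,)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_old_schema_db()
    print("naive upgrade fails:", naive_upgrade_fails(db))
    print("columns added:", upgrade_raw_contacts(db))
    print(db.execute("SELECT _id, phonebook_label FROM raw_contacts").fetchall())
```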
# December 01, 2013

## Raphaël Hertzog

### My Free Software Activities in November 2013

This is my monthly summary of my free software related activities. If you’re among the people who made a donation to support my work (44.52 €, thanks everybody!), then you can learn how I spent your money. Otherwise it’s just an interesting status update on my various projects.

### The Debian Administrator’s Handbook

Wheezy update completed. Roland and I completed the update of the Debian Administrator’s Handbook for Debian 7 Wheezy. We still have some proofreading work to do but you can already enjoy the result here: http://debian-handbook.info/browse/wheezy/

Feel free to report back any problem that you discover. You can also submit patches ready to apply if you want to go one step further.

Publican contributions. The book is generated with publican and I maintain its Debian package. This month I got a release critical bug because it stopped working… it turns out that the problem lay in libxml-treebuilder-perl and I thus reassigned #728885 while providing a tentative patch to the upstream author.

After a few days without action from the pkg-perl team, and after having received a FTBFS bug on debian-handbook (of course publican was broken in unstable!), I prepared a fixed package myself and uploaded it (I’m still part of the pkg-perl team although I’m inactive).

Since I used publican heavily this month, I filed two tickets in its bugzilla. I requested a new feature in #1034836 (the possibility to keep around the former string for fuzzy strings to update), and I reported a problem with the handling of “\n” in PO files in #1036150.

### Debian France

Galette update. I updated the galette package and its paypal plugin, and I deployed those on france.debian.net. It had some fixes for the reminder mails sent to members.

Bylaws update. I also resumed my work on preparing new bylaws for Debian France. Sylvestre Ledru came up with a draft (with the help of a lawyer) a few months ago and I’m reviewing/improving them now. The main goal is to clarify that Debian France is meant to be a Trusted Organization for the Debian project.

Debian France Shop. We have had the idea for a few months already, but Sylvestre did the leg work to open a Debian France shop with the help of EnVenteLibre. I asked our members to prepare some CSS that better matches the Debian colors and this should be fixed in a few days. The first goodies will also start to appear shortly, just in time for Christmas!

### Misc Debian work

Distro Tracker. In the continuation of the Google Summer of Code, I asked the DSA team to set up a new virtual machine to host tracker.debian.org, an instance of Distro Tracker, the rewritten Package Tracking System. They have done their part of the job (except the mail setup); it’s now waiting on me to find some time to complete some cleanups and deploy the thing.

WordPress. I packaged wordpress 3.7.1 and sent a call for help on debian-mentors. I got 3 replies, I gave them some initial direction but I haven’t heard back anything since. WordPress 3.8 is expected in a few days; hopefully one of the new volunteers will take care of preparing the next update.

Dpkg regressions. I haven’t done anything for multiple months but at least I keep running the git version of dpkg and I detected two regressions. Good to have them squashed before the upcoming 1.17.2 upload to unstable.

PTS fix. I fixed some warnings that the PTS code started generating since the upgrade of its host to wheezy. They were generating some annoying backscatter mails to users of the pts@qa.debian.org bot.

Ruby security update. I helped the ruby team to prepare the required security updates of ruby1.8 and ruby1.9.1 (see #730178 and #730189). This work was sponsored by Kali/Offensive Security.

Smartcard setup. I bought 2 OpenPGP smartcards with a reader and I moved all my private keys on those devices (one card with the master key for signature/certification to be kept at home, one card for daily/mobile usage with the subkeys for encryption/signature/authentication). My laptop’s hard drive doesn’t contain any private key anymore. I have kept the required offline backup in a safe place, but in the end, my private keys are much harder to steal. I should write down my findings in another article…

### Thanks

See you next month for a new summary of my activities.
01 December, 2013 10:45PM by Raphaël Hertzog

## Marco d'Itri

### Easily installing Debian on a Cubieboard

I recently bought a Cubieboard to replace my old Sheevaplug, which has finally blown a power supply capacitor (this appears to be a common defect of Sheevaplugs), so I am publishing these instructions which show how to install Debian on sunxi systems (i.e. based on the Allwinner A10 SoC or one of its newer versions) with no need for cross compilers, emulators or ugly FAT partitions. This should work on any sunxi system as long as U-Boot is at least version 2012.10.

The first step is to erase the beginning of the SD card to remove anything in the unpartitioned space which may confuse U-Boot, then partition and format it as desired. The first partition must begin at 1MB (1024*1024/512=2048 sectors) because the leading unpartitioned space is used by the boot loaders.

dd if=/dev/zero of=/dev/mmcblk0 bs=1M count=1
parted /dev/mmcblk0
mklabel msdos
mkpart primary ext4 2048s 15G
unit s
print
mkpart primary linux-swap ... -1
mkfs.ext4 -L root /dev/mmcblk0p1
mkswap --label swap /dev/mmcblk0p2


Download the boot loaders and an initial kernel and install them:

tar xf cubieboard_hwpack.tar.xz
dd if=bootloader/sunxi-spl.bin of=/dev/mmcblk0 bs=1024 seek=8
dd if=bootloader/u-boot.bin of=/dev/mmcblk0 bs=1024 seek=32
mount /dev/mmcblk0p1 /mnt
mkdir /mnt/boot/
cp kernel/script.bin kernel/uImage /mnt/boot/


script.bin is Allwinner's proprietary equivalent of the device tree: it will be needed until sunxi support is fully merged in mainline kernels.

U-Boot needs to be configured to load the kernel from the ext4 file system (join the lines at \\, this is not a supported syntax!). The heredoc delimiter is unquoted, so the ${kernel} reference is escaped to keep the shell from expanding it:

cat << END > /mnt/boot/uEnv.txt
#
kernel=uImage
root=/dev/mmcblk0p1 rootwait
boot_mmc=ext4load mmc 0:1 0x43000000 boot/script.bin && ext4load mmc 0:1 0x48000000 boot/\${kernel} \\
&& watchdog 0 && bootm 0x48000000
END
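A sanity check for the layout the commands above depend on, as an added example (not the post's own script): it parses the MBR that parted wrote and confirms that the SPL and U-Boot blobs written at 8 KiB and 32 KiB fit in the unpartitioned space ahead of a first partition starting at sector 2048, and that partitions do not overlap. The partition table and blob sizes used below are constructed sample values.

```python
import struct

SECTOR = 512
SPL_OFFSET = 8 * 1024      # dd ... bs=1024 seek=8  (from the post)
UBOOT_OFFSET = 32 * 1024   # dd ... bs=1024 seek=32 (from the post)
MIN_FIRST_SECTOR = 2048    # first partition must begin at 1 MiB


def parse_mbr(mbr):
    """Return [(type, lba_start, sectors), ...] for the used primary entries.
    Raises ValueError if the 0x55AA boot signature is missing."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        _status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba, count))
    return parts


def check_layout(mbr, spl_len, uboot_len):
    """Return a list of problems (empty means OK) for writing an SPL of spl_len
    bytes at SPL_OFFSET and a U-Boot of uboot_len bytes at UBOOT_OFFSET onto a
    card carrying this MBR."""
    problems = []
    parts = parse_mbr(mbr)
    if not parts:
        return ["no partitions defined"]
    first = min(lba for _, lba, _ in parts)
    if first < MIN_FIRST_SECTOR:
        problems.append(f"first partition starts at sector {first}, need >= {MIN_FIRST_SECTOR}")
    regions = [
        ("MBR", 0, SECTOR),
        ("sunxi-spl.bin", SPL_OFFSET, SPL_OFFSET + spl_len),
        ("u-boot.bin", UBOOT_OFFSET, UBOOT_OFFSET + uboot_len),
    ]
    # the boot loader blobs must stay inside the leading unpartitioned space
    for name, _start, end in regions[1:]:
        if end > first * SECTOR:
            problems.append(f"{name} ends at byte {end}, overlaps partition at byte {first * SECTOR}")
    # and must not run into each other or the partition table
    for (n1, _s1, e1), (n2, s2, _e2) in zip(regions, regions[1:]):
        if e1 > s2:
            problems.append(f"{n1} overlaps {n2}")
    # partitions must not overlap each other
    ordered = sorted(parts, key=lambda p: p[1])
    for (_, a, n), (_, b, _) in zip(ordered, ordered[1:]):
        if a + n > b:
            problems.append(f"partitions overlap at sector {b}")
    return problems


def make_mbr(partitions):
    """Constructed MBR with the given (type, lba_start, sectors) entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(partitions):
        mbr[446 + 16 * i: 446 + 16 * (i + 1)] = struct.pack("<B3xB3xII", 0x00, ptype, lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # layout from the post: ext4 from sector 2048 for 15G, swap after it
    good = make_mbr([(0x83, 2048, 31457280), (0x82, 2048 + 31457280, 1048576)])
    print("good layout:", check_layout(good, 24576, 307200))
    # old DOS convention: first partition at sector 63 collides with the blobs
    bad = make_mbr([(0x83, 63, 31457280)])
    print("bad layout:", check_layout(bad, 24576, 307200))
```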


Now the system is bootable: add your own root file system or build one with debootstrap. My old Sheevaplug tutorial shows how to do this without a working ARM system or emulator (beware: the other parts are quite obsolete and should not be trusted blindly).

If you have an old armel install around it will work as well, and you can easily cross-grade it to armhf as long as it is up to date to at least wheezy (the newer, the better).

You can also just use busybox for a quick test:

mkdir /mnt/bin/
dpkg-deb -x .../busybox-static_1.21.0-1_armhf.deb .
cp bin/busybox /mnt/bin/
ln -s busybox /mnt/bin/sh


After booting the busybox root file system you can run busybox --install /bin/ to install links for all the supported commands.

Until Debian kernels support sunxi (do not hold your breath: there are still many parts which are not yet in mainline) I recommend installing one of Roman's kernels:

dpkg -i linux-image-3.4.67-r0-s-rm2+_3.4.67-r0-s-rm2+-10.00.Custom_armhf.deb
mkimage -A arm -O linux -T kernel -C none -a 40008000 -e 40008000 \
-n uImage -d /boot/vmlinuz-3.4.67-r0-s-rm2+ /boot/uImage-3.4.67-r0-s-rm2+


It is not needed with these kernels for most setups, but an initramfs can be created with:

update-initramfs -c -k 3.4.67-r0-s-rm2+
mkimage -A arm -T ramdisk -C none -n uInitrd \
-d /boot/initrd.img-3.4.67-r0-s-rm2+ /boot/uInitrd-3.4.67-r0-s-rm2+


/boot/uEnv.txt will have to be updated to load the initramfs.

Since the Cubieboard lacks a factory-burned MAC address you should either configure one in script.bin or (much easier) add it to /etc/network/interfaces:

iface eth0 inet dhcp


# November 30, 2013

## Gunnar Wolf

### On errors in exams - Short rant

Blogging from a phone... first time ever. I don't want to forget some specifics for this :)

I have just completed an exam to try to enter a postgraduate program (I'll talk more about it once it becomes real). The exam is administered by CENEVAL, the same evaluation agency where I presented my graduation equivalency exam some years ago - only this exam is for all of the postgraduate studies at many national universities and is thus basically just a psychometric test.

The exam had 162 questions, all to be filled in on an optical reader sheet, on five subjects: mathematical reasoning, Spanish grammar and comprehension, project management, computers and technology, and English reading and understanding.

It was all in all a fun exam to take, mostly due to the math reasoning part. But... on the subject I know I am an expert in, I have to complain (and intend to find a way to do so formally). First, I spotted two absolute mistakes (and answered based on what I knew others would, but knowing the answer is technically wrong). One was a subtlety, on how and why hard drives should be defragmented (and part of my quip is that it's an obsolete habit, but besides, the answers were all erroneous), but a second one was... just wrong. It asked what should not be part of an "Internet link" (I can only guess they meant a URL). The 4 options were all valid parts of a URL - including one very seldom used by most people, but very often by many of us: the @ sign.

Anyway, I answered it, but my other main gripe is that most of the section was on specific use of Office software. Not only on Office-like software, which would be bad enough to begin with, but on specific ways of using mainly Excel and PowerPoint. Syntax issues, or the name of the menu under which to look for specific functions.

Anyway, I will wait the stipulated 10 days for the exam to be rated, but will anyway look for a way to contact the very opaque and secretive CENEVAL. Not to demand to be better treated, but to try to correct those known mistakes and errors.

30 November, 2013 06:08PM by gwolf

## Lars Wirzenius

### Obnam 1.6.1 (backup software) and larch 1.20131130 (B-tree) releases: serious bug fixes

Backups are fun and exciting! Restores are exciting, in a terrifying and stressful way. Fixing serious bugs is gratifying, in a depressing way.

I am glad to announce two software releases: Obnam version 1.6.1 and larch version 1.20131130. Obnam is my backup application, larch is a Python copy-on-write B-tree implementation that Obnam uses. I've uploaded the new versions to Debian unstable and to my own apt repository at [code.liw.fi] (also for wheezy). (I don't have the energy to upload to Debian backports: help is welcome there.)

These are mainly bug fix releases, and minor improvements. The larch release fixes serious problems, and everyone should be upgrading.

NEWS for larch:

• Serious bug fixed: the "KeyError" crash for reference counts. This was a false memory use optimisation, which triggered a rare bug in related code. Repeatable test case by Rob Kendrick, and helpful analysis by Itamar Turner-Trauring.

• Serious bug fixed: another "node missing" bug. This crash was caused by a bug that overwrote on-disk reference count groups with zeroes. Repeatable test case by Rob Kendrick.

• Fixes to fsck from Antoine Brenner.

NEWS for Obnam (combining versions 1.6 and 1.6.1, both released today):

• Fix Debian package dependencies correctly.

• Stop logging paramiko exceptions that get converted into another type of exception by the SFTP plugin in Obnam.

• obnam-benchmark can now use an installed version of larch. Patch by Lars Kruse.

• Obnam has been ported to FreeBSD by Itamar Turner-Trauring of HybridCluster.

• Backup progress reporting now reports scanned file data, not just backed up file data. This will hopefully be less confusing to people.

• The list-keys, client-keys, and list-toplevels commands now obey a new option, --key-details, to show the usernames attached to each public key. Patch by Lars Kruse.

• New option --ssh-command to set the command Obnam runs when invoking ssh. Patch by Lars Kruse.

• obnam clients can now be used without being an existing client. Patch by Itamar Turner-Trauring.

• New option --ssh-host-keys-check to better specify how SSH host keys should be checked. Patch by Itamar Turner-Trauring.

Bug fixes:

• Fix obnam list-toplevels so it doesn't give an error when it's unable to read the per-client directory of another client, when encryption is used. Fix by Lars Kruse.

• Fix the encryption plugin to give a better error message when it looks for client directories but fails to find them. Fix by Lars Kruse.

• obnam list-toplevels got confused when the repository contained extra files, such as "lock" (left there by a previous, crashed Obnam run). It no longer does. Fix by Lars Kruse.

• The SFTP plugin now handles another error code (EACCESS) when writing a file whose target directory does not exist. Patch by Armin Größlinger.

• Obnam's manual page now explains about breaking long logical lines into multiple physical ones.

• The /~/ path prefix in SFTP URLs works again, at least with sufficiently new versions of Paramiko (1.7.7.1 in Debian wheezy is OK). Reported by Lars Kruse.

• The Nagios plugin now reports errors in a way Nagios expects. Patch by Martijn Grendelman.

• The Nagios plugin for Obnam now correctly handles the case where a backup repository for a client exists, but does not have a backup yet. Patch by Lars Kruse.

• obnam ls now handles trailing slashes in filename arguments. Reported by Biltong.

• When restoring a backup, Obnam will now continue past errors, instead of aborting with the first one. Patch by Itamar Turner-Trauring.

## Dirk Eddelbuettel

### RcppCNPy 0.2.2

Right on the heels of release 0.2.1 of RcppCNPy, a new version 0.2.2 is now on CRAN. RcppCNPy uses the CNPY library by Carl Rogers to provide R with easy read and write access to NumPy files.

The reason for the new version is that I had experimented with a different way to test endianness (as needed for the NumPy file headers) but accidentally sent an interim tarball to CRAN which still wanted to include endian.h, promptly breaking Windows builds. So now we do something even simpler and just rely on the (even more complete) test for endianness done when R is built, which prevents all sorts of complications for us and builds everywhere (with thanks to Brian Ripley for the suggestion). While we were at it, we also added a new unit test.

Full changes are listed below.

#### Changes in version 0.2.2 (2013-11-29)

• Switched to using the result from the compile-time configuration for R to determine big or little endian (as needed for the NPy headers)

• Added a new test (and test validation result file) for a complete save-reload cycle and comparison

CRANberries also provides a diffstat report for 0.2.2 relative to 0.2.1. As always, feedback is welcome and the rcpp-devel mailing list off the R-Forge page for Rcpp is the best place to start a discussion.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

## Guido Günther

### CrystalHD progress

Following up on my port of the crystalhd plugin to the gstreamer 1.0 api I realized that the CrystalHD repo is pretty dormant. After reading slomo's nice article about GStreamer and hardware integration and a short off list mail exchange I decided to split the GStreamer part out of the CrystalHD repo and to try to get the plugin into gst-plugins-bad.

Since the kernel part is already in linux kernel's staging area there would not be much left in the repo except for the libcrystalhd library itself and the firmware blobs. So I split them out as well and started to clean them up a bit by moving it to autoconf/automake, dropping the need for a C++ compiler and adding symbol versioning among other things.

So up to now video is still smooth with:

gst-launch-1.0 filesrc location=sample.mp4 ! decodebin ! xvimagesink


There are #ifdefs for macosx and windows, but I doubt they're functional; in case anybody is building libcrystalhd on these platforms it'd be great to know if it still works.

Should these efforts lead to the crystalhd plugin being merged into GStreamer getting the kernel driver out of staging would be a great next step.

This blog is flattr enabled.

## Petter Reinholdtsen

### Dugnadsnett for alle, a wireless community network in Oslo, take shape

If you want the ability to electronically communicate directly with your neighbors and friends using a network controlled by your peers instead of centrally controlled by a few corporations, or would like to experiment with interesting network technology, the Dugnadsnett for alle i Oslo might be the project for you. 39 mesh nodes are currently being planned, in the freshly started initiative from NUUG and Hackeriet to create a wireless community network. The work is inspired by Freifunk, Athens Wireless Metropolitan Network, Roofnet and other successful mesh networks around the globe. Two days ago we held a workshop to try to get people started on setting up their own mesh node, and there we decided to create a new mailing list dugnadsnett (at) nuug.no and IRC channel #dugnadsnett.no to coordinate the work. See also the NUUG blog post announcing the mailing list and IRC channel.