Planet Debian

Daniel Kahn Gillmor: gpg --ask-cert-level considered harmful

Daniel Kahn Gillmor (dkg) — 2013-05-20T06:37:33+00:00

Occasionally, someone asks me whether we should encourage use of the --ask-cert-level option when certifying OpenPGP keys with gpg. I see no good reason to use this option, and i think we should discourage people from trying to use it. I don't think there is a satisfactory answer to the question "how will specifying the level of identity certification concretely benefit anyone involved?", and i don't see why we should want one.

gpg gets it absolutely right by not asking users this question by default. People should not be enabling this option.

Some background: gpg's --ask-cert-level option allows the user who is making an OpenPGP identity certification to indicate just how sure they are of the identity they are certifying. The user's choice is then mapped into four levels of OpenPGP certification of a User ID and Public-Key packet, which i'll refer to by their signature type identifiers in the OpenPGP spec:

0x10: Generic certification
The issuer of this certification does not make any particular assertion as to how well the certifier has checked that the owner of the key is in fact the person described by the User ID.
0x11: Persona certification
The issuer of this certification has not done any verification of the claim that the owner of this key is the User ID specified.
0x12: Casual certification
The issuer of this certification has done some casual verification of the claim of identity.
0x13: Positive certification
The issuer of this certification has done substantial verification of the claim of identity.
Most OpenPGP implementations make their "key signatures" as 0x10 certifications. Some implementations can issue 0x11-0x13 certifications, but few differentiate between the types.

By default (if --ask-cert-level is not supplied), gpg issues certificates ("signs keys") using 0x10 (generic) certifications, with the exception of self-sigs, which are made as type 0x13 (positive).

When interpreting certifications, gpg does distinguish between different certifications in one particular way: 0x11 (persona) certifications are ignored; other certifications are not. (users can change this cutoff with the --min-cert-level option, but it's not clear why they would want to do so).

So there is no functional gain in declaring the difference between a "normal" certification and a "positive" one, even if there were a well-defined standard by which to assess the difference between the "generic" and "casual" or "positive" levels; and if you're going to make a "persona" certification, you might as well not make one at all.

And it gets worse: the problem is not just that such an indication is functionally useless; encouraging people to make these kind of assertions actively encourages leaks of a more-detailed social graph than just encouraging everyone to use the default blanket 0x13-for-self-sigs, 0x10-for-everyone-else policy.

A richer public social graph means more data that can feed the ravenous and growing appetite of the advertising-and-surveillance regimes. i find these regimes troubling. I admit that people often leak much more information than this indication of "how well do you know X" via tools like Facebook, but that's no excuse to encourage them to leak still more or to acclimatize people to the idea that the details of their personal relationships should by default be public knowledge.

Lastly, the more we keep the OpenPGP network of identity certifications (a.k.a. the "web of trust") simple, the easier it is to make sensible and comprehensible and predictable inferences from the network about whether a key really does belong to a given user. Minimizing the complexity and difficulty of deciding to make a certification helps people streamline their signing processes and reduces the amount of cognitive overhead people spend just building the network in the first place.

Evgeni Golov: powerdyn – a dynamic DNS service for PowerDNS users

evgeni — 2013-05-19T21:45:55+00:00

You may not know this, but I am a huge PowerDNS fan. This may be because it is so simple to use, supports different databases as backends or maybe just because I do not like BIND, pick one.

I also happen to live in Germany where ISPs usually do not give static IP-addresses to private customers. Unless you pay extra or limit yourself to a bunch of providers that do good service but rely on old (DSL) technology, limiting you to some 16MBit/s down and 1MBit/s up. Luckily my ISP does not force the IP-address change, but it does happen from time to time (once in a couple of month usually). To access the machine(s) at home while on a non-IPv6-capable connection, I have been using my old (old, old, old) DynDNS.com account and pointing a CNAME from under die-welt.net to it.

Some time ago, DynDNS.com started supporting AAAA records in their zones and I was happy: no need to type hostname.ipv6.kerker.die-welt.net to connect via v6 — just let the application decide. Well, yes, almost. It’s just DynDNS.com resets the AAAA record when you update the A record with ddclient and there is currently no IPv6 support in any of the DynDNS.com clients for Linux. So I end up with no AAAA record and am not as happy as I should be.

Last Friday I got a mail from DynDNS:

Starting now, if you would like to maintain your free Dyn account, you must now log into your account once a month. Failure to do so will result in expiration and loss of your hostname. Note that using an update client will no longer suffice for this monthly login. You will still continue to get email alerts every 30 days if your email address is current.
Yes, thank you very much…

Given that I have enough nameservers under my control and love hacking, I started writing an own dynamic DNS service. Actually you cannot call it a service. Or dynamic. But it’s my own, and it does DNS: powerdyn. It is actually just a script, that can update DNS records in SQL (from which PowerDNS serves the zones).

When you design such a “service”, you first think about user authentication and proper information transport. The machine that runs my PowerDNS database is reachable via SSH, so let’s use SSH for that. You do not only get user authentication, server authentication and properly crypted data transport, you also do not have to try hard to find out the IP-address you want to update the hostname to, just use $SSH_CLIENT from your environment.

If you expected further explanation what has to be done next: sorry, we’re done. We have the user (or hostname) by looking at the SSH credentials, and we have the IP-address to update it to if the data in the database is outdated. The only thing missing is some execution daemon or … cron(8). :)

The machine at home has the following cron entry now:

*/5 * * * * ssh -4 -T -i /home/evgeni/.ssh/powerdyn_rsa powerdyn@ssh.die-welt.net

This connects to the machine with the database via v4 (my IPv6 address does not change) and that’s all.

The machine with the database has the following authorized_keys entry for the powerdyn user:

command="/home/powerdyn/powerdyn/powerdyn dorei.kerker.die-welt.net" ssh-rsa AAAA... evgeni@dorei

By forcing the command, the user has no way to get the database-credentials the script uses to write to the database and neither cannot update a different host. That seems secure enough for me. It won’t scale for a setup as DynDNS.com and the user-management sucks (you even have to create the entries in the database first, the script can only update them), but it works fine for me and I bet it would for others too :)

Nicolas Dandrimont: Hello world

olasd — 2013-05-19T20:02:02+00:00

Or rather, hello Planet!

Here’s a somewhat traditional introductory post.

I’m Nicolas Dandrimont, I’m French, I’m sysadmin in a grande école, where I’m mostly in charge of the GNU/Linux workstations and servers.

In Debian, I’m a DM, currently in the NM queue, so I might become a DD soon-ish. I am (rather inactively) co-maintaining a few packages. In my Debian “career”, I have been involved in OCaml packaging and Python packaging, although lately most of my time has been spent on Google Summer of Code (mentor for two mentors.debian.net projects in 2012, org admin for Debian in 2013), and on mentors.debian.net.

In other free-software related projects, I own a RepRap 3D printer, and I grew some interest in the related software, e.g. Slic3r and printrun. There have been a lot of action in Fedora about packaging 3D-printing-related software, and it’d be great to get a team together to work on that in Debian during the jessie release cycle. Consider this a call for interested parties

Unrelatedly, paultag has tricked me into working on hy, which is way too much fun. Blame him if you feel that I have been inactive lately, this has been eating way too much of my free time

Hopefully I’ll be able to make regular updates on the work I do in Debian and free software, so stay tuned!

Gregor Herrmann: RC bugs 2013/20

Gregor Herrmann — 2013-05-19T19:59:27+00:00

besides working on the preparation of the Perl 5.18 transition, I also looked into some RC bugs:

#542564 – xmlroff: "xmlroff: uses libgnomeprint which is scheduled for removal"
drop build dependency and disable in ./configure, upload to DELAYED/2
~~#665506~~ – src:ario: "ario: Including individual glib headers no longer supported"
apply patch from Michael Biebl, upload to DELAYED/2, overriden by a faster upload of another bug squashing DD
#665530 – src:getstream: "getstream: Including individual glib headers no longer supported"
add patch from Michael Biebl, upload to DELAYED/2
#665555 – src:gxine: "gxine: Including individual glib headers no longer supported"
add info about next build failure to bug report
#665573 – src:librcc: "librcc: Including individual glib headers no longer supported"
include patch from Colin Watson, upload to DELAYED/2
#665579 – src:meanwhile: "meanwhile: Including individual glib headers no longer supported"
apply patch from Michael Biebl, upload to DELAYED/2
#665609 – src:sagasu: "sagasu: Including individual glib headers no longer supported"
apply patch from Michael Biebl, upload to DELAYED/2
#665628 – src:xmlroff: "xmlroff: Including individual glib headers no longer supported"
apply patch from Michael Biebl, upload to DELAYED/2
~~#707686~~ – dhelp: "dhelp: FTBFS and uninstallable in sid: needs ruby-gettext"
upload last week's patch to DELAYED/2
~~#708598~~ – src:libgeo-ip-perl: "libgeo-ip-perl: FTBFS: CAPI must be at least 1.4.8 - Please update"
upload new upstream release (pkg-perl)
~~#708730~~ – libanyevent-perl: "libanyevent-perl: architecture specific constants in an arch:all package (again)"
switch back to arch:any (pkg-perl)
#708766 – libimager-qrcode-perl: "libimager-qrcode-perl: Update for newer libimager-perl needed"
file a bug with patch (update for newer libimager-perl)

Wouter Verhelst: Whee

Wouter Verhelst — 2013-05-19T19:29:00+00:00

Today, I played at TC Cantincrode in Mortsel, Belgium, in the first round. This is the first year I'm playing tennis competitively, so I was expecting to lose by a pretty wide margin. Now while I didn't win, the margin wasn't as wide as I'd expected; 6/4 - 6/3 isn't too bad for the non-ranked beginner that I am. For comparison: I lost my previous match with 6/2 - 6/0, and I was not unhappy about that.

Part of this was due to my opponent (by his own admission) not playing his best; but still, I'm quite happy about my result here.

My next match probably won't be as good. Oh well.

Benjamin Mako Hill: The Cost of Inaccessibility at the Margins of Relevance

Benjamin Mako Hill — 2013-05-19T16:00:05+00:00

I use RSS feeds to keep up with academic journals. Because of an undocumented and unexpected feature (bug?) in my (otherwise wonderful) free software newsreader NewBlur, many articles published over the last year were marked as having been read before I saw them.

Over the last week, I caught up. I spent hours going through abstracts and downloading papers that looked interesting or relevant to my research. Because I did this for hundreds of articles, it gave me an unusual opportunity to reflect on my journal reading practices in a systematic way.

On a number of occasions, there were potentially interesting articles in non-open access journals that neither MIT nor Harvard subscribes to and that were otherwise not accessible to me. In several cases where the research was obviously important to my work, I made an interlibrary request, emailed the papers’ authors for copies, or tracked down a colleague at an institution with access.

Of course, articles that look potentially interesting from the title and abstract often end up being less relevant or well executed on closer inspection. I tend to cast a wide net, skim many articles, and put them aside when it’s clear that the study is not for me. This week, I downloaded many of these possibly relevant papers to, at least, give a skim. But only if I could download them easily. On three or four occasions, I found inaccessible articles at this margin of relevance. In these cases, I did not bother trying to track down the articles.

Of course, what appear to be marginally relevant articles sometimes end up being a great match for my research and I will end up citing and building on the work. I found several suprisingly interesting papers last week. The articles that were locked up have no chance at this.

When people suggest that open access hinders the spread of scholarship, a common retort is that the people who need the work have or can finagle access. For the papers we know we need, this might be true. As someone with access to two of the most well endowed libraries in academia who routinely requests otherwise inaccessible articles through several channels, I would have told you, a week ago, that locked-down journals were unlikely to keep me from citing anybody.

So it was interesting watching myself do a personal cost calculation in a way that sidelined published scholarship — and that open access publishing would have prevented. At the margin of relevance to ones research, open access may make a big difference.

Martin F. Krafft: Streaming a camera to the local network

Martin F. Krafft — 2013-05-19T11:48:01+00:00

I have a Raspberry Pi running Raspbian (wheezy) with a UVC camera available as /dev/video0.

I've been trying for three weeks to live-stream the picture from the camera onto the local network. I have tried crtmpserver and vlc, read several dozens of how-tos, but so far I have not been able to get a streaming setup working, no matter what I tried.

Hence my plea to the lazy web: does anyone have such a setup running on top of Debian? Would you please let me know how you did it?

Thanks a lot!

NP: Eels: End Times

Martin F. Krafft: Packaging workflows

Martin F. Krafft — 2013-05-19T11:48:01+00:00

All recent articles on packaging using a version control system should really appear over at Planet vcs-pkg. Feel free to just ping me with a feed URL that is vcs-pkg-specific.

Hideki Yamane: monthy magazine update (Debian Hot Topics, in Japanese)

Hideki Yamane — 2013-05-19T10:32:37+00:00

I've written an article as monthly one, "Debian Hot Topics", and this time, teaching steps and ways that how to put packages to Debian official repository. Japanese readers, have fun :)

Neil Williams: pybit 1.0.0 - distributed, scalable builds direct from VCS or archives

Neil Williams — 2013-05-19T00:02:28+00:00

PyBit is a distributed build system able to build packages in response to VCS commits or other triggers, across multiple architectures, multiple clients and multiple build environments with automated uploads to a nominated repository.

Support is included in 1.0.0 for building Debian packages using sbuild in response to subversion commits or changes in debian-devel-changes@lists.debian.org (by using apt as a version control handler) for any architecture and build environment which sbuild can support. There is also an example git commit template. Pybit has been designed to be fully extensible, so support for RPM or other package formats can be added as well as other version control handlers, other build environments and other architectures. Pybit is also scalable, when one type of client is struggling with the workload, another machine of the same architecture can be added to the pool to share the load. Pybit can also build a package for any number of architectures and build environments at the same time. The Pybit web interface provides an at-a-glance summary of all current builds as well as options to blacklist certain combinations, cancel and retry specific jobs and add monitor each pybit client. Current use cases include:

Rapidly changing VCS - one or more subversion repositories with lots of Debian packages, built automatically for any number of build environments and architectures every time the debian/changelog is modified. Clean chroot builds provide continuous integration testing of the every package.

Rebuilding the archive with different compilers or flags - a dedicated email account subscribed to debian-devel-changes@lists.debian.org feeding messages through procmail to the changes-debian hook, passing build requests to the apt handler to rebuild each package in your own sbuild chroots, using whatever environments, suites and build options can be configured within those chroots.

something else we haven't thought of yet ... there is scope for a lot more hooks, package formats, chroot tools and handler plugins.

arrived in Debian unstable

https://freecode.com/projects/pybit

http://nicholasdavidson.github.io/pybit/

https://github.com/nicholasdavidson/pybit

Francois Marier: Three wrappers to run commands without impacting the rest of the system

Francois Marier — 2013-05-18T06:14:00+00:00

Most UNIX users have heard of the nice utility used to run a command with a lower priority to make sure that it only runs when nothing more important is trying to get a hold of the CPU:

nice long_running_script.sh

That's only dealing with part of the problem though because the CPU is not all there is. A low priority command could still be interfering with other tasks by stealing valuable I/O cycles (e.g. accessing the hard drive).

Prioritizing I/O

Another Linux command, ionice, allows users to set the I/O priority to be lower than all other processes.

Here's how to make sure that a script doesn't get to do any I/O unless the resource it wants to use is idle:

sudo ionice -c3 hammer_disk.sh

The above only works as root, but the following is a pretty good approximation that works for non-root users as well:

ionice -n7 hammer_disk.sh

You may think that running a command with both nice and ionice would have absolutely no impact on other tasks running on the same machine, but there is one more aspect to consider, at least on machines with limited memory: the disk cache.

Polluting the disk cache

If you run a command (for example a program that goes through the entire file system checking various things, you will find that the kernel will start pulling more files into its cache and expunge cache entries used by other processes. This can have a very significant impact on a system as useful portions of memory are swapped out.

For example, on my laptop, the nightly debsums, rkhunter and tiger cron jobs essentially clear my disk cache of useful entries and force the system to slowly page everything back into memory as I unlock my screen saver in the morning.

Thankfully, there is now a solution for this in Debian: the nocache package.

This is what my long-running cron jobs now look like:

nocache ionice -c3 nice long_running.sh

Turning off disk syncs

Another relatively unknown tool, which I would certainly not recommend for all cron jobs but is nevertheless related to I/O, is eatmydata.

If you wrap it around a command, it will run without bothering to periodically make sure that it flushes any changes to disk. This can speed things up significantly but it should obviously not be used for anything that has important side effects or that cannot be re-run in case of failure.

After all, its name is very appropriate. It will eat your data!

Paul Tagliamonte: Hy: recent developments and some work from doctormo

Paul Tagliamonte — 2013-05-18T01:58:04+00:00

Thanks to DoctorMo for the hilarious photo. It’s just so good.

We’ve got Classes working, the usual fixes from the ‘crew, and native macros. Huzzah!

I’ve had to take the site down for now (well, stop updating it) because of a vulnerability I introduced (macros allow arbitrary code to run), which means, if anyone’s keen, they should add the sandboxing code to the Hy Site as well!

More coming soon!

Richard Hartmann: Release Critical Bug report for Week 20

Richard 'RichiH' Hartmann — 2013-05-17T22:02:07+00:00

If I did everything right, this post will not appear on any RSS feed yet still make it to my blog to maintain history.

The UDD bugs interface currently knows about the following release critical bugs:

In Total: 1088
- Affecting Jessie: 214 That's the number we need to get down to zero before the release. They can be split in two big categories:
  - Affecting Jessie and unstable: 183 Those need someone to find a fix, or to finish the work to upload a fix to unstable:
    - 43 bugs are tagged 'patch'. Please help by reviewing the patches, and (if you are a DD) by uploading them.
    - 15 bugs are marked as done, but still affect unstable. This can happen due to missing builds on some architectures, for example. Help investigate!
    - 125 bugs are neither tagged patch, nor marked done. Help make a first step towards resolution!
  - Affecting Jessie only: 31 Those are already fixed in unstable, but the fix still needs to migrate to Jessie. You can help by submitting unblock requests for fixed packages, by investigating why packages do not migrate, or by reviewing submitted unblock requests.
    - 0 bugs are in packages that are unblocked by the release team.
    - 31 bugs are in packages that are not unblocked.

How do we compare to the Squeeze release cycle?

Week	Squeeze	Wheezy	Diff
43	284 (213+71)	468 (332+136)	+184 (+119/+65)
44	261 (201+60)	408 (265+143)	+147 (+64/+83)
45	261 (205+56)	425 (291+134)	+164 (+86/+78)
46	271 (200+71)	401 (258+143)	+130 (+58/+72)
47	283 (209+74)	366 (221+145)	+83 (+12/+71)
48	256 (177+79)	378 (230+148)	+122 (+53/+69)
49	256 (180+76)	360 (216+155)	+104 (+36/+79)
50	204 (148+56)	339 (195+144)	+135 (+47/+90)
51	178 (124+54)	323 (190+133)	+145 (+66/+79)
52	115 (78+37)	289 (190+99)	+174 (+112/+62)
1	93 (60+33)	287 (171+116)	+194 (+111/+83)
2	82 (46+36)	271 (162+109)	+189 (+116/+73)
3	25 (15+10)	249 (165+84)	+224 (+150/+74)
4	14 (8+6)	244 (176+68)	+230 (+168/+62)
5	2 (0+2)	224 (132+92)	+222 (+132/+90)
6	release!	212 (129+83)	+212 (+129/+83)
7	release+1	194 (128+66)	+194 (+128/+66)
8	release+2	206 (144+62)	+206 (+144/+62)
9	release+3	174 (105+69)	+174 (+105/+69)
10	release+4	120 (72+48)	+120 (+72/+48)
11	release+5	115 (74+41)	+115 (+74/+41)
12	release+6	93 (47+46)	+93 (+47/+46)
13	release+7	50 (24+26)	+50 (+24/+26)
14	release+8	51 (32+19)	+51 (+32/+19)
15	release+9	39 (32+7)	+39 (+32/+7)
16	release+10	20 (12+8)	+20 (+12/+8)
17	release+11	24 (19+5)	+24 (+19/+5)
18	release+12	2 (2+0)	+2 (+2/+0)

Graphical overview of bug stats thanks to azhag:

Rob Bradford: GNOME in Moblin: Myzone

Rob Bradford — 2013-05-17T12:32:00+00:00

Howdy, i’m sure most people are aware of the recent release of Moblin 2.0; a user experience for netbooks. I’m going to write a few blog posts about how the Moblin user experience is built on the awesome technologies in the GNOME platform.

So first up, let’s look at the Myzone, we’re starting here since this is the first thing I really worked on in the Moblin UX and i’ve been able to see it through from early ideas to the 2.0 and 2.1 releases.

So, deep breath, the idea behind the Myzone is to provide a springboard to things that matter to you most: your recent files and web pages you’ve visited, your upcoming events and things you need to do, things that are happening on social web services and your favourite applications.

Now then, that’s the theory, how does it work:

Recent files: Recent file information is pulled from the GtkRecentManager and the thumbnails are pulled from the XDG thumbnail specification directory. Metadata for the file comes courtesy of gio which I presume comes from shared-mime-info. Yay. By using the GtkRecentManager for all our recent activity metadata across the platform we’re allowing legacy GNOME applications to just work. Sweet.
Events and tasks: These are pulled from EDS using libjana, a calendaring library primarily developed by Chris Lord (of Dates fame.) A couple of months back (well, uh, March) I enhanced libjana to support tasks and thus we are able reuse the existing Tasks/Dates apps for interacting with the calendar.
Favourite apps: Here I let the side down. I use some quite crazy custom format for doing this which frankly stinks. I’m going to try and sit down with the GNOME shell guys to see if we can come up with some better way for dealing with user originated application metadata.
Social networking/web service integration: This comes courtesy of Mojito and librest, two projects that I and the esteemed Ross Burton have been working on. Mojito is a project that pulls in content from a variety web services into a centralised place, abstracting some of the complexity and the makes it trivial to query. librest is a library for to keep developers happy even though they’re having to deal with web services. It does this by making requests and parsing the result simple.

Rob Bradford: GNOME in Moblin: People panel

Rob Bradford — 2013-05-17T12:31:41+00:00

Previously i’d talked about how we use GNOME technologies in the Moblin Myzone. Now i’m going to talk about another component that i’m responsible for, the People Panel.

An important aspect of the Moblin user experience is about communicating with others and this panel provides quick access to do this. The core of the content is provided by an abstraction, simplification and aggregation library called Anerley. This provides a “feed” of “items” (an addressbook of people) that aggregates across the system addressbook, powered by EDS, and your IM roster, powered by Telepathy. You have small set of actions you can do on these people such as start an IM conversation / email / edit them with Contacts. The core of our IM experience is supplied by the awesome Empathy. We’ve been working with the upstream maintainers to accomodate some of the needs of Moblin into the upstream source. This included the improvements to the accounts dialog and wizard that landed for GNOME 2.28.

One of the biggest problems with the IM experience in Moblin 2.0 was that it was easy to miss when somebody was talking to you. If you were looking away when the notification popped up, whoops, it’s gone. With our switch to Mission Control 5 I was able to integrate a Telepathy Observer into Anerley and the People Panel. An Observer will be informed of channels that are requested on the system. This allows us to show ongoing conversations in the panel and by exploiting channel requests and window presentation allow the user to switch between ongoing conversations. This wouldn’t have been possible without the assistance of the nice folks in #telepathy and at Collabora: Sjoerd, Will, Jonny and countless others.

Hideki Yamane: add epub support to developers reference

Hideki Yamane — 2013-05-17T12:29:30+00:00

I've added epub support to Debian developers reference 3.4.10 (see /usr/share/doc/developers-reference*/*.epub), so you can read it with your favorite ebook reader like kindle, sony reader or something that NetBSD folks uses for porting ;-)

Petter Reinholdtsen: How to transform a Debian based system to a Debian Edu installation

Petter Reinholdtsen — 2013-05-17T09:50:00+00:00

Debian Edu / Skolelinux is an operating system based on Debian intended for use in schools. It contain a turn-key solution for the computer network provided to pupils in the primary schools. It provide both the central server, network boot servers and desktop environments with heaps of educational software. The project was founded almost 12 years ago, 2001-07-02. If you want to support the project, which is in need for cash to fund developer gatherings and other project related activity, please donate some money.

A topic that come up again and again on the Debian Edu mailing lists and elsewhere, is the question on how to transform a Debian or Ubuntu installation into a Debian Edu installation. It isn't very hard, and last week I wrote a script to replicate the steps done by the Debian Edu installer.

The script, debian-edu-bless in the debian-edu-config package, will go through these six steps and transform an existing Debian Wheezy or Ubuntu (untested) installation into a Debian Edu Workstation:

Add skolelinux related APT sources.
Create /etc/debian-edu/config with the wanted configuration.
Install debian-edu-install to load preseeding values and pull in our configuration.
Preseed debconf database with profile setup in /etc/debian-edu/config, and run tasksel to install packages according to the profile specified in the config above, overriding some of the Debian automation machinery.
Run debian-edu-cfengine-D installation to configure everything that could not be done using preseeding.
Ask for a reboot to enable all the configuration changes.

There are some steps in the Debian Edu installation that can not be replicated like this. Disk partitioning and LVM setup, for example. So this script just assume there is enough disk space to install all the needed packages.

The script was created to help a Debian Edu student working on setting up Raspberry Pi as a Debian Edu client, and using it he can take the existing Raspbian installation and transform it into a fully functioning Debian Edu Workstation (or Roaming Workstation, or whatever :).

The default setting in the script is to create a KDE Workstation. If a LXDE based Roaming workstation is wanted instead, modify the PROFILE and DESKTOP values at the top to look like this instead:

PROFILE="Roaming-Workstation"
DESKTOP="lxde"

The script could even become useful to set up Debian Edu servers in the cloud, by starting with a virtual Debian installation at some virtual hosting service and setting up all the services on first boot.

Daniel Pocock: Zermatt, Matterhorn and Gornergrat

Daniel.Pocock — 2013-05-17T09:46:11+00:00

The DebConf13 registration deadline for developers requesting sponsorship has been extended up to Sunday, so for those still undecided or anybody else thinking about a visit to .ch, I'm sharing some more pictures today.

The Matterhorn is one of the iconic symbols of Switzerland's natural beauty and appears on many postcards. The car-free town of Zermatt is at the bottom and is the final stop on the Matterhorn Gotthard Bahn railway, so it is really easy to get there with one or two trains every hour of the day.

One of the most exciting places to view the Matterhorn is from the nearby observatory at Gornergrat, which is 3,089m above sea level. It is great for a single day trip of hiking and there is a convenient train station there too.

The scenic train to Zermatt is included in any of the Swiss rail passes, but the train up to Gornergrat is a private railway and a special ticket must be purchased. Discounts are sometimes offered at rail stations in Swiss cities or online or it is possible to hike up and down.

Russell Coker: Voltage Inside a Car

etbe — 2013-05-17T02:57:47+00:00

I previously wrote a post with some calculations about the power supplied to laptops from a car battery [1]. A comment on the post suggested that I might have made a mistake in testing the Voltage because leaving the door open (and thus the internal lights on) will cause a Voltage drop.

So I’ve done some more tests:

Test	Voltage
battery terminals	12.69
front power socket with doors closed	12.64
front power socket with doors open OR ignition switch on	12.37
cigarette lighter socket with ignition switch on	12.32
front power socket with doors closed and headlights on	11.96
front power socket with engine running	14.38
front power socket with engine running and headlights on	14.29

In my previous tests I recorded 12.85V inside my car (from the front power socket which although having the same connector as a cigarette lighter isn’t designed for lighting cigarettes) and 13.02V from the battery terminals – a 0.17V difference. In my tests today I was unable to reproduce that but I think that my biggest mistake was to take the reading too quickly. Today I noticed that it took up to a minute for the Voltage to stabilise after opening a door (the Voltage dips after any current draw and takes time to recover) so a quick reading isn’t going to be accurate.

My car is a Kia Carnival which has two sockets in the front for power and for actually lighting cigarettes. The one for lighting cigarettes has a slightly lower Voltage and only works when the ignition is turned on. The car also has a power socket in the boot (the trunk for US readers) which delivers the same Voltage as the power socket in the front.

Also one thing to note is that today is a reasonably cold day (16.5C outside right now) and my car hasn’t been driven since last night so the battery would be quite cold (maybe 12C or less). My previous measurements were taken in summer so the battery would have been a lot warmer and therefore working more effectively.

Conclusion

The Voltage drop from turning on the internal lights surprised me, I had expected that a car battery which is designed to supply high current wouldn’t be affected by such things. Certainly not to give a 2% Voltage drop! The Voltage difference from reading inside the car and at the battery terminals might be partly due to the apparent lead coating on the terminals, I pushed the probes of my multimeter beneath the surface of the metal and got a really good connection.

The 14% Voltage increase when the engine was running was also a surprise. It seems to me that if you are running a power hungry device (such as a laptop) it would be a good idea to disconnect it when the engine is turned off. A 14% higher voltage will give a 14% lower current if the PSU is efficient and therefore less problems with heat in the wiring and less risk of blowing a fuse.

Also it’s a good idea to be more methodical about performing tests than I was before my last post. There are lots of other tests I could run (such as testing after the engine has been running for a while) but at the moment I don’t have enough interest in this topic to do more tests. Please leave a comment if there’s something interesting that you think I missed.

[1] http://etbe.coker.com.au/2013/01/24/power-supplies-wires/

Russell Coker: Effective Conference Calls

etbe — 2013-05-17T01:53:47+00:00

I’ve been part of many conference calls for work and found them seriously lacking. Firstly there’s a lack of control over the call, so when someone does something stupid like putting an unmuted phone handset near a noise source there’s no way to discover who did it and disconnect them.

Another problem is that of noise on the line when some people don’t mute their phones, which is related to the lack of control as it’s impossible to determine who isn’t muting their phone.

Possibly the biggest problem is how to determine who gets to speak next. When group discussions take place in person non-verbal methods are used to determine who gets to speak next. With a regular phone call (two people) something like the CSMACD algorithm for network packets works well. But when there are 8+ people involved it becomes time consuming to resolve issues of who speaks next even when there are no debates. This is more difficult for multinational calls which can have a signal round trip time of 700ms or more.

I think that we need a VOIP based conference call system for smart phones to manage this. I think that an ideal system would be based on the push to talk concept with software control that only allows one phone to transmit at a time. If someone else is speaking and you want to say something then you would push a button to indicate your desire but your microphone wouldn’t go live while the other person was speaking. The person speaking would be notified of your request and one of the following things would happen:

You are added to the queue of people wishing to speak. When the other person finished speaking the next person in the queue gets a turn.
You are added to the queue and the moderator of the call chooses who gets to speak next. This isn’t what I’d prefer but would probably be desired by managers for corporate calls.
You get to interrupt the person who’s speaking. This may not be ideal but is similar to what currently happens.

Did I miss any obvious ways for the system to react to a talk request?

Is there any free software to do something like this? A quick search of the Google Play store didn’t find anything that seems to match.

Scott Kitterman: New ipaddress module in python3.3

skitterman — 2013-05-16T20:44:49+00:00

Back in 2010 I packaged Google’s ipaddr module because I needed a light weight IP address manipulation library that supported both IPv4 and IPv6 and (at the time) python-subnettree was IPv4 only. Well, ipaddr is all grown up now and included in python3.3 as the ipaddress manipulation module in the standard library. You can find details, as well as some description of the differences, in PEP 3144.

I just converted one package that I’m upstream for to use either ipaddr (for python2.6/2.7/3.2) or ipaddress instead of some custom code. It turned out to be pretty easy to make it work with either. Other than the name, the only difference I ran into was the removal of the common, generic IPAddress and IPNetwork functions that are replaced by ip_address and ip_network.

…
-import ipaddr
+try:
+    import ipaddress
+except ImportError:
+    import ipaddr as ipaddress
…
-    address = ipaddr.IPAddress(ip)
-    if isinstance(address, ipaddr.IPv4Address):
+    try:
+        address = ipaddress.ip_address(ip)
+    except AttributeError:
+        address = ipaddress.IPAddress(ip)
+    if isinstance(address, ipaddress.IPv4Address):
…

Currently, python3-ipaddr has no reverse-dependencies in the archive (python-ipaddr does). Once python3.2 is dropped from Jessie, I think I’ll drop the python3-ipaddr binary on the assumption people newly coding for python3.3 should use ipaddress. The python-ipaddr module will stick around for use with python2.7.

DebConf team: DebConf13 registration extended and DebConf12 Final Report (Posted by Didier Raboud)

DebConf Organizers — 2013-05-16T19:30:00+00:00

Dear all,

DebConf13 sponsorship application date extended

As communicated through the debconf-announce@lists.debconf.org mailing list, the deadline to apply for DebConf13 sponsorship has been extended to the end of this week, May 19th.

If you intend to attend DebConf13 in August and would like to apply for sponsored registration, now is the time to register in Penta! After this deadline you will no longer be able to apply for sponsored food, accomodation or travel. Please refer to the announcement and to the registration documentation for details. Please contact us on the debconf-discuss mailing list if you have any questions.

DebConf12 final report

The DebConf team is also happy to announce the release of the DebConf12 Final Report. It’s a 39-page document which gives the reader an idea about the conference as a whole. It includes descriptions of talks, DebCamp and Debian Day activities, personal impressions, attendee and budgeting numbers, the work of various teams, social events and so on. If you attended Debconf12, the report may refresh some of your memories and bring you closer to the organization team work. If not, it will certainly encourage you to be part of future Debian events.

We thank the Universidad Centroamericana, the Government of Nicaragua, Google and all other DebConf12 sponsors for their support that made the event possible.

The DebConf team

Vincent Sanders: True art selects and paraphrases, but seldom gives a verbatim translation

Vincent Sanders — 2013-05-16T14:53:51+00:00

In my professional life I am sometimes required to provide technical support to one of our salesmen. I find this an interesting change in pace though sometimes challenging.

Occasionally I fail to clearly convey the solution we are trying to sell because of my tendency to focus on detail the customer probably does not need to understand but I think is the interesting part of the problem.

Conversely sometimes the sales people gloss over important technology choices which have a deeper impact on the overall solution. I was recently in such a situation where as part of a larger project the subject of internationalisation (you can see why it gets abbreviated to i18n) was raised.

I had little direct personal experience with handling this within a project workflow so could not give any guidance but the salesman recommended the Transifex service as he had seen it used before, indicated integration was simple and we moved onto the next topic.

Unfortunately previous experience tells me that sometime in the near future someone is going to ask me hard technical questions about i18n and possibly how to integrate Transifex into their workflow (or at least give a good estimate on the work required).

Learning

Being an engineer I have few coping strategies available for situations when I do not know how something works. The approach I best know how to employ is to give myself a practical crash course and write up what I learned...so I did.

I proceeded to do all the usual things you do when approaching something unfamiliar (wikipedia, google, colleagues etc.) and got a basic understanding of internationalisation and localisation and how they fit together.

This enabled me to understand that the Transifex workflow proposed only covered the translation part of the problem and that, as Aldrich observed in my title quote, there is an awful lot more to translation than I suspected.

Platforms

My research indicated that there are numerous translation platforms available for both open source and commercial projects and Transifex is one of many solutions.

Although the specific platform used was Transifex most of these observations apply to all these other platforms. The main lesson though is that all platforms are special snowflakes and once a project invests effort and time into one platform it will result in the dreaded lock in. The effort to move to another platform afterwards is at least as great as the initial implementation.

It became apparent to me that all of these services, regardless of their type, boil down to a very simple data structure. They appear to be a trivial table of Key:Language:Value wrapped in a selection of tools to perform format conversions and interfaces to manipulate the data.

There may be facilities to attach additional metadata to the table such as groupings for specific sets of keys (often referred to as resources) or translator hints to provide context but the fundamental operation is common.

The pseudo workflow is:

Import a set of keys
Provide a resource grouping for the keys.
Import any existing translations for these keys.
Use the services platform to provide additional translations
Export the resources in the desired languages.

The first three steps are almost always performed together by the uploading of a resource file containing an initial set of translations in the "default" language and due to the world being the way it is this is almost always english (some services are so poorly tested with other defaults they fail if this is not the case!)

The platforms I looked at generally follow this pattern with a greater or lesser degree of freedom in what the keys are, how the groupings into resources are made and the languages that can be used. The most common issue with these platforms (especially open source ones) is that the input convertors will only accept a very limited number of formats and often restricted to just GNU gettext PO files. This means that to use those platforms a project would have to be able to convert any internal resources into gettext translatable format.

The prevalence of the PO format pushes assumptions into almost every platform I examined, mainly that a resource is for a single language translation and that the Key (msgid in gettext terms) is the untranslated default language string in the C locale.

The Transifex service does at least allow for the Key values to be arbitrary although the resources are separated by language.

Even assuming a project uses gettext PO files and UTF-8 character encoding (and please can we kill every other character encoding and move the whole world to UTF-8) the tools to integrate the import/export into the project must be written.

A project must decide some pretty important policies, including:

Will they use a single service to provide all their translations.
Will they allow updates to the files in their revision control system and how those will be integrated.
Will there be a verification step and if so who and how will that be performed. Especially important is the question of a reviewer understanding the translated language being integrated and how that is controlled.
Will the project be paying for translations
Will the project allow machine translations, if not can they be used as an initial hint (sometimes useful if the translators are weak in the "default" language

These are project policy decisions and, as I discovered, just as difficult to answer as the technical challenges.

Armed with my basic understanding it was time to move on and see how the transifex platform could be integrated into a real project workflow.

Implementing

Proof of concept

My first exercise was to take a trivial command line tool, use xgettext to generate a PO file and add the relevant libintl calls to produce gettext internationalised tool.

A transifex project was created and the english po file uploaded as the initial resource. A french language was added and the online editor used to provide translations for some strings. The PO resource file for french was exported and the tool executed with LANGUAGE=fr and the french translation seen.

This proved the trivial workflow was straightforward to implement. It also provided insight into the need to automate the process as the manual website operation would soon become exceptionally tedious and error prone.

Something more useful

To get a better understanding of a real world workflow I needed a project that:

Already internationalised but had limited language localisation
Did not directly use gettext
Had a code base I understood
Could be modified reasonably easily.
Might find the result useful rather than it being a purely academic exercise.

I selected the NetSurf web browser as it best fit this list.

Internally NetSurf keeps all the translated messages in a simple associative array this is serialised to an equally straightforward file named FatMessages. The file is UTF-8 encoded with keys separated from values by a colon. The Key is constrained to be ASCII characters with no colons and is structured as language.toolkit.identifier and is unique on identifier part alone.

This file is processed at build time into a simple identifier:value dictionary for each language and toolkit.

Transifex can import several resource formats similar to this, after experimenting with YAML and Android Resource format I immediately discovered a problem, the services import and export routines were somewhat buggy.

These routines coped ok with simple use cases but having more complex characters such as angle brackets and quotation marks in the translated strings would completely defeat the escaping mechanisms employed by both these formats (through entity escaping in android resource format XML is problematic anyway)

Finally the Java property file format was used (with UTF-8 encoding) which while having bugs in the import and export escaping these could at least be worked around. The existing tool that was used to process the FatMessages file was rewritten to cope with generating different output formats and a second tool to merge the java property format resources.

To create these two tools I enlisted the assistance of my colleague Vivek Dasmohapatra as his Perl language skills exceeded my own. He eventually managed to overcome the format translation issues and produce correct input and output.

I used the Transifex platforms free open source product, created a new project and configured it for free machine translation from the Microsoft service, all of which is pretty clearly documented by Transifex.

Once this was done the messages file was split up tinto resources for the supported languages and uploaded to the transifex system.

I manually marked all the uploaded translations as "verified" and then added a few machine translations to a couple of languages. I also created spanish as a new language and machine translated most of the keys.

The resources for each language were then downloaded and merged and the resulting FatMessages file checked for differences and verified only the changes I expected appeared.

I quickly determined that manually downloading the language resources every time was not going to work with any form of automation, so I wrote a perl script to retrieve the resources automatically (might be useful for other projects too).

Once these tools were written and integrated into the build system I could finally make an evaluation as to how successful this exercise had been.

Conclusions

The main things I learned from this investigation were:

Internationalisation has a number of complex areas
Localisation to a specific locale is more than a mechanical process.
The majority of platforms and services are oriented around textural language translation
There is a concentration on the gettext mode of operation in many platforms
Integration to any of these platforms requires both workflow and technical changes.
At best tools to integrate existing resources into the selected platform need to be created
Many project will require format conversion tools, necessitating additional developer time to create.
The social issues within an open source project may require compromise on the workflow.
The external platform may offer little benefits beyond a pretty user interface.
External platforms introduce an external dependency unless the project is prepared and able to run its own platform instance.
Real people are still required to do the translations and verify them.

Overall I think the final observation has to be that integrating translation services is not a straightforward operation and each project has unique challenges and requirements which reduce the existing platforms to compromise solutions.

Wouter Verhelst: Single-stepping init systems

Wouter Verhelst — 2013-05-16T11:42:00+00:00

The Linux init systems are a bit in flux at the moment. That is, they're in flux in Debian; outside Debian, most other distributions have stepped away from sysvinit and towards something else (systemd, openrc, or upstart). I've not been a proponent of any switch, though I understand the reasoning, and it probably makes sense for us to switch at some point. But yesterday, the fact that this customer's system was running sysvinit and not systemd or upstart saved me quite a bit.

There's a server. It has one quadcore processor. For reasons that I won't go into here, the customer wants an extra quadcore processor to be added to the system.

After having done so, I power on the system... only to see it power itself off at some point during boot. I did notice some kernel messages fly by just moments before the system would power itself off, but it was impossible for me to read them. So what did I do?

Boot the system with init=/bin/bash,
After having booted the system, go to /etc/rcS.d and manually run each and every one of the scripts there in turn. When the system powers off, I know what the problem is.
Disable the init script that causes the problem, and boot the system normally.

That last bit is, obviously, a bit of an ugly workaround; the better way to fix this issue would have been to debug what the actual issue was, and implement a proper fix. However, I didn't have time for that (the fact that there was need for a second quadcore chip explains how much this system is in use), and the workaround was acceptable for the customer. It is not the first time that this ability to single-step the init system has saved me. The fact that sysvinit is so simplistic is what makes this possible, and I consider that one of its most important features.

Recently, I came into contact with a distribution that uses systemd as its init system (in casu, Arch Linux). I had made a mistake in configuration; I had installed and enabled a graphical login system, but had no xterm or similar available, and had done something else wrong through which I couldn't get a regular shell on the console anymore, either. To fix this, I tried doing something like the above (running with init=/bin/bash and single-stepping the init system), but found that doing so with systemd is nigh impossible. In the end, I knew what exactly the problem was and could disable automatically starting the login manager through removing a symlink, but it brought home the issue that debugging a similar issue when running systemd rather than sysvinit might be a lot harder to do.

We'll see what the future brings.

Daniel Pocock: Debian to rescue Skype users?

Daniel.Pocock — 2013-05-16T07:16:53+00:00

Last year at DebConf12 and the Paris mini-DebConf I mentioned some of the sophisticated techniques that the likes of Microsoft and Facebook are using to monitor their customers.

So when Skype was busted spying on the content of chat messages, it was no surprise for many people in the Debian community.

People are already rushing to find alternatives like XMPP and Jitsi. Debian 7 has been released just in time, with powerful features like TURN support that finally allow users to make free calls and chats with seamless NAT traversal. Sadly, Debian's built-in VoIP/RTC client, Empathy, only uses Google's TURN servers and not native Debian servers, but hopefully a solution will come soon, but it is easy enough to install Jitsi instead and configure it to use any of the free TURN server software on Debian.

It should be emphasized that Skype does not just spy on URLs in chat - it has simply been possible to detect this form of spying by detecting when the URL is accessed. Microsoft has taken out various patents for secretive monitoring of Internet phone calls and the analysis of speech patterns to detect both the content and emotions during a conversation. This allows them to get a very thorough analysis of the state of mind of every user at almost every moment and fine-tune the type of advertising and branding that is delivered to that person through conventional means and also through biased `news' reporting and other means.

Russ Allbery: Review: Asimov's, July 2011

Russ Allbery — 2013-05-16T03:58:00+00:00

Review: Asimov's Science Fiction, July 2011

Editor:	Sheila Williams
Issue:	Volume 35, No. 7
ISSN:	1065-2698
Pages:	112

Williams's editorial is a mildly interesting piece about story titles. Silverberg's column is a more interesting (and rather convincing) rebuttal of the joke that fiction authors are "professional liars," combined with an examination of a fake and fantastic 14th travelogue that (at least in Silverberg's telling) was widely believed at the time. The precis of Silverberg's argument is that lying requires an intent to deceive, which is a property of deceptive memoir writers but not of fiction authors.

Di Filippo's review column, as usual, is devoted almost entirely to esoterica, although I was moderately interested to hear of Stableford's continued work on translating early French SF. None of it seems compelling enough to go buy, but good translations of early works seem like a good thing to have in the world.

"Day 29" by Chris Beckett: The conceit of this novelette is an interstellar travel system akin to a transporter that allows near-instantaneous travel between worlds. The drawback is that all memories from somewhere between 40 and 29 days before transit up until transit are wiped. The progatonist is a data analyst who is about to travel, and therefore by agency rule is required to stop doing work on day 40 before transmission since he can't be held legally liable for anything he has no recollection of doing. (I would like to say that I find this implausible, since one could always keep records, but it's exactly the sort of ass-covering regulation that a human resources department would come up with.)

The premise is quite interesting: what do you do during that period that you're going to forget? Beckett wisely mixes Stephen's current waiting period on the colony world with his diary of his original waiting period on Earth the first time he went through the transmission process, and the latter adds greatly to the reader's appreciation of the weirdness of the forgotten interval.

Unfortunately, this is a story more about psychological exploration than about plot, and Stephen just isn't very interesting. The telepathic but possibly nonsentient aliens add weirdness but not much else, and the ending of the story provided little sense of closure or conclusion for me. A good idea, but not the execution I wanted. (5)

"Pug" by Theodora Goss: Since I grew up with a pug, I have a soft spot for a story featuring one; sadly, though, this story has insufficient pug in it. This is a quiet fantasy (Asimov's calls it SF, presumably on the basis of parallel worlds and a hypothesized scientific explanation, but it reads like fantasy to me) featuring Victorian girls, including one with a bad heart. They discover a hidden door to other versions of their world and do some minor exploration. There's little or nothing in the way of plot; the story is more of an attempt to capture a mood. It's mildly diverting, but I wish it had gone somewhere more substantial. (5)

"Dunyon" by Kristine Kathryn Rusch: A Rusch story is often the highlight of an issue, and this is no exception. The protagonist is the owner of a bar in a space station that's become a combination of a refugee camp and a slum. War and chaos have created desperate people, most of whom are attempting to find some way to resources and get out of the bottom of society. The story is about a rumor: a mythical system named Dunyon that's safe and far away. And it's about how people react to that rumor. There's nothing particularly surprising about the direction the story goes (it's fairly short), but Rusch is always a good storyteller. (7)

"The Music of the Sphere" by Norman Spinrad: I've had mixed feelings about Spinrad's fiction (and some of his essays), but I liked this story, despite its implausibility. It's set in the near future, featuring an expert in cetaceans and dolphin perception and a composer obsessed with both loud music and classical musical style. Just from that description, you can probably predict much of the story, but I thought it had some neat ideas about dolphins, whales, and alternate perception and aesthetics. (Note: neat, not necessarily biologically plausible.) Enjoyable. (6)

"Bring on the Rain" by Josh Roseman: In a change of pace from the rest of the issue, this is a post-apocalyptic story of caravans of wheeled ships traversing a scorched and ruined landscape in search of weather systems and rain. The feel is of an inverted Waterworld, but with more emphasis on military tactics and cooperating fleets. The transposition of fleet maneuvers to huge ground vehicles adds some extra fun. The plot has little to do with the background and is a fairly stock military adventure scenario, but it's reasonably well-told. The story feels like an excerpt from a larger military-SF-inspired adventure, but the length keeps the quantity of tactics and maneuvering below the threshold where I would get bored. (6)

"Twelvers" by Leah Cypess: This is a sharp and occasionally mean story of adolescent cruelty and alienation. Darla is a "twelver," a child who was carried an extra three months in the womb using newly-invented medical technology because of a belief in the advantages this would bring in later life. Unfortunately for all those who used this technique, what it also brought was a preternatural calm and an unusual reaction to emotions. Darla finds it almost impossible to get upset at anything, and that, of course, prompts the cruelty and abuse of other children. Most of the story is a description of that abuse, leading up to Darla stumbling into a nasty solution to her immediate problem. It's all very believable (well, apart from the motivating biology), but I didn't enjoy reading about it, and I'm certainly not convinced that the ending will lead to anything good. (5)

"The Messenger" by Bruce McAllister: This is a very short time travel story, where time travel is used to try to unwind old family pain. This world follows the unalterable history model: no changes to the past are possible, and anything you do in the past has already happened. The mechanics are mostly avoided. Instead, McAllister concentrates on his mother, his father, and their complex relationship. I would have needed a bit more background on the characters to care enough about them for the story to be fully effective, but while the heartstring-pulling is kind of obvious, it's still a solid story. (6)

"The Copenhagen Interpretation" by Paul Cornell: This is the most ingenious of the stories in this issue. It's set in a future world that extends what seemed to me to be pre-World-War-I great power politics, although there may be a hint of the Cold War. Great nations have reached a careful balance of power, and spies and secret services work to sustain that balance. The progatonist is one of those agents, making use of advanced technology like space folds in the service of a cause that he doesn't entirely believe in. Cornell mixes in mental conditioning, artificial people, space travel, and even aliens (maybe) in a taut thriller plot that, for me, gained a great deal from the unexplained strangeness of its background. If you like diving into the deep end and following a fast-moving plot against a background of strangeness, this is the sort of SF you'll enjoy. (7)

Rating: 6 out of 10

Russ Allbery: WebAuth 4.5.3

Russ Allbery — 2013-05-15T22:47:00+00:00

Good news: we finally tracked down the intermittant redirect looping bug so that I could fix it! Bad news: it was also a security vulnerability. Thankfully, it was fairly specific: you had to be using FastCGI for the login page and you also had to be using the $REMUSER_REDIRECT option. But in those situations, WebAuth versions from 4.4.1 through 4.5.2 could potentially leak authentication state from one user to another.

The full scenario is somewhat tedious to explain, but the short version is that, in 4.4.1, I switched over to using a single persistent CGI::Application object instead of re-creating it for each request. This takes better advantage of FastCGI. However, CGI::Application doesn't reset header properties between requests, and while we mostly did that internally, there was one specific case around REMOTE_USER redirects where we didn't.

For more details, including a patch for those who don't want to upgrade, see the security advisory.

WebAuth 4.5.3 has been released with only this fix relative to 4.5.2. You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

Lisandro Damián Nicanor Pérez Meyer: Qt 4.8.4 in experimental.

Lisandro Damián Nicanor Pérez Meyer — 2013-05-15T15:22:00+00:00

Since a few days we have Qt 4.8.4 (4:4.8.4+dfsg-3) in some archs of the experimental Debian archive. This release allows Qt4 to coexist with Qt5 while avoiding FTBFSs of current Qt4 packages in the archive.

So if you maintain a Qt4 app and want to check how it works with 4.8.4, you should be ready to go.

Benjamin Mako Hill: Sounds Like a Map

Benjamin Mako Hill — 2013-05-15T15:15:48+00:00

I love maps — something that became clear to me when I was looking at the tag cloud of my bookmarks a few years back. One of my favorite blogs (now a book) is Frank Jabobs’ Strange Maps.

So it’s no coincidence that a number of my favorite MIT Mystery Hunt puzzles are map based. Trying to connect the two worlds, I sent Jacobs a write-up of the hunt and of a particularly strange sound-based map puzzle called White Noise that I worked with Don Armstrong to solve in the 2006 hunt. While I wasn’t paying attention, Jacobs did a very nice writeup of my writeup of the puzzle for Strange Maps!

Craig Small: itools is back

Craig — 2013-05-15T13:14:08+00:00

My last post I said that I had to remove my internet query tools due to some bugs that were a concern. Some of the code was hard to maintain and probably had holes and I had noticed that it looped at times.

I’m happy to say that I have restored some of those tools now, still located at http://enc.com.au/itools

This code is completely re-written in Python using the TurboGears toolkit which means it is a lot cleaner in how it works and how it looks. Some of the lookup tables use a database rather than an array for ease of updating and querying. The downside is the backends will take time. It currently only does nslookup queries and whois only works for IPv4 addresses. The domain name queries will be a while off as these are the most complicated to handle. To give you an idea, all IPv4 and IPv6 address information comes from 5 sources with two formats while domain names come from over 200 sources with about 40 formats. This means the information from Regional Internet Registries will be done first.

Bastian Venthur: How to get the most precise time, comparable between processes in Python?

Bastian — 2013-05-15T10:49:58+00:00

Let’s consider the following scenario: I have two Python processes receiving the same events and I have to measure the delay between when process A received the event and when process B received it, as precisely as possible (i.e. less than 1ms).

Using Python 2.7 and a Unix system you can use the time.time method which provides the time in seconds since Epoch and has a typical resolution of a fraction of a ms on Unix. You can use it on different processes and still compare the results, since both processes receive the time since Epoch, a defined and fixed time in the past.

On Windows time.time also provides the time since Epoch, but the resolution is in the range of 10ms, which is not suitable for my application.

There is also time.clock which is super precise on Windows, and much less precise on Unix. The mayor drawback is that it returns the time since the process started or since the first call of time.clock within that processes. This means you cannot compare the results of time.clock between two processes as they are not calibrated to a common t-zero.

I had high hopes for Python 3.3 where the time module was revamped and I was reading about time.monotonic and time.perf_counter. Especially time.perf_counter looked like it would suit my needs as the documentation said it provides the highest available resolution for the system and was “system-wide”, in contrast to for example the new time.process_time which was “process_wide”. Unfortunately it turned out that time.perf_counter acts similar to time.clock on Python 2.7 as it provides you with the time since the process started or the first time the method was called within the process. The results of time.monotonic are comparable between processes, but again not precise enough on Windows.

Here is a small script which demonstrates how the times provided by time.clock and time.perf_counter are not comparable between processes. It starts two processes and lets both of them print out the output of the timer to stdout. In the output the times should be monotonically increasing. Since I let process 2 sleep for one second before calling the timer method for the first time, the output of this process is usually one second smaller when using time.clock or time.perf_counter.

#!/usr/bin/env python


from multiprocessing import Process
import time

timers = ['clock', 'time', 'monotonic', 'perf_counter']

def proc(timer):
    timer = getattr(time, timer)
    time.sleep(1)
    for i in range(3):
        print('P2 {time}'.format(time=timer()))
        time.sleep(1)

if __name__ == '__main__':
    for t in timers:
        print("Using {timer}".format(timer=t))
        p = Process(target=proc, args=(t,))
        timer = getattr(time, t)
        p.start()
        for i in range(3):
            print('P1 {time}'.format(time=timer()))
            time.sleep(1)
        p.join()

The result when running on Windows with Python 3.3:

$ python timertest.py
Using clock
P1 6.146032526480321e-06
P1 0.9926582847820045
P2 2.9612702173041547e-05
P1 1.9941743992602412
P2 1.0008579302676737
P2 2.0022709590185346
Using time
P1 1368614235.509732
P1 1368614236.511172
P2 1368614236.601301
P1 1368614237.512612
P2 1368614237.602741
P2 1368614238.604181
Using monotonic
P1 484.636
P1 485.63800000000003
P2 485.738
P1 486.639
P2 486.73900000000003
P2 487.741
Using perf_counter
P1 12.390910576623565
P1 13.39050745276285
P2 7.542858100680394e-06
P1 14.39190763071843
P2 1.0014012954160376
P2 2.0041399116368144

So as far as I see it, there is no way of getting comparable times between two processes on Windows with more precision than 10ms. Is that correct or am I missing something?

Russ Allbery: WebAuth 4.5.2

Russ Allbery — 2013-05-15T02:51:00+00:00

Last weekend, I spent several hours carefully going over some of the WebLogin code to try to track down a weird bug that we ran into in our UAT environment. The bad part is that I didn't find it, although restarting Apache made it disappear. The good part is that I found a bunch of other bugs that would have been troublesome later.

This release is just a WebLogin bug fix release, cleaning up those issues plus a few other things we've found in testing for our upcoming production upgrade. Specifically, there's now a way to preserve remember_login across a failed login attempt, clearing of failed login attempts after a successful one works properly, cookies are set correctly on the error page, and WebLogin no longer erroneously clears cookies when redirecting to check for cookie support.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

Daniel Kahn Gillmor: OpenPGP User ID Comments considered harmful

Daniel Kahn Gillmor (dkg) — 2013-05-15T02:40:00+00:00

Most OpenPGP User IDs look like this:

Jane Q. Public <jane@example.org>

This is clean, clear, and unambiguous.

However, some tools (gpg, enigmail among others) ask the user to provide a "Comment:" field when they are choosing a new User ID (e.g. when making a new key). These UI prompts are evil. The savvy user knows to avoid entering anything in this field, so that they can end up with a User ID like the one above. The user who provides something here (perhaps even something inconsequential like "I like strawberries", due to not being sure what should go in this little box) will instead end up with a User ID like:

Jane Q. Public (I like strawberries) <jane@example.org>

This is bad. This means that Jane is asking the people who certify her key+userid to certify whether she actually likes strawberries (how could they know? what if she changes her mind? should they revoke their certifications?) and anywhere that she is referred to by name will include this mention of strawberries. This is not Jane's identity, and it doesn't belong in an OpenPGP User ID packet.

Furthermore, since User IDs are atomic, if Jane wants to change the comment field (but leave her name and e-mail address the same), she will instead need to create a new User ID, publish it, get everyone who has certified her old key+userid to certify the key+newuserid, and then revoke the old one.

It is difficult already to help people understand and participate in the certification network that forms that backbone of OpenPGP's so-called "web of trust". These bogus comment fields make an already-difficult task harder. And all because of strawberries!

Tools like enigmail and gpg should not expose the "Comment:" field to users who are generating keys or choosing new User IDs. If they feel it absolutely must be present for some weird corner case that 0.1% of their users will have, they could require that the user enters some sort of "expert mode" before prompting the user to do something that is likely to be a mistake.

There is almost no legitimate reason for anyone to use this field. Let's go through some examples of this people use, taken from some examples i have lying around (identifying marks have been changed to protect the innocent who were duped by this bad UI choice, but you can probably find them on the public keyserver network if you want to hunt around):

domain repetition

John Q. Public (Debian) <johnqpublic@debian.org>

We know you're with debian already from the @debian.org address. If this is in contrast to your other address (johnqpublic@example.org) so that people know where to send you debian-related e-mail, this is still not necessary.

Lest you think i'm just calling out debian developers, people with @ubuntu.com addresses and (Ubuntu) comments (as well as @example.edu addresses and (Example University) comments and @example.com addresses and (Example Corp) comments) are out there too.

nicknames already evident

John Q. Public (Johnny) <johnqpublic@example.net>
John Q. Public (wackydude) <wackydude@example.net>

Again, the information these comments are providing offers no clear disambiguation from the info already contained in the name and e-mail address, and just muddies the water about what the people who certify this identity should actually be trying to verify before they make their certification.

"Work"

John Q. Public (Work) <johnqpublic@example.com>

if John's correspondents know that he works for Example Corp, then "Work" isn't helpful to them, because they already know this as the address that they're writing to him with. If they don't know that, then they probably aren't writing to him at work, so they don't need this comment either. The same problem appears (for example) with literal comments of (School) next to their @example.edu address.

This is my nth try at this crazy system!

John Q. Public (This is my second key) <johnqpublic@example.com>
John Q. Public (This is my primary key) <johnqpublic@example.com>
John Q. Public (No wait really use this one) <johnqpublic@example.com>

OpenPGP is confusing, and it can be tricky to get it right. We all know :) This is still not part of John's identity. If you want to designate a key as your preferred key, keep it up-to-date, get people to certify it, and revoke or expire your old keys. People who care can look at the timestamps on your keys and tell which ones are the most recent ones. You do have a revocation certificate for your key handy just in case you lose it, right?

Don't use this key

John Q. Public (Old key, do not use) <johnqpublic@example.com>
John Q. Public (Please only use this through September 2004) <johnqpublic@example.com>

This kind of sentiment is better expressed by revoking the key in question or setting an expiration time on the key or User ID self-sig directly. This sentiment is not part of John's identity, and shouldn't be included as though it were.

"none"

John Q. Public (none) <johnqpublic@example.com>

sigh. This is clearly someone getting mixed up by the UI.

I use strong crypto!

John Q. Public (3092 bits of RSA) <johnqpublic@example.com>

This comment refers to the strength of the key material, or the algorithms preferred by the user. Since the User ID is associated with the key material already, people who care about this information can get it from the key directly. This is also not part of the user's actual identity.

"no comment"

John Q. Public (no comment) <johnqpublic@example.com>

This is actually not uncommon (some keyservers reply "too many matches!"). It shows that the user is witty and can think on their feet (at least once), but it is still not part of the user's identity.

But wait (i hear you say)! I have a special case that actually is a legitimate use of the comment field that cannot be expressed in OpenPGP in any other way!

I'm sure that such cases exist. I've even seen one or two of them. The fact that one or two cases exist does not excuse the fact that that overwhelming majority of these comments in OpenPGP User IDs are a mistake, caused only by bad UI design that prompts people to put something (anything!) in the empty box (or on the command prompt, depending on your preference).

And this mistake is one of the thousand papercuts that inhibits the robust growth of the OpenPGP certification network that some people call the "web of trust". Let's avoid them so we can focus on the other 999 papercuts.

Please don't use comments in your OpenPGP User ID. And if you make a user interface for OpenPGP that prompts the user to decide on a new User ID, please don't include a prompt for "Comment" unless the user has already certified that they are really and truly a special special snowflake.

Thanks!

Tags: openpgp, ui

Ulrich Dangel: Debian Ireland Meetup Friday 17th of May

Ulrich Dangel — 2013-05-14T23:37:27+00:00

Thanks to Federico the Debian Irish User Group celebrates the Wheezy release with some pints this Friday (17.05.2013) at 8 at Mac Turcaill’s. For more information and a link to the pub have a look at the mailing list posting from Federico.

Oh and by the way: the Irish Debian Community officially launched last year, i.e. debian-dug-ie is #newinwheezy.

Petter Reinholdtsen: Second alpha release of Debian Edu / Skolelinux based on Debian Wheezy

Petter Reinholdtsen — 2013-05-14T21:30:00+00:00

The Debian Edu / Skolelinux project is making great progress and made its second Wheezy based release today. This is the release announcement:

New features for Debian Edu 7.0.0 alpha1 released 2013-05-14

This is the release notes for for Debian Edu / Skolelinux 7.0.0 edu alpha1, based on <ahref>Debian with codename "Wheezy".

About Debian Edu and Skolelinux

Debian Edu, also known as Skolelinux, is a Linux distribution based on Debian providing an out-of-the box environment of a completely configured school network. Immediatly after installation a school server running all services needed for a school network is set up just waiting for users and machines being added via GOsa², a comfortable Web-UI. A netbooting environment is prepared using PXE, so after initial installation of the main server from CD, DVD or USB stick all other machines can be installed via the network.

This is the first test release based on Wheezy (which currently is not released yet). Basically this is an updated and slightly improved version compared to the Squeeze release.

Software updates

Install freemind (0.9.0) by default, and stop installing vym by default.
Install chromium (26.0.1410.43) by default.
Install goplay (0.5-1.1) to make golearn available by default.
Updated support for Japanese input methods, now based on ibus-anthy.

Other changes

Switched default file system from ext3 to ext4 for speed and reliability improvements.
Got rid of unwanted winbind daemon and PAM setup activated because of 706434.
Extended and improved the testsuite tests to detect more possible problems.
Corrected proxy handling to not set http_proxy to a bogus direct:// URL.
Corrected proxy setup for diskless workstations.
Corrected PXE setup to use our updated udebs during installation.
Made installation handling of low entropy level more robust.
Create larger partitions for Roaming workstations and Thin client servers, to make room for all the software installed.
Fix bug in Roaming workstation PAM setup, making it impossible to log in (706753).

Known issues

IP resolution for the local hostname give useless IPv6 address (705900). Only install libnss-myhostname on roaming workstations until it is fixed.
DVD images are not yet ready.
No mass import of user account data in GOsa (ldif or csv) available yet (698840).
Missing artwork for the KDE desktop (and probably a few others).
KDE Debian submenu lacks icons.
LXDE menu lacks entry for changing GOsa password (website). Installing gosa-desktop will be an option.
Backup configuration via web interface is impossible due to password submission problem (700257).

Where to get it

To download the multiarch netinstall CD release you can use

ftp://ftp.skolelinux.org/skolelinux-cd/wheezy/debian-edu~7.0+edu0~a1-CD.iso
http://ftp.skolelinux.org/skolelinux-cd/wheezy/debian-edu~7.0+edu0~a1-CD.iso
rsync -avzP ftp.skolelinux.org::skolelinux-cd/wheezy/debian-edu~7.0+edu0~a1-CD.iso debian-edu~7.0+edu0~a1-CD.iso

The MD5SUM of this image is: 685ed76c1aa8e44b12d3fde21faf450b

The SHA1SUM of this image is: 6c874de157024da13e115bab29c068080a11ec4c

How to report bugs

http://wiki.debian.org/DebianEdu/HowTo/ReportBugs

Russ Allbery: backport 1.30

Russ Allbery — 2013-05-14T20:55:00+00:00

Debian wheezy has been released (yay!), so I've updated my backport script to backport to wheezy by default and shuffled the meanings of stable and oldstable. The whole script badly needs a rewrite and needs to become more configuration-driven, but I sadly don't have the time at the moment, so will have to make do with this.

If anyone else is using it, you can get the latest copy from my scripts page.

Also done: suite names changed for local Stanford repositories. jessie added to our local Debian mirroring. reprepro pull rules changed accordingly. All local build chroots updated, with new ones created for wheezy and wheezy-backports.

Still to do: update suite names and pull rules for the eyrie.org Debian repository (which isn't used much any more). Delete the old per-service lenny-based distributions, since we've gotten everything off of lenny that cared about them. Add a new jessie build chroot to our local build servers. Update our FAI installation to build wheezy by default and to use a wheezy NFS root.

reprepro makes this whole process so massively easier than it was with debarchiver.

Steve Kemp: Some good, some bad

Steve Kemp — 2013-05-14T20:23:08+00:00

Today my main machine was down for about 8 hours. Oops.

That meant when I got home, after a long and dull train journey, I received a bunch of mails from various hosts each saying:

Failed to fetch slaughter policies from rsync://www.steve.org.uk/slaughter

Slaughter is my sysadmin utility which pulls policies/recipies from a central location and applies them to the local host.

Slaughter has a bunch of different transports, which are the means by which policies and files are transferred from the remote "central host" to the local machine. Since git is supported I've now switched my policies to be fetched from the master github repository.

This means:

All my servers need git installed. Which was already the case.
I can run one less service on my main box.
We now have a contest: Is my box more reliable than github?

In other news I've fettled with lumail a bit this week, but I'm basically doing nothing until I've pondered my way out of the hole I've dug myself into.

Like mutt lumail has the notion of "limiting" the display of things:

Show all maildirs.
Show all maildirs with new mail in them.
Show all maildirs that match a pattern.
Show all messages in the currently selected folder(s)
- More than one folder may be selected :)
Shall all unread messages in the currently selected folder(s).

Unfortunately the latter has caused an annoying, and anticipated, failure case. If you open a folder and cause it to only show unread messages all looks good. Until you read a message. At which point it is no longer allowed to be displayed, so it disappears. Since you were reading a message the next one is opened instead. WHich then becomes marked as read, and no longer should be displayed, because we've said "show me new/unread-only messages please".

The net result is if you show only unread messages and make the mistake of reading one .. you quickly cycle through reading all of them, and are left with an empty display. As each message in turn is opened, read, and marked as non-new.

There are solutions, one of which I documented on the issue. But this has a bad side-effect that message navigation is suddenly complicated in ways that are annoying.

For the moment I'm mulling the problem over and I will only make trivial cleanup changes until I've got my head back in the game and a good solution that won't cause me more pain.

Ben Hutchings: That perf root exploit (CVE-2013-2094)

Ben Hutchings — 2013-05-14T19:40:53+00:00

There's some exploit code going around that will let you get root on a range of Linux kernel versions by using a bug in the perf_event_open() syscall. The fix for this is in 3.2.45 and various other stable updates. As a workaround, until it's in Debian stable, you can set sysctl kernel.perf_event_paranoid=2. This blocks the exploit I've seen, but it is still possible to get around this restriction.

Red Hat has a SystemTap script that should provide more complete mitigation. The debuginfo packages for Debian kernels are named e.g. linux-image-3.2.0-4-amd64-dbg. They are only provided for some architectures and flavours.

Updated: Added the CVE ID. Added SystemTap information.

Iustin Pop: no-reply@…

Iustin Pop — 2013-05-14T19:01:42+00:00

I had the surprise of seeing this at the bottom of the confirmation email when I ordered something online:

Bei Fragen zu deiner Bestellung antworte bitte auf diese E-Mail.

In translation: “If you have questions about your order, please reply to this e-mail”. Wow. Someone out there still reads email. The address pointed helpfully to info@… instead of the usual no-reply@…. I am really surprised.

James Morrison: Google IO Predictions: Appengine

James A Morrison — 2013-05-14T15:40:34+00:00

Well, I put out crappy predictions for Google IO related to Android. So here are my crappy predictions for Appengine:

PHP runtime support - 95% (I would not have guessed this 3 weeks ago)
Memory increase for at least python - 50%
Instance hour price cut - 40%
Premium memcache pricing - 10%
Python 3 support - 5%

It should be obvious, but I really have no clue what Appengine related things could be announced. If PHP is not there then the Appengine team deserves some applause for their slight of hand. The rest is mostly my wishlist :)

Martín Ferrari: A new life

Martín Ferrari — 2013-05-14T14:48:02+00:00

A week ago, I made the big step and presented my resignation letter at Google. It was not an easy decision, to leave a good job to pursue a blurry plan that sounds a bit infeasible, but I feel this what I want to do: it's a dream becoming reality.

After the 31st of May, I will become self-employed, working as a freelancer, while travelling around the world. I plan to live with a small budget, working with my laptop from wherever I am, instead of stressing about getting many clients to keep an expensive lifestyle.

I've had the travelling bug for some time, always thinking about my next trip, leaving for the airport just after finishing work, coming back on Monday and going directly to the office. You end up wishing for more vacation days all the time (and I had a fair amount of them). Now, for different reasons I want to spend some time in my old house in Nice, and in Argentina. There was no way I could do that with my current job, and that was the trigger for my decision.

After that, I will come back to Ireland, just to think where my next destination will be. I know this is going to be a great experience, we'll see how well it works!

If you think you -or your employer- might need my services, I'd be more than happy to talk! I'll be concentrating on the kind of work I've been doing at Google and before: finding creative solutions for difficult problems, be it systems administration, or (systems) programming. Think of hiring an SRE for just a few hours or days.

Hideki Yamane: net-snmp 5.7.2 is in unstable

Hideki Yamane — 2013-05-14T14:35:25+00:00

Hi, I've put net-snmp 5.7.2(upstream LTS) to unstable, it's jump from 5.4.3 and fix 20 or 30 bugs from it. Have fun.

Ian Wienand: Debugging puppetmaster with Foreman

Ian Wienand — 2013-05-14T12:37:22+00:00

This is a little note for anyone trying to get some debugging out of the puppetmaster when deploying with Foreman.

The trick, much as it is, is that Foreman is running puppet via Apache; so if you're trying to start a puppet master daemon outside that it won't be able to bind to port 8140. You thus want to edit the config file Apache is using to launch puppet /etc/puppet/rack/config.ru. It's probably pretty obvious what's happening when you look in there; simply add

ARGV << "--debug"

and you will start to get debugging output. One issue is that this goes to syslog (/var/log/messages) by default and is a lot of output; so much so that it might get throttled. Although you can certainly reconfigure your syslog daemon to split out puppet logs, an easier way is to just skip syslog while you're debugging. Don't be fooled by config options; simply add

ARGV << "--logdest" << "/var/log/puppet/puppet-master.debug"

to the same file to get the logs going to a separate file. Don't forget to restart Apache so the changes stick.

Mònica Ramírez Arceda: Outreach Program for Women talk

monica — 2013-05-14T08:13:18+00:00

Last Saturday (2013-05-11), I gave a talk about Outreach Program for Women (OPW) at the Ubuntu Party Festa Raring Ringtail. I was invited to give this talk because I'm one of the coordinators of this program in Debian side.

This was a small talk and was split in three parts. During the first part I talked about the problem in general: lack of women in technology world. In the second part I talked about the paradox that there are even less women in FLOSS, giving Debian as an example: a very wonderful project, where techie (or non-techie) women should be in love with (at least I am!), has only about 1.6% of women DD. The last part was focused in OPW itself, the successful experience of GNOME with an increasing number of women in their organization and how the program works.

I hope that women attendees will think about applying to OPW or collaborating actively in FLOSS

Here you have the slides (in Catalan): talk_debian_opw

Matthew Palmer: A Modest Vocabulary Proposal

Matt Palmer — 2013-05-14T05:00:00+00:00

I would like to suggest that the word “unprofessional” be struck from the dictionary – and anyone who uses it struck with a dictionary. It is a word which conveys no useful information or proposal for action, and is thus nothing but meaningless noise.

The purpose of communication is to adjust another person’s process of cognition. I’ve heard it said that “all communication is persuasion”, which is quite true – you’re trying to persuade someone to change what they think. We can consider the intention and effectiveness of an attempt to communicate in this light.

What is someone trying to achieve when they label a person or behaviour “unprofessional”? If we’re being charitable, we would probably say that they’re trying to highlight that something is bad, or could be better. However, just stamping our foot and saying “bad!” isn’t enough – it’s also important to provide some information that the recipient can act upon.

The problem with the word “unprofessional” is that it really isn’t specific enough on the subject of “what is wrong”. Have you ever had someone say something like, “your behaviour yesterday was really unprofessional”? They’re assuming you know what they’re talking about – and you might well have a reasonable guess – but what if you guess wrong? Should you never do anything you did yesterday, just in case that particular thing was unprofessional?

When I’ve caught myself thinking, “that was unprofessional”, of my own behaviour, or someone else’s, I think about what caused me to think that. Once I drill down into it, I usually come to the conclusion that what I really meant was, “I don’t like that”. Since I’m not paid to like things, that’s pretty much irrelevant as a reason to tell someone not to do something.

On the occasions when I come up with something more concrete, it is invariably a more useful expression than “unprofessional”. Things like, “it frustrates the customer”, or “it pisses off the person sitting in the next cube” are a much better expression of why something is bad than “unprofessional”.

I’d encourage everyone to keep a careful watch over themselves and those around them for use of the word. When you catch yourself saying it (or thinking it), examine your motives more closely. Whatever the more specific adjective is, use that instead. If it just comes down to “I don’t like that”, at the very least say that to the person you’re talking to. Don’t try and hang anything grandiose on your personal prejudices. You might come off as being petty, but at least you’ll be honest.

Dirk Eddelbuettel: RcppArmadillo 0.3.820

Dirk Eddelbuettel — 2013-05-14T01:40:00+00:00

Conrad rolled up a new Armadillo release 3.820 (following two minor fix release in the 0.3.810 series of which we packaged the one that was relevant for us). This new version is now out in a release 0.3.820 of RcppArmadillo which is already on CRAN and in Debian.

The summary of the main changes follows:

Changes in RcppArmadillo version 0.3.820 (2013-05-12)

Upgraded to Armadillo release Version 3.820 (Mt Cootha)

faster as_scalar() for compound expressions

faster transpose of small vectors

faster matrix-vector product for small vectors

faster multiplication of small fixed size matrices

Courtesy of CRANberries, there is also a diffstat report for the most recent release As always, more detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.

Daniel Pocock: Get WebRTC going fast

Daniel.Pocock — 2013-05-13T15:05:44+00:00

A question that comes up more and more these days: what's the quickest way to try WebRTC and see it working? How can a web developer start experimenting with WebRTC in their blog or demo site?

Good news: it's no longer necessary to compile anything from source - and many of the components are available on Debian-based systems (including Ubuntu) or RPM-based solutions like Fedora

A quick look at how easy it is, explanation below:

# apt-get update
# apt-get install -t experimental repro resiprocate-turn-server
# apt-get install -t unstable chromium sipml5-web-phone
# cd /var/www && mkdir jssip && cd jssip
# wget -r -nH http://tryit.jssip.net
# vi /etc/repro/repro.config
# vi /etc/reTurnServer.config
# vi /var/www/jssip/js/custom.REMOVE_THIS.js

and then try browsing to /jssip or /sipml5-web-phone

Start with a SIP proxy

As explained in the RTC Quick Start guide for regular RTC, a SIP proxy is a clean and simple component to start with. The same is true for WebRTC: start with a proxy. There are two I'll emphasize here:

repro from reSIProcate is quick and easy to set up and has built in TLS support. A 1.9 alpha release with WebSocket support for WebRTC has just been uploaded to Debian experimental and is ready to use on wheezy. RPM users just need to download the alpha release tarball and use rpmbuild to get packages from it.
Kamailio provides very good WebRTC support too. The packages are available but due to GPL license issues must be recompiled with TLS, see the README.Debian file for details. Also feel free to try the upstream package repository for binaries that do include TLS

Get a TURN server

TURN servers help media streams traverse NAT. They are very easy to set up, but must have real IP addresses.

reTurn from reSIProcate is in Debian packages and it is in Fedora too
TurnServer.org from the makers of Jitsi is also packaged on Debian
RFC5766 TURN server is another open-source TURN server with some advanced features that is in the final stages of Debian package, on the mentors site for review

Put the JavaScript in the web server

Adding WebRTC to a web site can be as simple as cutting and pasting some JavaScript code into the HTML.

Three working samples to start with:

Use the SIPml5 web phone package on Debian and add it to a virtual host, browse to /sipml5-web-phone
Use wget to fetch a copy of the JsSIP sample page from tryit.jssip.net and edit the provided custom.js file to hard-code your SIP proxy address
QoffeeSIP is another alternative - this email gives details how to get started with it

Browser

Users need a recent browser.

The latest Chromium packages in Debian are based on Google Chrome M26 code and this should work.

Help and support

Please come and ask on the users mailing lists or IRC channels for any of the packages mentioned here.

Jan Wagner: 500 OOPS: vsftpd: refusing to run with writable root inside chroot ()

Jan 'spion' Wagner — 2013-05-13T14:49:00+00:00

If you updated recently your system to Debian wheezy and you are using vsftpd with enabled chrooted local users ...

[~] # grep -i  ^chroot_local_user=yes /etc/vsftpd.conf | tail -1
chroot_local_user=YES

... you maybe faced with the following problem:

500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.

This problem raised already in Bug #656900 and it was fixed by adjusting the documentation. Beside that there maybe configurations you want to relax such a strict check. Unfortunately this feature was implemented in version 3.0.0 which is not part of Debian wheezy:

- Add new config setting "allow_writeable_chroot" to help people in a bit of
a spot with the v2.3.5 defensive change. Only applies to non-anonymous.

The Frontier Group created a patched package of vsftpd for Ubuntu. After reviewing the patch we decided to also create a Debian package for wheezy.

You can easily install the package by the following sniplet:

echo "deb http://ftp.cyconet.org/debian wheezy-updates main non-free contrib" >> \
/etc/apt/sources.list.d/wheezy-updates.cyconet.list; \
aptitude update; aptitude install -t wheezy-updates debian-cyconet-archive-keyring vsftpd && \
echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf && /etc/init.d/vsftpd restart

Updates, in case of bugfixes in Debian wheezy, should be also available through this distribution channel.

Hideki Yamane: 100th Tokyo Debian meeting & "Wheezy" release party

Hideki Yamane — 2013-05-13T11:59:57+00:00

We are please to report that we held "100th, Tokyo Area Debian Meeting"... yes, 100th!!! (since 2005), 11th May in Shibuya, Tokyo

Discussed about "stable" releasing,

lectured "cdn.debian.net" by Yasuhiro Araki

and "modern packaging" by Osamu Aoki.

Also, Ubuntu folks showed "Ubuntu phone" and it looks good and interesting (however, it's on the development stage, yet).

Then, party!!! :-) happy to release "Wheezy"

I hope we'll hold "Jessie" in early 2015.

Steinar H. Gunderson: Framework performance

Steinar H. Gunderson — 2013-05-13T10:54:00+00:00

This was fascinating. They've basically done some very simple things in (what they perceive to be) the idiomatic way in a bunch of different web frameworks and platforms, and compared performance. Unfortunately, the one I consider the most realistic (the “fortunes” test, since it actually spits out HTML in the end) is not run for that many frameworks yet, but it's a very good measure.

The very coarse summary is that Java and Go do well, Node.js and (raw) PHP do quite okay, and Django and Rails do crap. This is pretty much in line with what I'd expect, but most Django and Rails developers I do mostly go “LA LA LA” with regards to performance… (And this is with simple things; you know, those that come before you need a complex query your ORM really can't handle.)

Also note: The difference between raw PHP and the fastest PHP framework in the test is about 3x.

Dirk Eddelbuettel: Recent Rcpp talks at U of C and MCW

Dirk Eddelbuettel — 2013-05-12T22:39:00+00:00

A couple of days ago, I had an opportunity to give a guest lecture on our Rcpp package for R and C++ integration. This was in CMSC 12300 Computer Science with Applications-3 in the Department of Computer Science at University of Chicago. The course is the final part of a three term sequence introducing students to data-centric work in R, Python, Java and C++. I tried to keep it brief and engaging in order to motivate the why or R/C++ integration while providing plenry of useful examples.

And yesterday I got to spend a day giving an invited day-long workshop at the Medical College of Wisconsin as part of a two-day R workshop sponsored by the Milwaukee Chapter of the American Statistical Assocation as well as the CTSI and PCOR centers at the Medical College of Wisconsin. In the workshop, I followed the previously-used setup of four parts on introduction, Rcpp details, advanced topics and last-but-not-least applications, but also updated and extended to more recent topics.

Pdf slides from both events are now on my presentations page.

Gregor Herrmann: RC bugs 2013/19

Gregor Herrmann — 2013-05-12T21:08:00+00:00

after the release is before the release. this week I started to pick up my RC bug squashing activities again. first results:

#675231 – psad: "psad: prompting due to modified conffiles which were not modified by the user"
add a comment to the bug report
~~#700527~~ – libjs-jquery: ""libjs-jquery broken by movabletype-opensource << 5.1.4+dfsg-3~""
upload to DELAYED/2 with patch (adding Conflicts) prepared by a fellow DD, then uploaded by maintainer
~~#706764~~ – assaultcube-data: "assaultcube-data: fails to upgrade from squeeze - trying to overwrite /usr/share/man/man6/assaultcube-server.6.gz"
add Breaks/Replaces as suggested in the bug report, upload to DELAYED/2
~~#707686~~ – dhelp: "dhelp: FTBFS and uninstallable in sid: needs ruby-gettext"
file new bug with patch

besides that I've also started to look at the "FTBFS with perl 5.18 in experimental" bugs which are not RC yet. – yes, perl 5.18 is already in experimental!

Ian Campbell: qcontrol 0.5.1

Ian Campbell — 2013-05-12T18:28:28+00:00

I've just released qcontrol 0.5.1. Changes since the last release:

Add build targets to enable static linking (Original patch by Frans Pop).
Wake-on-Lan and EUP control (by Michael Stapelberg, Debian bug #703888).
Updated example configurations (based on Debian package).
Support loading configuration snippets from a directory (Ian Campbell, Debian bug #697574).
Various other bug fixes.

I also put together a very basic homepage.

Get it from gitorious or http://www.hellion.org.uk/qcontrol/releases/0.5.1/.

The Debian package will be uploaded shortly.

Matthias Klumpp: PackageKit, AppStream and Listaller – A status report

Matthias — 2013-05-12T14:38:59+00:00

I was asked by some people to write a status report about the whole PK/AS/LI stuff – sorry guys that it took so much time to write it .

PackageKit

(PackageKit is an abstraction layer for package-management systems, allowing applications to access the package-manager using simple DBus calls)

PackageKit is an incredibly successful project. With the 0.8.x series, it received many performance improvements, and has now the same speed on my computer than the distribution’s native tools. PackageKit is used in almost all major Linux distributions, except for Ubuntu[1]. But even Ubuntu has written some compatibility layer, so most calls to PackageKit will work.

The only major distro where PackageKit is currently not available, seems to be Gentoo (and I am not sure about the shape of the Gentoo PackageKit backend too).

Debian Wheezy includes PackageKit by default, and in Jessy we are going to replace some distribution-specific tools with PackageKit frontends (mostly the old and unmaintained update-notifier and Software-Updater – no worries, we are not going for a Synaptic replacement (currently this won’t be possible with PK anyway))

Unfortunately, some PackageKit backends are still not adjusted for the 0.8.x API and are only running on 0.7.x. This is bad, since 0.8.x is a huge step forward for PackageKit. But the situation is slowly improving, with the latest OpenSUSE release, the Zypper backend is now available on 0.8.x too.

Being able to run a PackageKit from the 0.8.x series is a requirement for both AppStream and Listaller.

AppStream

(AppStream is a cross-distro effort for building Software-Center-like applications. It contains stuff like a screenshot-service, ratings&reviews etc. The most important component is a Xapian database, storing information about all available applications in the distribution’s repositories. The Xapian DB is distro-agnostik, but distributors need to provide data to fill it. AppStream offers an application-centric way to look at a package database)

The AppStream side doesn’t look incredibly great, but the situation is improving. As far as I know, OpenSUSE is shipping AppStream XML to generate the database. Ubuntu ships the desktop-files, and I am working on AppStream support in Debian’s Archive Kit. On the Fedora side, negotiations with the infrastructure-team are still going on. I haven’t heard anything from Mageia and other AppStream participants yet.

Unfortunately, at least for OpenSUSE, the AppStream efforts seem to be stalled, due to people having moved to different tasks. But efforts to add the remaining missing things exist.

On the software side, Apper (KDE PackageKit frontend) has full support for AppStream. Apper just needs to be compiled with some extra flags to make it use the AppStream database.

On the GNOME-side, GNOME-Software is being developed. The tool will make use of the AppStream database, on distributions where it is available.

Also, a Software-Center for Elementary and other GTK+-based desktops is being developed, which is based on AppStream (already quite usable!).

Using the Ubuntu Software Center on not-Ubuntu-based distributions ist still not much fun, but with the AppStream database available and a working PackageKit 0.8.x with a backend which supports parallel transactions, it is possible to use it.

On the infrastructure side: I recently landed some patches in AppStream-Core, which will improve the search function a lot. AppStream-Core contains all tools necessary to generate the AppStream database. It also contains libappstream, a GObject-based library which can be used to access the AppStream database.

Also, we discuss dropping PackageKit’s internal desktop-file-cache in favour of using the AppStream database. If we do that, we will also add software descriptions to the AppStream db, to improve search results and to speed up search for applications. Because we have to deprecate API for that, I expect this change to happen with PackageKit 0.9.x.

As soon as the Freedesktop-Wiki is alive again and my account is re-enabled, I will create compatibility-list, showing which distribution implements what of the PK/AS/LI stuff, especially focusing on components needed for AppStream.

Only a few distributions package AppStream-Core so far. Although it is beta-software, creating packages for it and shipping the required data to generate the AppStream database would be a very huge step forward.

Listaller

(Listaller is a cross-distro 3rd-party software installer, which integrates into PackageKit and AppStream. It allows installing 3rd-party applications, which are not part of the distributor’s repositories, using standard tools used also for native-package handling. Everything which uses PackageKit can make use of Listaller packages too. Listaller also allows sandboxing of new applications, and uses an AppDir-like approach for installing software.)

Listaller is currently undergoing it’s last transition before a release with stable API and specifications can be made. Dependency solving will be improved a lot during the current release-cycle, making it less powerful, but working on all distributions instead. (Fedora always had an advantage in dependency-solving, due to RPM providing more package metadata for Listaller to use) This change was delayed due to discussing a possible use of ZeroInstall-feeds to provide missing dependencies with the ZeroInstall team. We did not come to a conclusion about extending the XML, so Listaller will contain an own format to define a dependency, which can reference a ZeroInstall feed. That should be a good solution for everyone.

All these changes will result in IPK1.2, a new version of the IPK spec with small changes in the pkoptions file syntax and huge changes in dependency-handling. The new code is slowly stabilizing in a separate branch, and will soon be merged into master.

The next Listaller release will be the last one of the 0.5.x series, we will start 0.6.x then. KDE currently has support for Listaller through Apper, which is enabled on a few distributions. In GNOME, optional Listaller support is being developed and will be available in one of the upcoming releases.

Currently, to my knowledge, only a few distributions package Listaller. This should improve, so it is easier for application developers to deploy IPK packages.

The upcoming changes in KDE and GNOME to build stable developer platforms will help Listaller a lot in finding matching dependencies, and for stuff which only depends on one software frameworks, installations should be a matter of seconds.

As you can see, lots of things are happening, and there is improvement in all components related to installing and presenting software on Linux machines. However, all these projects have a severe lack of manpower, especially AppStream and Listaller have the lowest number of developers working on the tools (at time, only two active developers). This is the main reason for the slow development. But I am confident that we will have something shipped in the next distribution releases. At least AppStream should be ready then.

[1]: I don’t blame Ubuntu for that – during the time they wrote an own solution, PackageKit did not have all the required features. (This situation has changed now, fortunately.)

NOTE: I might extend this post with feedback from the different distributions, as soon as I get it.

Steve Kemp: The rain in Scotland mainly makes me code

Steve Kemp — 2013-05-11T22:25:37+00:00

Lumail <http://lumail.org> received two patches today, one to build on Debian Unstable, and one to build on OpenBSD.

The documentation of the lua primitives is almost 100% complete, and the repository has now got a public list of issues which I'm slowly working on.

Even though I can't reply to messages I'm cheerfully running it on my mail box as a mail-viewer. Faster than mutt. Oddly enough. Or maybe I'm just biased.

Petter Reinholdtsen: Debian, the Linux distribution of choice for LEGO designers?

Petter Reinholdtsen — 2013-05-11T18:30:00+00:00

In January, I announced a new IRC channel #debian-lego, for those of us in the Debian and Linux community interested in LEGO, the marvellous construction system from Denmark. We also created a wiki page to have a place to take notes and write down our plans and hopes. And several people showed up to help. I was very happy to see the effect of my call. Since the small start, we have a debtags tag hardware::hobby:lego tag for LEGO related packages, and now count 10 packages related to LEGO and Mindstorms:

brickos	alternative OS for LEGO Mindstorms RCX. Supports development in C/C++
leocad	virtual brick CAD software
libnxt	utility library for talking to the LEGO Mindstorms NX
lnpd	daemon for LNP communication with BrickOS
nbc	compiler for LEGO Mindstorms NXT bricks
nqc	Not Quite C compiler for LEGO Mindstorms RCX
python-nxt	python driver/interface/wrapper for the Lego Mindstorms NXT robot
python-nxt-filer	simple GUI to manage files on a LEGO Mindstorms NXT
scratch	easy to use programming environment for ages 8 and up
t2n	simple command-line tool for Lego NXT

Some of these are available in Wheezy, and all but one are currently available in Jessie/testing. leocad is so far only available in experimental.

If you care about LEGO in Debian, please join us on IRC and help adding the rest of the great free software tools available on Linux for LEGO designers.

Russell Coker: Geographic Sorting – Lessons to Learn from Ingress

etbe — 2013-05-11T13:38:04+00:00

I’ve recently been spending a bit of my spare time playing Ingress (see the Wikipedia page if you haven’t heard of it). A quick summary is that Ingress is an Android phone game that involves geo-location of “portals” that you aim to control and most operations on a portal can only be performed when you are within 40 meters – so you do a lot of travelling to get to portals at various locations. One reasonably common operation that can be performed remotely is recharging a portal by using it’s key, after playing for a while you end up with a collection of keys which can be difficult to manage.

Until recently the set of portal keys was ordered alphabetically. This isn’t particularly useful given the fact that portal names are made up by random people who photograph things that they consider to be landmarks. If people tried to use a consistent geographic naming system (which was short enough to fit in large print on a phone display) then it would be really difficult to make it usable. But as joke names are accepted there’s just no benefit in having a sort by name.

A recent update to the Ingress client (the program which runs on the Android phone and is used for all game operations) changed the sort order to be by distance. This makes it really easy to see the portals which are near you (which is really useful) but also means that the order changes whenever you move – which isn’t such a good idea for use on a mobile phone. It’s quite common for Ingress players to recharge portals while on public transport. But with the new Ingress client the list order will change as you move so anyone who does recharging on a train will find the order of the list changing during the process and it’s really difficult to find items in a list which is in a different order each time you look at it.

This problem of ordering by location has a much greater scope than Ingress. One example is collections of GPS tagged photographs, it wouldn’t make any sense to mix the pictures of two different sets of holiday pictures because they were both taken in countries that are the same distance from my current location (as the current Ingress algorithm would do).

It seems to me that the best way of sorting geo-tagged items (Ingress portals, photos, etc) is to base it on the distance from a fixed point which the user can select. It could default to the user’s current location but in that case the order of the list should remain unchanged at least until the user returns to the main menu and I think it would be ideal for the order to remain unchanged until the user requests it.

I think that most Ingress players would agree with me that fixing annoying mis-features of the Ingress client such as this one would be better for the game than adding new features. While most computer games have some degree of make-work (in almost every case a computer could do things better than a person) I don’t think that finding things in a changing list should be part of the make-work.

Also it would be nice if Google released some code for doing this properly to reduce the incidence of other developers implementing the same mistakes as the Ingress developers in this regard.

Joachim Breitner: How to play Rock-Paper-Scissors online?

nomeata — 2013-05-11T10:26:57+00:00

There was an interesting question by ‘Fool’ recently on the StackExchange site for Boardgames: How do you play a game like Rock-Paper-Scissors with friends online? Or any other game where players have to simultaneously submit their moves (e.g. Diplomacy, or Rock-Paper-Scissors-Lizzard-Spock), which, as I just learned, are simultaneous action selection games. While there are websites dedicated to playing specific games, such as webdiplomacy.net, we could not find a generic one that you can use if you, for example, invent your own variants of a game.

So I created one: At you-say-first.nomeata.de you can enter rooms and share the URL with your friends. On the one hand, you have a regular chat room there. But there is also the possibility to enter moves (whatever a move may be to you) and only when all players have done that and marked the move as final, it is shown to everyone. If you want to try it out: There is an integrated, not very fancy Rock-Paper-Scissors-playing bot. Just enter a room, join and say „I want to play!“

Note that this site can be used for more than just for games. Have you ever observed that persons would often want other to express their preference (e.g. where to dine) first to not reveal their own preference, so that they can (or pretend to) change their mind if they would contradict? In such situations simultaneous action selection can be a fairer method.

A technical note: I created this web app using meteor (a JavaScript framework building on node.js and MongoDB that allows for reactive programming), and it is also hosted on meteor.com. I chose Meteor after someone mentioned Firebase to me, which looked very slick, but was not Free Software, so I looked for alternatives. I did not do any cross-browser-testing, and the UI design could be improved, so if you want to help out (or just complain), please use the GitHub code repository and issue tracker.

Bastian Venthur: Wee! Wheezy is out (better late than never)

Bastian — 2013-05-11T09:57:38+00:00

Last week we released Wheezy, roughly two years after our last release Squeeze.

I’d like to thank all the contributors in- and outside of Debian for your fine work! Every single contribution — no matter how big or small — summed up to the wonderful release we finished last week. Without you this release would not have been possible. Keep up the good work guys and make Jessie rock even harder!

PS: It is very nice to see once again fresh packages rolling into unstable and spending some time fixing broken dependencies

James Morrison: Google IO predictions

James A Morrison — 2013-05-11T00:55:20+00:00

I don't work at Google, so I can play to Google IO prediction game. Here are my Android predictions:

New android version -- 99%
New Nexus 7 -- 90%
Upgraded storage on the Nexus 4 -- 70%
T-mobile LTE for Nexus 4 -- 40%
AT&T LTE for Nexus 4 -- 30%
Verizon Nexus 4 -- 15%

So I think that means there is a (0.99 * 0.9 * 0.7 * 0.4 * 0.3 * 0.15) a 1% chance of all of these things happening.