Planet Debian

description: Planet Debian - http://planet.debian.org/


Gonéri Le Bouder: Debian Lenny?!

Thu, 16 Nov 2006 21:02:44 +0000 -

Like a lot of people who have read Of Mice and Men, “Lenny” reminds me of the famous character of the book: “Lennie Small”.

This is his description from Wikipedia:

Lennie Small – Travels with George. He is a giant of a man who is unaware of his own strength. His mental deficiency culminates in an obsession to stroke ‘soft’ materials: this can be understood to represent his need for human contact, which is shown in his obsession with rabbits. George and Lennie are the only characters with both first and last names. There is irony in his last name, as it is “Small” while he is a very big man physically. Lennie is killed by George with a gun.

Please don’t call the next Debian Lenny! This sux!


Joachim Breitner: Kofi-Annan Center for Excellence in ICT

Thu, 16 Nov 2006 18:56:19 +0000 - mail@joachim-breitner.de (nomeata)

Until now, I always had to tell the not very joyful story of the motivated volunteer who came to Ghana to run against a wall of disinterest and misunderstandings. Luckily, things will change:

Yesterday, I had an appointment with the Director of the Ghana-India Kofi-Annan Center for Excellence in ICT (KACE), where I asked, with little hope, if they might make more use of me in the next weeks, until I will most likely return to Europe. To my surprise, she found that an excellent idea and immediately referred me to the techies to discuss the details. Today I saw the principal of the SOSHGIC and my current employer, trying to find out if this would be possible. She agreed that it makes more sense for me to work at KACE instead of the school, and would “lend” me to them while still being employed by SOSHGIC. I will be around the school a few times, to finish some reports and two more club meetings and luckily I am still allowed to live in the flat. I think I’ll spend another one or two weeks in January at KACE (as a “real” volunteer then), before I head back to my boring standard safe study life.

The first, smaller, project at KACE came up spontaneously during the meeting yesterday: I mentioned the game infon (see my last blog entry), and she was very interested in that as a programming teaching aid. My idea is now to polish it a bit, make it a bit easier to use for beginners, improve documentation, create Debian packages and maybe work on some lesson plan suggestions. The author of infon, dividuum, is also quite happy about the news and the attention that his work might get now.

The other project is my idea about an internet café distribution. It happens that the team at KACE is working on a very similar thing (called “Community Information Center”) for the government, and they will start a Linux version in very few weeks, so I think I can help there as well. I expect that a lot of work for Skolelinux can be used here, so I’m looking forward to working with the DebianEDU team a bit.

I’m also looking forward to working with my future colleagues at KACE. All of them qualify as geeks, in my opinion, most are Free Software advocates (or at least approvers), and the work atmosphere is very relaxed. Seven weeks of (almost) DebCamp! I’ll keep you up to date...


Joerg Jaspert: Call for Papers for DebConf7

Thu, 16 Nov 2006 18:37:47 +0000 -

So, after a lot of work to get the system up and running (and then changing it until others from the team liked it) we finally sent out the Call for Papers and Registration information for DebConf7.

Now, only about one hour later we already have 37 registered users in that system. That's fast.

A nice detail about the new system we use (except the complete change it means for everyone :) ) is that accounts you create now get re-used for all future DebConfs. No need to reenter your data every year.

Additionally we (as in DebConf) can offer other Debian related events the ability to use this system for their stuff. That means - if you organize a Debian related conference and want to keep track of attendees, events/talks, manage a schedule, or just parts of this - contact me, it can be arranged easily. The advantage for your attendees/speakers is that they only need one account at one system, not one for every conference. And you as organizer get a fully running system for free. :)


Russell Coker: biometrics and passwords

Thu, 16 Nov 2006 18:22:20 +0000 - russell@coker.com.au (etbe)

In a comment on my post "more about securing an office" someone suggested using biometrics. The positive aspect of biometrics is that they can't be lost, no-one is accidentally going to leave a finger or an eye in their car while they go to a party, while other authentication devices are regularly lost in such a manner.

The down-side is that having your finger or eye stolen would be a lot less pleasant than having a USB device, swipe-card, key, or other security device stolen. I think that it's good to have an option of surrendering your key when under threat (for the person who might be attacked at least).

Rumor has it that some biometric sensors look for signs of life (EG temperature and pulse), but I believe that these could be faked with a suitable amount of effort. A finger attached to a mini heart/lung machine should make it possible to pass the temperature and pulse checks (although I don't think that I have access to any data that is important enough to justify such effort on the part of an attacker).

One thing that biometrics could be useful for is screen-blankers. It would be good to be able to have a screen-blanker for your computer that operates when you go to get a coffee. For a period of 10 minutes after leaving, a biometric method could be used to re-enable access. After that time a different method would have to be used. This gives the convenience of biometrics for when you need it most (the many short trips away from your computer that you make during the day) but removes the benefit for an attacker who might consider removing part of your body. Also I am not convinced of the general security of biometrics. There are claims that you can make a finger based on a fingerprint which can fool a biometric sensor. If those claims are correct then a biometric sensor would still work for a coffee break (presumably you are not far away and will be back soon, and other people are in the area). The coffee break security is usually to prevent casual snooping such as colleagues who want to see what was on your screen but not actually do anything invasive to get it. Another benefit of biometrics for a screen saver is that although I trust people in the same office as me (whichever office that may be) not to try anything when they might get caught I still don't want them shoulder-surfing my password. Replacing the trivial authentication cases with a fingerprint reader would prevent that.

In the KDE 1.x days I had a shell script launched when the lid closed on my laptop which would lock the screen (the screen-saver ran in the background and a signal could make it lock the screen). This meant that I could merely close the lid of my laptop to lock the screen, this is fast and easy and also is not immediately recognised as locking the screen. Some people get offended if you lock your laptop screen when in their presence as they think that you should trust them enough to leave your most secret data open to them (generally people who aren't serious about computers - I'm sure that the same people would happily lock their diary if I was ever in the same room as it). Being able to lock the screen in a non-obvious way is a security benefit.

Regarding the comment about using a USB device to store passwords, there are two problems with this, one is that all passwords will be available all the time, this means a program that is permitted to access password A would also be given access to password B. The other is that the passwords can be accessed easily. The ideal solution is to have an encryption device that uses public key cryptography and stores the private keys on the device with no way of removing them. It would also permit the user to authorise each transaction.

I would like to see a USB device that stores multiple GPG keys and implements the GPG algorithm (with no way for anyone with less resources than the NSA to extract the keys). The device would have a display and a couple of buttons. When it is accessed it would display messages such as "signing attempt on key 1" and allow me to press a button to authorise or reject that operation.

This means that if I insert the key to sign an email I won't have a background trojan start issuing sign and decrypt commands. The only viable attack that would be permitted is the case where I want to sign a message and my message is sent to /dev/null and a message from an attacker is signed again. The non-arrival of my original message would hopefully alert me to this problem. I am not aware of any hardware which supports these functions.

Also I have just received a couple of RSA SecurID tokens as a sample. An RSA representative phoned me to ask about my use of the tokens, I said that I am an independent consultant and I have been having trouble getting my clients to accept my recommendations to use such devices and that I want to implement them on a test network so that I can give more detailed advice to my clients and hopefully get them to improve their security. For some reason the RSA rep found that funny, but I got my sample hardware so it's fine.
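The coffee-break policy from the post above (biometric unlock accepted for 10 minutes after the screen locks, a different method required afterwards), as an added example that is not Russell Coker's code. The `ScreenLock` class, the cap on failed fingerprint attempts and the injected clock are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional, Set, Tuple


class Method(Enum):
    BIOMETRIC = "biometric"
    PASSWORD = "password"


@dataclass
class ScreenLock:
    """Hypothetical lock policy: fingerprint for short absences, password after."""
    clock: Callable[[], float] = time.monotonic  # injectable so the policy is testable
    window: float = 10 * 60                      # the 10 minutes suggested in the post
    max_biometric_failures: int = 3              # assumption, not in the post
    locked_at: Optional[float] = None
    biometric_failures: int = 0
    audit: List[Tuple[float, str]] = field(default_factory=list)

    def _log(self, event: str) -> None:
        self.audit.append((self.clock(), event))

    def lock(self) -> None:
        # A repeated lock event (for example the lid closing again) must not
        # restart the biometric window, or the window would never expire.
        if self.locked_at is None:
            self.locked_at = self.clock()
            self.biometric_failures = 0
            self._log("locked")

    def allowed_methods(self) -> Set[Method]:
        if self.locked_at is None:
            return set()
        allowed = {Method.PASSWORD}
        elapsed = self.clock() - self.locked_at
        if elapsed < self.window and self.biometric_failures < self.max_biometric_failures:
            allowed.add(Method.BIOMETRIC)
        return allowed

    def unlock(self, method: Method, credential_ok: bool) -> bool:
        """credential_ok is the verdict of the sensor or of the password check."""
        if self.locked_at is None:
            return True
        if method not in self.allowed_methods():
            # Refuse before looking at the verdict: once the window has
            # closed, even a matching fingerprint opens nothing.
            self._log(f"refused {method.value}")
            return False
        if not credential_ok:
            if method is Method.BIOMETRIC:
                self.biometric_failures += 1
            self._log(f"failed {method.value}")
            return False
        self.locked_at = None
        self._log(f"unlocked via {method.value}")
        return True


class FakeClock:
    """Constructed clock for the demonstration; it advances only when told to."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> List[bool]:
    clock = FakeClock()
    lock = ScreenLock(clock=clock)
    results = []
    lock.lock()
    clock.now = 120                                      # two-minute coffee break
    results.append(lock.unlock(Method.BIOMETRIC, True))  # accepted
    lock.lock()
    clock.now = 120 + 3600                               # an hour away
    results.append(lock.unlock(Method.BIOMETRIC, True))  # refused, window closed
    results.append(lock.unlock(Method.PASSWORD, True))   # password still works
    return results


if __name__ == "__main__":
    print(demo())
```
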

Jordi Mallach: Debconf7 travel options

Thu, 16 Nov 2006 16:52:00 +0000 -

The Debconf team just announced that registration is now open for next year's Debconf7, to be held in Edinburgh next June.

The preparations seem to go at good pace, and they already have a Travel wiki page with information so attendees can start looking for the best option for them. I am delighted to see they have been thinking about every case out there and it will be possible to swim all the way over to Leith, not even getting a bad cold.

Thanks! This of course is yet another reason to plan ahead so I don't miss out, like last year in Mexico. Erinn, remind me about it in late May or so, mkay?


MJ Ray: An Uneasy Multilingualism

Thu, 16 Nov 2006 16:30:00 +0000 -

In the past, I have suggested that it was a mistake to make a state-based fsfe-uk mailing list instead of a language-based fsfe-en list. The discussion resulting from a call for Welsh and Irish help is a pretty sad example of some reasons why.


Michael Janssen: Quickie Hack: Online X-mas list

Thu, 16 Nov 2006 15:09:16 +0000 - jamuraa-blog@base0.net (Jamuraa)

It's getting around that time of year when kids start singing little annoying songs and thinking of the toys that they will be getting in slightly more than a month. In my family, when everyone gathered for Thanksgiving, the younguns were expected to have a list which could be disseminated throughout the family with everything they wanted. This avoided some of the more cliché gifts such as sweaters and socks. But who's to say that grownups can't have a little fun as well? It's rather easy to use del.icio.us as a holder for your whole Christmas list. If you find something you want, just add it to your del.icio.us bookmarks with a special tag - I'm using “xmaslist2006”. Using del.icio.us gives you a few advantages over the traditional list:
  • A nice URL which you can give to friends, family and anyone else who might want to give you something - mine, for example, is http://del.icio.us/jamuraa/xmaslist2006. It's very readable and could even be memorable to someone who uses del.icio.us themselves.
  • You get to put comments by each item, which may persuade perusers of your list to get a certain item, or point out synergistic items like the two iPod things you want.
  • The list can be updated by yourself, meaning there's really no deadline for your list to be finished. This also adds a little bit of non-repeatability - if I know that someone else already bought their gift, I can buy something added recently for a better chance of uniqueness.
  • You get to keep your list around, letting you get those things you wanted with the plethora of gift cards that you received, buy the things you REALLY wanted yourself, or even carry things over to next year.
Things on the list need not be completely techie - if you're just looking for a nice sweater, you can add a general page or a representative item with a comment on it. Perhaps include your sizes as well, especially for items which come in a large number of sizes like pants. With any luck, you'll get just what you want this year.

Adrian von Bidder: A replacement for screen

Thu, 16 Nov 2006 14:22:25 +0000 -

ITP: retty says:

retty is a tiny tool that lets you attach processes running on other terminals. So you were running that mutt outside of screen at your home machine and now wanna check your mail? Attach it with retty, do whatever you want, detach it again and everything is as it was before. You don't have to run them all in screen just in case.

Daniel Jacobowitz analyzed the tool a bit:

What it seems to be doing is injecting code onto the stack which causes the target process to open your terminal and dup2 it onto stdout, stderr, et cetera. Interesting.

Interesting isn't really the word I'd use here. More like Eek! Incredibly ugly, but incredibly useful if it works reliably.


Evan Prodromou: 24 Brumaire CCXV

Thu, 16 Nov 2006 12:27:05 +0000 -

Interesting Techcrunch article about aboutus.org, the wiki about every domain on the Internet. It was started by Ray King, an extremely nice guy that we've met at a couple of Wiki events, and it seems to be doing really well. I guess he just closed an initial round of investments, which is great.

There was an article about Aboutus in the Portland Business Journal. Although I don't think it's a "potential Google" (!), as the reporter does (gotta love the home town crowd), Aboutus is a neat idea and it's a good group of people, too.


Puck Quebecois

Speaking of things that are rocking, I just got an invite to Le Puck Quebecois. It's the Montreal tournament of the Hockey Association of the Arts, a group of artists and musicians nationwide who love to play hockey against each other.

The organizer is Jeff Waye of Ninjatune, who combines in one person an unhealthy obsession with music with an unhealthy addiction to hockey. It should be a really fun amateur hockey tournament. All proceeds go to charity, of course.


Not only but also

Next week, 30 Brumaire, (or 22 November for those of you who need some math help) there's a meeting of MSLUG, the Montreal Scheme/Lisp Users Group. I have yet to get out to an MSLUG meeting, but I think this one will be my first. It's admirable that the group has pulled off so many meetings in the last 3 years.


Lenny

So, at the bottom of this release message, we get the name of the post-etch Debian release: Lenny. Is Debian now using codenames from The Simpsons? I think Lenny Leonard is as nice as the next guy, but we're still going through the minor characters in Toy Story.

I've scoured the Toy Story credits and Toy Story 2 credits, and "Lenny" is the name of the little binoculars character, which gets about 12 seconds of screen time, if I remember correctly. Man, we're really scraping the bottom of the barrel on this naming convention.


Hey Doc!

Don Marti's intro to OpenID for Doc Searls is cracking me up. I'd mentioned in my articles for LinuxWorld last week that I'd written an OpenID extension for MediaWiki, and I guess now Doc wants to know how to use it.


Meike Reichle: Instilled modesty ...

Thu, 16 Nov 2006 11:22:00 +0000 -

Is a bad trait for a blogger! The time and energy I invest into writing blog posts that I then never post, thinking "Actually ... who cares."

Gah!


Stefano Zacchiroli: cdbs relevance

Thu, 16 Nov 2006 10:13:26 +0000 -

/me on the Relevance of CDBS

Whoa, people discussing about CDBS, I can't help joining them.

My position: I love CDBS. I started switching my packages to CDBS a year ago or so and nowadays I've almost finished.

I understand that people not knowing CDBS might have trouble fixing bugs in my packages, but that's life and it's the same as having to fix a bug in a software written in a programming language you are not fond of. It's just a matter of setting a minimal standard: today people in the NM have to learn debhelper, tomorrow they will have to learn CDBS too.

I think it's worth the effort, because CDBS, if used extensively in our archive, has the benefit of providing a single place where to massively make changes to potentially all packages of the archive. That's a huge win for QA in Debian. The same does debhelper, but it only takes care of technical aspects in the packaging process while CDBS also takes care of behavioural aspects.

Of course CDBS has drawbacks and nuisances (the available hooks, for example, are not properly standardized nor documented IMO), but I think it's a step in the right direction. In Debian we should push more and more toward the possibility of making changes in a centralized/batch manner, so that when maintainers tend to get MIA we have a quick and easy way to take over their unfulfilled duties.

Collaborative maintenance is a social step in that direction, CDBS is a technical one.


Peter Van Eynde: on blobs

Thu, 16 Nov 2006 10:11:11 +0000 -

I notice that the binary blob discussion is again on LWN's front page. Recently I got a new portable from work and this gave me some new insight. In short: binary-only drivers are so bad people will buy other hardware.
The machine (a Lenovo Z61m) uses a X1400 ATI chip, so I have to use the ATI binary-only driver. Well. I'm trying to use it.
The amount of grief I'm getting from it would convince even billg himself that opensource drivers are mandatory in an opensource system. Strange errors pop up and you're just lost, googling only gives you forums where other poor users are trying to make it all work. Due to the dynamic nature of xorg and kernel development the driver will never 'catch up' and problems will keep popping up. And there is little I can do except complain to the responsible person and urge him to buy the Intel only portable next time.
If this keeps on Intel will just sweep the Linux hacker's market, and with it the hearts and minds of a lot of people. My next machine will be an Intel, the first one in years, because I cannot get an AMD with an open graphics card, and I think I won't be alone in this.

Mario Iseli: Microsoft and Novell - Support for opensource projects?

Thu, 16 Nov 2006 09:54:55 +0000 -

Right now I sit in my office and read the magazine “InfoWeek”. This is a magazine for IT professionals and IT companies, almost everybody in Switzerland who works as a sysadmin or programmer reads it. Generally I really like this magazine, because you find stories about almost everything, opensource, closedsource, new technologies, routers, databases etc. Sometimes there are also good tutorials about how to exchange something in a company with an opensource pendant.

Today I found this bad article, the title is “Microsoft unterstützt Linux” (means in English something like “MS supports Linux”). There’s a picture with Steve Ballmer and Ron Hovsepian shaking their hands. Hmmm, for me the title is just completely wrong. Because this would mean “Linux == Novell” and nothing more. There’s written that they got a lot of money from Microsoft which is dedicated for opensource projects. Now a question to everyone: Did any of you get money from Microsoft/Novell for your free software project? I think not really, otherwise I would be very confused.

Dear reporters of IT magazines:

Linux is a free operating kernel and not “a desktop system developed by Novell”. And by buying money _FOR_ Linux you would have to give this money to the community or whatever because opensource products in general are not developed by companies as Microsoft.

Sorry in a way for this article, I hope that the !Free-Software-People reading my blog will learn anything, I really hate this “Linux == Novell product”, because Novell is in my eyes a very proprietary company which destroys parts of the community. :-(


Andreas Barth: More Documentation

Thu, 16 Nov 2006 08:30:00 +0000 -

Another day spent mostly on documentation. It seems incredible how much time it takes to get things right, but still - it is a very important task, as our users rely on good documentation. The release notes are now mostly ready, except for some more information on the kernel/udev/... (and thanks to Dann for so much input on the kernel situation). Thursday will be spent on merging some comments on the release notes which I got in the late evening, and trying out some upgrade scenarios.

David Welton: Random Rants

Thu, 16 Nov 2006 08:18:00 +0000 -

Edgy Eft breaks ldap

At work, we decided to test upgrading to Ubuntu's Edgy Eft on a spare machine. CRUNCH... that didn't go so well. The bug is here:

https://launchpad.net/distros/ubuntu/+source/libnss-ldap/+bug/51315

Also, it's no longer possible to boot with init=/bin/bash, you have to use init=/bin/dash. Single user mode brings up so much stuff that it's not really viable as a rescue mode, IMO.

require_gem ?

What is the deal with having a separate command to require gem-installed packages in Ruby? Perhaps there is a logical reason for it, but it's ugly looking to me.

Rubyforge is down...again

Ruby's popular these days, isn't there someone who could invest a bit of money in setting up a system that stays up?

Harumph!


Amaya Rodrigo: We are Debian!

Thu, 16 Nov 2006 06:26:57 +0000 -

Valessio strikes back!

I have a new background!

Benjamin Mako Hill: Dare to DReaM?

Thu, 16 Nov 2006 04:19:08 +0000 -

I went to a talk today by Sun scientist Susan Landau on Sun's DReaM/Open Media Commons DRM system that I've mentioned in the past. Landau used a variant of these slides to do a rough overview of the Sun system and the problems that it is trying to solve.

Halfway through her talk, Landau showed a slide titled, "Users Matter: Creative Commons." Elaborating, Landau mentioned that she had been talking to a number of people -- both at CC and outside -- about the possibility of using DReaM to enforce the terms of CC licenses.

I interrupted Landau to point out that CC licenses had an anti-DRM clause that, as far as I knew, would make her system unusable on CC content. The CC anti-DRM clause, plus the resistance of the CC and iCommons community to accept parallel distribution language, are why it's impossible to play CC-licensed works on an unmodified PlayStation or XBox (these systems only play signed disks) -- even if you include an unencumbered copy alongside! Landau reassured me that I must be mistaken and that she had talked about DReaM in depth with CC leadership, lawyers, and technical advisory board members and she was sure her system was at least possible. Puzzled, I shut up.

For most of the rest of her talk, Landau talked about fair use and how a DRM system might go about respecting it. In his qualified endorsement of the DRM system, Lessig mentioned that DReaM, "would be implemented to allow individuals to assert 'fair use,' and unlock DRM'd content, with a tag to trace misuse." At the time, I had a hard time imagining how fair use could be built into such a system -- separating fair from unfair use is remarkably resistant to technical solutions. Even bright light cases like verbatim copies of every page of the Encyclopedia Britannica might be fair use if I were to make them into a paper mâché bust of Johann Gutenberg or use them to wallpaper a gallery wall.

Landau acknowledged the trickiness around fair use and suggested a compromise:

By default, works might be encumbered in the ways and to the degrees that the copyright holder wish. However, users could petition for an unencumbered "fair use copy" by identifying themselves and then checking some boxes and explaining (briefly) why they think their use for the work qualifies as fair. Once they've done this, the system would present the user with an unencumbered, watermarked, and fully traceable piece of media.

Conceivably, requests would be subject to some sort of review (at the very least to prevent automated requests) and non-fair uses of watermarked goods would be strictly tracked. If a "fair use" copy is found in the wild, the watermark would be traced and the originator would be held liable. Of course, anonymous fair use becomes impossible but, as Simson Garfinkel pointed out at Landau's talk, users may have a right to anonymous speech and to fair use but not to anonymous fair use. "Fair" enough.

It is perhaps important to point out that DReaM does not currently implement this "fair use" system and that, one can only assume, the vast majority of DReaM users (e.g., Hollywood movie studios and their ilk) would have little interest in giving their users a blanket ability to make "fair use copies" and would in most cases choose not to enable such an option.

But let's return to the issue of DRM enforcement of CC license terms. While I was initially quite confused by the idea of DRM enforcement of CC license terms, it made much more sense when I looked at the CC anti-DRM clause itself:

You may not distribute, publicly display, publicly perform, or publicly digitally perform the Work with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License Agreement.

The emphasis (mine) points to the crux of the issue. The CC anti-DRM clause only blocks technological measures that overstep the boundaries set in the rest of the license. For the free licenses, that's a wide boundary that leaves little room for DRM. But as I've pointed out before, CC is a lot more than just free licenses.

Landau mentioned that her group was primarily interested in using the DReaM system to enforce attribution and non-derivative work clauses in CC licenses -- a wise choice as non-commercial use is hard enough for humans to discern. As a result, the DReaM system might be used to make it impossible to remove attribution from CC works or might block modification to works marked as "ND." The catch that led me to believe that CC license blocked all DRM was the fact that I didn't think it would be possible for a DRM system to respect fair use. After all, each CC license includes an explicit affirmation that, "nothing in this license is intended to reduce, limit, or restrict any rights arising from fair use."

The question that the possibility of a CC DRM scheme like DReaM hangs on is: to what degree does Landau's suggestion live up to the fair use legal bargain?

Landau pointed out that a number of lawyers including Pam Samuelson and CC's technical advisory board and legal staff have been generally positive about her fair use permission-asking compromise. Honestly and on CC's own terms, it's hard to see why they wouldn't be. The loss of anonymous fair use was only ever a right we enjoyed by a fortunate accident. Watermarks are only there to "keep honest people honest." If you are not doing anything wrong, what do you have to hide?

But DReaM enforcement of CC licenses is a bad thing and the bad taste that it inevitably leaves in many commoners' mouths is not hard to explain:

  • Many commoners are not comfortable with the idea of DRM because it shifts power over users' computing devices away from the users and makes computers obey the will of a copyright holder. That's true of DReaM just as much as it is of Apple iTunes or Microsoft DRM.
  • Many commoners are not completely comfortable with all CC licenses, so the idea of technical protection measures enforcing these terms, even those allowing for fair use lines and in line with the will of the author, is seen as dangerous.

To solve the first issue, CC needs a more strongly worded anti-DRM clause -- ideally one tied to a parallel distribution clause. To solve the second, we will ultimately need a new banner under which only truly free cultural works will reside.

Susan Landau doesn't have it easy but she does seem to have the genuine best interest of consumers and users at heart. That's more than I can say about the vast majority of people in the DRM business. She's trying to walk a fine line and she's almost certainly being abused and heckled by folks in the industry who call her "communist" and by folks like me who feel that she's sacrificing essential principles in an attempt to compromise. The one thing we all agree on is that the ground she's treading is a minefield.

Yet while I sympathize with her, I must speak out against both her and DReaM. A DRM compromise at this stage would be insanity. This is a fight we have to win.


Benjamin Mako Hill: Ignorance is Bliss

Thu, 16 Nov 2006 04:00:18 +0000 -

A banker at my hippy bank had never heard of Google. I had to spell the name out and explain it to her!

I've never imagined one could feel so happy about their choice of financial institution.


Zak B. Elep: Ubuntu-PH Release Party for 6.10 (Edgy Eft)

Thu, 16 Nov 2006 03:40:28 +0000 -



Last night I called Ubunteros nearby Manila for the Edgy Eft (belated) release party at the Coffee Bean and Tea Leaf at Greenbelt 3. Little did I know that there will be a lot of folks coming from the just-concluded FOSS@work workshop joining in the fun, thanks to Yolynne Medina and Eric Pareja.

Diane Gonzales and I got to the venue first, then followed by the FOSS@Work folks. Dominique Cimafranca, Migs Paraz, Ranulf Goss, Jopes Gallardo, and Joel Bryan Juliano were there too, and all in all we were easily the noisiest group in the coffee shop, seemingly occupying the entirety of the place. I originally planned to move the group to have dinner somewhere, but along the way everybody seemed to forget dinner and we were quite engaged in talking to everyone else. It was terrific.

The 2 boxes of Edgy {,K,Ed}Ubuntu CDs I brought were easily given away to everyone; we even had them exchanged and autographed (naks!) reminiscent of what Ealden and I did last February when Mark came here. As a finale, we had a group photo of everyone with their CDs; Dominique remarks that in his ‘informal’ study, more and more women prefer Ubuntu (and I sure do think he’ll be blogging more about this soon. ;)

Needless to say, the above photo doesn’t do great justice to what happened last night; it came from my elric which I didn’t get to use much as a camera since I too was happily chatting away. That said, I expect RJ Ian will be posting his photos from his brand-spanking-new Kodak camera to the Ubuntu-PH site once he gets back to Mindanao with Yolynne and company. I also think the FOSS@Work folks also have their own photosite or wiki to post more photos, which we’ll be seeing sooner.

Jerome Gotangco and Ealden Escañan, the guys whom we all owe Ubuntu-PH to, were unfortunately unable to attend last night, as Jerome was off to Cebu to participate in the ICT congress there, while Ealden was quite busy at work. Hopefully they (as well as last night’s attendees!) can attend the next Release Party for 7.04 (aka Feisty Fawn,) and hopefully it will be just as fun, and be more meaningful if more Ubuntu-PH folks get involved in its development!

Update: Yolynne and RJ just posted pics fresh from their arrival to home. Expect more pics later, nicely tagged too…


Jeff Licquia: What Do We Want From Microsoft?

Thu, 16 Nov 2006 02:57:37 +0000 -

Jason Matusow of Microsoft wants to know:

That said, the real voice of the community is…well…from those of you I don’t know. I have to tell you that the issues with getting this covenant right are incredibly complex and there are real concerns on all sides. Our design goal is to get language in place that allows individual developers to keep developing.

(This is in response to the recent patent deal between Microsoft and Novell, and the poor reception it’s getting from the free software community.)

Unfortunately, he got GrokLaw-ed, and his comment system isn’t taking the heat well. So, here’s my feedback; hopefully, he’s paying attention to views outside his comments.

The big problem, if you ask me, is the distinction between “commercial” and “non-commercial” that Matusow (and everyone else I hear from Microsoft) is making.

In our world, that distinction is a lot less important than the distinction between “proprietary” and “open”. For us, “commercial” is just another way software can be used, and restrictions on commercial use are like restrictions on use by women, or by people in Illinois, or by people who have ever picked their nose in public. Why are businessmen any less deserving of our software as a class than housewives, or Haitians, or other free software developers?

Matusow claims not to be interested in any of this:

We are not interested in providing carte blanche clearance on patents to any commercial activity - that is a separate discussion to be had on a per-instance basis. As you comment, please keep in mind that we are talking about individuals, not .orgs, not .com, not non-profits, not…well, not anyone other than individual non-commercial coders.

Dialogue often means meeting the other person where they’re at, not where you want them to be. They would, presumably, not take us seriously if we insisted on a blanket patent license as a condition for any kind of conversation. Fair enough; but then why should we take them seriously when they insist on us turning our backs on one of our bedrock principles?

But does the conversation have to be either-or? I’m betting that Matusow’s blog post is evidence that it doesn’t. People at his level are not the types to waste time on wild goose chases.

And is it all that strange to think there might be value in the conversation? There’s a mighty thin line between “proprietary” and “commercial”, so thin even we get them confused sometimes. Does Microsoft really care all that much about for-profit use and improvement of free and open tech? If so, they’re prominent members of a small and shrinking club. If not, then it seems to me that we have a lot of common ground for discussion.

Read the article

Russell Coker: economics of a computer store (why they don't stoc...

Wed, 15 Nov 2006 22:16:53 +0000 - russell@coker.com.au (etbe)


In some mailing list discussions recently some people demonstrated a lack of knowledge of the economics of a shop. Having run a shop for a few years (an Internet Cafe) I have some practical knowledge of this. I will focus on small businesses in this article, but the same economic principles apply to large corporations too.

When running a shop the main problem you have is in managing stock. There are two ways of getting stock, one is to have wholesalers give it to you for a period in which you can try to sell it and you pay for it when it's sold, this is probably quite rare (I don't know of an example of it being done - and probably no retailer wants to talk about it in case they lose it). Often retailers consider themselves to be privileged if they are permitted to pay for hardware one month after they receive it! The more common way of getting stock is simply to buy it and hope you can sell it in a reasonable period of time (often the wholesaler will offer to buy the stock back at a 10% discount if you can't sell it).

To buy stock you need money, this can come from money that has accrued in the business account (if things are going really well) or from a mortgage taken out by the business owner if things aren't going so well. For small businesses things usually don't go so well so the money used to buy stock is borrowed at an interest rate of about 7% or 8% (I'm using numbers based on the current economic conditions in Australia, different numbers apply to different countries and different times but the same principles apply). The ideal situation is when there is money in the company bank account to cover the purchase of all stock, this means that the cost of owning stock is that you miss out on the 5.5% interest that the money will get in a term deposit.

Almost all stock has a use-by date of some form. Some items have a very short expiry (EG milk used to make hot chocolate in an Internet cafe), some have a moderate expiry date (computer systems become almost unsellable in about 18 months and lose value steadily month after month), but in the computer industry nothing has a long expiry date.

Let's assume for the sake of discussion that you want to run a small computer store that is open to passing trade (this means that you must have stock for an immediate sale). Let's assume that all items of computer hardware lose half their value over the period of 20 months at a steady rate of 2.5% of the original price per month (I think that most computer hardware loses value faster than that, but it's just an assumption to illustrate the point).

The next major issue is the profit margin on each sale. If you can make a 20% profit on a sale then an item that has lost 10% of its value while gathering dust in your store will still be profitable. However the profit margins on computer sales are very small due to having a small number of major manufacturers (Intel, AMD, nVidia, ATI, Seagate, and WD) that have almost cartel positions in their markets and there being little to differentiate the stores apart from price. I have been told that 3% profit is typical for retail computer hardware sales by the small companies nowadays! Now if the stock will lose 2.5% of its value per month, you pay 0.5% interest per month and you make a 3% profit then if an item remains in stock for a month then you lose money. So on average (by value) you need to have stock spending significantly less than a month in your store. Cheap items such as low-quality cases and PSUs can stay in stock for a while. More expensive items such as new CPUs and the motherboards to house them must be moved quickly.

What's the first thing that you do to reduce stock? You can keep stocks low, but there is a limit to how low you can go without losing sales. The next thing to do is to not stock items that customers won't often buy or items where there is a similar item that you can stock as a substitute. The classic example of this is hard drives, a customer will want a certain capacity for a certain price - if their preferred brand is not in stock they will almost always take a different brand if it has the same capacity at the same price. Stores often advertise prices on multiple brands of hard drive in each capacity, but often only try to keep one brand in stock.

Of course this is a problem for the more fussy buyer. If you want to buy two identical parts from the same store on different days you might discover that they don't have the stock on the second day and that they instead offer you something equivalent. Not only do retailers have issues with managing their investment in stock but wholesalers have the same problem. So if a retailer runs out of WD drives and discovers that their preferred wholesaler has also run out of WD drives then they just buy a different brand - most customers don't care anyway.

There are some companies I deal with that have a business model based on services. One of them sells hardware to customers at cost, but charges them for the time spent assembling them, transporting them, etc. The potential for a 3% profit on the hardware isn't worth pursuing, they prefer to just charge for work and also save themselves the sales effort. Another company I know operates almost exclusively on the basis of ordering parts when customers request them (but still make a small profit margin on the sales), this means that the customer can be invoiced as soon as the hardware arrives. The down-side to this is that wholesalers have the same stock issues and they sometimes have excessive delays before the wholesaler can deliver the hardware.

Dell is the real winner out of this. As they operate by mail-order they don't need to have the stock immediately available, they have a few days to deliver it which gets them time to arrange the supply. They can also have a central warehouse per region which reduces the stock requirements again. A 3% profit on items that rapidly decrease in value makes it almost impossible to sustain a small business. But an organization such as Dell can sustain a successful business at that level.

Of course the down-side for the end-user is that Dell doesn't want to have too many models as that just makes it more complex for the sales channel. Also they have deals with major suppliers which presumably give them deep discounts in exchange for not selling rival products (this is why some brands of parts are conspicuously absent from Dell systems).

10 years ago there used to be a small computer store in every shopping area. Now in Australia there are a few large stores (which often only have a small section devoted to computers) and mail-order. There seems to be much less choice in computer hardware than there was, but it is much cheaper.


PS I've attached a picture of day 39 of the beard.

Read the article

Steve Kemp: I could kill, but I don’t care about it

Wed, 15 Nov 2006 21:56:54 +0000 -

I’ve significantly updated the code behind the Debian Administration website over the past few days.

Now:

  • A fair amount of authority has been delegated to other users.
  • Several icky aspects of the code have been tidied up.
  • The test cases are more thorough.
  • The site stood up to being on the front-page of Digg for a day. With no manual tweaking at all!

I still need to decide whether to open up the inter-user messaging system, and implement a few more tweaks and fixups. But these are pretty trivial to do, it is more a matter of deciding whether they are appropriate things than actually writing the code.

All of this work combined with travelling a fair amount recently has left me behind on several fronts though.

I’m going to dedicate tomorrow to catching up on the biggest outstanding issues, but I’m not sure how far I’ll get.

Being behind on things actually makes me feel pretty good, I’m no longer on as many critical paths as I was a few months ago, so whilst getting behind is frustrating and annoying it doesn’t affect quite so many people/projects/packages/things.

Either way better to be happy and behind than the reverse ..

ObXen: The xen-hosting setup managed to reach an uptime of 100 days. I’m obviously not geeky enough; powers of ten remain much more significant to me than powers of two!

Actually I take that back: I can recite powers of two to ridiculous degrees and disassemble x86 and z80 hex dumps into opcodes with a fair degree of accuracy .. About time I got more practised at patching binaries; although it's hard to find GNU/Linux software which requires serial numbers ;)

Read the article

Per Olofsson: What's the deal with hermeneutics?

Wed, 15 Nov 2006 19:14:58 +0000 -

Dear Lazyweb,

Today I had a philosophy class and we discussed hermeneutics. But I didn't understand a thing. Not that I ever understand much of what my philosophy teacher says, but I just don't get hermeneutics.

Yes, I've looked it up on Wikipedia, and I've read about it in a book. But I still don't understand. The language used to describe hermeneutics is complicated and weird, and just doesn't make any sense to me.

What I've grasped so far is this: Hermeneutics is a methodology and/or epistemology used in the humanities and, to some extent, the social sciences. Hermeneutics is about interpreting texts. A text can be a literary text or something else (like a film, painting, or perhaps even reality). When you read a text, you need to read it several times and perform "close reading" of the parts. A text consists of the parts and the whole, and somehow they relate to each other, and you need to understand the parts to understand the whole and vice versa (I have no idea what this means). Hermeneutics is also some kind of way of describing reality (epistemology) which differs from the natural science in that it seeks to understand things rather than explain them. In the natural sciences, or the logical positivist tradition, knowledge is sought by explaining cause and effect (at least that's what my teacher says). Proponents of hermeneutics argue that this method does not apply to the humanities. Hermeneutics also employs something called the "hermeneutic circle", which means that you understand a text better the more you read it.

But I don't understand this method. What's so special about reading a text several times? What's the deal with close reading, why is it that good? What kind of knowledge is gained by this method? How does it differ from simply reading a text any number of times and then writing an essay about what you think and feel about it? The parts I understand about hermeneutics are only trivialities. Also, there seems to be some kind of rules when you read the text. Like, you need to observe the characters one time, and the plot the second time, etc. Who decided that? Why is it necessary to follow these particular rules, if they exist?

Most importantly, exactly why is hermeneutics a scientific method? To me it looks merely as a practice of reading texts and writing essays about them. These essays are of course subjective; they don't generate any objective knowledge in the natural scientific sense. I'm not saying that it's wrong to write about literature, I just don't understand why a certain method of doing it is considered more scientific than any arbitrary method. In the natural sciences, there are criteria of intersubjectivity, independent testability, verifiability, falsifiability, etc. I see nothing of the like in hermeneutics; I don't know any of its scientific criteria. Apparently you need to refer to specific parts of the text in order to justify your statements (opinions? theories?), but it is a rather vague criterion, and I don't understand the rationale for it.

Another thing is the epistemological side of it. Somehow, hermeneutics is a general theory of knowledge. How that could be I don't know. Why would, for example, a close reading of a text give us the answer to questions like the distance to a particular star or human effect on global warming? Maybe that's not what hermeneutics is intended for. But if it is claimed to be a general theory of knowledge, it should be able to answer those questions in some way.

Maybe all this is just me being stupid or zealous. Or maybe I'm not thinking clearly -- I'm suspecting that I've not been thinking clearly lately. Perhaps I'm refusing to understand out of mere distaste or frustration. My classmates suggested something in the line of that. Perhaps it's because I've read physicist Alan Sokal's brilliant satirical article "Transgressing the Boundaries: Toward a Transformative Hermeneutics of Quantum Gravity", and I am now allergic to the language used by academics in the humanities.

If someone could enlighten me on these issues, that would be much appreciated.

Read the article

Biella Coleman: Stuck on the technology of yesterday

Wed, 15 Nov 2006 19:00:10 +0000 -

So I am in Alberta, Canada but I decided not to get a local phone number mostly because I have a VOIP phone that works fine and it lets me call Puerto Rico for free, and allows my sister to call me for free too.

But not having an Alberta 780 area code can be quite problematic at times and the latest chapter in the confusion has come from trying to get the IBM warranty folks to accept that you can call from Alberta with a non-Alberta area code and realize that even if they accept that, the computer is the one wearing the pants and thus making the decision… So even if you convince them that new technologies make this possible, the transaction is still sabotaged because in the end, they rely on the computer to get the actual service repair person to call you, and the computer relies, and can only rely, on the area code; it can only see that area code 773 = USA, so then it gets a US rep to contact you back after the initial phone call.

Here is an IRC transcript discussing the confusion, which I think is pretty amusing:

m: they are so confused
m: the guys says “what province are you in?” I say “Alberta”
m: and then he gets my number and he says “You aren’t in Alberta, sir”
m: and I say “Yes I am, my phone number is a US phone number, but I assure you, I am in Edmonton, Alberta right now”
m: and he says “Are you a canadian citizen?”
m: and I say ‘no, do I need to be, in order to be in Alberta?” and he says “The problem is, you are actually in the US right now”
m: I AM NOT IN THE USA
biella: heh
m: so I had to say “You realize that cell phones and voip technology allow you to roam outside of the USA and still use the same phone number?!”
b: and then what?
m: well he said I needed a canada number or their system would send it to the states
m: regardless if thats where my address is
m: their computer is too smart
micah anyways
biella: or not smart enough

Well, we are now using my office number so hopefully all will be OK.

Read the article

Jonathan McDowell: MPEG2 straight to the brane

Wed, 15 Nov 2006 17:54:00 +0000 - noodles-blog@earth.li (Jonathan McDowell <>)

I received a Freecom DVB-T stick last week (early wedding present). I've not actually played with DVB-T before, so I wasn't sure how much of a hassle it would be.

My first act was to plug it into my laptop, with the aim of finding out the USB ID and thus which driver I'd need to compile up (I have a tendency to build my own kernels with only drivers I think I'm likely to need). I did so and was greeted with:

dvb-usb: found a 'WideView WT-220U PenType Receiver (Typhoon/Freecom)' in cold state, will try to load a firmware
dvb-usb: did not find the firmware file. (dvb-usb-wt220u-02.fw) Please see linux/Documentation/dvb/ for more details on firmware-problems. (-2)
usbcore: registered new driver dvb_usb_dtt200u

Interesting, think I. I'm more organised than I thought and have already compiled up all the various v4l bits I thought I might end up using. So I go looking for the firmware file, find a copy, dump it in /usr/lib/hotplug/firmware/. Replug the device. And get:

dvb-usb: found a 'WideView WT-220U PenType Receiver (Typhoon/Freecom)' in cold state, will try to load a firmware
dvb-usb: downloading firmware from file 'dvb-usb-wt220u-02.fw'
usb 1-4: USB disconnect, address 15
dvb-usb: generic DVB-USB module successfully deinitialized and disconnected.
usb 1-4: new high speed USB device using ehci_hcd and address 16
usb 1-4: configuration #1 chosen from 1 choice
dvb-usb: found a 'WideView WT-220U PenType Receiver (Typhoon/Freecom)' in warm state.
dvb-usb: will use the device's hardware PID filter (table count: 15).
DVB: registering new adapter (WideView WT-220U PenType Receiver (Typhoon/Freecom)).
DVB: registering frontend 0 (WideView USB DVB-T)...

Rockin'. Now I need to tune it. I find Adam's DVB page which has the initial tuning file for the Tacolneston transmitter in Norfolk. I type scan uk-Tacolneston. It fails to find anything. I wonder if I'm using the wrong transmitter. I decide the supplied antenna is probably to blame and go to see about sorting out the one in the attic. I try again. I get a channels.conf containing 91 channels. Wooo. Copy this into ~/.mplayer/ and fire up mplayer dvb://. And have Freeview on my laptop. Nice.

Unfortunately this requires me to have the loft aerial plugged into my laptop, which isn't very portable. Paddy tells me this will get better when the analogue transmitters get turned off and the digital power ramped up, so I look forward to that. Until then it should still prove useful to have a portable DVB-T stick - I intend to see if I can pick up BBC HD next time I'm staying in London, and check if Freeview coverage has made it to my parents' yet.

Writing this all down makes it seem quite convoluted, but actually the process was a lot smoother than I expected; plug in stick, copy firmware, replug stick, scan for channels, watch tv. The issue that took most time to sort was the aerial. It's really quite cool to think about how easily you can get yourself an MPEG2 stream of TV to play with.

Read the article

Erich Schubert: Eclipse just doesn't work

Wed, 15 Nov 2006 16:24:03 +0000 -

Eclipse just doesn't work right for me. I'm so pissed by this crap...

I've been following this tutorial (whoever had the idea to use screenshots for the actual code parts... ever heard of copy'n'paste?).

At one point you need to add a class. A new class. Derived from Object.

So I chose the menu option in Eclipse to, well, add a new class. After pressing "Next" in the wizard, eclipse froze, using 100% CPU.

After killing and restarting eclipse, it had only created an empty file. But since I have to type in the data from the Tutorial anyway, ok.

Next step in the tutorial: edit the faces-config.xml file with the faces-config editor. Sounds easy. I click on the file, open with, faces-config editor. Boom. First some content type error message is displayed, but the details actually list a NullPointerException:

java.lang.NullPointerException
    at org.eclipse.wst.sse.ui.StructuredTextEditor.update(StructuredTextEditor.java:3047)
    at org.eclipse.jst.jsf.facesconfig.ui.FacesConfigEditor.addPages(FacesConfigEditor.java:396)
    at org.eclipse.ui.forms.editor.FormEditor.createPages(FormEditor.java:142)
    at org.eclipse.ui.part.MultiPageEditorPart.createPartControl(MultiPageEditorPart.java:276)
    [... 40 more lines of backtrace ...]

Error handling in Java sucks, too. Usually you just get a 50 lines+ stack trace.

[Update: deinstalling XML buddy resolved the last problem, and I could add a second class without another crash]

Read the article

Steinar H. Gunderson: Poor kittens

Wed, 15 Nov 2006 15:59:00 +0000 -

Erich posts to Planet Debian with a post called "CDBS is NMU-friendly", and then goes on to explain that CDBS is a good thing (except he never actually explains why it would be NMU-friendly; in fact, he even admits there is "black magic" involved). Perhaps I should explain my recent desire to kill kittens:

cdbs, like debhelper, is an abstraction layer. When you design an abstraction layer, you want it to abstract away a set of things (either because they're tedious, or because they're difficult) and abstract those away well. Those who have followed Joel on Software (highly recommended, Joel is an excellent writer) will probably have read his tidbit about this, called The Law of Leaky Abstractions; basically, if your abstraction is to have any value at all, it must hide what's beneath very tightly, or in a very obvious way, or you have not really added much except complexity.

The current version of cdbs fails on both accounts. First, it's nowhere near actually hiding the full complexity of Debian packaging; it gives you somewhat less to write for the common cases (most packages would normally call dh_builddeb near the end, for instance), but for more complex setups you have to add your own rules in the middle.

Here's where the non-obviousness comes in. For one, cdbs is really horribly documented -- I'm somewhat fascinated when people claim that a complete dump of all known debian/rules files using CDBS has any sort of documentation value, for instance. What one would need is a complete list of what happens, in which order, where you can insert your own stuff, and in which cases you'd want to do that. It doesn't really help that it's incredibly non-orthogonal; where you can actually add your own hooks seems to be somewhat random, and their naming does not seem to follow any sort of predefined scheme. Sure, if you've done it five times it might make some sort of sense to you that it's DEB_PYTHON_BUILD_ARGS but DEB_MAKEMAKER_USER_FLAGS, but to the rest of us, it's not really that obvious. Tell me really, why is it "DEB_AUTO_UPDATE_LIBTOOL = pre" but "DEB_AUTO_UPDATE_AUTOMAKE = 1.9"?

I've seen suggestions that you "read the CDBS source code" but really, this isn't a way to run something you suggest is going to help a thousand Debian developers. Furthermore, this isn't exactly easy when the entire kaboodle is written in something that was never, ever intended to be a programming language -- really, am I expected to grapple through thousands of lines of stuff like "$(if $(DEB_AUTO_UPDATE_ACLOCAL),if [ -d $(DEB_SRCDIR)/m4 ]; then m4="-I m4"; fi; if [ -e $(DEB_SRCDIR)/aclocal.m4 ]; then cd $(DEB_SRCDIR) && aclocal-$(DEB_AUTO_UPDATE_ACLOCAL) $$m4; fi,$(if $(DEB_AUTO_UPDATE_AUTOMAKE), if [ -d $(DEB_SRCDIR)/m4 ]; then m4="-I m4"; fi; if [ -e $(DEB_SRCDIR)/aclocal.m4 ]; then cd $(DEB_SRCDIR) && aclocal-$(DEB_AUTO_UPDATE_AUTOMAKE) $$m4; fi))"? If something doesn't work, is it a bug in CDBS, or a bug in my package? And if I do not want some action to happen (since, well, it's a special case), how can I find out what magic flag turns it off? (With a regular, imperative debian/rules file, this is utterly trivial; just uncomment the line with the action. It's all there in one place, no need to search.)

I am not against clever Debianization aids. However, to me the current incarnation of cdbs is really only adding a lot of complexity, winning one single thing, reducing the number of lines of code in your debian/rules file (which I think is a worthless metric anyway; we stopped counting lines of code in the 80s).

Please, think of the kittens.

Read the article

Erich Schubert: CDBS is NMU-friendly

Wed, 15 Nov 2006 15:17:04 +0000 -

Steinar H. Gunderson even threatens kittens because of it, and Steve McIntyre ranted against using CDBS for packaging, claiming that it's much harder to fix bugs in packages that use CDBS.

I have to disagree.

More than once I've given up on fixing a bug in a package because I couldn't decrypt the huge makefiles used for building the package.

For private packages I often switch over packages to CDBS then, so I don't have to fiddle around with a build system no one except the original maintainer understands. And every now and then I fix a bug in Debian, but don't upload it because I replaced the "magic" build system with CDBS magic...

While CDBS does a lot of "black magic" to build packages, it usually does quite a good job. If it doesn't, it maybe even is a bug in CDBS, that happens.

debian/rules files that use CDBS are usually quite easy to read, even easier than traditional debhelper template-based scripts. And that is why I think that CDBS is a good thing: it does a good job at separating package-specific and package-independent build scripting.

Maybe all we need is more documentation on how to properly fix common issues in CDBS, starting with misplaced or misnamed files etc. CDBS has a lot of hooks, but it's not obvious which hooks to use for which fixes.

(Note that sometimes the fix should maybe be done in the upstream makefile instead.)

In the long run, Debian could use a more unified way of packaging. Debhelper has already unified package building a lot, and CDBS maybe goes one step too far, but ideally we would all be able to understand each other's debian/rules.

Read the article

MJ Ray: Notes on Affero GPL

Wed, 15 Nov 2006 14:31:00 +0000 -

Debian, Free Software and licences: Affero GPL added.

Read the article

Erich Schubert: Third party software

Wed, 15 Nov 2006 14:22:01 +0000 -

Ubuntu has been attracting "newbie" users, and also has drawn users away from Debian. Some people are annoyed by Ubuntu because of this - I am not.

Ubuntu users have been happily collecting third-party repositories to get the latest glitz like beryl. Treviño compiled a huge list of them, and made it easy to install (DON'T USE THIS!).

Everybody concerned with security must go mad with just the thought of collecting third party repositories for the fun of it. To most of us, it's bad if we have to use any third party repositories...

However, Johan Kiviniemi reacted in an interesting way. His highly experimental repository - set up for some 5 users or so, on his home DSL line - was included in this stupid "every repository I could find" list. Noticing this increase in users, he found out about this madness - and made a package to replace the default wallpapers (and disable wallpaper changing) with this scary warning message.

Sounds like a good plan to me, however many users were pissed by being warned that they've done something stupid...

So: thank you, Ubuntu community, for helping teach new users that they shouldn't just blindly install software from the internet. :-) and for keeping these users away from Debian.

Read the article

Norbert Tretkowski: Broken yaird backport

Wed, 15 Nov 2006 10:43:00 +0000 -

People keep asking me why installing kernel-images from backports.org fails, and what's the workaround. The reason why installing the packages fails is a broken yaird backport. Because nobody seems interested in fixing it, I just removed yaird from the backports.org archive. Use initramfs-tools instead, it works fine.

Read the article

Holger Levsen: Solaris GPLed?

Wed, 15 Nov 2006 10:21:28 +0000 -

I am amused to imagine what Jörg Schilling thinks about this :-) More seriously and less rumor, thanks and kudos to Sun for freeing Java! But Sun is hardly important for my well being, this is a job for the sun:

And on a not related note, the sun rises so low now, that it shines onto the desktop in my room. Yay to the nice effects of winter! Not that there are that many, but there are some :)

Read the article

Uwe Hermann: Google sponsors the LinuxBIOS project [Update]

Wed, 15 Nov 2006 10:08:31 +0000 -


As announced yesterday, Google has sponsored some work on the LinuxBIOS project, a Free Software (GPL) BIOS/firmware implementation for various architectures (x86, PowerPC, Alpha, and others).

LinuxBIOS currently supports more than 100 different mainboards from various vendors. A list of supported chipsets, CPUs, and Super I/O chips is also available, so you can easily estimate how hard it will be to add support for a new mainboard.

Most of the mainboards currently supported are high-end server-type mainboards (e.g. from Tyan) and embedded boards. There are not too many cheap, mainstream motherboards supported, yet, but that is about to change soonish.

I've been contributing for a while now to the LinuxBIOS project in various areas (e.g. adding support for a bunch of Super I/O chips, which are required if you want to get LinuxBIOS debug output over the serial port). But one of my personal main goals for the project is to support a reasonably high number of cheap, standard desktop mainboards, and I'll concentrate my efforts in this area in the future.

Any help from further developers with experience in the hardware, embedded, or low-level firmware area is very appreciated! If you're interested, check out the website and say hi on the mailing list.

But I digress. The Google funding was used to create an automated, distributed test infrastructure, which will help...

...to significantly improve the project's Quality Assurance process by creating a completely automated and distributed testing environment. Every single commit results in BIOS images being built for all mainboards, and tested on real hardware located all over the world. So whenever you want to download a LinuxBIOS image, you can now know that it works on a reference machine before flashing it to your system.

A per-revision overview is available, as are test results for specific revisions, and you can even get detailed reports that include extensive logs for each motherboard. Developers can also use the build and test system without checking their code into the LinuxBIOS repository. The automatic build client has an option to submit BIOS images to the test system manually; you can see an overview of manually triggered builds. Anyone with a spare board supported by LinuxBIOS is welcome to put it into the automated test system, thus helping the LinuxBIOS project increase their quality on your hardware.

LinuxBIOS QA 1
LinuxBIOS QA 2


This is a great thing, and something which not many projects out there can claim to have. Automated test-suites in the software development "scene" are used seldomly enough (which is bad), but in the low-level hardware/embedded area you're usually stuck...

(See also Golem and Heise if you speak German)

Update 2006-11-15: Ok, the site is slashdotted right now. Maybe you can try archive.org or the Google cache...


Alexander Sack: mozilla security updates available for testing

Wed, 15 Nov 2006 09:19:06 +0000 - nospam@example.com (asac (Alexander Sack))

Thanks to Mike Hommey we have another set of security updates for
our mozilla apps in sarge. The versions are:

mozilla-firefox 1.0.4-2sarge13
mozilla-thunderbird 1.0.2-2.sarge1.0.8d.1
mozilla 1.7.8-1sarge8

Please use my security archive to get the preview packages and
test them as extensively as possible.

If you encounter any NEW problems, please let us know at pkg-mozilla-maintainers@lists.alioth.debian.org.

Thanks for your support.


Kenshi Muto: Newer (beta-level) amd64 d-i image for Sarge with kernel 2.6.18

Wed, 15 Nov 2006 09:17:00 +0000 -

Today I updated i386 and amd64 sarge-bpo CD images.

The i386 changes are minor compared with the previous version.

  • Defined the ide-generic driver for the Marvell PATA controller in discover1-data. This controller is used by some ICH8 boards. I hope the final 2.6.19 will support it (the mm patch already supports it).
  • Provided boot.img.gz for USB memory instead of the vmlinuz/initrd files.

The amd64 version is wanted by many people. Well, I faced more problems on amd64 than on i386.

  • Applied 2.6.18-5~bpo.1. This source is the same as the one provided by backports.org, but the bpo site hasn't built it for amd64.
  • LVM/RAID support. Although I haven't tested it yet, the partman routine is the same as the one the i386 version already supports.
  • Rescue mode support. But strangely the rescue-check routine prevents boot up. You can enable it by executing "anna-install rescue-mode" from the VT2 shell.
  • Strangely, my linux-image made with kernel-package 10.062~bpo.1 failed to install with "Missing required parameter 'Old' at /var/lib/dpkg/info/linux-image-2.6.18-2-amd64.postinst line 393". Finally I avoided this by setting "relative_links = no".
  • The 2nd stage won't be internationalized for CJK people. Something happens on FB and jfbterm.

MJ Ray: Business: Email, sigs and signing

Wed, 15 Nov 2006 09:03:00 +0000 -

Ian Rawlings wrote in an article in uk.comp.os.linux that:

"There was a legal precedent set in the UK a little less than a year ago, in which the company's name and contact details in an email signature were taken as sufficient identification of the company for the contents of the email to be acceptable as a contract [...]"

and then helpfully provided some references about it.

The headline on Disclaimers could make emails into contracts [The Register] seems a bit off. Even the article ends:

"The end result of this could be that people who include a signature and disclaimer at the bottom of their emails might actually be making themselves more liable than people who just send one line emails."

Note the might there. It's quite a leap, isn't it?

Mehta v J Pereira Fernandes SA [2006] EWHC 813 (Ch) (07 April 2006) appears to have ruled that headers were not a sufficient signature, rather than that a plain text signature block (sig) is sufficient. Have I missed a key point here?

AFAICS, the ruling contains the following key general points:

"28. I have no doubt that if a party creates and sends an electronically created document then he will be treated as having signed it to the same extent that he would in law be treated as having signed a hard copy of the same document. [...]"

"30. [...] if a party or a party's agent sending an e mail types his or her or his or her principal's name to the extent required or permitted by existing case law in the body of an e mail, then in my view that would be a sufficient signature for the purposes of Section 4. [...]"

I doubt that a sig is quite the same as a hand signature, as it doesn't necessarily 'serve as a method of authentication' as required by the Digital Signature Directive ( 1999/93/EC, Electronic Signatures Regulations 2002), but there are times when it could bind one to things. Essentially, using a sig is like using headed paper, not like hand-signing.

Parts of the ruling (para.19) seem to argue that automatic insertions make things carry less weight AFAICT - does that hint at how futile those forced stupid disclaimers would be if relied upon in court?

Does the same automatic-or-decision point also mean that using an electronic signature tool (gpg or whatever) selectively helps it carry more weight than signing everything automatically? I don't agree it ... signs death warrant for Digital Signatures [Financial Cryptography]

Interesting questions. Anyone know if the answers are decided yet?


Matthew Palmer: Severe Discomfort's "The Joy of UDP"

Wed, 15 Nov 2006 04:19:25 +0000 -

(For the grammar Nazis out there: no, that apostrophe is not misplaced)


There are times when a connectionless protocol almost doesn't seem worth the hassle.

Take, for instance, the troubles of a round-trip communication, using UDP, where the initial request is sent to a secondary IP address on an interface. Your code, on the server, might look like this:

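 require 'socket'
 s = UDPSocket.new
 # An empty host string binds to the "any" address
 s.bind('', 12345)
 # Echo each datagram back to the sender's address (remote[3]) and port (remote[1])
 loop { data, remote = s.recvfrom(65535); s.send(data, 0, remote[3], remote[1]) }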

This is a pretty simple Ruby fragment which just reflects your UDP packets back at you. It really doesn't get much simpler than that. Connect to this thing from somewhere else (using nc -u remoteip 12345) and you can reflect packets back and forth to your heart's content. Or so you'd think...

When talking to a regular IP address, your packets probably look something like this (when viewed using tethereal):

 192.168.0.1 -> 192.168.0.2 UDP Source port: 35716 Destination port: 12345
 192.168.0.2 -> 192.168.0.1 UDP Source port: 12345 Destination port: 35716

Fantastic -- I send a packet, and get one back. In netcat, you see whatever you typed printed back out again.

But, what if I add a secondary IP address to the server's interface (ifconfig eth0:1 192.168.0.5, for instance) and try sending packets to that IP address (with nc -u 192.168.0.5 12345)? I get this insanity:

 192.168.0.1 -> 192.168.0.5 UDP Source port: 35772 Destination port: 12345
 192.168.0.2 -> 192.168.0.1 UDP Source port: 12345 Destination port: 35772

And of course, no self-respecting network stack is going to accept a packet back from a totally different IP address, even if it did manage to get the ports right. Hence, the client never sees the return packets, and thinks that the server is snubbing it.

What's happening here seems insane, but it's actually just a regular artifact of a connectionless protocol like UDP. You see, we've bound our socket to the "any" address (the empty string in the call to #bind tells UDPSocket to bind to the "any" address -- no, I don't know why either, it's not a particularly intuitive interface). When we get the packet into our app via #recvfrom, we get no information on what address the packet was actually sent to, only that the OS decided that the packet was for us (yay for encapsulation). The only information we get is where the packet was coming from -- and due to the fact that the kernel keeps no connection-related information around for the socket (the kernel figures it'll hold us to our connectionless pledge), when the time comes for us to send a packet back, we have to explicitly say where we want that packet to go -- that's the remote[3], remote[1] arguments in the #send call.

The brain-leakage starts when we work out where to say the packet is coming from. When we send the packet, a source address needs to be calculated -- again, the kernel keeps no information on source or destination because we're connectionless. Because our socket is bound to the "any" interface, the OS thinks it has carte blanche to set whatever source address it likes. In Linux, the behaviour appears to be to pick the IP address set on the primary alias for the interface that will be used to send the packet out on. So for the common case (one IP address per physical interface) everything is fine. But those corner cases, gee, they're awfully sharp and pointy...

The solution, of course, is to send the packet out through a socket that is bound to the particular address you want to use as the source address -- then the kernel knows what source address you want, and there's no confusion. Seems pretty trivial, right? Surely every sensible network application does that already, right? So obviously Ruby's UDPSocket implementation just sucks. That's what I thought, and I don't blame you if you think so too. But before you raise pitchforks and storm the gem-covered castle, try repeating our little experiment with some other widely-used UDP-based applications, such as net-snmpd or your ntp server. (The NTP server is a little different, in that to trigger the problem you need to start it and then set up the interface alias, for reasons I'll explain later). Both net-snmpd and ntpd exhibit the same behaviour as our trivial UDP echo service -- at least, the versions present in Ubuntu Breezy do, although I can't imagine everyone's suddenly cottoned onto this problem in the last 12 months or so and come out with a rash of fixes.

So, basically, everyone seems to be suffering from the same malady. For values of "everyone" that equal "some UDP servers". There's some services that don't seem to have such troubles with alias interfaces -- the Bind DNS server comes immediately to mind, and ntpd works fine if you start the NTP server after you set up the interfaces. Why the difference? These services are clever and bind to each IP address on the system separately, like so:

 $ netstat -lun |grep :53
 udp        0      0 192.168.0.1:53          0.0.0.0:*                          
 udp        0      0 192.168.0.5:53          0.0.0.0:*                          
 udp        0      0 127.0.0.1:53            0.0.0.0:*                          

This is very cool, and solves the problem, except that if you add another interface after you start Bind, it doesn't pick up the new address, and you're boned until you restart the daemon. It also increases code complexity a bit, since you need to add a select into your request handling loop (instead of just blocking on the #recvfrom call, like I've been doing thus far). Whilst I'm never happy about unnecessary complexity, I'll deal with it where I have to, but the real killer for this application is the "you can't change your interfaces after starting the daemon" rule -- my particular need is to make requests to a virtual service IP address, and restarting my service after each IP address change is going to suck hard.

I mentioned ntpd earlier because it has some extra trickery at work. Its list of bound interfaces looks like this:

udp        0      0 10.6.66.6:123           0.0.0.0:*                          
udp        0      0 192.168.250.6:123       0.0.0.0:*                          
udp        0      0 172.14.16.6:123         0.0.0.0:*                          
udp        0      0 172.31.62.1:123         0.0.0.0:*                          
udp        0      0 192.168.37.179:123      0.0.0.0:*                          
udp        0      0 10.64.64.64:123         0.0.0.0:*                          
udp        0      0 127.0.0.1:123           0.0.0.0:*                          
udp        0      0 0.0.0.0:123             0.0.0.0:*                          

It listens to every IP address explicitly plus the "any" interface. I'm not quite sure why, either -- just listening to the specific addresses works for Bind, and if you add an interface alias after starting ntpd, it exhibits exactly the same problem as the trivial UDP echo service, so I don't think that listening on "any" is really gaining it anything. Listening on "any" does make ntpd behave differently to Bind: with Bind, if you send packets to an interface that wasn't available when Bind was started, it just completely ignores you (because it lacks a socket listening for packets to that address), while with ntpd the packets hit the "any" socket and suffer from the wrong-source-address bug.

At the moment, my best chance of a solution appears to be to follow Bind and ntpd's lead and hook onto every address, but with the extra twist inspired by ntpd -- listen on the "any" address as well as all of the specific addresses. If I use any packets that arrive on the "any" socket as a trigger to rescan the available addresses (to add any new addresses that have been created since the last scan), that should solve all my problems.

Now I only need to make it work (and deal with the insanities that will no doubt result). Wish me luck. The screams of pain and frustration you hear (no matter where you are in the world) are probably mine.

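The plan described at the end of the post above (one socket per local address, plus an "any" socket whose traffic triggers a rescan), as an added Ruby example that is not part of the original post and not the author's code. The names `SourcePreservingEcho` and `SYSTEM_IPV4`, the injectable `lister`, the use of SO_REUSEADDR to share the port, and the IPv4-only scope are assumptions of this example.

```ruby
require 'socket'

# Added example; SourcePreservingEcho and SYSTEM_IPV4 are hypothetical names.
SYSTEM_IPV4 = -> { Socket.ip_address_list.select(&:ipv4?).map(&:ip_address) }

class SourcePreservingEcho
  attr_reader :port

  # port 0 asks the kernel for a free port. lister returns the local IPv4
  # addresses to bind; it is injectable so a rescan can be driven by hand.
  def initialize(port = 0, lister: SYSTEM_IPV4)
    @lister = lister
    @any = open_socket('0.0.0.0', port)
    @port = @any.addr[1]
    @by_addr = {} # local address => socket bound to that address
    rescan
  end

  def bound_addresses
    @by_addr.keys.sort
  end

  # Bind a socket for every listed address that does not have one yet.
  def rescan
    (@lister.call - @by_addr.keys).each do |ip|
      @by_addr[ip] = open_socket(ip, @port)
    rescue SystemCallError
      next # address disappeared between listing and bind
    end
  end

  # Handle at most one datagram. Returns the local address of the socket that
  # answered, :any for the wildcard socket, or nil on timeout.
  def serve_once(timeout = 1)
    ready, = IO.select([*@by_addr.values, @any], nil, nil, timeout)
    return nil unless ready
    sock = ready.first
    data, remote = sock.recvfrom(65535)
    # Reply through the receiving socket: a socket bound to one address
    # always sends with that address as the source.
    sock.send(data, 0, remote[3], remote[1])
    local = @by_addr.key(sock)
    return local if local
    rescan # wildcard hit: the destination address appeared after startup
    :any
  end

  def close
    [@any, *@by_addr.values].each(&:close)
  end

  private

  # SO_REUSEADDR lets the wildcard and per-address sockets share one port.
  def open_socket(ip, port)
    sock = UDPSocket.new
    sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
    sock.bind(ip, port)
    sock
  rescue SystemCallError
    sock&.close
    raise
  end
end
```

The first datagram sent to an address added after startup is still answered through the wildcard socket, so only that one reply can carry the wrong source address; every later datagram lands on the newly bound socket.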

Clint Adams: ABC, easy as 321, simple as fa-sol-la

Wed, 15 Nov 2006 03:02:00 +0000 -

Far too late after #394749 got fixed, ZOMG switched from mpg321 to mpg123.

The reason that this is so exciting is that mpg123 supports output buffering, whereas mpg321 has been sucking ass for over five years.


Michael Janssen: Birthdays and non-events.

Tue, 14 Nov 2006 22:18:09 +0000 - jamuraa-blog@base0.net (Jamuraa)

This is just a short note to remind everyone that the most wonderful woman in the world deserves birthday greetings. She's still only 4 years, 5 months, and 2 days older than me, and not 5 years older, which she would like you to believe. Despite that, she easily is beautiful enough to be younger than me, and I'm blessed that she can tolerate my ineptitude.

Happy birthday ceilingsarecool!

Junichi Uekawa: Server moves.

Tue, 14 Nov 2006 21:56:50 +0000 -

Netfort.gr.jp is going to be relocated. Mail / Web may experience a bit of downtime.

Josselin Mouette: Have (little) fun with python2.5

Tue, 14 Nov 2006 21:02:33 +0000 -

While preparing a new upload of python-support containing a workaround for #396840 (python2.3 inadvertently removed from all pyversions calls), I noticed a very nice side effect: it enables support for python2.5 for all modules using python-support.

Extensions are still not built, but it means python 2.5 in etch will have at least a few add-on modules.


Joey Hess: broken

Tue, 14 Nov 2006 20:15:45 +0000 -

I fell less than 2 feet and managed to get a minor fracture of my radius at the elbow, so I'm in a sling and will get to practice being right-handed for a few weeks. Typing so slowly feels almost like being struck mute.


Andreas Barth: Documentation and other long standing tasks

Tue, 14 Nov 2006 20:10:00 +0000 -

After a day off yesterday I spent some more time on the release today. Some of it went into our proposed mail to debian-devel-announce (hopefully, we can finally send it out today). More time was spent on updating the release notes and working through the submitted requests for what should be included. Now the only requests still open are connected with the kernel/udev (and I asked the kernel list for some more input), the security situation with php and mozilla related to sarge (which probably translates into a "wontfix"), and a few minor issues.

That's good news because we want to have release notes available now, as we have a Release Candidate of the installer published.

And as always, some time is spent on the thousands of minor little things that are so time-expensive but still need to be done.


Joachim Breitner: Infoning in Ghana

Tue, 14 Nov 2006 19:35:22 +0000 - mail@joachim-breitner.de (nomeata)

I’m running a computer club at the school in Ghana where I am volunteering as a Free Software advocate at the moment (as you probably know already). At first I tried to spread a little bit of general hacker attitude by introducing an internal wiki and blog, and by explaining what Free Software is. Then some students indicated interest in a programming course, so I held python lessons in the club (Sessions 3, 4, 5, 6, 7, 8, 9 and 10). Unfortunately, interest was declining over time, and while the first lessons had over ten participants (not to speak of the 20 at the very first one), it soon fell to around four. There was also some fluctuation, students leaving, others joining (and then of course lacking the lessons from the earlier sessions).

So today, with four students who only recently joined, I started something new: I introduced the game infon, by fellow entropianian Florian 'dividuum' Wesch. It is a networked battle area where bugs compete over food and fight each other. What makes it suitable for the computer club is the fact that the bugs are not directly controlled; instead the players write their “intelligence” (using the simple language lua) and only upload code to the server. They can even do this while the game is running, and it was a very fun game to play at GPN5 in Karlsruhe. You can read my infon-tutorial, and it’s mostly non-SOSHGIC specific.

I got them far enough to type the code that I presented as an example, to get it running, and to extend it slightly. I am only hoping that they will dig in a little bit deeper until next week. I think that you can only be successful in learning programming or similar things if you spend some time doing it besides the classes, and I did not see that happening when I was doing python. Maybe I was going too fast or the text-only way of doing it was discouraging, but I did expect them to start having their own ideas at least after we were programming a simple text-based maze in the club.


Andreas Metzler: tv+-

Tue, 14 Nov 2006 19:11:25 +0000 -

good: Kabel1 continues airing Due South (at 3 a.m.).
bad: I have joined the countless mass of people who are out of fresh episodes of Firefly. Aargh. Well, I have not yet watched the feature film...


Norbert Tretkowski: IPv6 enabled

Tue, 14 Nov 2006 17:08:00 +0000 -

Thanks to my new employer (for those who didn't notice, I left Teamix and work for IP Exchange since September), this server has a native IPv6 connection since I moved it to its new colocation about two weeks ago.

Steve McIntyre: aaargh! cdbs...

Tue, 14 Nov 2006 16:58:00 +0000 -

Steinar suggests that he doesn't like cdbs. He's not alone. cdbs may make life easy for the maintainer, but it can make it incredibly difficult for anybody trying to fix bugs and NMU